May 6, 2015 · 2 minutes

Lenovo just can't keep its devices secure.

Researchers have discovered a "massive security risk" in Lenovo computers. The multiple vulnerabilities could allow hackers to replace legitimate software with malware and remotely control that malicious code without detection.

Here's how the researchers at IOActive, which spotted the problem in February and brought it to Lenovo's attention that same month, explain the issue:

Local and potentially remote attackers can bypass signature validation checks and replace trusted Lenovo applications with malicious applications. These applications will then be run as a privileged user.

The System Update downloads executables from the Internet and runs them. Remote attackers who can perform a man in the middle attack (the classic coffee shop attack) can exploit this to swap Lenovo's executables with a malicious executable. The System Update uses TLS/SSL to secure its communications with the update server, which should protect against 'coffee shop' style attacks.

Read the two halves of that together: TLS protects the download channel, but a client that will run what it downloads after a signature check that can be bypassed is only as safe as that channel, and the channel is exactly what a coffee-shop attacker or an interception proxy controls. Lenovo has released an update that's supposed to fix these problems. Consumers will be prompted to download it the next time they run a System Update, but they can also download it themselves from Lenovo's website.
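To make the advisory's point concrete, here is an added example, written for this page; it is not IOActive's proof of concept and not Lenovo's code, and the excerpt above does not say how the real check was bypassed, so this models one common way such a check fails rather than the Lenovo bug itself. A hypothetical updater in Go signs packages with Ed25519. The weak verifier trusts a public key shipped inside the update package; the pinned verifier trusts only a key the client already holds. The package format, the key names and the stand-in executable bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// UpdatePackage is a constructed wire format for a hypothetical updater:
// the executable bytes, a signature over their digest, and a copy of the
// signer's public key shipped alongside (a pattern that invites the bug).
type UpdatePackage struct {
	Executable []byte
	Signature  []byte
	SignerKey  ed25519.PublicKey
}

func digest(b []byte) []byte {
	h := sha256.Sum256(b)
	return h[:]
}

// SignPackage builds a package for exe using priv and embeds priv's public key.
func SignPackage(priv ed25519.PrivateKey, exe []byte) UpdatePackage {
	return UpdatePackage{
		Executable: exe,
		Signature:  ed25519.Sign(priv, digest(exe)),
		SignerKey:  priv.Public().(ed25519.PublicKey),
	}
}

// VerifyWeak is the broken pattern: the signature is checked against the key
// that arrived inside the package, so whoever can replace the package can
// replace the key as well and the check proves nothing about who signed.
func VerifyWeak(p UpdatePackage) bool {
	return ed25519.Verify(p.SignerKey, digest(p.Executable), p.Signature)
}

// VerifyPinned anchors trust in a key the client already holds (compiled in,
// or kept in its own protected store). The key inside the package is ignored.
func VerifyPinned(trusted ed25519.PublicKey, p UpdatePackage) bool {
	return ed25519.Verify(trusted, digest(p.Executable), p.Signature)
}

// Outcome records how each verifier judged the attacker's packages.
type Outcome struct {
	WeakAcceptsSwapped    bool // re-signed malicious package, weak check
	PinnedAcceptsSwapped  bool // re-signed malicious package, pinned check
	PinnedAcceptsTampered bool // genuine signature over altered bytes, pinned check
}

// UpdateScenario plays out the coffee-shop attack: the vendor signs a
// legitimate update, a man in the middle substitutes his own executable
// re-signed with his own key (and separately tries patching the genuine
// bytes while keeping the vendor's signature), and both verifiers judge it.
func UpdateScenario() Outcome {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, mitmPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed stand-ins for the executables; real ones would be PE files.
	genuine := SignPackage(vendorPriv, []byte("constructed: legitimate SystemUpdate.exe"))
	swapped := SignPackage(mitmPriv, []byte("constructed: malicious SystemUpdate.exe"))

	// Attacker's other option: keep the vendor's signature, alter the bytes.
	tampered := genuine
	tampered.Executable = append([]byte(nil), genuine.Executable...)
	tampered.Executable[0] ^= 0xff

	// Sanity check: the untouched package must pass both verifiers.
	if !VerifyWeak(genuine) || !VerifyPinned(vendorPub, genuine) {
		panic("genuine package should verify")
	}

	return Outcome{
		WeakAcceptsSwapped:    VerifyWeak(swapped),
		PinnedAcceptsSwapped:  VerifyPinned(vendorPub, swapped),
		PinnedAcceptsTampered: VerifyPinned(vendorPub, tampered),
	}
}

func main() {
	o := UpdateScenario()
	fmt.Printf("swapped package: weak accepts=%v, pinned accepts=%v\n",
		o.WeakAcceptsSwapped, o.PinnedAcceptsSwapped)
	fmt.Printf("tampered package: pinned accepts=%v\n", o.PinnedAcceptsTampered)
}
```

Run it with `go run` and the weak check accepts the re-signed package while the pinned check rejects both the re-signed package and the patched one. Properly validated TLS does defeat a plain coffee-shop interception; the value of the pinned check is that it still holds when the channel does not, whether because of a compromised mirror, a proxy the machine was told to trust, or a root certificate that should never have been in its store.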

The existence of these vulnerabilities would be problematic by itself. But this didn't happen in a vacuum -- the problem came right after Lenovo was taken to task over another security problem that put an untold number of consumers at risk.

That problem was the result of Lenovo's partnership with Superfish, which saw the latter company's software pre-installed on several Lenovo products. It was supposed to offer a visual search engine; instead, it injected ads in web browsers.

Inserting those advertisements required Superfish to "replace the certificate used to ensure connections to sensitive websites, like email services and banking sites, are secure," as I wrote when the vulnerability was revealed.

And here's the Verge explaining why that certificate replacement is a problem:

It appears as though Superfish has used the same private key for its spurious root certificate on every machine. As Eric Rand, researcher at Brown Hat Security, explained to The Verge, if someone was able to crack the key, nefarious individuals could create certificates that all Lenovo machines inherently trust, or write malicious software that all Lenovo machines see as trusted programs.

Lenovo undermined the security of its own devices to install an advertising tool that many consumers probably didn't want to use in the first place. Now, as the researchers at IOActive report, it also had vulnerabilities in a tool that actually matters to consumers.
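An added example, written for this page and not taken from the Verge, Brown Hat Security or any real Superfish key material, showing in Go why a root certificate whose private key is identical everywhere is dangerous: whoever holds that one key can mint a certificate for any hostname, and every machine whose trust store contains the root accepts it. The root names and the hostname bank.example are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newRoot creates a self-signed CA certificate and its private key. It stands
// in for an interception root like the one described above; the name is
// constructed for this example.
func newRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// mintLeaf issues a server certificate for host signed with rootKey. Nothing
// here checks that the caller has any relationship to host: possession of the
// root's private key is the only requirement.
func mintLeaf(host string, root *x509.Certificate, rootKey *ecdsa.PrivateKey) *x509.Certificate {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return leaf
}

// TrustedFor reports whether a client whose trust store holds root would
// accept leaf as a valid certificate for host.
func TrustedFor(leaf, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// ForgeryScenario models the shared-key problem. One root key is imagined to
// sit on every affected machine; an attacker who extracted it mints a
// certificate for bank.example (a constructed hostname). It returns whether a
// machine trusting the shared root accepts the forgery, and whether a machine
// whose store holds a different root does.
func ForgeryScenario() (acceptedWithSharedRoot, acceptedElsewhere bool) {
	sharedRoot, sharedKey := newRoot("Constructed Interception Root")
	forged := mintLeaf("bank.example", sharedRoot, sharedKey)

	otherRoot, _ := newRoot("Constructed Unrelated Root")

	return TrustedFor(forged, sharedRoot, "bank.example"),
		TrustedFor(forged, otherRoot, "bank.example")
}

func main() {
	shared, elsewhere := ForgeryScenario()
	fmt.Printf("forged bank.example cert: accepted with shared root=%v, elsewhere=%v\n", shared, elsewhere)
}
```

The forgery chains cleanly on any machine that carries the shared root and fails everywhere else, which is why a single extracted key turns one interception tool into a fleet-wide problem. The practical check on an affected Windows machine is to look for the interception root's subject among the certificates in the machine's trusted root store (the `Cert:\LocalMachine\Root` provider in PowerShell) and remove it, since uninstalling the software alone does not necessarily remove the root it installed.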

So what's a Lenovo customer to do now that it's been made abundantly clear that the company can't secure its own products? At this point, it seems like the solution is actually quite simple: buy a computer from a different manufacturer.

[photo by Kenneth Hagemeyer]