Chinese spy concerns:
Key Australian defence agencies ban Lenovo

Wow. Consider us flabbergasted by this one. Under the ownership of United States-headquartered technology giant IBM, the ThinkPad line of laptops was considered to be the iron grade of corporate quality — reliable, secure, stable. But at some point after IBM sold its PC business to Chinese company Lenovo in 2005, it appears that key government agencies have decided that ThinkPads and other Lenovo-manufactured PCs are no longer secure enough. The Financial Review reported over the weekend (we recommend you click here for the full article):

“Computers manufactured by the world’s biggest personal computer maker, Lenovo, have been banned from the “secret” and “top secret” networks of the intelligence and defence services of Australia, the US, Britain, Canada, and New Zealand, because of concerns they are vulnerable to being hacked.”

Obviously this move contains striking similarities to the ban placed on Chinese vendor Huawei from supplying equipment to Australia’s National Broadband Network, and we’re sure it’s related.

Look, to be honest, I am extremely disturbed by this move. It would appear that the decision to ban Lenovo — one of the technology industry’s most respected PC manufacturers — from having its products used in the top-secret networks of Western governments is based upon the suspicion that the vendor is including so-called ‘back doors’ in its hardware or software that would allow Chinese interests to infiltrate those machines remotely.

However, the way that the various Western governments have gone about dealing with this issue is simply preposterous. If this allegation is true, and Lenovo does indeed include back doors in its equipment that could be used by Chinese interests, then the governments mentioned in the Financial Review’s article must have evidence of this, and that evidence should be provided publicly. After all, it’s not just governments that use Lenovo gear — it’s everyone! Lenovo ThinkPads, for example, are used extensively throughout the corporate world globally. Banks, law firms, consulting firms, mining firms … everyone uses Lenovo ThinkPads. If those machines are inherently compromised, and evidence exists, that evidence should be made public immediately, for the good of the global business and government community.

If such evidence doesn’t exist and Lenovo is innocent of these allegations, and bear in mind that no evidence along these lines has been presented so far, then by acknowledging that Lenovo has been blocked from supplying equipment, the Western governments are perpetrating, as Huawei has alleged in its own situation, a massive case of corporate defamation against Lenovo. With key government agencies blocking the manufacturer on security grounds, how can any other corporate purchaser possibly feel secure buying Lenovo gear? This issue has a massive potential to impact on Lenovo’s reputation and, ultimately, revenue.

We’ve seen so far that absolutely no evidence of this kind has been presented in public with regards to the Huawei case, and I suspect that we won’t get any with respect to Lenovo either. Instead, as Prime Minister Kevin Rudd has acknowledged, government concerns about Huawei and Lenovo appear to be based on a shadowy concept of “risk” — in other words, because these companies are Chinese, that they must be open to working directly with the Chinese Government on espionage matters.

This might be good enough for government agencies. But it’s not good enough for me. And I suspect it’s not good enough for the global business community. I find myself returning to comments made by Huawei last week with respect to its own situation. They could easily apply to Lenovo as well:

“This is tired nonsense we’ve been hearing for years, trotted out anew as a flimsy bright and shiny object to distract attention from the very real compromising of global networks and information that has been exposed in recent weeks. Misdirecting and slandering Huawei may feel okay because the company is Chinese-based – no harm, no foul, right? Wrong.

Huawei is a world-proven multinational across 150 global markets that supports scores and scores of American livelihoods, and thousands more, indirectly, through $6 billion a year in procurements from American suppliers. Someone says they got some proof of some sort of threat? Okay. Then put up. Or shut up. Lacking proof in terms of the former, which seems clearly the case, this is politically-inspired and racist corporate defamation, nothing more.”

The Governments which have blocked Lenovo have a responsibility to say why, and present evidence of Lenovo’s wrongdoing. If they do not, then they are recklessly engaging in corporate defamation that has the potential to massively impact one of the technology industry’s most respected laptop brands. And that kind of thing should never be done lightly.

47 COMMENTS

  1. I agree with what you say Renai it is really time for the Governments who are making these anti-competitive decisions, and one suspects the secret spy networks advising them, to put up or shut up.

    Can anyone recall seeing any reports of secret accessing of citizens internet data in China. Of course you can’t because the Government there has the cojones to say they are doing it up front.

    This smells horribly like a new way of imposing trade sanctions by the holier than thou western democracy cartel.

    • They’ve published them, just not shared them widely. You need to know where to look. Yes, Hua-wei did some pretty terrible stuff whether by gross negligence as they claimed or due to ulterior motives.

      Hua-wei’s always had shitty products (code copied wholesale from Cisco etc.) but Lenovo was top-notch and it’s sad to see how far they’ve fallen. My last Lenovo laptop shipped with 3 broken pixels and they wouldn’t take it back.

    • Just a little update from the horse’s mouth.

      “Media articles in the Australian Financial Review, 27 and 29 July 2013”

      “This reporting is factually incorrect. There is no Department of Defence ban on the Lenovo Company or their computer products; either for classified or unclassified systems.”
      http://news.defence.gov.au/2013/07/30/media-articles-in-the-australian-financial-review-27-and-29-july-2013/

      Looks like the MSM has misled us again. Defence 1 Media 0
      Chinese whispers perhaps.

    • Last year QLD police reported an incident where desktop machines that normally get sent to business and governments were coming with malware/rootkit software preinstalled, which allowed someone remote access to a computer network and infrastructure.

  2. It absolutely would be good to have some evidence one way or the other. One reason for not supplying it would be its usefulness for counter-intelligence operations. Supplying it might damage diplomatic relationships and cause Lenovo/Huawei extensive financial loss on a far broader scale than the loss of sales from paranoid government departments. It doesn’t seem totally unreasonable to adopt a precautionary policy, however, and if that’s the case it should be spoken of plainly. That would be a great smokescreen too for not supplying evidence.. oh it hurts my head these “intelligence”/politics/diplomacy games

  3. So NSA, PRISM, IBM, Apple, Microsoft, Google etc. being in the front pages of the newspapers for supplying all our secrets to the US government (whom despite being a nominal ally are definitely a commercial competitor) aren’t worth worrying about but Lenovo on what appears to be a vague suspicion?

    Nice to see they’re doing smoke-screen work for their US masters.

    BTW How are our F-35s coming along? Oh, that’s right, delayed yet again and even more expensive. Some ally.

    • There’s no way those allegations are true. Do you have any idea how expensive and risky it would be for any of those companies to do what’s claimed? Have you noticed how they’re all denying it and seeking permission from the government to prove the allegations false? Assume for the second the allegations are false, what more could you expect from Google, Apple etc.?

    • Yeah.. the US and all governments do it. But prefer it done by democracies, than pseudo communist governments, but are really just openly corrupt totalitarian regimes… Just don’t mention Tiananmen Square, you might upset the Apple maker overlords and they’ll start spying on us through our iPhones!

  4. There are some things where we have the right to know.

    There are other things where we don’t. Issues that potentially affect national security fall into the latter category.

    I am sure that you could try to justify a need to know absolutely every security related decision that our governments make, extrapolating it into an effect on yourself – or some other dire need to know.

    But bad luck. You don’t get to know. It doesn’t matter how curious you are. It doesn’t matter what impacts you can imagine. You either have to accept that security necessitates secrets, or you can flap your hands in the air melodramatically and without effect.

    I’m also curious about why our respective government’s security expertise has made these decisions. However I don’t presume that I am in a position to second-guess them.

    • Micky,

      That is all good and all, however if there are security concerns with a piece of hardware (In this case Lenovo) this doesn’t just affect the ‘Government’, it affects Business/Enterprise/Education/Corporate/etc, not just themselves and they should be going out of their way to show where this ‘Security’ issue exists with proof.

      • Like I said – you can always try to find an excuse as to why you should know classified information. You can always try to find someone it affects in some way.

        I’m reasonably sure that the people who are looking after national security interests will ignore you, just as they ignore everyone else who thinks they have some kind of right to know everything.

        It is difficult to accept. After all – who watches the watchers etc. How do we know that we shouldn’t have access to information unless we have access to it in order to make an informed decision? Kind of a catch-22.

        Anyway, I think that any demands for information will prove fruitless. Once you are allowed to know then you will know. Until then, you can complain but it will be just pointless gum flapping.

        • I’m sorry, but speaking for the global IT security industry, it’s fucking hard to see how backdoors in products as popular as the ThinkPad could possibly be counted as “classified information”.

          • Because then they wouldn’t be able to exploit them for their own commercial espionage purposes?

            Not saying that’s the case, but it’s one plausible explanation.

          • Speaking on behalf of national security, we don’t give a rat’s arse what you think. (No, I am not national security)

          • When someone wants to make up a story without any logical clue, the best approach is to classify it as secret, a dirty little secret…

          • I agree, Micky seems to know how it works. We don’t always like it but when something is classified information then we are bashing our heads against a brick wall if we think we can get access to it. We can only hope that there are good, legitimate reasons that information becomes classified.

            It would suck to think that the person who wants Lenovo to be banned does so because they own shares in Acer.

            But what can you do? You can’t deny the need for secrecy when it comes to national security. Can secrecy be abused? Of course. Is this something to be concerned about? I suppose that being concerned is a pretty natural reaction. But the only way to allay your concerns would be to know the secrets – and that kind of defeats the purpose.

          • Renai,

            It’s “classified information” because it’s information not known to the public that if made public or otherwise made known to an adversary, could adversely impact national security. Classified information is such information that has been assigned a label, or classification, commensurate with the level of risk involved and the level of protection that information requires.

            Whether or not you can grasp this very simple concept doesn’t change the fact that if what AFR reported is true, the details are classified. It really is as simple as that.

            The primary reason the intelligence community classifies information is to protect its sources and methods. When intelligence information becomes known to an adversary, the adversary can in many cases easily infer the source of the information, the capabilities of the intelligence service that obtained the information, and develop countermeasures accordingly to prevent that intelligence from being acquired in future.

            Given that you’re only opining on what was reported by AFR, and have no knowledge of the matter of your own beyond that reported in the media (most likely with a questionable level of accuracy), you’re not really in any position to make a valid assessment regarding whether the information should or shouldn’t be released.

            Nonetheless, if the alleged backdoor/s exist, they probably don’t exist in every machine; only those shipped to a small number of particularly sensitive end destinations, where those backdoors are necessary because no other viable access to the information those systems will process is available because those systems reside in highly premises, or aren’t connected to public telecommunications networks, or both.)

    • And when governments use this, as they always do, to protect corrupt and illegal practises you’re happy with that.

      Just because you believe in unquestioning support of authoritarianism doesn’t mean we all do.

      I’d suggest you need to find a functioning moral compass, your current one is faulty.

      • I suspect you are slightly insane, not just extremely unpleasant.

        If you really think it is viable for you to know all classified information then you are also stupid.

      • “I’d suggest you need to find a functioning moral compass, your current one is faulty.”

        hey Stephen,

        another impolite comment like that and I’ll ban you from commenting on Delimiter for a month. Yours wasn’t as bad as Micky’s, but it’s still not what we want on this site. I suggest you read our comments policy:

        http://delimiter.com.au/comments-policy/

        Cheers

        Renai

        • I stated an opinion based on his original, highly objectionable statement – the unpleasantness was a reflection of that.

          His response was arguably libelous – it’s a bit of a different order of magnitude.

  5. In defence of the government (*shock horror*) when it comes to Huawei, I’d like to refer people to an interview with Recurity Labs’ Felix “FX” Lindner and Greg Kopf on a risky.biz podcast (http://risky.biz/RB250) and its accompanying DEFCON Slide Deck (http://phenoelit.org/stuff/Huawei_DEFCON_XX.pdf) which talks about the inferior security configuration found in these products.

    Therefore with Huawei, I’d say it’s safe to assume the DSD did their homework through Threat Risk and Vulnerability Assessments if these guys have found significant vulnerabilities and published them.

    Lenovo however I’m unsure about… I think you hit the nail on the head when you said “…If those machines are inherently compromised, and evidence exists, that evidence should be made public immediately, for the good of the global business and government community.”

    They use common components found in most computer systems which (despite the vendor) are probably made in similar locations. Hence, most corporations will “harden” systems by using their own SSOE.

    Therefore, how can they say a Lenovo laptop (vs. a HP made in China) is any different? Unless you talk about the “vanilla” SOE, but I’m pretty sure they wouldn’t be using that in Defence.

    • That Defcon XX Huawei vulnerability slide deck is a real eye opener. The vulnerabilities being exploited in that deck are real facepalm material, and should not exist in any currently supported network equipment produced by a mature development process.
      Hard not to see that kind of security quality as showing contempt for the customer.

  6. Can everyone take a deep breath here? We’re not talking about trade sanctions or government departments generally, we’re talking very specifically about offices in charge of the most sensitive government and military information. Information of strategic importance, information that has been determined as so sensitive it must be classified and highly protected.

    It is those offices that have limited the use of Lenovo products. Bear in mind that they don’t ‘ban’ particular products or vendors – all products are banned by default. What they do is certify specific products or classes to be authorised for procurement and use.

    USB flash drives are a great example – only certain drives that meet particular standards for hardware encryption are authorised for use in sensitive departments, and then only for certain staff. Otherwise there is a blanket ban on any other staff even having them on their person at work.

    Manufacturers and products are certified based on numerous criteria, and yes one of them is risk profiling. But the list of brands not certified is infinitely longer than the shortlist of those who are.

    Also remember, the commercial impact of these lost potential sales is minuscule – you’re talking about very small volumes in comparison to government purchasing generally, let alone consumer sales.

    IMHO top secret arms of the government have absolutely no need to demonstrate ‘known’ vulnerabilities within products made by a particular vendor – it is enough that they are owned by a foreign entity and their offices and engineering designs aren’t open to scrutiny by said secret government offices. THAT is the sort of cooperation required for full security clearance certification, and I think you’ll find most multinational manufacturers are quite happy to leave that business to others.

    So no, this isn’t an indication that there is anything to be concerned about with regards to the security of devices from Lenovo (or any other brand lacking such clearance). It doesn’t mean the government isn’t being transparent or they are hiding anything. It doesn’t mean there are security implications for commercial businesses. It simply means Lenovo and many many other brands simply fail to meet the standards as set out by security administration to allow their products to be certified with the requisite security clearances to allow procurement for the most sensitive offices in government. This isn’t a racist conspiracy, it is simply sensible security.

    Oh, and it has nothing at all to do with Huawei blocking from NBN tendering – while a similar overall process, the rules in place for security offices are quite separate to the considerations undertaken when planning and designing the NBN. Although the final decision may well have been made for similar reasons -Huawei simply cannot be audited and trusted to the same degree as other major network brands.

    Once there is an element of uncertainty that cannot be mitigated, you have to ask what risk that brings and whether that is acceptable to the project. The Chinese government has consistently demonstrated their appetite for power and control extends to the wholesale hacking and invasion of foreign government and corporate computer systems. The Australian government would be remiss in their duties to protect citizens and businesses in Australia allowing the underlying infrastructure for the nation’s communications to potentially be controlled or circumvented by an undemocratic dictatorship such as the Chinese ruling party.

    Not unlike Telstra have done allowing the NSA complete access to everything on their international trunks. If we can’t trust Telstra, why in the world should we consider Huawei more trustworthy?

    • That is quite a sensible and thoughtful comment Trevor. I think there are a few people that have missed the point about the security grade where this is effective, and the fact that our (sensationalist) media may have not been as liberal with the background facts on the story as they could/should have been.

  7. If they really didn’t want to use Chinese products, it would be much more realistic to simply claim they are using child labour to make the products, than resort to this sort of crap.

  8. Can’t trust the yanks either.. Shrug… I agree very silly on the face of it. Makes me wonder if it might be a “beat up” or out of context issue. ie we are missing key information. Or maybe it’s just a situation of, we KNOW the yanks have backdoors, but we are their allies, so better them than the Chinese?

    Oh, and in all fairness, the Lenovo build quality that I have seen is pretty terrible compared to when they were under the IBM corporate brand. (Not including the time when IBM moved all laptops under the retail banner. Boy did the quality drop then)

    The thinkpads used to be pretty damn bulletproof once you got them working. (Getting them working was a bloody pain for system builders during NT days tho).

  9. The US and Canadian governments (Aus too I’m sure) have special test laboratories where they sniff and prod every piece of kit and then approve or disapprove it for government use. I know some of those guys and they do not make announcements like this lightly. http://www.cse-cst.gc.ca/its-sti/services/cc/index-eng.html

    Government machines get completely re-installed with a special scrubbed and tested version of Linux or Windows. They do not use the default system shipped with commercial machines. I suspect that the issue is with a built-in BIOS level support (phone home) feature that cannot be disabled.

  10. There’s a point here though. Lenovo is owned by the Chinese government/military if I’m not mistaken – they have an extremely close link to their industry there. I would rather keep them out of our defense and intelligence agencies than find out later (after an altercation or just extended spying) that the Chinese were using such things.

    Supposedly it’s not software, it’s actual hardware that is on board and is much more difficult to detect than software exploits.

    Probably time someone in the private sector (if there is someone) stepped up and mapped out what the issues are and get this stuff out in the open.

  11. Current generation Intel chipsets contain a “management engine” processor that is under control of the BIOS only and is essentially invisible to the operating system. Erasing or replacing the hard drive, or installing a known-good OS does not affect this. The hardware is used on consumer-grade laptops for features such as an anti-theft “kill switch”, and on business-class machines for encryption support and remote management, i.e., a documented above-board “back door” to allow the IT department to manage the machine over a network. While there are provisions in the BIOS firmware to prevent rogue updates, a sophisticated attacker with access to the machine (e.g., the manufacturer) could install trojan firmware that would allow these same provisions for “calling home” or allowing remote access to be used nefariously. The hardware provisions for this are all above-board, and designed into nearly all machines on the market, and are not unique to Lenovo products. The manufacturer, however, is in a unique position to compromise the firmware, and it is beyond the abilities of most end-users to properly vet it.
    Given the potential for abuse of the management engine hardware, I am surprised that one sees so little mentioned about its security downsides.

    • @Bill: Really good points. Little is made of what might happen if APTs got their hands on AMT:
      http://en.wikipedia.org/wiki/Intel_Active_Management_Technology
      http://en.wikipedia.org/wiki/Advanced_persistent_threat

      Squirrelling an extra trusted certificate away deep in the firmware of a machine with AMT would open the door to plenty of mischief. No idea if this is the kind of vulnerability that the rumours are hinting at; it would have to be pretty well obscured to have escaped the attentions of glory-seeking security types this long.

      Then again, a tiny hidden ROM can require heroics to read: Andrew Huang sniffing HyperTransport to capture Xbox boot code is a case in point.

  12. It’s pretty hard to comment fairly without knowing what this back code is and what it does. However any security agency worth its salt would have to treat such things as a danger and act accordingly. This is what they have done.

    Imagine the damage if this is real and this code is sitting there waiting to be activated. The agencies by their nature are conservative and don’t like taking risks with things they do not understand

  13. The Chinese economy is littered with state interests that have no oversight. The computer technology is extremely expensive to reverse engineer in order to find back doors. Thus, the only way to mitigate risk is to ban the company’s product from various areas. Although the Americans do this too, the Chinese are much more prolific and epic in their effort for electronic espionage. The rumours about the Chinese government hacking an Australian contractor’s PC which had the construction blueprints of DSD’s new anti-cyber terror building in Canberra is reason enough to ban any high tech Chinese company.

    So, watch out for the yellow peril… and get off my god dam lawn!

    • Yellow peril? Racist much? I would think your last bit of comments would have absolutely no relevance to what is discussed here.

    • Yellow peril? I would think your last bit of comments would have absolutely no relevance to what is discussed here.

  14. This is NOT governments and politicians, it’s military.

    It’s the military’s job to be paranoid. So shut the fuck up about the military *shocked* worrying about its security.

    And I’m all for Huawei being banned from the NBN. Why, you ask, when America spies on us? Because we are in a fucking military alliance with America and share everything (and I do NOT support that but the fact is we are in alliance with them), we are NOT in a military alliance with China. If anything they are the largest potential threat to our region. They have proven time and again they have no qualms forcing Chinese companies to give them backdoors into their products.

    So when the military goes and says no to Chinese products for their own uses, I’m happy the military is doing its god damn job and isn’t being sold out to the lowest bidder.

    Too bad for Lenovo, don’t base yourself in China if you want to sell hardware that handles top secret information.
