Lenovo’s IBM server + Motorola buys will raise new security questions


Remember when the Financial Review reported in August that devices manufactured by Chinese vendor Lenovo (including its extremely popular ThinkPad line) had been banned from use in the “secret” and “top secret” networks of the intelligence and defence services of Australia, the US, Britain, Canada and New Zealand, because of similar espionage concerns to those levelled at Chinese networking vendor Huawei? Well, Australian government agencies just got a whole new kettle of fish to ponder, with two key acquisitions by Lenovo which have taken place over the past week or so.

The first and most obvious issue for the security-minded in the nation’s public sector relates to Lenovo’s buyout of IBM’s x86 server business. This is what Lenovo had to say about the buyout last week:

“This includes System x, BladeCenter and Flex System blade servers and switches, x86-based Flex integrated systems, NeXtScale and iDataPlex servers and associated software, blade networking and maintenance operations … IBM will retain its System z mainframes, Power Systems, Storage Systems, Power-based Flex servers, and PureApplication and PureData appliances.

Lenovo and IBM plan to enter into a strategic relationship which will include a global OEM and reseller agreement for sales of IBM’s industry-leading entry and midrange Storwize disk storage systems, tape storage systems, General Parallel File System software, SmartCloud Entry offering, and elements of IBM’s system software portfolio, including Systems Director and Platform Computing solutions.”

Now, it may just be me, but I’m betting that right now, there are a stack of IBM x86 servers and associated product lines now under the Lenovo umbrella littered throughout all levels of Australian governments — Federal, State and local. Many of these will be actively receiving updates direct from Big Blue. If you believe that there are legitimate security concerns around Lenovo’s gear — which some of Australia’s spy agencies and Defence personnel clearly do — then you would have to be concerned about any potential Lenovo access to that infrastructure. I would bet that the Australian Signals Directorate would be particularly leery about any Lenovo-sourced ROM patches being applied, post the acquisition.

The US$2.91 billion sale of Google’s Motorola Mobility division to Lenovo announced on Wednesday is of less obvious security importance. Motorola’s top handset at the moment, the Moto X, hasn’t even made it to Australia, and although we saw moderate degrees of interest in the company’s previously locally launched RAZR M and RAZR HD handsets, we don’t anticipate that many public servants or government security personnel will be using the units for secure communications, given the Australian Signals Directorate’s historical aversion to Android.

However, this move could still possibly stimulate the most sensitive areas within Australia’s public sector to formally avoid whatever new Android handsets Motorola has in the pipeline.

I want to note, with this article, that I’m not accusing Lenovo of anything. I have not personally seen a shred of evidence that the company’s products or the company itself represent anything of a security risk; in fact, I strongly personally believe that Lenovo’s ThinkPad line in particular represents some of the most secure and best quality laptops available. I don’t personally have concerns with Lenovo. Concerns of this nature should be based on evidence; and there just hasn’t been any presented. The fact that a company is headquartered in China does not inherently make it a security risk; in fact, Edward Snowden’s revelations have shown that it’s more likely US technology giants that are considered to be security risks for many organisations these days.

However, it’s still important to note that these acquisitions will be a closely watched issue for some IT security types in Australia — especially in the Federal Government, and especially in Defence. As an issue, this one hasn’t gone away just yet; and it won’t until companies like Lenovo and Huawei are allowed into key Australian Government areas.

Image credit: Lenovo

4 COMMENTS

  1. “I may be paranoid but am I paranoid enough?” – a quote so often used I can’t determine the originator.

    Me: I’m retired from being an IBM contract instructor. I had a telecoms background before joining IBM and along the way I was involved with security. Reserve Banks ( not just ours), defence stuff (don’t ask).

    Most of my work these days uses OpenBSD: Firewalls, BGP routers, email servers. I wrote the IPv6 functionality for the BGP Looking glass in OpenBSD.

    Enough said.

    The developers working on OpenBSD are very conscious of the need for secure computers and software. They wrote OpenSSH to provide a secure substitute for telnet and they provide the source code to a portable version for use by any person or company who needs their own version.

    That is just one “present” to the computer world. There are many more. The licence is just two sentences long. (http://en.wikipedia.org/wiki/ISC_license)

    OpenBSD people believe that the world is a better place when manufacturers use secure code in all software. Please use our stuff, just include the copyright.

    If I ask the developers which laptop I should buy the answer is almost 100% Lenovo ThinkPads.

    I have about seven of them currently including a bunch of “genuine” IBM ones up to two very current Lenovo models (one featherweight for travel and one heavy beast for grunty work) and I have never caught any “talk to momma” traffic but then I’m not testing with Windows of any kind. 8-)

    I may not be able to see some well hidden snooping but I find it hard to believe that it would not be detected by a bunch of the world’s security experts.

    • The counterargument against the Lenovo backdoor spying code has been that the problem isn’t that the Chinese have added a backdoor but rather Lenovo had refused to allow the NSA to put one in. More recently it has been reported that this is not the case and in fact Lenovo has now allowed this code to go in as required. Strangely though, it seems to me to be a potential worry no matter which of the 3 scenarios are in play.

  2. Lenovo never had much of a server line. They added a couple of token machines last year but very low end. This will fill in a big gap for Lenovo. It could also be telling about the direction of server sales, as IBM cannily got out of laptops/PCs just before that went spiralling down (an unexpected shock decision at the time that proved a real bonus for IBM profitability in the longer term).

  3. tin foil hat anyone?

    I’m sure the sensitive government server owners have more to worry about from the US NSA, who intercept the communications once they have left the server, than a firmware or driver update that would trigger “red” alerts from the govt firewalls once they stopped any unsolicited/suspicious traffic to China!