Several Western Govts. Ban Lenovo Equipment From Sensitive Networks 410
renai42 writes "If you've been in the IT industry for a while, you'll know that Lenovo's ThinkPad brand has a strong reputation with large organisations for quality, dating back to the brand's pre-2005 ownership by IBM. However, all that may be set to change with the news that the defence agencies of key Western governments such as Australia, the US, Britain, Canada and New Zealand have banned Lenovo gear from being used in sensitive areas, because of concerns that the Chinese vendor has been leaving back doors in its devices for the Chinese Government. No evidence has yet been presented to back the claims, but Lenovo remains locked out of sensitive areas of these governments. Is it fearmongering? Or is there some legitimate basis for the ban?"
Welcome to Cisco and MS's future... (Score:5, Interesting)
The problem is the credible fear of a lifecycle attack is sufficient to require that such hardware be avoided. There is a reasonable fear that the chinese might try something using Lenovo kit, therefore the classified networks need to avoid it. Its the same reason why Huawei networking hardware is avoided in some circles.
Of course, with the NSA now clearly off the leash, US IT equipment is now in the same position. Microsoft clearly backdoored Skype to enable easy wiretapping, the NSA is reportedly hacking foreign networks to introduce monitoring (who knows, perhaps it was the NSA responsible for the Athens Affair [ieee.org]?), and with any US Cloud service provider subject to PRISM-style requirements, US IT infrastructure is now in the same boat that the Chinese have been struggling with for years now.
Re: So instead? (Score:3, Interesting)
HP doesn't manufacturer in China or use components from others within there systems that are manufactured in China?
I doubt that.
Re:Their loss (Score:4, Interesting)
Not Capitalism, it's the "American way".
If you can't make a better product. get the other one banned or tie them up in litigation.
Not easily (Score:4, Interesting)
The motherboard may be made in China but the components are not. The chips are largely American in manufacture (most of them are Intel). Now I suppose the company making the motherboards could add a chip, but, well, that would kinda be noticed during the QA process by the company that ordered them. It isn't like you get parts from a Chinese manufacturer and just slap them in a unit sight-unseen. Not because of worries about spying but because quality control with Chinese companies can be... problematic. You have to test the parts and send back the failed ones (1%ish usually, sometimes more).
In terms of BIOS/UEFI? That's all Phoenix Technologies and American Megatrends. They are in California and Georgia respectively.
What a load of crap (Score:5, Interesting)
There isn't a single US manufacturer of motherboards any more; that would be the most sturdy place to insert any nefariousness (at least, nefariousness by the PC manufacturer.) Who knows where BIOS code is written these days; but I doubt it's the US.
Not to mention the whole stack of drivers you need, like those for on-board peripherals. It'd be just as easy to put a back-door in a Windows I/O driver as it would the BIOS.
Re:Their loss (Score:2, Interesting)
Hmmm. The fact that most (or all) Lenovo chief executives are Communists is not a legitimate concern?
Not really. I live in a part of the world were we aren't blindly taught that communist = evil, just as we aren't taught that corporations = evil.
If you can prove that the Lenovo chief executives are psychopaths then I might be concerned, but the competition doesn't really have a good track record so the alternative might be to not have a laptop at all.
Re:Their loss (Score:3, Interesting)
Re:Their loss (Score:5, Interesting)
This case was discussed also on Slashdot [slashdot.org]. However, if I remember correctly, it was never shown that the backdoor" (it had plausible deniability as a bug / stupid debugging feature) was added in the fab and the chip design came from outside China. I would think that if the designer had not put the backdoor in then they would very clearly have denied responsibility.
I'm really interested to know if anyone has any evidence that someone actually found such a backdoor. I'm sure they exist; I'm sure some spy services have found some, however I'm not sure that anyone admitted to doing it (and so giving away the level of their ability) and I don't have any evidence that the bug that was found was created by China (which would be fascinating).
Re:Their loss (Score:5, Interesting)
If you read the ORIGINAL article from Financial Review you may note this:
"Members of the British and Australian defence and intelligence communities say that malicious modifications to Lenovo’s circuitry – beyond more typical vulnerabilities or “zero-days” in its software – were discovered that could allow people to remotely access devices without the users’ knowledge. The alleged presence of these hardware “back doors” remains highly classified."
So, they found hardware vulnerabilities but they aren't stating what they are. Probably because they know that people would start exploiting them immediately. There's a reason this stuff stays quiet. Also note that the ban started in 2006. This is pretty old...it only getting reported now.