-
Intel Unveils New AI Chip, Gaudi 3, in Bid to Challenge Nvidia10 April 2024 -
Intel Announces New Initiatives for AI PC Developers and Hardware Vendors27 March 2024
-
Microsoft Wants OEMs Making AI PCs to Include a Dedicated Copilot Key in the Keyboard: Report27 March 2024
-
Intel Core 14th Gen i9-14900KS, With 24 Cores and Up to 6.2GHz Speed Launched: Details15 March 2024
-
Intel Launches New vPro Platform for Business Focused AI-Powered PCs at MWC 202429 February 2024
- Home
- Laptops
- Laptops News
- Critical 'ThinkPwn' Security Flaw Found in Lenovo Laptops; Other Manufacturers Potentially Vulnerable
Critical 'ThinkPwn' Security Flaw Found in Lenovo Laptops; Other Manufacturers Potentially Vulnerable
By Jamshed Avari | Updated: 4 July 2016 22:38 IST
Advertisement
Lenovo has owned up to the existence of a critical security vulnerability in the firmware of many of its laptops. After teasing it on Twitter on June 29, developer and self-described "unethical hacker" Dmytro Oleksiuk posted details of the vulnerability on GitHub. Commentators have quickly dubbed the issue 'ThinkPwn' although it now seems to be common to other hardware vendors. 
According to Oleksiuk, the flaw affects a large number of Lenovo's ThinkPad models going back several years. He claimed to have verified it on a ThinkPad X220, which launched in 2011. He has provided snippets of code and instructions on his GitHub post so that others can detect the vulnerability on systems they have access to.
The flaw allows remote attackers to disable write protection on a device's firmware and gain access to the System Management Mode, which is intended to be a secure environment for approved code to be run in. This must be done by physically accessing the device, which at least limits the scope of the attack. However, once that is done, an attacker can remotely disable the Secure Boot feature found in most modern UEFI BIOSes which verifies the integrity of the OS. Rootkits can then be introduced into a compromised system, allowing attackers to spy on them and take control of them remotely. Software security features designed to protect a person or company's credentials can also be compromised.
The company has issued an initial security advisory, LEN-8324, in which it says it is working on a solution as quickly as possible. According to the statement, Lenovo tried to contact the independent researcher who claimed knowledge of the problem, but he published it without any coordination. The statement goes on to state that Lenovo has identified vulnerable parts of its System Management Mode code, but pins the blame on "at least one of our Independent BIOS Vendors (IBVs)" - software companies to which Lenovo outsources the development of its custom BIOS firmware - as well as Intel, which created the common code base that IBVs work with.
Oleksiuk has tweeted that Lenovo only demanded that he not release his findings, and statements on his GitHub accuse the company of "copy-pasting" Intel's reference code for 8-series chipsets. He also makes a passing note that the code could have been crafted intentionally for use as a backdoor. This heavily suggests that Lenovo isn't the only company whose products are affected by the flaw, and at least one Twitter user has tweeted Oleksiuk with purported evidence that at least one HP laptop model is vulnerable.
Lenovo says it is working to identify the author of that specific piece of code, implying that it was not a mistake but put in purposefully. Functions such as remote administration have been known to expose controls of computer systems to unintended people either due to security lapses or poor judgment.
Lenovo has had several security problems of late, including revelations that it deliberately shipped PCs with spyware as well as easily compromised adware and other bloat preinstalled.
Comments
For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.
Further reading:
Intel, Lenovo, Lenovo System Management Mode, Lenovo ThinkPad, ThinkPad, UEFI BIOS, UEFI security, UEFI security flaw, UEFI vulnerability, security, security flaw, vulnerability
Related Stories
Critical 'ThinkPwn' Security Flaw Found in Lenovo Laptops; Other Manufacturers Potentially Vulnerable
Advertisement
Follow Us
Advertisement
Popular on Gadgets
- Galaxy S24 Series
- MWC 2024
- Apple Vision Pro
- Oneplus 12
- iPhone 14
- Apple iPhone 15
- OnePlus Nord CE 3 Lite 5G
- iPhone 13
- Xiaomi 14 Pro
- Oppo Find N3
- Tecno Spark Go (2023)
- Realme V30
- Best Phones Under 25000
- Samsung Galaxy S24 Series
- Cryptocurrency
- iQoo 12
- Samsung Galaxy S24 Ultra
- Giottus
- Samsung Galaxy Z Flip 5
- Apple 'Scary Fast'
- Housefull 5
- GoPro Hero 12 Black Review
- Invincible Season 2
- JioGlass
- HD Ready TV
- Laptop Under 50000
- Smartwatch Under 10000
- Latest Mobile Phones
- Compare Phones
Latest Gadgets
- Huawei Pura 70 Pro
- Huawei Pura 70
- Vivo V30e
- Itel Super Guru 4G
- Huawei Pura 70 Pro+
- Huawei Pura 70 Ultra
- Tecno Camon 30 Premier 5G
- Motorola Edge 50 Fusion
- Asus ZenBook Duo 2024 (UX8406)
- Dell Inspiron 14 Plus
- Realme Pad 2 Wi-Fi
- Redmi Pad Pro
- Cult Shock X
- Fire-Boltt Oracle
- Samsung Samsung Neo QLED 8K Smart TV QN800D
- Samsung Neo QLED 4K Smart TV (QN90D)
- Sony PlayStation 5 Slim Digital Edition
- Sony PlayStation 5 Slim
- Voltas 1.5 Ton 3 Star Split AC (183 Vectra Elegant 4503545)
- Hitachi 1.5 Ton 5 Star Inverter Split AC (RAS.G518PCBISF)
- About Us
- Sitemaps
- Feedback
- Archives
- Contact Us
- RSS
- Advertise
- Career
- Privacy Policy
- Ethics
- Editorial Policy
- Terms & Conditions
- Complaint Redressal
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2024. All rights reserved.
