Security researchers have discovered major vulnerabilities in Lenovo's PCs that could allow hackers to bypass validation checks and replace legitimate Lenovo programs with malicious software to control the computers remotely.
Security firm IOActive reports that attackers could create a fake certificate authority to sign executables, allowing malicious software to impersonate as official Lenovo software. When a Lenovo pc user updates their machine outside in a crowded place like a coffee shop, another individual could easily use the security hole to swap Lenovo's programs with their own. Researchers call this the "classic coffee shop attack." The security flaws are reportedly present in Lenovo System Update 18.104.22.168 as well as earlier versions.
The security threat was first discovered in February and were brought to Lenovo's attention in order to allow the Chinese firm to develop a fix. The pc maker quickly released a security patch last month to removes the bugs from the system, but users have to download the security update themselves to avoid having their computers compromised by what IOActive calls a major security threat. Researchers state, “Arbitrarily executing commands sent by a malicious unprivileged user represents a massive security risk.”
The researchers explain, “The System Update downloads executables from the internet and runs them. As a security measure Lenovo signs its executables and checks the signature before running them, but unfortunately does not completely verify them. As a result, an attacker can create a fake certificate authority which can then be used to sign executables. Remote attackers who can perform a man-in-the-middle attack (the classic coffee shop attack) can exploit this to swap Lenovo's executables with a malicious executable.”
Earlier this year, one of the world's largest PC makers was accused of installing adware on its new computers, that displays ads into search engine results without the user's permission. The software could also be used for man-in-the-middle attacks and even take control of SSL/TLS connections to websites. After the news was made public, Lenovo had issued a public apology for installing the adware. Peter Hortensius, Lenovo’s Chief Technology Officer had said in an interview, “We messed up badly here. We made a mistake. Our guys missed it. We’re not trying to hide from the issue — we’re owning it.”