Does Lenovo put backdoors in if the Chinese government asks?
“If they want backdoors globally? We don’t provide them. If they want a backdoor in China, let’s just say that every multinational in China does the same thing.
“We comply with local laws. If the local laws say we don’t put in backdoors, we don’t put in backdoors. And we don’t just comply with the laws, we follow the ethics and the spirit of the laws.”
This shouldn’t surprise anyone, really. At this point, it’s pretty safe to assume that any major technology company selling products in China is putting backdoors into its products sold in China. Microsoft, Apple, phone makers – China is simply too powerful and important to ignore.
The question is whether they are also doing the same in Europe and the USA following requests from the respective local governments.
Considering Lenovo has already been caught more than once putting counterfeit certificates in their Windows installations at the behest of malware/adware makers, it’s a given they are also leaving the doors open for any government agency that asks. I don’t believe for a second they have any sort of morals about this at all. They are beholden to money, their shareholders, and the Chinese government in that order.
Some folks have said that despite what was found (again, more than once) on Lenovo’s consumer products, it has no bearing on their business machines like the ThinkPad series, but that’s just wishful thinking.
Bottom line, unless you built the device yourself from scratch, it should automatically be considered compromised. Even then, unless you control the CPU/APU/SoC supply chain, you could still be at risk. That said, unless you’re a high value target of some government agency or corporate spy, you have little to worry about for your day to day computing.
Edited 2018-09-19 22:54 UTC
One word answer: “Yes.”
The long(er) answer:
The only question isn’t whether they’re doing it, we know they do and will. The question is if they’re doing it to nations where that would be considered espionage: ex. putting Chinese snooping programs in hardware destined for the US or EU.
I’m willing to bet the PRC’s intelligence organs are every bit as efficient and perhaps more so than their western counterparts. Since a great deal of foreign companies have their products made in China, it’s just as likely their government is inserting both hardware and software back doors into products for both domestic distribution and export.
China has just as many resources, as much engineering knowledge, and even less oversight than the NSA, which has already been exposed as having widespread surveillance activities both abroad and at home, from inserting back door hardware in Juniper and Cisco ISP grade routers, weakening Intel hardware RNG, inserting bogus Elliptic Curve algorithms in officially accepted cryptographic specs, and taps in every major international telephone and data exchange in the US.
Lenovo has already shown they either have gross incompetence or malicious intent in the past with the security of their devices. It’s foolish to trust them with anything at this point.
After all, how can you legitimately trust a company with the policy of having system firmware reinstalling software the user has uninstalled?
https://www.theregister.co.uk/2015/08/12/lenovo_firmware_nasty/
That’s quite literally the definition of a firmware rootkit.
>putting Chinese snooping programs in hardware destined for the US or EU
We know for a fact that the US does this to hardware used by manufacturers in China, so why not the other way around? Big players like Huawei are cutting lots of their circuit-boards from sub-contractors in pieces because they know that some of them could contain hidden circuits planted there by the US, Israel, etc. as they have found this more than once.
Never trust hardware from China. It is often full of snooping hardware and/or software made in The USA. It is almost as bad as Cisco etc.
…their country, their rules.
Now the USA invaded countries for less democracy and human rights breaches. OK, by strange circumstances these countries had oil and other strategic resources, but I guess China has some too.
Trump?
#popcorn
Oh, sorry, someone just told me that the USA have basically the same rules about backdoors, my bad.
And ironically enough the Chinese regime’s request for backdoors in software and hardware is likely to backfire spectacularly: if there’s a backdoor then anybody can use it, not just them. It’s just a matter of discovering and exploiting it.
Based on what? How is China important for the company in itself? Would ignoring Chinese market lead to fading popularity and market cap in Europe or the Americas? Or even the neighbouring Asian countries? Personally I don’t see it. Nobody goes to China because they have to, no, they go there because they want to make more money.
It isn’t about capitalistic necessities, it is only about greed.
Edited 2018-09-20 07:51 UTC
Also, someone correct me if I’m wrong, but I’m pretty sure that Lenovo sells waaaay more laptops in Japan, Europe and the USA than they do in China, so in that case China isn’t that important for Lenovo anyway.
China isn’t important for Lenovo, a Chinese company based in China?
Clearly you’ve misunderstood me as I said “not important” with regards to *laptop sales*.
You realize, they will have 0 laptop sales if the Chinese government decides it needs to go.
Are there any Chinese companies not based in China?
Greed is an overused word. They do business in China like everyone else and with that they obey the local laws.
I suppose you don’t boycott Chinese products right?
Let’s say a US company ignores the Chinese market. Another US company dives head first into it.
Which US company is going to be more profitable? Which US company could use their profit and invest back into their US operations?
Can a US company ignore a US+China company?
The article does not mention what kind of backdoors, but they are more likely preinstalled trojans for the Windows 7, 10 that come with laptops.
It would be more serious if these were UEFI-based backdoors, or if some other chips on the board were modified, like to directly record keystrokes, store them in flash and send them to their servers in China.
I always say that those who use Windows are too dumb and deserve all the viruses they get. The learning curve of today’s Linux at user level is no more than a couple of weeks. Just ditch Windows and you will get rid of all this.
At the least 1 entry point, to sanitize firmware.
Unix philosophy is not out of caprice.
On keeping things simple and single you can hard, harden them.
All machines have to be approached as far as possible to a finite number of states.
Accepting firmware is like accepting a contract with the critical paragraphs written with pencil.
Replacing the computing unit, not updating it, the path forward.
This is especially true of critical, now social, services.
At times believing this was born from a policy of leaving no traces of very, very bad works.
Edited 2018-09-21 14:23 UTC