Risk
7/29/2013
12:37 PM
50%
50%

Intelligence Agencies Banned Lenovo PCs After Chinese Acquisition

U.S. feared use of PCs built by Lenovo posed security threat long before spying concerns over Huaweii and ZTE surfaced.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
Since at least 2006, personal computers manufactured by Lenovo have been banned from being used to access classified government networks in the United States, as well as in Australia, Britain, Canada and New Zealand.

That revelation was first reported by Australia's Financial Review (AFR), which said the blanket ban on using Lenovo's equipment to access "secret" or "top secret" government networks stemmed from fears that the Chinese government may have altered the equipment's firmware or added back doors to the hardware to allow it to be monitored by its own espionage agencies.

Those fears started after Beijing-based Lenovo acquired IBM's personal computing division for $1.25 billion in 2005.

In 2006, the U.S. State Department purchased 16,000 Lenovo PCs, at least 900 of which were to be used on classified networks. But after facing pressure from Congress, the State Department said that it would restrict the devices for use on "unclassified" networks and alter future procurement policies to reflect that change.

[ How far can the National Security Agency go in monitoring cellphone use? Read Can The NSA Really Track Turned-Off Cellphones?. ]

Today, the Lenovo ban is reportedly being practiced by multiple government agencies, including the intelligence agencies that participate in the "five eyes" electronic eavesdropping alliance, which comprises the U.S., U.K., Canada, Australia and New Zealand. According to AFR, the dominant suppliers of PCs used by the five countries' intelligence services that participate in the eavesdropping program are Dell and Hewlett-Packard.

Those five countries' intelligence agencies have reportedly configured their networks to handle classified data in similar ways. Notably, the agencies have connected parts of their top-secret and secret networks to allow for communication between them. Previously, access to each network was blocked, using an "air gap" model, which ensured that a single system could only access one particular confidential network. Now, however, intelligence agencies use a data diode, which allows a single system to access either network.

Despite the Lenovo ban, equipment sold by U.S. PC manufacturers is often built using chips produced in China. Accordingly, it's not clear if the ban would fully mitigate the risk of Chinese intelligence agencies sneaking firmware alterations or back doors into hardware. Prof. Farinaz Koushanfar at Rice University's Adaptive Computing and Embedded Systems Lab, notably, told AFR that the National Security Agency was "incredibly concerned about state-sponsored malicious circuitry and the counterfeit circuitry found on a widespread basis in U.S. defense systems."

"I've personally met with people inside the NSA who have told me that they've been working on numerous real-world cases of malicious implants for years," she said. "But these are all highly classified programs."

The revelation that intelligence agencies both in the U.S. and abroad have banned the use of Lenovo systems comes just one week after Michael Hayden told AFR he believed that Chinese telecom equipment maker Huawei actively spied for the Chinese government.

Fears of the Chinese government using equipment manufactured by Huawei or ZTE to spy on Western businesses and government agencies lead to the publication of a House of Representatives Permanent Select Committee on Intelligence report in October 2012 that prohibited U.S. government agencies from purchasing or using equipment from either vendor. It also strongly recommended that U.S. businesses rethink their use of equipment from either Huawei or ZTE.

UPDATE, 7/31/2013: In response to the AFR story, Australia's Department of Defense called the report of a ban on Lenovo "factually incorrect." It said in a statement: "There is no Department of Defense ban on the Lenovo Company or their products; either for classified or unclassified systems." Lenovo, meanwhile, declined to comment on the AFR report, except to reference the Australian government's statement.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
anon2776779135
50%
50%
anon2776779135,
User Rank: Apprentice
8/7/2014 | 6:30:49 AM
FotoDarek

Extremely educational post! There is a great deal of data here that can help any business begin with a fruitful informal communication fight!

FotoDarek
anon7665612341
50%
50%
anon7665612341,
User Rank: Apprentice
7/9/2014 | 9:28:06 PM
lenovo insists there is no security risk
While Lenovo insists that their computers present no security threat except some insufficient storage available problems , we must recall they do run the Windows OS that's an important hole:-) On a more serious note, this is clearly a just political measure - but why? No one with any technical understanding will consider that these systems present a greater security threat, unless someone shows a backdoor exists and alone supports this. Isolationism does not score political points the way and these are the same folks that will defend moving jobs. Who are the attempting to appeal to here? There can not be that many blindly individuals in the state.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-5395
Published: 2014-11-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei HiLink E3276 and E3236 TCPU before V200R002B470D13SP00C00 and WebUI before V100R007B100D03SP01C03, E5180s-22 before 21.270.21.00.00, and E586Bs-2 before 21.322.10.00.889 allow remote attackers to hijack the authentication of users ...

CVE-2014-7137
Published: 2014-11-21
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to projet/tasks/contact.php; (4...

CVE-2014-7871
Published: 2014-11-21
SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?