Risk
7/29/2013
12:37 PM
Connect Directly
RSS
E-Mail
50%
50%

Intelligence Agencies Banned Lenovo PCs After Chinese Acquisition

U.S. feared use of PCs built by Lenovo posed security threat long before spying concerns over Huaweii and ZTE surfaced.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
Since at least 2006, personal computers manufactured by Lenovo have been banned from being used to access classified government networks in the United States, as well as in Australia, Britain, Canada and New Zealand.

That revelation was first reported by Australia's Financial Review (AFR), which said the blanket ban on using Lenovo's equipment to access "secret" or "top secret" government networks stemmed from fears that the Chinese government may have altered the equipment's firmware or added back doors to the hardware to allow it to be monitored by its own espionage agencies.

Those fears started after Beijing-based Lenovo acquired IBM's personal computing division for $1.25 billion in 2005.

In 2006, the U.S. State Department purchased 16,000 Lenovo PCs, at least 900 of which were to be used on classified networks. But after facing pressure from Congress, the State Department said that it would restrict the devices for use on "unclassified" networks and alter future procurement policies to reflect that change.

[ How far can the National Security Agency go in monitoring cellphone use? Read Can The NSA Really Track Turned-Off Cellphones?. ]

Today, the Lenovo ban is reportedly being practiced by multiple government agencies, including the intelligence agencies that participate in the "five eyes" electronic eavesdropping alliance, which comprises the U.S., U.K., Canada, Australia and New Zealand. According to AFR, the dominant suppliers of PCs used by the five countries' intelligence services that participate in the eavesdropping program are Dell and Hewlett-Packard.

Those five countries' intelligence agencies have reportedly configured their networks to handle classified data in similar ways. Notably, the agencies have connected parts of their top-secret and secret networks to allow for communication between them. Previously, access to each network was blocked, using an "air gap" model, which ensured that a single system could only access one particular confidential network. Now, however, intelligence agencies use a data diode, which allows a single system to access either network.

Despite the Lenovo ban, equipment sold by U.S. PC manufacturers is often built using chips produced in China. Accordingly, it's not clear if the ban would fully mitigate the risk of Chinese intelligence agencies sneaking firmware alterations or back doors into hardware. Prof. Farinaz Koushanfar at Rice University's Adaptive Computing and Embedded Systems Lab, notably, told AFR that the National Security Agency was "incredibly concerned about state-sponsored malicious circuitry and the counterfeit circuitry found on a widespread basis in U.S. defense systems."

"I've personally met with people inside the NSA who have told me that they've been working on numerous real-world cases of malicious implants for years," she said. "But these are all highly classified programs."

The revelation that intelligence agencies both in the U.S. and abroad have banned the use of Lenovo systems comes just one week after Michael Hayden told AFR he believed that Chinese telecom equipment maker Huawei actively spied for the Chinese government.

Fears of the Chinese government using equipment manufactured by Huawei or ZTE to spy on Western businesses and government agencies lead to the publication of a House of Representatives Permanent Select Committee on Intelligence report in October 2012 that prohibited U.S. government agencies from purchasing or using equipment from either vendor. It also strongly recommended that U.S. businesses rethink their use of equipment from either Huawei or ZTE.

UPDATE, 7/31/2013: In response to the AFR story, Australia's Department of Defense called the report of a ban on Lenovo "factually incorrect." It said in a statement: "There is no Department of Defense ban on the Lenovo Company or their products; either for classified or unclassified systems." Lenovo, meanwhile, declined to comment on the AFR report, except to reference the Australian government's statement.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
anon2776779135
50%
50%
anon2776779135,
User Rank: Apprentice
8/7/2014 | 6:30:49 AM
FotoDarek

Extremely educational post! There is a great deal of data here that can help any business begin with a fruitful informal communication fight!

FotoDarek
anon7665612341
50%
50%
anon7665612341,
User Rank: Apprentice
7/9/2014 | 9:28:06 PM
lenovo insists there is no security risk
While Lenovo insists that their computers present no security threat except some insufficient storage available problems , we must recall they do run the Windows OS that's an important hole:-) On a more serious note, this is clearly a just political measure - but why? No one with any technical understanding will consider that these systems present a greater security threat, unless someone shows a backdoor exists and alone supports this. Isolationism does not score political points the way and these are the same folks that will defend moving jobs. Who are the attempting to appeal to here? There can not be that many blindly individuals in the state.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6306
Published: 2014-08-22
Unspecified vulnerability on IBM Power 7 Systems 740 before 740.70 01Ax740_121, 760 before 760.40 Ax760_078, and 770 before 770.30 01Ax770_062 allows local users to gain Service Processor privileges via unknown vectors.

CVE-2014-0232
Published: 2014-08-22
Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1)...

CVE-2014-3525
Published: 2014-08-22
Unspecified vulnerability in Apache Traffic Server 4.2.1.1 and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks.

CVE-2014-3563
Published: 2014-08-22
Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-ssh, or (3) salt-cloud.

CVE-2014-3587
Published: 2014-08-22
Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists bec...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.