Risk
7/29/2013
12:37 PM
Connect Directly
RSS
E-Mail
50%
50%

Intelligence Agencies Banned Lenovo PCs After Chinese Acquisition

U.S. feared use of PCs built by Lenovo posed security threat long before spying concerns over Huaweii and ZTE surfaced.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
Since at least 2006, personal computers manufactured by Lenovo have been banned from being used to access classified government networks in the United States, as well as in Australia, Britain, Canada and New Zealand.

That revelation was first reported by Australia's Financial Review (AFR), which said the blanket ban on using Lenovo's equipment to access "secret" or "top secret" government networks stemmed from fears that the Chinese government may have altered the equipment's firmware or added back doors to the hardware to allow it to be monitored by its own espionage agencies.

Those fears started after Beijing-based Lenovo acquired IBM's personal computing division for $1.25 billion in 2005.

In 2006, the U.S. State Department purchased 16,000 Lenovo PCs, at least 900 of which were to be used on classified networks. But after facing pressure from Congress, the State Department said that it would restrict the devices for use on "unclassified" networks and alter future procurement policies to reflect that change.

[ How far can the National Security Agency go in monitoring cellphone use? Read Can The NSA Really Track Turned-Off Cellphones?. ]

Today, the Lenovo ban is reportedly being practiced by multiple government agencies, including the intelligence agencies that participate in the "five eyes" electronic eavesdropping alliance, which comprises the U.S., U.K., Canada, Australia and New Zealand. According to AFR, the dominant suppliers of PCs used by the five countries' intelligence services that participate in the eavesdropping program are Dell and Hewlett-Packard.

Those five countries' intelligence agencies have reportedly configured their networks to handle classified data in similar ways. Notably, the agencies have connected parts of their top-secret and secret networks to allow for communication between them. Previously, access to each network was blocked, using an "air gap" model, which ensured that a single system could only access one particular confidential network. Now, however, intelligence agencies use a data diode, which allows a single system to access either network.

Despite the Lenovo ban, equipment sold by U.S. PC manufacturers is often built using chips produced in China. Accordingly, it's not clear if the ban would fully mitigate the risk of Chinese intelligence agencies sneaking firmware alterations or back doors into hardware. Prof. Farinaz Koushanfar at Rice University's Adaptive Computing and Embedded Systems Lab, notably, told AFR that the National Security Agency was "incredibly concerned about state-sponsored malicious circuitry and the counterfeit circuitry found on a widespread basis in U.S. defense systems."

"I've personally met with people inside the NSA who have told me that they've been working on numerous real-world cases of malicious implants for years," she said. "But these are all highly classified programs."

The revelation that intelligence agencies both in the U.S. and abroad have banned the use of Lenovo systems comes just one week after Michael Hayden told AFR he believed that Chinese telecom equipment maker Huawei actively spied for the Chinese government.

Fears of the Chinese government using equipment manufactured by Huawei or ZTE to spy on Western businesses and government agencies lead to the publication of a House of Representatives Permanent Select Committee on Intelligence report in October 2012 that prohibited U.S. government agencies from purchasing or using equipment from either vendor. It also strongly recommended that U.S. businesses rethink their use of equipment from either Huawei or ZTE.

UPDATE, 7/31/2013: In response to the AFR story, Australia's Department of Defense called the report of a ban on Lenovo "factually incorrect." It said in a statement: "There is no Department of Defense ban on the Lenovo Company or their products; either for classified or unclassified systems." Lenovo, meanwhile, declined to comment on the AFR report, except to reference the Australian government's statement.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
anon7665612341
50%
50%
anon7665612341,
User Rank: Apprentice
7/9/2014 | 9:28:06 PM
lenovo insists there is no security risk
While Lenovo insists that their computers present no security threat except some insufficient storage available problems , we must recall they do run the Windows OS that's an important hole:-) On a more serious note, this is clearly a just political measure - but why? No one with any technical understanding will consider that these systems present a greater security threat, unless someone shows a backdoor exists and alone supports this. Isolationism does not score political points the way and these are the same folks that will defend moving jobs. Who are the attempting to appeal to here? There can not be that many blindly individuals in the state.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2963
Published: 2014-07-10
Multiple cross-site scripting (XSS) vulnerabilities in group/control_panel/manage in Liferay Portal 6.1.2 CE GA3, 6.1.X EE, and 6.2.X EE allow remote attackers to inject arbitrary web script or HTML via the (1) _2_firstName, (2) _2_lastName, or (3) _2_middleName parameter.

CVE-2014-3310
Published: 2014-07-10
The File Transfer feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center does not verify that a requested file was an offered file, which allows remote attackers to read arbitrary files via a modified request, aka Bug IDs CSCup62442 and CSCup58463.

CVE-2014-3311
Published: 2014-07-10
Heap-based buffer overflow in the file-sharing feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center allows remote attackers to execute arbitrary code via crafted data, aka Bug IDs CSCup62463 and CSCup58467.

CVE-2014-3315
Published: 2014-07-10
Cross-site scripting (XSS) vulnerability in viewfilecontents.do in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCup76308.

CVE-2014-3316
Published: 2014-07-10
The Multiple Analyzer in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote authenticated users to bypass intended upload restrictions via a crafted parameter, aka Bug ID CSCup76297.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.