Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Intelligence Agencies Banned Lenovo PCs After Chinese Acquisition

U.S. feared use of PCs built by Lenovo posed security threat long before spying concerns over Huaweii and ZTE surfaced.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
Since at least 2006, personal computers manufactured by Lenovo have been banned from being used to access classified government networks in the United States, as well as in Australia, Britain, Canada and New Zealand.

That revelation was first reported by Australia's Financial Review (AFR), which said the blanket ban on using Lenovo's equipment to access "secret" or "top secret" government networks stemmed from fears that the Chinese government may have altered the equipment's firmware or added back doors to the hardware to allow it to be monitored by its own espionage agencies.

Those fears started after Beijing-based Lenovo acquired IBM's personal computing division for $1.25 billion in 2005.

In 2006, the U.S. State Department purchased 16,000 Lenovo PCs, at least 900 of which were to be used on classified networks. But after facing pressure from Congress, the State Department said that it would restrict the devices for use on "unclassified" networks and alter future procurement policies to reflect that change.

[ How far can the National Security Agency go in monitoring cellphone use? Read Can The NSA Really Track Turned-Off Cellphones?. ]

Today, the Lenovo ban is reportedly being practiced by multiple government agencies, including the intelligence agencies that participate in the "five eyes" electronic eavesdropping alliance, which comprises the U.S., U.K., Canada, Australia and New Zealand. According to AFR, the dominant suppliers of PCs used by the five countries' intelligence services that participate in the eavesdropping program are Dell and Hewlett-Packard.

Those five countries' intelligence agencies have reportedly configured their networks to handle classified data in similar ways. Notably, the agencies have connected parts of their top-secret and secret networks to allow for communication between them. Previously, access to each network was blocked, using an "air gap" model, which ensured that a single system could only access one particular confidential network. Now, however, intelligence agencies use a data diode, which allows a single system to access either network.

Despite the Lenovo ban, equipment sold by U.S. PC manufacturers is often built using chips produced in China. Accordingly, it's not clear if the ban would fully mitigate the risk of Chinese intelligence agencies sneaking firmware alterations or back doors into hardware. Prof. Farinaz Koushanfar at Rice University's Adaptive Computing and Embedded Systems Lab, notably, told AFR that the National Security Agency was "incredibly concerned about state-sponsored malicious circuitry and the counterfeit circuitry found on a widespread basis in U.S. defense systems."

"I've personally met with people inside the NSA who have told me that they've been working on numerous real-world cases of malicious implants for years," she said. "But these are all highly classified programs."

The revelation that intelligence agencies both in the U.S. and abroad have banned the use of Lenovo systems comes just one week after Michael Hayden told AFR he believed that Chinese telecom equipment maker Huawei actively spied for the Chinese government.

Fears of the Chinese government using equipment manufactured by Huawei or ZTE to spy on Western businesses and government agencies lead to the publication of a House of Representatives Permanent Select Committee on Intelligence report in October 2012 that prohibited U.S. government agencies from purchasing or using equipment from either vendor. It also strongly recommended that U.S. businesses rethink their use of equipment from either Huawei or ZTE.

UPDATE, 7/31/2013: In response to the AFR story, Australia's Department of Defense called the report of a ban on Lenovo "factually incorrect." It said in a statement: "There is no Department of Defense ban on the Lenovo Company or their products; either for classified or unclassified systems." Lenovo, meanwhile, declined to comment on the AFR report, except to reference the Australian government's statement.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
anon7665612341
50%
50%
anon7665612341,
User Rank: Apprentice
7/9/2014 | 9:28:06 PM
lenovo insists there is no security risk
While Lenovo insists that their computers present no security threat except some insufficient storage available problems , we must recall they do run the Windows OS that's an important hole:-) On a more serious note, this is clearly a just political measure - but why? No one with any technical understanding will consider that these systems present a greater security threat, unless someone shows a backdoor exists and alone supports this. Isolationism does not score political points the way and these are the same folks that will defend moving jobs. Who are the attempting to appeal to here? There can not be that many blindly individuals in the state.
anon2776779135
50%
50%
anon2776779135,
User Rank: Apprentice
8/7/2014 | 6:30:49 AM
FotoDarek

Extremely educational post! There is a great deal of data here that can help any business begin with a fruitful informal communication fight!

FotoDarek
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-29040
PUBLISHED: 2021-05-16
The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused att...
CVE-2021-29041
PUBLISHED: 2021-05-16
Denial-of-service (DoS) vulnerability in the Multi-Factor Authentication module in Liferay DXP 7.3 before fix pack 1 allows remote authenticated attackers to prevent any user from authenticating by (1) enabling Time-based One-time password (TOTP) on behalf of the other user or (2) modifying the othe...
CVE-2021-29047
PUBLISHED: 2021-05-16
The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer.
CVE-2021-22668
PUBLISHED: 2021-05-16
Delta Industrial Automation CNCSoft ScreenEditor Versions 1.01.28 (with ScreenEditor Version 1.01.2) and prior are vulnerable to an out-of-bounds read while processing project files, which may allow an attacker to execute arbitrary code.
CVE-2021-29039
PUBLISHED: 2021-05-16
Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name.