
Lenovo Banned by U.S. State Department 474

Posted by Zonk
from the somebody's-watching-me dept.
chrplace writes "The BBC is reporting that the Chinese-made Lenovo PCs are not allowed inside secure US networks." From the article: "Assistant Secretary of State Richard Griffin said the department would also alter its procurement process to ensure US information security was guaranteed. His comments came after Rep Frank Wolf expressed national security concerns. The company Lenovo insisted such concerns were unwarranted and said the computers posed no security risk."

  • Protectionism? Why? (Score:5, Interesting)

    by denissmith (31123) * on Friday May 19, 2006 @10:17AM (#15365254)
    While Lenovo insists that their computers pose no security risk, we need to remember that they do run the Windows OS which is a significant hole :-) On a more serious note, this is obviously a purely political step - but why? No one with any technical savvy is going to believe that these systems pose a greater security risk, unless someone independently confirms this and demonstrates how a backdoor exists. Is a mere accusation enough to get a company dumped from secure contracts? If so, I have dirt on Halliburton, KBR, CACI and a host of companies who are defrauding government agencies. Isolationism doesn't score political points the way it used to, and these are the same people that will happily defend moving jobs off shore. Who are they trying to appeal to here? There can't be that many blindly stupid people in the country (29%, or so, it seems)...
  • Dumb (Score:5, Interesting)

    by homer_ca (144738) on Friday May 19, 2006 @10:18AM (#15365263)
    It's not like the PCs weren't made in China when the division was owned by IBM.
  • That's interesting (Score:1, Interesting)

    by Anonymous Coward on Friday May 19, 2006 @10:24AM (#15365302)
    Proprietary software is banned from our network for similar (more valid) reasons.
  • by BrianRoach (614397) on Friday May 19, 2006 @10:26AM (#15365318)
    By buying Dells ... assembled from components made in Taiwan. ::rollseyes::

    I wonder if it's actually possible to construct a PC at this point without using at least one component that originated in China, given that everyone is now shifting manufacturing there.

    - Roach
  • by Spiked_Three (626260) on Friday May 19, 2006 @10:29AM (#15365343)
    "No one with any technical savvy is going to believe that these systems pose a greater security risk, unless someone independently confirms this and demonstrates how a backdoor exists."

    Why would you think this has not already happened? Add to that the fact that the government buys these things in bulk and even IF a sample possessed no backdoor, how hard would it be to put a backdoor in 1 out of 1000 and hope it gets by?

    Paranoid? I think not, you haven't had night shift cleaning crews hired by the Chinese into your business have you? It happens.

    If Windows has US government demanded backdoors as so many Slashdotters insist, why would ANYONE think the Chinese (or the Russians or the French or the Germans or the English or the Japanese or the Koreans ....) wouldn't do the same on their hardware?
  • by blueZhift (652272) on Friday May 19, 2006 @10:30AM (#15365355) Homepage Journal
    There's definitely a lot of politics and money in play here. Practically speaking, it would be difficult to impossible to exclude products made by any country that may be a present or future enemy of the US from use in govt agencies. And ironically the US govt has aided and abetted the rise of Chinese economic and political power that now they suddenly fear. If they really cared so much, they should have said something before IBM sold its PC division to Lenovo. So given that everyone spies on everyone else, the real trick is not to stop the spying, but to make sure that your enemy (and sometimes your friends) only get inaccurate or junk info.

    For the current matter, I would guess that some domestic PC maker is trying to take advantage of the situation, *cough*Dell*cough*HP*cough, pardon me!
  • Re:Cry Wolf (Score:2, Interesting)

    by Anonymous Coward on Friday May 19, 2006 @10:30AM (#15365356)
    A simple fact makes Mr. Wolf's statements nonsensical:

    Pretty much all laptops are made in China by the Chinese.
  • by forgotten_my_nick (802929) on Friday May 19, 2006 @10:31AM (#15365360)
    While I may not agree with it the US government has a point.

    Does anyone remember the US Jet that was sold to the Chinese President? More than 20 bugging devices found in it. Some of them built into the jet's framework itself (so they weren't casually put there).

    http://news.bbc.co.uk/2/hi/asia-pacific/1771238.stm [bbc.co.uk]

    Although there is so much Chinese tech in the US these days even just avoiding the Chinese company isn't going to avoid China.
  • by JanneM (7445) on Friday May 19, 2006 @10:41AM (#15365442) Homepage
    Now, tell a government inspector to take apart a Lenovo and verify that there are no spychips in it. They'll simply laugh and say, "It has spent time outside of this country, it cannot be used to store or process sensitive information." This isn't saying "Chinese bad," it's simply a fail safe security measure for them.

    And why does this not go for the subsystems in any computer, not just the assembled whole? How do you for a fact know that the IC in that ethernet board or video card really is bog standard and not a "special" version? How do you know that the motherboard does not have a few "extras" implemented, in hardware or in the BIOS? They've all been manufactured abroad, after all.

    With your logic, nothing that isn't built ground up within the US borders should be allowed - and good luck with that.

    No, to paraphrase Freud, sometimes a xenophobic knee-jerk reaction is just a xenophobic knee-jerk reaction.
  • Re:Cry Wolf (Score:3, Interesting)

    by networkBoy (774728) on Friday May 19, 2006 @10:49AM (#15365491) Homepage Journal
    My concern would be a compromised firmware &&|| microcode in the chipset.
    With a large enough flash memory you could log a lot of information, all this can happen at the BIOS level. Then you try to acquire the notebooks upon refresh. Doesn't matter that the HDD is crushed, you have it in flash. If you compromise the network stack you could (in theory) do packet inspection and store interesting packets. If you compromise the chipset you can do almost anything. NOR flash cells are a compatible process with logic cells (NAND is not). So there is no reason that you can't make chipsets with a gob of flash memory hidden on-die. You could even obfuscate the existence of the array by placing random metal lines on higher layers, thus hiding the orderly row and column arrangement of a memory array.

    None of these techniques require the machine to phone home, none are externally obvious, none are electrically obvious (sniffing the hardware would not yield a result as all the parsing and storage happens on the same die). The only way to be partly sure is to deprocess every die on the system, and that could take some time.

    Every single system could be compromised and you simply reclaim the ones from waste that you can, chances are even if the unit is crushed, some of the chips you are interested in retrieving are intact.
    -nB
  • Re:Old News (Score:2, Interesting)

    by superid (46543) on Friday May 19, 2006 @10:50AM (#15365504) Homepage
    Find me a reference, I don't believe you.

    I have at least 30 different classified computers and have been managing secure LANs for years. I have never ever seen or heard of such a requirement. "Rigorous investigation" of software? Nope, never seen that either.
  • by jandrese (485) <kensama@vt.edu> on Friday May 19, 2006 @10:51AM (#15365506) Homepage Journal
    Not to mention the US Embassy [bugsweeps.com] in Moscow built during the cold war.

    This is why there is legitimate concern about this sort of thing. It actually happens. It would make a great spying tool as well. Just add some keylogging logic as well as some storage (perhaps store it on unused sectors of the HDD) to the southbridge as well as a hook into the onboard NIC. When an attacker gets a machine on the network (these machines wouldn't be connected to the internet) somehow, they send out a specially formatted broadcast message (probably in the form of an apparently corrupt Ethernet frame) that causes all of the affected machines to dump the contents of their keylogs to the machine that sent the broadcast. It'd take just seconds and it'd be almost impossible to catch. It would work even if you don't have full access to the network and you wouldn't have to leave a machine conspicuously on the network for a long time. It could even be a PDA or some custom box that can be plugged and unplugged within seconds.

    What do I think about the feasibility of this attack? Personally, I don't think it's likely that it's in use at the moment. Most laptops just use off of the shelf components. AFAIK, Lenovo doesn't actually manufacture the southbridge themselves, they use existing chips from other companies (like Intel). Adding another chip to the laptop (especially a lot of laptops) would be too risky since eventually some repair monkey is going to notice it, especially if the chip you add fails and causes problems with the laptop. There are still guys out there who know what chips do by their serial number and what they should look like. They'll also know if you have some mislabeled chip that shouldn't be there (Why is there an external UART chip on this laptop? It's a built in feature of the southbridge. Why is it wired to the keyboard lines on the Southbridge?) Thus, such a change would have to be installed strategically, which is difficult when selling in quantities of a thousand to the government.
  • by Anonymous Coward on Friday May 19, 2006 @10:54AM (#15365532)
    Actually I consider that to be a very serious threat to national security. What happens if someday we do go to war with China, suddenly the shelves of Walmart are completely bare. We have no production base in the United States anymore, and it was that production base that won us the last World War. China doesn't have to embed gremlins in their products to take the USA down, they just have to stop selling their products to us and our economy/society would collapse.
  • by goombah99 (560566) on Friday May 19, 2006 @11:14AM (#15365697)
    Hardware and software backdoors are a reality. Look at the Taiwanese router maker that put a backdoor password in all the Netgear routers. Consider that Britain finally wised up and won't buy closed source software on their defense avionics. Consider the fact that slot machines get ripped off every year by programmers putting in backdoors.

    Sure it's more difficult to imagine how commodity hardware would be rigged but it's not implausible if the target warrants it. There's been some pretty big efforts staged for security interests. For example, the NSA's recent efforts and the British enigma cracking computers.

    The total capitalization of Lenovo is a teeny teeny teeny fraction of the value of being able to have a backdoor to secret US government negotiating positions. teeny. It would not only be truly worth the risk of exposure and loss of business, it would be a dereliction of duty for the Chinese not to try to rig the machines.
  • Re:28% a minority? (Score:4, Interesting)

    by Anonymous Meoward (665631) on Friday May 19, 2006 @11:14AM (#15365698)

    And if you want to be really paranoid, the "minority stakeholder" is in fact the People's Liberation Army.

    Y'see, the PLA, unlike the armed forces of every other country on the planet, doesn't get its funding from the central government. They have their own business ventures, be it a stake in Lenovo or agricultural exports produced with slave labor. (Oops, I mean "re-education camps", silly me.)

    If you want to know why this is so, read up on the Cultural Revolution, and how it almost tore China apart. Had the PLA not stepped in, China could have devolved into civil war yet again. The top general staff of the PLA obviously has every interest in maintaining control, so they would rather manage their own purse strings. It beats relying on the caprice of the leader of the People's Central Committee.

    Getting back to the original question: Is it possible that some "extra" circuitry is in every Lenovo laptop? Certainly. Is it likely? I don't think so. (One thing to consider is how the U.S. Government is buying these laptops. We're addicted to deficit spending, and selling bonds to China's central bank.)

    Should every Lenovo laptop be inspected before use in government offices, just in case some enterprising intelligence officer in the PLA is really that stupid?

    Umm.... can't hurt.

  • by SmokedS (973779) on Friday May 19, 2006 @11:27AM (#15365788)
    I don't believe in Windows backdoors any more than I believe that the Lenovo people are able to pull this off without anyone detecting it.

    Agreed, for now, MS would most likely not be able to hide such things. But what about when Treacherous Computing [gnu.org] comes around?
    I don't know about you, but Microsoft having their own hardware encrypted little processing enclaves, communicating over an encrypted channel with Microsoft, on most of the computers in the world gives me the shivers in a bad way.
  • by WindBourne (631190) on Friday May 19, 2006 @11:35AM (#15365846) Journal
    It is easy to embed interesting code inside of special chips.

    And the USA should know. We have done it a number of times to many other countries. In fact, if the gov really wanted to make certain that it could not happen to us, they would not buy from a specific company but from many companies esp. the white labels. As it is, when you buy all your systems from just one company, it is far easier to get inside the chips that make up these, than doing it to everybody.
  • by Steepe (114037) on Friday May 19, 2006 @12:08PM (#15366128) Homepage
    "That is FUD pure and simple. Unless I'm clueless, backdoors are software not hardware"

    You're clueless.

    Backdoors can be placed in firmware in a chip or hard coded into a chip. With millions of transistors in even the smallest chips, how hard would it be for them to put in a couple, in the bus path, or the network communications path, or any number of other places that kick back and listen for X. When X happens, open a link on an unsuspecting port encrypted and give full access to the box, or log keys and wait for something to happen or some set time and dump the data somewhere.

    There are many many many ways this can be done and hidden, and anyone with even a slight technical background could point this out.

    Why do clueless people bother to voice their uninformed opinions on something? The standard liberal mantra. Scream louder than anyone else and the crap you are spewing becomes true?

  • by letxa2000 (215841) on Friday May 19, 2006 @12:22PM (#15366269)
    Unless I'm clueless, backdoors are software not hardware, and Lenovo makes hardware

    Backdoors can be anywhere and they could just as easily be placed in hardware. In fact, they'd be much harder to detect in hardware since "opening up" a chip is a heck of a lot harder than disassembling executable code that is fully visible. Chips have a bunch of input pins and output pins--what goes on inside may as well be "magic" unless you have a lot of time and money available to try to reverse engineer the IC.

    Also, aren't almost all computers and electronics made in China today? What is unique about Lenovo besides they are an offshoot of an American designed piece of hardware (that odds are was fabbed in China for years)?

    This is just speculation, but it's not unreasonable to imagine that a given backdoor could only work in a given configuration involving multiple ICs with backdoors--in fact, unless the backdoor is in the processor itself, any given backdoor in an IC would probably have to operate in conjunction with backdoors on other ICs on the motherboard. For a backdoor to be useful, it's either going to send a memory dump back "home" (which is doubtful because it'd be big enough that it'd be easily detected) or it's going to have to be able to "spy" on the CPU. If the backdoor isn't in the CPU, it's going to take multiple ICs with backdoors to build a picture of what the CPU is doing based on its interaction with other ICs on the motherboard. So while many ICs may come from China, any potential backdoored ICs are probably only going to be able to do their job when used in conjunction with other ICs with similar backdoors and used on a motherboard that connects those ICs in a way that is conducive to the functioning of the backdoor.

    Is this far-fetched? Maybe a little, but not much. Do NOT underestimate the value (perceived and real) that countries place on knowing things about their military and economic competitors. If a company China had a stake in was known to have a contract for 16,000 computers at the U.S. State Department, it would be naive to believe that China wouldn't try to make the most of that as possible from an intelligence standpoint.

    And, as I've already said, it's not unreasonable to think that the U.S. Federal Government should have a "Buy American" policy on products and services.

  • by Watts Martin (3616) <layotlNO@SPAMgmail.com> on Friday May 19, 2006 @01:09PM (#15366737) Homepage
    how hard would it be for them to put in a couple, in the bus path, or the network communications path, or any number of other places that kick back and listen for X. When X happens, open a link on an unsuspecting port encrypted and give full access to the box, or log keys and wait for something to happen or some set time and dump the data somewhere.

    The first scenario is not a matter of "a few transistors"; to give "full access to the box," you need to be able to communicate with the box at an operating system level. The question you're really asking is, "How hard would it be to put the equivalent of VNC in hardware and have it transparently work with the OS on a laptop," and the answer is "very." The second scenario is more plausible, but exactly where is the "somewhere" the data is being dumped to? The laptop may not be on a network all the time, and most corporate networks are running firewalls these days, despite what the cynics will tell you. (I haven't been able to open a non-standard port out at any company I've worked at in the last four years, and when I've opened a standard SSH connection to my home machine I've gotten questioned more than once.) Do you propose that at midnight the computer is going to automatically FedEx a flash card to China?

    Go talk to a company that actually deals with classified technologies and export controls sometime. Business computers manufactured by a company that has a home office in China are not very high on the list of things they worry about. And you are aware that many laptops sold by non-Chinese companies are made in China anyway, right? If it were truly so easy to be hiding nefarious things on motherboards, they could be just as easily "bugged" by a subcontractor. The fact that we're worried about Lenovo and not about Dell shows this is more about making a political point than making the State Department safer.

    Why do clueless people bother to voice their uninformed opinions on something? The standard liberal mantra.

    If only more Americans gave the careful, deliberate consideration to important matters that Rush Limbaugh and Bill O'Reilly do.
  • by tacokill (531275) on Friday May 19, 2006 @01:26PM (#15366903)
    Am I the only one that remembers when the CIA put defective chips into a pipeline system [msn.com] -- and blew it up on purpose?

    Jeez, you guys act like this is "just a product" and it's wayyyy more than that, when your national security infrastructure is being manufactured outside the US. There is nothing to prevent the Chinese from supplying the same thing to us and I am quite sure they have the technical competency to pull it off.

    So the remedy is simple: don't buy Lenovo.
  • by Anonymous Coward on Friday May 19, 2006 @01:44PM (#15367082)
    right, as opposed to where you have absolutely ZERO chance of knowing about and/or analyzing ANYTHING in proprietary software? Who is the bigger fool?
  • by timjdot (638909) on Friday May 19, 2006 @04:23PM (#15368438) Homepage
    Yeah, no sense to /dotters with no knowledge of the past. I'm trying to find the reference articles to educate these naive folks. Basically about 15 years ago a Scandinavian telco discovered switches being sold by American companies had backdoors to shut down the phone systems. Corporate world working for military. Also, it is fairly common knowledge printers sold by US companies to Iraq and others contained transmitters. "Export printers". I found an article reference on the Black Art of Electronic Warfare but cannot find articles on these yet. Too much noise on Google.

    I also worked with an engineer who'd worked on an undersea cable system where they had to revise the design so submarines could tap in every ten miles or so. Do you recall the case a few years ago where US spies determined the Spanish government had unfairly awarded a business contract to a Spanish company and not the company who technically should have won? Business and military are intertwined more than /dotters seem to realize. Finally, Carnivore is SW based so does not lend itself to the argument the espionage/military support would be in BIOS or chipset but does clearly show what governments are willing to do in order to maintain complete control over communications.

    I'm very frustrated so many /dotters seem to believe Lenovo is innocent considering so many past instances of US companies being complicit with this exact sort of activity. Of course it is probably political as with Texas in office one would not be surprised to see DELL become the sole source; but the reality of electronic warfare and complicit companies is documented. Judging from history I believe the Chinese have no qualms about stealing trade secrets, military secrets, and even software from the USA.

    BTW, adding in rootkits is not necessarily the only ill which could be done. Consider transmission frequencies helpful in guiding missiles to data centers. Consider a command to have the system reboot into netboot. Consider ability to saveout or remotely read TLB or cache. With such large caches, this could be serious.

    TimJowers
    Enjoy Freedom
