Lenovo hunts BIOS backdoor bandits


Who wrote rogue SMM code, and what does it do?

PC giant Lenovo has launched an investigation with Intel to find out which of its suppliers introduced the recently disclosed BIOS-level "ThinkPwn" vulnerability that allows attackers to bypass hardware protections on the company's ThinkPad laptops and other computers.

Researcher Dmytro Oleksiuk discovered a flaw that allowed arbitrary code execution using the Intel system management mode (SMM) feature in processors.

The exploit is able to bypass the write protection on PCs' flash memory, and in turn disable Unified Extensible Firmware Interface (UEFI) Secure Boot and the Windows 10 Enterprise Credential Guard security feature.

Oleksiuk also found suspicious SMM code in the basic input/output system (BIOS) code that runs when computers start up, which he said may be a backdoor providing unauthorised access to vulnerable systems.

Lenovo's product security incident response team is now working to ascertain how the SMM code was introduced into its PCs and by whom, the company said in a statement to iTnews.

"At this point, Lenovo knows that vulnerable SMM code was provided to Lenovo by at least one of our independent BIOS vendors (IBVs). The package of code with the SMM vulnerability was developed on top of a common code base provided to the IBV by Intel," a spokesperson said.

"Importantly, because Lenovo did not develop the vulnerable SMM code and is still in the process of determining the identity of the original author, it does not know its originally intended purpose."

As part of the ongoing investigation, Lenovo is talking to its IBVs and Intel to find out if there are any additional instances of the vulnerability in the BIOS code.

The company is also trying to ascertain "the original purpose of the vulnerable code" in the BIOS it was provided with.

Lenovo said it had tried to contact Oleksiuk and collaborate with the researcher after he announced over social media that he would disclose the flaw, but was unsuccessful.

The company rated the vulnerability as high severity, and has asked its IBVs to develop a fix that eliminates it as rapidly as possible.

System Management Mode is a feature of Intel processors that offers a privileged execution environment, transparent to the operating system and applications, for managing hardware in PCs.
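The flash write protection that the article says the exploit bypasses is, on Intel platforms, configured through a handful of chipset register bits, and every one of the "locked" configurations is ultimately enforced by SMM code. The following is an added example, not code from the article, from Lenovo or from the researcher: it decodes the BIOS_CNTL register so a defender can see which protection bits are set and why an SMM code-execution bug matters for each of them. The register location and bit layout are assumptions taken from Intel PCH datasheets (LPC bridge at PCI 00:1f.0, config offset 0xDC; bit 0 BIOSWE, bit 1 BLE, bit 5 SMM_BWP), not from the article, and the sample register values are constructed.

```python
# Added example, not from the iTnews article: decode the Intel PCH BIOS_CNTL
# register so a defender can see which firmware write-protection bits are set
# and which of them rely on System Management Mode (SMM) code.
#
# Assumptions (from Intel PCH datasheets, not from the article): BIOS_CNTL is
# an 8-bit register in the LPC bridge at PCI 00:1f.0, config offset 0xDC.
#   bit 0  BIOSWE   BIOS Write Enable
#   bit 1  BLE      BIOS Lock Enable: setting BIOSWE raises an SMI so the
#                   SMI handler can clear it again
#   bit 5  SMM_BWP  SMM BIOS Write Protect: flash writes only while in SMM
# On Linux the byte can be read as root with `setpci -s 00:1f.0 0xdc.b`.

BIOSWE = 1 << 0
BLE = 1 << 1
SMM_BWP = 1 << 5


def decode_bios_cntl(value: int) -> dict:
    """Return the three protection-relevant bits of a BIOS_CNTL byte."""
    if not 0 <= value <= 0xFF:
        raise ValueError("BIOS_CNTL is an 8-bit register")
    return {
        "BIOSWE": bool(value & BIOSWE),
        "BLE": bool(value & BLE),
        "SMM_BWP": bool(value & SMM_BWP),
    }


def assess_flash_protection(value: int) -> str:
    """Classify how the BIOS region of SPI flash is protected.

    Both 'protected' outcomes still depend on SMM: SMM_BWP only permits
    writes made from SMM, and BLE relies on an SMI handler to undo BIOSWE.
    An arbitrary-code-execution bug inside an SMM handler therefore defeats
    either configuration, which is the risk the article describes.
    """
    bits = decode_bios_cntl(value)
    if bits["SMM_BWP"]:
        return "protected-by-smm"   # writes blocked unless CPU is in SMM
    if bits["BIOSWE"]:
        return "writable"           # flash is writable from the OS right now
    if bits["BLE"]:
        return "ble-only"           # lock enforced only by the SMI handler
    return "unlocked"               # no lock bit set; ring 0 can set BIOSWE


def parse_setpci_byte(output: str) -> int:
    """Parse the hex byte printed by `setpci -s 00:1f.0 0xdc.b`."""
    return int(output.strip(), 16)


if __name__ == "__main__":
    # Constructed sample values, not readings from a real machine.
    for sample in ("2a", "02", "01", "00"):
        val = parse_setpci_byte(sample)
        print(f"BIOS_CNTL=0x{val:02x} {decode_bios_cntl(val)} "
              f"-> {assess_flash_protection(val)}")
```

On a live system, feed the byte printed by `setpci` into `parse_setpci_byte` and `assess_flash_protection`; a result other than "protected-by-smm" means the BIOS region is writable from the OS or protected only by an SMI handler, and even "protected-by-smm" means the protection is only as trustworthy as the SMM code itself, which is why firmware updates that fix SMM handler bugs should be applied promptly.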

The feature has been targeted in the past: top secret documents leaked by former US NSA contractor Edward Snowden showed American spies developing exploits such as IRONCHEF for Hewlett-Packard ProLiant servers, as well as the BULLDOZER "god-mode" rootkit.

Copyright © iTnews.com.au. All rights reserved.