Authorities in two northern Vietnamese localities have warned local state offices and agencies against using Lenovo computers, which contain preloaded software that the Chinese PC maker allegedly uses to steal data and information from users.

In a dispatch dated December 18, a committee in charge of safeguarding state secrets under the administration of Hai Phong City recommended that government agencies run security checks on their Lenovo computers as they contain spyware.

Spyware is software that aims to gather information about a person or organization without their knowledge and that may send such information to another entity.

The administration of Quang Ninh Province, in the meantime, has also ordered that local public bodies and organizations stop choosing Lenovo devices for their computer procurement for similar security concerns.

Both the Hai Phong and Quang Ninh authorities have issued the warnings following an announcement from the Ministry of Public Security last month, which provided a detailed account of the security risk posed by the Chinese-made computers.

Secretly run, impossible to disable

According to the ministry, between October 2014 and June 2016, some Lenovo computers were found being preinstalled with the firmware “Lenovo Service Engine” (LSE), which is added to the BIOS on the devices’ motherboard before leaving the factory.

BIOS, short for Basic Input/Output System, is the program a personal computer's microprocessor uses to get the computer system started after one turns it on.

The LSE will automatically, and secretly, download the software "Onkey Optimizer" to users’ computers immediately after they connect to the Internet for the first time.

The "Onkey Optimizer" will interfere with the computer system, replacing the original system file (in C:\Windows\system32\ directory) by a variant of that file made by Lenovo.

Lenovo's variant of the system file will then add two files, LenovoUpdate.exe and LenovoCheck.exe, to the system directory, and these files will run on startup, with full administrator access.

The Lenovo files will automatically and covertly download and install drivers, software or anything the PC maker wants to have on users’ computers.

“The LSE therefore has all the main properties of a spyware piece as it operates secretly right after the device is turned on and has deep intervention in the Windows system files,” the document issued by the Hai Phong People’s Committee reads.

What is most worrying is that the LSE is built into the firmware on the motherboard, so even when a new version of Windows is installed, the LSE is still there and will be executed before the Microsoft operating system is launched.

Moreover, even when users deliberately delete the LenovoUpdate.exe and LenovoCheck.exe files in the system directory, the files will be re-created during the next power-on or reboot.

This means it is impossible for users to get rid of the unwanted Lenovo files.

“With all activities carried out by the Lenovo files without users’ knowledge, worsened by the fact that they can never disable the files, the LSE firmware poses a security risk to the computer system,” the document reads.

The LSE exploits Microsoft's Windows Platform Binary Table (WPBT) feature, which allows PC manufacturers to inject drivers, programs and other files into the operating system from the motherboard firmware.

While Microsoft says that it is critical for WPBT-based solutions to be “as secure as possible and [not to] expose Windows users to exploitable conditions,” Lenovo’s making use of the feature is not as safe as recommended.

Do Huu Ca, director of the Hai Phong police department, said the announcement is an internal memo sent to all state agencies in the city to raise the alarm on the possible security threats coming from Lenovo computers.

“It is recommended that users of Lenovo computers check their devices and stop using any computers that have the LSE,” Ca told Tuoi Tre (Youth) newspaper on Monday.

Dang Huy Hau, deputy chairman of Quang Ninh Province, also toldTuoi Tre the same day that public agencies are reviewing the use of Lenovo computers.

In the immediate term, the spyware on Lenovo devices has yet to cause any huge impact on the management of state agencies as “confidential information and documents are stored either on other computers or in other forms [instead of being digitalized],” Hau said.

“It is necessary to recommend state agencies not to use Lenovo computers, for the sake of information security,” he said.

Keeping track of customer behavior?

A representative of Lenovo in Vietnam told Tuoi Tre that the LSE is preinstalled only to help the manufacturer know more about its customers.

“LSE automatically sends some specific system data to Lenovo servers to help us know clearly how customers use our products,” he said.

The representative asserted that the data retrieved secretly do not contain any personal information.

“They only include product names, users’ locations, devices’ configurations, such as RAM and HD storage, screen resolution, and operating system models,” he claimed.

“Such information is only collected once, when the computers are connected to the Internet for the first time.”

But such an explanation does not please security experts.

“While most hi-tech products do have a feature to collect operational and technical information to help manufacturers improve them and better serve their customers, it is crucial that the data collection be made known to users,” said Vo Van Khang, deputy chairman of the southern chapter of the Vietnam Information Security Association.

“The secret information gathering without the knowledge or consent of users is therefore against common practices, and can be seen as illegal software or spyware.”