Lenovo has owned up to the existence of a critical security vulnerability in the firmware of many of its laptops. After teasing it on Twitter on June 29, developer and self-described “unethical hacker” Dmytro Oleksiuk posted details of the vulnerability on GitHub. Commentators have quickly dubbed the issue ‘ThinkPwn’ although it now seems to be common to other hardware vendors.
According to Oleksiuk, the flaw affects a large number of Lenovo’s ThinkPad models going back several years. He claimed to have verified it on a ThinkPad X220, which launched in 2011. He has provided snippets of code and instructions on his GitHub post so that others can detect the vulnerability on systems they have access to.
The flaw allows remote attackers to disable write protection on a device’s firmware and gain access to the System Management Mode, which is intended to be a secure environment for approved code to be run in. This must be done by physically accessing the device, which at least limits the scope of the attack. However, once that is done, an attacker can remotely disable the Secure Boot feature found in most modern UEFI BIOSes which verifies the integrity of the OS. Rootkits can then be introduced into a compromised system, allowing attackers to spy on them and take control of them remotely. Software security features designed to protect a person or company’s credentials can also be compromised.