Lenovo and Security Lessons Learned

Updated on February 25, 2016 by UpGuard


Technology giant Lenovo has come under heavy criticism again for subjecting users to undue security risks, this time in the form of three vulnerabilities discovered by researchers at security firm IOActive. Flaws in Lenovo's System Update service, a feature that enables users to download updated drivers, software, and security patches from Lenovo, enable hackers to surreptitiously slip malware onto users' laptops and systems through a man-in-the-middle attack. Lenovo has since issued a patch for these vulnerabilities, but it's doubtful the PC giant will regain consumer credibility any time soon.
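The weakness described above is the general failure of an update client that installs whatever arrives over the network. The Go program below is an added example, not code from Lenovo, IOActive or UpGuard, of the check an updater should perform before installing anything: the release manifest is signed with an Ed25519 key whose public half is pinned in the client, and every artifact carries a SHA-256 digest in that manifest, so a manifest rewritten or re-signed in transit and a payload swapped in transit are both refused. The manifest format, the artifact name `driver.pkg`, and the `VerifyUpdate` and `NewScenario` functions are this example's own assumptions; all keys and sample bytes are constructed inline when the program runs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest lists each release artifact with the hex SHA-256 its bytes must have (hypothetical format).
type Manifest struct {
	Artifacts map[string]string `json:"artifacts"`
}

// SignedManifest is the manifest's JSON plus an Ed25519 signature over exactly those bytes.
type SignedManifest struct {
	Body []byte
	Sig  []byte
}

// signManifest is the vendor-side step; the private key stays offline at the vendor.
func signManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	body, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Body: body, Sig: ed25519.Sign(priv, body)}, nil
}

// VerifyUpdate is the client-side gate in front of every install. With the public key pinned
// in the updater, a manifest altered or re-signed in transit and a swapped payload are both rejected.
func VerifyUpdate(pinnedPub ed25519.PublicKey, sm SignedManifest, name string, payload []byte) error {
	if len(pinnedPub) != ed25519.PublicKeySize {
		return errors.New("pinned public key malformed: refusing update")
	}
	// Authenticity first: nothing in the manifest is parsed before its signature checks out.
	if !ed25519.Verify(pinnedPub, sm.Body, sm.Sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Body, &m); err != nil {
		return fmt.Errorf("manifest unparsable: %w", err)
	}
	want, ok := m.Artifacts[name] // fail closed: an unlisted artifact is never installed
	if !ok {
		return fmt.Errorf("artifact %q not in signed manifest: refusing update", name)
	}
	wantSum, err := hex.DecodeString(want)
	if err != nil || len(wantSum) != sha256.Size {
		return fmt.Errorf("artifact %q has a malformed digest: refusing update", name)
	}
	gotSum := sha256.Sum256(payload) // integrity of the payload itself, compared in constant time
	if subtle.ConstantTimeCompare(gotSum[:], wantSum) != 1 {
		return fmt.Errorf("artifact %q digest mismatch: refusing update", name)
	}
	return nil
}

// Scenario is constructed sample data: pinned vendor key, genuine signed manifest and payload,
// and the same manifest re-signed by a key the updater has not pinned.
type Scenario struct {
	Pub              ed25519.PublicKey
	Manifest, Forged SignedManifest
	Name             string
	Payload          []byte
}

func NewScenario() (Scenario, error) {
	vendorPub, vendorPriv, err1 := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, err2 := ed25519.GenerateKey(rand.Reader) // stands in for any untrusted signer
	if err1 != nil || err2 != nil {
		return Scenario{}, fmt.Errorf("key generation failed: %v %v", err1, err2)
	}
	payload := []byte("constructed sample driver package bytes, release 1.2.3")
	sum := sha256.Sum256(payload)
	m := Manifest{Artifacts: map[string]string{"driver.pkg": hex.EncodeToString(sum[:])}}
	genuine, err1 := signManifest(vendorPriv, m)
	forged, err2 := signManifest(otherPriv, m)
	if err1 != nil || err2 != nil {
		return Scenario{}, fmt.Errorf("signing failed: %v %v", err1, err2)
	}
	return Scenario{Pub: vendorPub, Manifest: genuine, Forged: forged, Name: "driver.pkg", Payload: payload}, nil
}

func main() {
	s, err := NewScenario()
	if err != nil {
		panic(err)
	}
	swapped := append([]byte(nil), s.Payload...)
	swapped[0] ^= 0xff // a single byte altered in transit
	fmt.Println("genuine:        ", VerifyUpdate(s.Pub, s.Manifest, s.Name, s.Payload))
	fmt.Println("swapped payload:", VerifyUpdate(s.Pub, s.Manifest, s.Name, swapped))
	fmt.Println("unpinned signer:", VerifyUpdate(s.Pub, s.Forged, s.Name, s.Payload))
}
```

Two design points matter here. The signature is checked before the manifest is parsed, so malformed or attacker-shaped input never reaches the JSON decoder with any trust attached; and the client fails closed on every path, including an artifact name the manifest does not mention, rather than falling back to installing whatever was downloaded. TLS on the download channel is complementary, not a substitute: it protects the connection, while the pinned signature protects the content regardless of how it arrived.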

As it turns out, it may not need to, at least for a while. Though still reeling from its massive Superfish snafu in February, the tech behemoth continues to be the global leader in PC unit sales, even as customers are abandoning the brand in droves. And while few consumers are in a rush to buy a Moto X, Lenovo's acquisition of Motorola Mobility from Google in 2014 for $2.91 billion gives the company 8% of the global smartphone market. On top of this, a myriad of IoT, wearables, and other connected consumer devices are also reportedly under development, giving the company more than ample runway for perhaps some much needed corporate introspection and realignment.

Several items of concern worth noting:

  • Lenovo was first informed of the vulnerabilities in February, though the findings were only made public this week. For that entire period, unwitting users remained vulnerable, with no knowledge of their compromised security posture and no recourse.

  • Lenovo classifies these vulnerabilities as medium severity, despite the high severity rating assigned by IOActive, the firm that made the initial discovery.

One hopes some hard, important lessons will be learned by Lenovo, though at the end of the day, caveat emptor. The key takeaway for consumers is that proactivity is instrumental to maintaining a strong security posture. From a security perspective, overreliance on vendors to discover, announce, and remediate vulnerabilities in their own products can leave one perilously exposed. The proper adware/malware protection, IDS, and firewall products are bare essentials when it comes to bolstering one's security posture. Resources such as MITRE's Common Vulnerabilities and Exposures database provide users with a free, comprehensive, up-to-date catalogue of known vulnerabilities. And for enterprises managing fleets of portable devices, UpGuard can provide automatic, comprehensive vulnerability scanning for all types of nodes, including laptops and IoT products.
