The following breaks my heart, as I love the ThinkPad keyboard, but it's just not worth it.
If your work is sensitive in any way, this is what you can expect from Lenovo:
> In February 2021, Bloomberg Businessweek reported that U.S. investigators found in 2008 that military units in Iraq were using Lenovo laptops in which the hardware had been altered. According to a testimony from the case in 2010, "A large amount of Lenovo laptops were sold to the U.S. military that had a chip encrypted on the motherboard that would record all the data that was being inputted into that laptop and send it back to China." [0]
How is this company still allowed to do business in the USA? There are ThinkPads in the most important of places. Not just in government, but in research...
There are apparently no adults in the room, so make your own decisions.
The Bloomberg story referenced in your [0] was refuted by pretty much everyone and independently confirmed by no one. See [1]. It was not retracted by the authors but the consensus seems to be it is intelligent speculation rather than confirmed fact. In particular the quote you pulled seems like a garbled and further exaggerated secondary source based on the unvalidated Bloomberg article. Note the incorrect technical word usage ("encrypted" is not a correct verb to describe how a chip could be integrated into a motherboard design) and the implausible scope of the allegations (sending literally all data inputted to the laptop to China would be a large obvious datastream that would be quickly noticed and independently confirmed, which has not happened).
That refutation was written two years before Bloomberg's story, and it's in fact referencing a different Bloomberg story.
On top of that, being in the security industry, the very vocal parts were very adamant that something like this could never happen, while also starting to fund better supply chain verification. The less vocal parts noticed that the refutations boiled down to "why wouldn't people break their NDAs to show us hardware that probably got the NSA involved" and "the NSA wouldn't lie to us".
Not the person you’re replying to, but things like the Intel Management Engine and the AMD equivalent are very powerful software on pretty much any laptop, that people consider close to back doors.
If you really need secure hardware, a librem laptop (iirc the right name) with openboot is the best.
However if you aren’t dealing with state secrets, any average computer is likely good enough. Just steer clear of unheard brands that sometimes have shady installers (there was a recent incident but it was an unheard brand name).
That is of course assuming that the CCP didn't reverse engineer or crack it or hack NSA and also have access.
I think you will be better served by articles/blogs by the likes of librem and amnesty (I'm thinking of the group that found pegasus, I think it was some other human rights org from Canada?)/eff. Those guys will have better suggestions to harden your device. Also - ask your IT guy, or the IT guy of the US govt dept where you're working for their best practices.
Hacking risks can either be specific (eg Bezos being personally targeted) or a catch-all (eg stuxnet) where they target your entire department. If you're just one of hundreds of contractors you're likely in the second category which is relatively easier to protect yourself from.
If you’re the one quoting Wikipedia and have knowledge that the data you quoted is incorrect, with source and everything, it’s kind of on you to update the article.
I was in the general IT space for Superfish and remember only models found at big box stores were affected. Not the typical "business-grade" machines typically bought by government, industrial, and enterprise. This article confirms my memory https://www.welivesecurity.com/2015/02/20/lenovo-superfish-d...
I believe that we all suffer from normalcy bias.[0] I also just want my awesome five year old ThinkPad to be trustworthy.
However, I know that trusting the CCP is not a great idea. Everyone, including the USA and the CCP, invests so much money in Advanced Persistent Threat actors. So on the side, buying the ThinkPad line would be the equivalent of the NSA's Tailored Access Operations, wouldn't it?
Why wouldn't they take advantage of this? Why take the chance if you work on anything that is gov or commercially sensitive?
EC (embedded controller) in thinkpads is somewhat encrypted. EC among other things takes role of keyboard controller, and has access to big flash chip. Lenovo software does stuff behind your back all the time
"Beginning with Windows 8, a PC manufacturer can embed a program -- a Windows .exe file, essentially -- in the PC's UEFI firmware. This is stored in the "Windows Platform Binary Table" (WPBT) section of the UEFI firmware. Whenever Windows boots, it looks at the UEFI firmware for this program, copies it from the firmware to the operating system drive, and runs it. "
" Lenovo shipped a variety of PCs with something called the "Lenovo Service Engine" (LSE) enabled. "
“Encrypted” means a set of data is processed with a password so to make it garbled, to both humans and computers. If data doesn’t involve a password of some shape or form to process, it isn’t “encrypted”, no matter how complicated of a state it might be in.
“Obfuscated” is another word, that is used to describe a thing that, while requiring no password, intentionally made complicated to achieve similar effect.
Hollywood style “the system is encrypted” is not real. That’s total technobabble, I’d say like “soft boiling a dinner plate”, nobody knows what it even amounts to.
It warms my heart to see people still talking about the X201’s faulty WiFi switch. I loved that laptop but ended up mothballing it over the switch. It remains a perfect example of how cheaping out on an extremely minor component (a plastic slide-switch) can sabotage an otherwise fantastic product.
Yes I used to run into these cards all the time in the past (maybe ancestors of the one from the article) but they were always a pain to deal with. I usually just recommended new wi-fi card if the card was showing these symptoms and I cannot recall anyone ever coming back with wi-fi complaints after that. But definitely if this trick would have worked I would have used it.
Wi-Fi cards do wear out and need replacement, especially old ones. There was also a widespread manufacturing issue in some Wi-Fi/Bluetooth chipsets around 2007-2012, which had to do with amplifier SAW/BAW filter(?) that led to rapid and thorough degradation in radio performance. I think at least Qualcomm did notify rather silently on B2B news channels but it wasn't communicated to the public.
a larger hardware fix for the x200/x201 is the x2100 upgrade (intel comet lake motherboard, nvme, up to 64gb ddr4, 13" 3000x2000 ips panel).
see https://www.xyte.ch/mods/x210-x2100/ for an overview, although sadly the availability is diminishing (and the hardware is far from bleeding edge four years later) -- the above linked vendor is awol.
i've got myself 2.5 x2100s, hoping that will tide me over until something new becomes available.
Buying a new motherboard to replace the Thinkpad is hardly a fix. Otherwise I could 'fix' my Thinkpad x200 by buying a x230. You could make a case for the ship of Theseus but it's more like you are taking off the captain's wheel and replacing the whole thing and calling it the same ship.
I never got the appeal of those laptops either. It's not a Thinkpad, it's a Chinese motherboard that is overpriced to get it working with a nice keyboard, and yet you'll still have to bend your neck to use it unless you're using the dock.
I was going to say you'd also lose out on the Libreboot compatibility, but apparently X201 support was urgently removed from LB: https://libreboot.org/news/x201.html
even though i have the x2100 as a 'fix for x201', which would make sense in the context of the original post, for me it was just a new laptop purchase, and i have considered the x2100 on its own merits as a laptop i could get -- for me it was decent (i.e. non-chiclet) keyboard, trackpoint, good screen, and autonomy (plenty of disk, ram and battery).
On linux you can enable most radio cards regardless of the hardware disable status by running "rfkill unblock all". This is the correct behavior according to the spec as otherwise systems using a software button + permanent hardware lockout won't work.
There's softblock and hardblock, rfkill shouldn't be able to unblock hardblocks. "unblock all" just attempts to soft unblock all devices. Maybe it could also operate some special software operable hardblock hardware but that doesn't count.
Also/IIRC, the old webcam issue was some cameras had ~1s delay between first image to LED on, and zero for last frame to LED off, so initialization or configuration change commands could be mashed to allow LED to light in user unhelpful ways: e.g. only lit for imperceptible length of time or intermittently lit as shown. Apple and few other vendors modified this behavior as well as added a minimum LED on duration while after this went on media. It's still "controlled by software", sure, not like tapped off of CMOS imager power supply, but not like implemented in /lib/modules/webcam_comforting_led.so.1, either.
I was able to use the rfkill command on a Dell and a Thinkpad with the hardware switch turned off. However I don't know how that was implemented internally, maybe the switch was not connected directly to the mini-pcie slot. I don't have these laptops anymore so I can't check it.
I made the video on the webcams, these are quite modern ones. Nearly all of them have special UVC commands that allow reading and writing the internal CPUs memory (a lot are 8051 based). You can find the register that controls the led GPIO and control it freely. Only on one of them I did not find a way to modify the led behavior without modifying the firmware to add an extra command.
The author taped the switch readout pin (mPCIe pin 20) at the card side, and the card was so designed that it assumes the switch is set to not-kill when the switch is not present at all.
We do not know how deep the mechanism goes within the card. It is only shown that the card does work if the pin is open.
"in the firmware" part is pure speculation. It's fair to assume worst as a security best practice, but pedantically we just don't know if a mal-firmware can in fact ignore it. There could be like, the kill switch input distributed to radio amplifier and such. A lot of analog components have on-off(usually not-enable) inputs.
We don't actually know that. It's possible that connecting that pin shorts some circuit on the card that prevents it from operating. I suspect you're right though.
It usually is not, most cards will allow software unlocking even if the hardware switch is off. You can run 'rfkill unblock all' on a Linux system to test it.
rfkill shouldn’t be able to unblock hardblocks, “all” means “all cards here”, not “all of those nonsense”. Is that your experience or are you just theorizing?
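Added example, not part of any comment in this thread: the soft/hard distinction argued over above is exposed by the kernel as the `soft` and `hard` attributes under `/sys/class/rfkill`. The script reads both flags per device and checks whether every device of a given type is hard-blocked; the sample tree, device names and function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: read rfkill soft/hard block state from sysfs.
# Real path is /sys/class/rfkill; attribute files are name, type, soft, hard.

# Build a constructed sample tree (not real hardware) so this runs offline.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir "$d/rfkill0" "$d/rfkill1"
    echo phy0 > "$d/rfkill0/name"; echo wlan      > "$d/rfkill0/type"
    echo 0    > "$d/rfkill0/soft"; echo 1         > "$d/rfkill0/hard"
    echo hci0 > "$d/rfkill1/name"; echo bluetooth > "$d/rfkill1/type"
    echo 1    > "$d/rfkill1/soft"; echo 0         > "$d/rfkill1/hard"
    echo "$d"
}

# Print one line per device: name, type, both flags and a verdict.
rfkill_report() {
    root="${1:-/sys/class/rfkill}"
    for dev in "$root"/rfkill*; do
        [ -r "$dev/hard" ] || continue      # also skips an unmatched glob
        name=$(cat "$dev/name"); kind=$(cat "$dev/type")
        soft=$(cat "$dev/soft"); hard=$(cat "$dev/hard")
        if   [ "$hard" = 1 ]; then verdict=hard-blocked
        elif [ "$soft" = 1 ]; then verdict=soft-blocked
        else                       verdict=radio-enabled
        fi
        printf '%s %s soft=%s hard=%s %s\n' "$name" "$kind" "$soft" "$hard" "$verdict"
    done
}

# Succeed only if at least one device of type $2 exists and all report hard=1.
# Run with the physical switch off: failure means the kernel sees no hard block.
hard_blocked_all() {
    root="$1"; want="$2"; seen=0
    for dev in "$root"/rfkill*; do
        [ -r "$dev/type" ] || continue
        [ "$(cat "$dev/type")" = "$want" ] || continue
        seen=1
        [ "$(cat "$dev/hard")" = 1 ] || return 1
    done
    [ "$seen" = 1 ]
}

sample=$(make_sample_tree)
rfkill_report "$sample"
hard_blocked_all "$sample" wlan && echo "wlan: hard block visible to the kernel"
rm -rf "$sample"
```

On a real machine, call `rfkill_report` with no argument to read `/sys/class/rfkill` directly.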
It's pretty much just a button, if it doesn't physically cut power, I'd suggest.
I think with billion dollar budget year after year, you pretty much go for firmware level attacks these days. 0click 0day as-a-service is private economy and.. cheap and very different from what they want: long term backdoor access to everything, without the possibility to spot it in user space or OS.
That's probably the best thing we can do (for now) for a PCIe device. PCIe hotplug [1] is a thing, but your (badly-written) WiFi kernel driver is probably not designed for that.
You might enjoy a https://frame.work laptop. Camera and microphone are physical kill switches, and you'll see the device drop off USB when you toggle them.
(No wifi killswitch on Framework laptops at this time.)
> (No wifi killswitch on Framework laptops at this time.)
Because it is practically not possible with current hardware. Theoretically it is possible to design PCIe hot-plugging but no WiFi card/driver supports it.
Maybe it is possible to do over Thunderbolt but I wouldn't hold my breath.
Of course there are USB WiFi chips but they are much worse in every aspect than PCIe ones.
It's possible that thinner kapton tape would be easier to cut into a narrow sliver and place over a pin, while having the card still fit in the socket without being too thick?
There are issues with trusting a pci attached wifi device running a pile of closed firmware anyways.
If you're concerned about this type of thing discard the internal wifi card and use a USB-attached wifi dongle you can unplug to achieve a "wifi physically disconnected" state with certainty.
The other advantage is whatever firmware's running on the wifi dongle isn't going to be potentially accessing host memory over usb, which a pci bus master could theoretically do.
My experience with ACPI is limited to tinkering with it a bit for installing macOS on unsupported systems, but shouldn't it be possible to avoid any physical modification and do the same with an SSDT that disables the power to the kill switch?
No, the kill switch is a literal electronic connection to the pin on the WiFi card that tells the firmware on that card to disable itself. ACPI may provide an alternative mechanism to trigger the same pin, but that doesn't mean ACPI can be modified to disable the physical switch.
(What may actually be happening is that the switch is telling the embedded controller to toggle the WiFi card pin, in which case modifying the EC firmware might let you achieve the desired outcome, but that's still not an ACPI hack)
The author mentioned that but didn’t know how to solder, so they chose this method instead. If they knew how to solder this would have been a different fix.
[0] https://en.wikipedia.org/wiki/Lenovo#Security_and_privacy_in...