Posted on Thursday, August 13 2015 @ 11:30 CEST by Thomas De Maesschalck
The feature is intended to be used for anti-theft software but unfortunately it seems Lenovo abused this feature to preinstall its "Lenovo Service Engine" bloatware onto certain of its desktop and laptop systems. To make things even worse, the preinstalled Lenovo software appeared to be insecure, with security researchers discovering buffer overflow issues and the use of insecure network connections. Fortunately, Lenovo reportedly stopped including LSE on new systems built since June. Full details at ARS Technica.
Lenovo's own description of what the software did differs depending on whether the affected system is a desktop or a laptop. On desktops, the company claims that the software only sends some basic information (the system model, region, date, and a system ID) to a Lenovo server. This doesn't include any personally identifying information, but the system ID should be unique to each device. Lenovo says that this is a one-time operation and that the information gets sent only on a machine's first connection to the Internet.
For laptops, however, the software does rather more. LSE on laptops installs the OneKey Optimizer (OKO) software that Lenovo bundles on many of its machines. OneKey Optimizer arguably falls into the "crapware" category. While OKO does do some somewhat useful system maintenance—it can update drivers, for example—it also offers to perform performance "optimizations" and cleaning "system junk files," which both seem to be of dubious value.
