Vendor entitlement run amok

My main issue with vendors turning us into instrumented data sources isn’t the data so much as the lack of consent. My Fitbit knows a lot about me but it’s an add-on that I self-selected and it provides value to me. The tracking in my browser is not something I can easily avoid since the browser is now an integral part of my life. Between those extremes there are lots of IoT devices that you can currently choose a private version but where that choice is rapidly disappearing. You can still buy a dumb light switch but not a dumb car, for example. Your shiny new GT phones home.

Among the vendors who seem to feel an entitlement to our data is Microsoft, whose Windows 10 is basically a box of spyware disguised as a user-productivity-gaming-and-cat-video-watching platform. I’ve already written about the issues there, how to mitigate them, and the disheartening number of those “features” that can’t be disabled. Yet as bad as all that is, this latest revelation still managed to surprise me across several metrics: the lack of consent, the extent of the invasion, the degree of exposure, the fact that it’s already been exploited to infect user devices, the fact that the entity who exploited it is a “legitimate” vendor, and the fact that said “legitimate” vendor egregiously exposed the exploit to the Internet.

Ars Technica is reporting that Microsoft has included in Windows 8 and above the ability to load executables from the device firmware. This means that even a clean install of Windows on wiped hard drives will run the executables from the firmware. This is intended for anti-theft protection which is generally exposed to the user in the BIOS and can be disabled. However, Lenovo used it to load software that reports information about the device, downloads executables over the Internet and installs them into Windows, overlays some of Microsoft’s system files, is riddled with bugs such as buffer overflow, updates itself unsecurely, and does all this over plaintext HTTP connections.

The design of the firmware executable injection features to support anti-theft has always been a compromise. We give up some security in the OS and firmware to get the ability to retrieve/wipe the PC if it is stolen or lost. However, it opens the possibility of malware taking up residence in the hardware and there are examples of this being exploited. The delta in difficulty between stealing a laptop versus exploiting the firmware bootloader injection results in this feature being a net security benefit but not by a very big margin. Should it become easier to exploit the firmware bootloader injection, this could turn very bad, very fast.

Microsoft and Lenovo, in stunning examples of the pervasive attitude of vendor entitlement, significantly reduced the degree of difficulty for exploiting firmware bootloader injection to where any script kiddie can root the device. Worse, it was done without the ability for the user to disable it. The patch released by Lenovo reportedly disabled the function but even people comfortable using the BIOS setup will have difficulty disabling it.

Microsoft has effectively weaponized firmware bootloader injection.

Lenovo has not only exploited it, but their code is so incompetent as to make a new class of vulnerability available remotely, anonymously, and with almost no skill requirement whatsoever.

In terms of privacy invasion, this is not a difference in degree. It’s a difference in kind. It’s a new line that has been crossed and which, due to the technical complexity of explaining the risk to regular folks, will fly completely under the radar. It’s custom-designed to root your device without knowledge, consent, or recourse, so functional that “legitimate” vendors apparently find malicious uses irresistible, and impossible to constrain to “legitimate” vendors. If you have a Lenovo PC today and haven’t disabled this “feature”, all sorts of uninvited guests can come camping out in your firmware and you won’t be able to kick them out. If you have any other brand of device running Windows, well it’s just a matter of time now.

But try telling any vendor – or your representative – that just because we can doesn’t mean we should. Nobody treats this as a privilege. Access to our data and the internals of our devices is assumed to be an entitlement, even when the implementations are clearly incompetent and capable of causing significant emotional, financial, and even physical harm to the owner of the device or user of the service.

So let’s say there’s a vendor with retail customers who wants to improve their profitability. Do they consult with the merry band of VRM minstrels? Why should any vendor treat unlimited and intimate access to us as a privilege when the competition sees it as a right, capably exploits it, and the current regulatory regime fully supports that approach? VRM doesn’t become mainstream until there’s a line imposed by the market such that vendors need a way to remain competitive without crossing it. Not only are vendors crossing that line today, they are having long jump competitions to see who can go the furthest, and then advancing the line while we aren’t looking.


  1. I think there is a line between this and your next post (re:javascript)


  1. […] T.Rob puts it in Vendor Entitlement Run Amok, “My main issue with vendors turning us into instrumented data sources isn’t the data so […]

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.