With the litany of free trial programs, adware, and other unwanted “features” that come with the factory images of Windows computers, it has become standard procedure for many users to wipe the system drive of a new PC and install Windows from the Microsoft-published media. However, these attempts by the user to have a clean installation are turning out to be less secure than they should be.
Windows Binary Platform Table
Windows 8 introduced a feature called Windows Binary Platform Table (WBPT), which allows OEMs to insert small executables into the Unified Extensible Firmware Interface (UEFI); these executables are copied into the filesystem and executed by Windows. There is no way to prevent this behavior in Windows using the Group Policy Editor or other obvious system management tools.
According to Microsoft’s documentation for WBPT (DOCX file):
“The primary purpose of WPBT is to allow critical software to persist even when the operating system has changed or been reinstalled in a “clean” configuration. One use case for WPBT is to enable anti-theft software which is required to persist in case a device has been stolen, formatted, and reinstalled. In this scenario WPBT functionality provides the capability for the anti-theft software to reinstall itself into the operating system and continue to work as intended.”
In this intended use, this type of behavior is beneficial — an anti-theft system is vital to organizations that deal with sensitive data, and to end users concerned with personal property protection. An anti-theft system that can be overridden by a disk format and Windows reinstallation would not be useful. However, if an OEM were to use it for the installation of a system management utility that the user would ostensibly be trying to avoid by wiping the factory OS image, this would be a substantial problem for the user.
Lenovo is using this to install a system management utility
As if the public fallout from the Superfish debacle wasn’t enough of an issue, the only OEM known to be using WBPT improperly (so far, and I’m not optimistic) is Lenovo. Certain consumer-grade desktops and laptops have a WBPT entry that copies a small dropper executable to the filesystem called the Lenovo Service Engine; the executable replaces autochk.exe, which writes two additional files to the filesystem, which in turn creates a service that downloads the Lenovo OneKey Optimizer (PDF) through an unencrypted HTTP connection.
Lenovo Service Engine sends system data (machine type and model, system UUID, region and date), though Lenovo claims that personally identifiable information is not collected. The OneKey Optimizer doesn’t appear to be anything of value — it can update drivers, though having two competing systems modify system drivers has already caused problems for Windows 10 rollouts. It can clean “junk,” though this type of task is likely best left to utilities such as CCleaner.
Considering the method by which this is installed, and the difficulty with which it can be removed, Lenovo has instructions for disabling the WBPT entry in desktops and removes it entirely using a firmware update for laptops, this behavior is tantamount to installing a rootkit. The desktop version doesn’t install OneKey, though it does transmit information to Lenovo.
This is Microsoft’s fault too
This is actually what “working as designed” looks like — Microsoft provided a means in WBPT for OEMs to force the execution of a program in Windows without user consent. Concerns about Windows 10’s overreach on privacy settings have been high since it was released.
The move to UEFI was already controversial, as it was seen as a way to prevent the user from installing alternatives to Windows, such as Linux distributions. Having the option to disable UEFI Secure Boot was a requirement for OEMs with Windows 8, though Microsoft is allowing OEMs to enforce Secure Boot for Windows 10. There are plans to sign Linux in a way to be compatible with UEFI Secure Boot, but the search continues for a solution that is intelligent enough such that Linus Torvalds won’t go on a tirade.
When asked about Lenovo’s implementation of WPBT, a Microsoft representative provided a rather boilerplate statement: “The Windows Platform Binary Table (WPBT) was introduced in 2011 to support anti-theft software installed on the Basic Input/Output System (BIOS), which is required to persist in case a device has been stolen, formatted, and reinstalled. WPBT also provides the capability for independent software vendors (ISVs) and original equipment manufacturers (OEMs) to include their solutions.”
What’s your view?
Although this was not present on Lenovo’s professional Think-branded systems and Lenovo stopped including Lenovo Service Engine in Home systems after June 2015, does this incident make you less likely to buy a Lenovo system? Are you more likely to not use Windows because of WBPT? Share your thoughts.