Spy agencies including the CIA and MI5 have refused to use PCs from Chinese-founded vendor Lenovo for most of the last decade over suspicions that its equipment has had back doors inserted to aid espionage, it has been alleged.
The reports come from the Australian Financial Review, which said it had spoken to unidentified sources citing the discovery of “back-door hardware and firmware vulnerabilities” in Lenovo’s chipsets and firmware dating back to the time Lenovo acquired IBM’s PC division in 2005.
The magazine said that Britain’s GCHQ had researched Lenovo’s products, discovering “malicious modifications” that could have allowed unspecified remote access to networks.
Countries named as having adopted the anti-Lenovo policy were the ‘five eyes’ alliance of the US, UK, Canada, Australia and New Zealand, which interconnect some of their systems. On that basis, a ban by one would have quickly extended to all.
Although the allegation remains just that, the notion that western spy agencies might not want to use suppliers such as Lenovo is not far-fetched. In 2006, the US State Department announced that it would not use 16,000 PCs it had bought from the firm for classified work.
Lenovo today is a global business, with headquarters in Morrisville, North Carolina and Beijing. A major shareholder is Legend Holdings, part-owned by the Government-connected Chinese Academy of Sciences. Its supply chains are global, including in China.
What is highly likely is that Lenovo is not an authorised supplier to the spy agencies mentioned – only HP and Dell enjoy that privilege, the magazine claims – but does that mean that suspected back doors are the explanation?
That is harder to say. Government PC and equipment contracts are hard for any newish firm such as Lenovo to crack, and change happens very slowly. It could be that Lenovo is not being shunned but is simply not ‘good to go’.
What is significant is that the news of Lenovo’s alleged security exclusion comes at a time when another Chinese firm, Huawei, has found itself in the middle of a storm of suspicion despite building much of BT’s 21st Century network in the UK.
In June, the UK Parliamentary Intelligence and Security Committee expressed concern at the extent to which the country’s national communications infrastructure depended on Huawei’s equipment thanks to BT’s decision to use the vendor in 2007.
Only two weeks ago, the UK Government was forced to say it was reviewing its Cyber Security Evaluation Centre set up to monitor Huawei's systems in the light of concerns about the firm.
Update: The Australian Department of Defence later issued a short statement denying the claims regarding Lenovo.
"This reporting is factually incorrect. There is no Department of Defence ban on the Lenovo Company or their computer products; either for classified or unclassified systems," it read.