Tuesday, April 7, 2015

Security update issue on Lenovo tablet

Few days ago, I spend some of my free time checking what my chinese android tablet (Lenovo Yoga 2) was sending on the Internet. I quickly identify some interesting HTTP requests.

As most of the manufacturers, Lenovo ships their tablets with additional software developped by Lenovo or others.
The GameStore app is one of them. That application is checking if updates are available on HTTP and if it find one, downloads it on HTTP too:


The APK file is also available on HTTPS but not used!

The GameStore app can be used to buy new (unknown) games, and seems to be vulnerable to price tampering (not fully tested because stealing is as bad as games on this store). After an update, they remove the payment method which was previously easily vulnerable.

Some Lenovo apps seem to have a similar behavior. They check for updates over HTTP, but I have not been able to trigger any update download :/
Update requests looks like that:


Hey Lenovo, why do you need to know my (private) IP address ?

Other update requests are sent to http://susapi.lenovomm.com/adpserver/GetVIByPNUser with different parameters.

The most interesting HTTP requests I saw was those relating to firmware update! 
The query update looks like that (as my tablet was already up-to-date, I changed my firmware version in the request):

And the answer is:

So Lenovo applications and firmware update on HTTP. Come on guys, we are in 2015!

NB: Tests have been done on YT2-830F_USR_S000143_1501051826_WW21_ROW firmware. Few days after I notice Lenovo Security team, they publish a new firmware (YT2-830F_USR_S000184_1503241129_WW21_ROW) which do not fix that issue... 

No comments:

Post a Comment