Lenovo’s “ThinkShield” protects the ThinkPad from every direction
Lenovo Japan’s “ThinkPad” series of notebook PCs features a comfortable keyboard and the distinctive “TrackPoint” at the center of the keyboard, and is popular for its robust housing.
But you can no longer choose a laptop for performance or comfort alone. In a world where all kinds of information is handled on PCs, security must be considered.
In fact, since 2018 Lenovo has been focusing on security for all its products under the name “ThinkShield”, on the principle that “security is the highest priority.”
The Lenovo ThinkPad was one of the first brands to put a fingerprint sensor on a notebook PC, and more recently it has drawn attention for the ThinkShutter, which can physically cover the front camera.
Security measures like these, which can be understood at a glance, are part of ThinkShield. But ThinkShield also covers every layer that makes up the product, from software to hardware, and every process related to the product, such as development, manufacturing, and the response to theft or loss.
So what exactly does Lenovo offer with ThinkShield?
We interviewed Ryota Motojima (Product Manager, Product Planning Department) of the company.
What a hardware vendor can do
When it comes to security measures for PCs, what people usually imagine is installing security software. However, it is surprisingly little recognized that there are risks that security software alone cannot prevent.
“Hardware ingenuity. The ability to combine software and hardware is something we can do because we make hardware.” (Motojima)
Measures to prevent “social hacks”
A social hack leaks information through someone looking at a PC screen or watching keystrokes. Against this, Lenovo offers measures such as “PrivacyGuard”, “Match-on-Chip Fingerprint Authentication” and “Tamper Detection”.
PrivacyGuard is a built-in privacy filter that prevents “snooping” from the side. It can be turned on and off manually, or it can be turned on automatically when a “line of sight” from behind the user is detected.
This snooping detection uses the front camera, but the front camera itself can be the target of an attack that “peeps” on the user. That is, a method that exploits a vulnerability in the target notebook PC to access the front camera and capture the user’s face, keystrokes, private information, and so on.
Some people worry about such attacks and wonder, “Am I being watched through the camera?”
Lenovo therefore deliberately turns on the face authentication IR lamp while the front camera is operating. Making the camera’s operation easy to see eases user anxiety, and for those who are still concerned, there is also the ThinkShutter, which physically covers the camera lens.
The next risk after screen snooping is keystroke observation. The ThinkPad has fingerprint authentication, so it is preferable to log in with a fingerprint rather than a password.
However, the usage rate of fingerprint authentication on PCs “is unfortunately not high even with the installed models,” says Motojima. Some say they do not use it less because of a “low recognition rate” than because it is “unreliable”.
In response to these concerns, Lenovo uses an authentication method called “Match-on-Chip fingerprint authentication.”
“Only information on whether or not the fingerprint is correct is passed to the OS. Because fingerprint data is not placed on the OS, it is impossible to steal fingerprint information even if the OS is intruded from the outside.” (Motojima)
In addition to these, there is a risk that an unauthorized module may be installed in the main unit while the user is away from the notebook PC.
This is addressed by a back cover open/close detection function called “tamper detection”. If the back cover has been opened or closed, this is detected when the power is turned on, and a supervisor password is requested. Because the OS cannot be started without entering the password, the user can notice that someone has physically tried to access the inside of the PC.
Clean OS and BIOS tampering detection
Lenovo also pays attention to the OS and BIOS.
Unused software takes up storage. Some of it launches automatically at startup, which wastes PC resources.
Aside from this pressure on resources, it is surprisingly little known that leaving pre-installed apps in place is a security risk.
“Operating systems and frequently used apps are often updated properly. However, unused pre-installed apps are not updated, which can be a security hole. Software vulnerabilities are inherent. By using only the minimum software, the risk is reduced as much as possible.” (Motojima)
In addition, there is also a custom image that packages only the OS and drivers, excluding the function-setting applications. This lets the system be prepared at the OS level according to the needs of the company.
Also, the BIOS, which sits at a lower layer than the OS, is a part that only hardware vendors can modify.