Lenovo says it only collects anonymous, non-personal data to improve its software. But in 2015 Lenovo was caught shipping laptops with Superfish software that intercepted ALL encrypted web browsing, including banking and medical websites, injected ads into the pages, and sent browsing data to a third party. Lenovo later paid over $10 million in state and class-action settlements. Lenovo says you can choose what data to share. But in the same year it was found that the firmware (BIOS) of some Lenovo PCs automatically reinstalled Lenovo's own software every time the computer started, even after the hard drive was wiped and Windows reinstalled from scratch. There was no setting to turn this off because it ran before Windows loaded; removing it required a BIOS update.
What they claim: Lenovo privacy statement describes data collection as "anonymous statistical information" and "basic (non-personally identifiable) device information" to "make more meaningful improvements to our software."
What we found: The FTC complaint and consent order (2017) established that Lenovo pre-installed Superfish VisualDiscovery, which performed man-in-the-middle interception of ALL HTTPS traffic (banking, medical, email) by installing its own root CA on every machine, injected ads into pages, and transmitted browsing data to Superfish, which paid Lenovo to preload it. The root CA's private key was identical on every affected laptop and was protected only by the password "komodia", so anyone who extracted it could forge a certificate for any website that those laptops would trust. None of this was disclosed to consumers. US-CERT (now part of CISA) issued alert TA15-051A warning of the HTTPS spoofing risk. Lenovo paid $3.5M to 32 state attorneys general in a parallel settlement (the FTC order itself carried no fine) and $7.3M in a class action settlement. Practitioner check: a still-affected machine has a certificate with subject "Superfish, Inc." in the Windows Trusted Root Certification Authorities store; a clean machine does not.
What they claim: Lenovo Vantage is described as a device management tool for driver updates, system diagnostics, and hardware settings optimization.
What we found: The Lenovo Vantage companion app (com.tblenovo.center) requests 31 permissions including: ACCESS_FINE_LOCATION (precise GPS), CAMERA, READ_PHONE_STATE (device identifiers, call status), PACKAGE_USAGE_STATS (monitor all app usage), QUERY_ALL_PACKAGES (enumerate all installed apps), WRITE_SECURE_SETTINGS (modify system security settings), and RECEIVE_BOOT_COMPLETED (auto-start on boot). A laptop management tool does not need GPS location, camera access, phone state, or the ability to monitor which apps you use on your phone.
What they claim: Lenovo's current privacy statement (March 2025) positions the company as privacy-conscious, offering user controls and anonymized data collection.
What we found: The FTC consent order (September 2017) prohibits Lenovo for 20 YEARS (until 2037) from misrepresenting any feature of pre-installed software that injects advertising or transmits sensitive consumer information, requires affirmative consent before such software is preloaded, and requires a software security program with independent third-party assessments every two years. This means Lenovo is still under active federal oversight for deceptive privacy practices. The consent order exists because Lenovo actively deceived consumers: the Superfish software was designed to be hidden "within each computer's operating system to impede detection" while it intercepted encrypted traffic and transmitted user data.
What they claim: Lenovo privacy statement describes collecting "device identifiers" and "usage information" as part of normal product support and improvement.
What we found: Lenovo collects: device serial numbers, device IDs, IMEI numbers, IP addresses, MAC addresses, BIOS version, firmware version, embedded controller version, device driver versions, Windows build number, power consumption data, pages printed, applications used, features accessed, and phone numbers. The Lenovo Customer Feedback Program uploads event logs recording tool usage. US-CERT alert TA15-051A documented that the Superfish root CA shipped on Lenovo laptops exposed every HTTPS connection on those machines to interception and spoofing, and the 20-year FTC consent order reflects the severity of that episode.
What they claim: Lenovo Vantage is marketed as a single-purpose tool: "Your one-stop customization center. Manage your device's settings from one place."
What we found: Lenovo Vantage requests WRITE_SECURE_SETTINGS (ability to modify Android system security settings), PACKAGE_USAGE_STATS (monitor all app usage patterns), QUERY_ALL_PACKAGES (enumerate every installed application), and includes Google Firebase Analytics and Google Crashlytics trackers. For the phone companion of a laptop management tool, these permissions indicate data collection capabilities far beyond device management. PACKAGE_USAGE_STATS in particular allows profiling the user's entire app usage behavior on their phone; that data has no relationship to managing a laptop.
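The permission review behind the two Vantage findings above can be made repeatable. The script below is an added example, not code from the original page or from Lenovo: it reads the text printed by `aapt dump permissions <apk>` and sorts each declared permission into what a laptop companion app plausibly needs, runtime ("dangerous") permissions that expose user data or sensors, signature/special-access permissions that enable profiling or system control, and permissions whose purpose is persistence. The sample dump is constructed for the demonstration under a placeholder package name (it is not a dump of the real Vantage app), and the EXPECTED set is an assumption about what such an app reasonably needs.

```python
"""Triage an Android app's declared permissions against its stated purpose.

Added example, not code from the original page or from Lenovo. Input is the
format printed by `aapt dump permissions <apk>`. SAMPLE_AAPT_OUTPUT below is
constructed for the demonstration with a placeholder package name; EXPECTED
is an assumption about what a laptop companion app reasonably needs.
"""
import re

# Constructed sample in the `aapt dump permissions` format (not a real dump).
SAMPLE_AAPT_OUTPUT = """\
package: com.example.laptopcompanion
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.BLUETOOTH'
uses-permission: name='android.permission.BLUETOOTH_CONNECT'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.PACKAGE_USAGE_STATS'
uses-permission: name='android.permission.QUERY_ALL_PACKAGES'
uses-permission: name='android.permission.WRITE_SECURE_SETTINGS'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
uses-permission: name='android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS'
uses-permission: name='com.google.android.c2dm.permission.RECEIVE'
"""

# Assumption: what a phone app that pairs with and manages a laptop plausibly needs.
EXPECTED = {
    "INTERNET", "ACCESS_NETWORK_STATE", "ACCESS_WIFI_STATE",
    "BLUETOOTH", "BLUETOOTH_CONNECT", "BLUETOOTH_SCAN", "POST_NOTIFICATIONS",
}
# Runtime ("dangerous") permissions that expose user data or sensors.
DANGEROUS = {
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "CAMERA", "RECORD_AUDIO",
    "READ_PHONE_STATE", "READ_CONTACTS", "READ_SMS", "READ_CALL_LOG",
}
# Signature-level or special-access permissions: profiling and system control.
PRIVILEGED = {"WRITE_SECURE_SETTINGS", "PACKAGE_USAGE_STATS", "QUERY_ALL_PACKAGES"}
# Permissions whose purpose is to keep the app resident.
PERSISTENCE = {"RECEIVE_BOOT_COMPLETED", "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"}
# Caveats a reviewer should weigh before calling a flagged permission unjustified.
NOTES = {
    "ACCESS_FINE_LOCATION": "required for Bluetooth LE scanning on Android 6-11; "
                            "on 12+ BLUETOOTH_SCAN with neverForLocation replaces it",
}

PACKAGE_RE = re.compile(r"^package: (\S+)", re.M)
PERM_RE = re.compile(r"uses-permission(?:-sdk-23)?: name='([^']+)'")


def parse_permissions(aapt_text):
    """Return declared permissions in order; android.permission.* are shortened."""
    names = []
    for m in PERM_RE.finditer(aapt_text):
        full = m.group(1)
        prefix = "android.permission."
        names.append(full[len(prefix):] if full.startswith(prefix) else full)
    return names


def triage(aapt_text):
    """Bucket every declared permission and collect the ones worth questioning."""
    pkg = PACKAGE_RE.search(aapt_text)
    report = {"package": pkg.group(1) if pkg else None,
              "expected": [], "dangerous": [], "privileged": [],
              "persistence": [], "unclassified": [], "notes": {}}
    for p in parse_permissions(aapt_text):
        if p in EXPECTED:
            report["expected"].append(p)
        elif p in DANGEROUS:
            report["dangerous"].append(p)
        elif p in PRIVILEGED:
            report["privileged"].append(p)
        elif p in PERSISTENCE:
            report["persistence"].append(p)
        else:
            report["unclassified"].append(p)
        if p in NOTES:
            report["notes"][p] = NOTES[p]
    report["flagged"] = report["dangerous"] + report["privileged"] + report["persistence"]
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_AAPT_OUTPUT)
    print(f"{r['package']}: {len(r['flagged'])} permissions need justification")
    for bucket in ("dangerous", "privileged", "persistence", "unclassified"):
        for p in r[bucket]:
            print(f"  [{bucket}] {p}" + (f"  ({r['notes'][p]})" if p in r["notes"] else ""))
```

Run it against a real dump with `aapt dump permissions app.apk | python triage.py` after swapping the sample for `sys.stdin.read()`. The note on ACCESS_FINE_LOCATION is the caveat to keep in mind: before Android 12, BLE device discovery required location permission, so a pairing app that declares it is not automatically collecting GPS; whether it does depends on what the code does with the grant, which a permission list alone cannot show.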
What they claim: Lenovo privacy policy positions data collection as optional and controllable: "Most data collection is optional and controllable in settings" and users can "turn off analytics, Help Improve, and Share usage data."
What we found: Lenovo Service Engine (CVE-2015-3324) was BIOS-level code that used the Windows Platform Binary Table (WPBT), an ACPI table through which firmware hands Windows an executable to run during boot, to download and install Lenovo software on EVERY boot, even after a complete OS reinstall or a hard drive replacement. The firmware overwrote the Windows system file autochk.exe with its own copy, which in turn wrote further Lenovo executables into System32. Users had no way to opt out from within Windows because the injection occurred before the operating system loaded; removal required the BIOS update and cleanup tool Lenovo released in 2015. This was firmware-level persistence that survived any user action within the OS.
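The mechanism above is worth being able to inspect on your own hardware. The parser below is an added example, not code from the original page or from Lenovo: it decodes a WPBT following Microsoft's published layout (a standard 36-byte ACPI table header, then handoff memory size as u32, handoff physical address as u64, content layout u8 where 1 means a single PE image, content type u8 where 1 means a native user-mode application, a u16 command-line byte length and a UTF-16LE command line), validating the signature, length and ACPI checksum first. The sample table is constructed here with placeholder OEM and creator IDs; on Linux a real table, if the firmware publishes one, is exposed at /sys/firmware/acpi/tables/WPBT and the script reads it when present.

```python
"""Parse a Windows Platform Binary Table (WPBT), the ACPI table Lenovo
Service Engine used to hand Windows an executable to run at every boot.

Added example, not code from the original page or from Lenovo. Field layout
follows Microsoft's WPBT specification. build_sample_wpbt() constructs a
table with placeholder IDs for the demonstration; it is not a real firmware
image. LINUX_WPBT_PATH is where the kernel exposes a live table if one exists.
"""
import os
import struct

# Standard ACPI table header: signature, length, revision, checksum,
# OEM ID (6), OEM table ID (8), OEM revision, creator ID (4), creator revision.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# WPBT-specific fields: handoff size, handoff address, layout, type, cmdline length.
WPBT_FIELDS = struct.Struct("<IQBBH")
CONTENT_LAYOUT = {1: "single PE image"}
CONTENT_TYPE = {1: "native user-mode application"}
LINUX_WPBT_PATH = "/sys/firmware/acpi/tables/WPBT"


def parse_wpbt(raw: bytes) -> dict:
    """Validate signature, length and checksum, then decode the WPBT fields."""
    if len(raw) < ACPI_HEADER.size + WPBT_FIELDS.size:
        raise ValueError("table too short to be a WPBT")
    sig, length, rev, _chk, oem_id, oem_tid, _oem_rev, creator, _crev = ACPI_HEADER.unpack_from(raw, 0)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT table: {sig!r}")
    if length != len(raw):
        raise ValueError(f"header length {length} != data length {len(raw)}")
    if sum(raw) & 0xFF:  # ACPI rule: all bytes, checksum byte included, sum to 0 mod 256
        raise ValueError("ACPI checksum mismatch")
    size, addr, layout, ctype, cmd_len = WPBT_FIELDS.unpack_from(raw, ACPI_HEADER.size)
    start = ACPI_HEADER.size + WPBT_FIELDS.size
    if start + cmd_len > len(raw):
        raise ValueError("command line runs past end of table")
    cmdline = raw[start:start + cmd_len].decode("utf-16-le").rstrip("\x00")
    return {
        "revision": rev,
        "oem_id": oem_id.decode("ascii", "replace").strip(),
        "oem_table_id": oem_tid.decode("ascii", "replace").strip(),
        "creator_id": creator.decode("ascii", "replace").strip(),
        "handoff_size": size,          # bytes of physical memory holding the binary
        "handoff_address": addr,       # physical address the OS loader copies it from
        "content_layout": CONTENT_LAYOUT.get(layout, f"unknown ({layout})"),
        "content_type": CONTENT_TYPE.get(ctype, f"unknown ({ctype})"),
        "command_line": cmdline,
    }


def build_sample_wpbt(cmdline: str = "") -> bytes:
    """Construct a WPBT with a valid checksum (placeholder IDs; not real firmware data)."""
    args = cmdline.encode("utf-16-le")
    body = WPBT_FIELDS.pack(0x10000, 0x7A000000, 1, 1, len(args)) + args
    header = ACPI_HEADER.pack(b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
                              b"SAMPLE", b"SAMPLETB", 1, b"TEST", 1)
    table = bytearray(header + body)
    table[9] = (-sum(table)) & 0xFF  # checksum byte is at offset 9 of the header
    return bytes(table)


def read_live_wpbt(path: str = LINUX_WPBT_PATH):
    """Parse the running firmware's WPBT, or return None if none is published."""
    if not os.path.exists(path):
        return None
    with open(path, "rb") as f:
        return parse_wpbt(f.read())


if __name__ == "__main__":
    live = read_live_wpbt()
    print("live WPBT:", live if live else "none (firmware does not ask Windows to run a binary at boot)")
    print("constructed sample:", parse_wpbt(build_sample_wpbt("/quiet")))
```

A machine whose firmware publishes no WPBT cannot be subjected to this kind of injection; one that does should have the handed-off binary dumped from the reported physical address and examined. On Windows the same table can be fetched with the `GetSystemFirmwareTable` API, and Microsoft documents a `DisableWpbtExecution` DWORD under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager` that stops the loader from running the binary, which is the OS-side opt-out the page notes was missing in 2015.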
What they claim: Lenovo ThinkShield security platform markets enterprise-grade firmware security and UEFI Secure Boot protection for ThinkPad laptops.
What we found: ESET discovered manufacturing drivers named "SecureBackDoor" (CVE-2021-3971) and unnamed debug drivers (CVE-2021-3972) that were left active in production BIOS images across millions of consumer notebooks. These drivers allowed disabling SPI flash protection and UEFI Secure Boot. CVE-2021-3970 allowed arbitrary SMRAM read/write — code execution at the highest x86 privilege level. Seven months later, CVE-2022-3430 and CVE-2022-3431 revealed the SAME class of vulnerability: manufacturing drivers left in production firmware. Binarly found Lenovo's patches failed to fix underlying issues.
What they claim: Lenovo markets ThinkPad laptops with Intel vPro and ThinkShield as enterprise security platforms with hardware-level protections.
What we found: CVE-2025-4422 (CVSS 8.2, reported by Binarly April 2025): Buffer overflow in SMI handler allows SMM memory corruption and firmware-level persistent malware implantation. CVE-2022-3430/3431: Recurring pattern of UEFI Secure Boot bypass vulnerabilities. The same class of vulnerability (manufacturing drivers in production firmware) appeared in April 2022 (CVE-2021-3971/3972) and again in November 2022 (CVE-2022-3430/3431) — Lenovo failed to systematically audit for this vulnerability class after the first discovery.
What they claim: Lenovo ships laptops with locked-down BIOS and prohibits users from replacing pre-installed wireless modules, citing security and regulatory compliance.
What we found: FCC filing for Intel AX211 (PD9AX211NG) shows the wireless module is certified by Intel, not Lenovo. Lenovo's regulatory notice states: "The wireless LAN and Bluetooth module in your computer is preinstalled by Lenovo and you are prohibited to replace with other wireless adapter nor remove it." Yet Lenovo has shipped production BIOS with multiple Secure Boot bypass vulnerabilities (CVE-2021-3971, CVE-2021-3972, CVE-2022-3430, CVE-2022-3431) that undermine the very firmware security Lenovo cites as justification for locking down hardware modifications.
What they claim: Lenovo privacy statement says data collection begins with user setup and implies user initiation: "Lenovo Welcome initiates within approximately 24 hours after setting up certain Lenovo Products."
What we found: The Lenovo Customer Feedback Program runs Lenovo.TVT.CustomerFeedback.Agent.exe as a scheduled task that uploads usage logs from the "Lenovo-Customer Feedback" Windows event log, recording tool starts and system update installations. This runs automatically without explicit user consent during setup. Combined with Lenovo Vantage's RECEIVE_BOOT_COMPLETED permission (auto-start on every boot) and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS (persistent background operation), telemetry collection begins immediately and runs continuously.