Lenovo Smart Assistant Factory Test Mode - Lenovo Support US

Lenovo Security Advisory: LEN-22172

**Potential Impact:**Root access of the device

Severity: Medium

Scope of Impact: Lenovo Smart Assistant

CVE Identifier: CVE-2018-9070

Summary Description:

Lenovo Smart Assistant is an Amazon Alexa-enabled smart speaker developed by Lenovo. An attacker with physical access to the smart speaker can, by pressing a specific button sequence, enter factory test mode and enable a web service intended for testing the device. As with most test modes, this provides extra privileges, including changing settings and running code.

Mitigation Strategy for Customers (what you should do to protect yourself):

Lenovo has updated the firmware automatically to version 12.1.82 through the usual OTA process (Over The Air). You can use the Lenovo Link App to confirm you have this version or later. In the app’s menu under “Settings,” the version is displayed as “Firmware automatic upgrade v12.1.82.”

Acknowledgement:

Lenovo thanks Wen Guanxing from Pangu Lab for reporting this issue.

For a complete list of all Lenovo Product Security Advisories, click here.

Revision History:

Revision

|

Date

|

Description

—|—|—

1

|

2018-07-12

|

Initial release.

For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on as “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.