What is Lenovo WiFi Security and should you enable or ignore it?

Lenovo laptop customers with the Lenovo Vantage app for Windows 10 (preinstalled by default) are being prompted to enable a new feature called Lenovo WiFi Security. Lenovo claims the feature will help protect its customers against “malicious WiFi networks”. But what does the feature actually do? and should you bother enabling it?

The promise of Lenovo WiFi Security is that it will, somehow, “help protect you from connecting to malicious WiFi networks” and “reduce the risk of having your computer and data exposed to attackers”.

However, there are very few details available about how Lenovo WiFi Security actually works and what it does once its enabled. It’s also really hard to get any concrete details about the feature out of Lenovo or Coronet Cyber Security; an Israeli company that provides the infrastructure that powers Lenovo WiFi Security.

Lenovo WiFi Security appears to be a branded distribution of Coronet SecureConnect; a product of which there is no specific information available on the web. Coronet hasn’t published much details about how any of their services work, but I’ve been able to dig up some hints here and there from historical product pages and news snippets.

So what does Lenovo WiFi Security protect against?

It’s unclear exactly what capabilities Coronet SecureConnect has and which have been incorporated into Lenovo WiFi Security as there is no documentation available about either. I’ve collected some of the most specific statements I’ve been able to find regarding Coronet’s claimed capabilities:

“Coronet can detect and evade unsafe wireless connections over both Wi-Fi and Cellular networks. It can also rate and keep record of popular network scores […].”

“Network-in-the-middle attacks (evil twin, PNL honeypots, compromised captive portals). Traffic interception, attempt to steal encryption keys and certificates.”

“Coronet’s SecureCloud, the platform that offers end to end outside the perimeter security, confirms that it is the first company to offer protection against KRACK.”

These statements are all made about Coronet SecureCloud product and not their SecureConnect product. I’ve asked Coronet and Lenovo multiple times to provide more specific details about Lenovo WiFi Security, but I’ve not received a reply from either companies.

Let’s put it to the test

I’ve setup a few different test networks that should seem suspicious, including one with WPAD/DHCP-PAC (proxy auto-configuration), a transparent proxy, and poisoned DNS responses. I even walked about Oslo city center and connected to more than 50 open WiFi access points. All of these networks were cleared by Lenovo WiFi Security as “compliant” with a green rating.

I only managed to trigger a warning from Lenovo WiFi Security after connecting to a WiFi access point that relayed all traffic through a Tor exit node in Russia using my InvizBox.

Lenovo WiFi Security notification

“Lenovo WiFi Security has detected potentially malicious activity on InvizBoz network.”

At least one of the Wi-Fi access points I connected to is known not have been patched against the KRACK Attack vulnerabilities. I also really doubt that all the networks and devices I connected to in the Oslo city center would have been patched and updated.

I’m frankly surprised more of my attempts weren’t detected as malicious. I thought a transparent proxy would trigger warnings for sure. It’s also notable that you only get one notification from the app informing you about a potential malicious network. You can’t get any more information about the potential risk than the rating (green, yellow, or red).

On one of my household’s three Lenovo laptops, Lenovo WiFi Security will go into an infinite crash loop every minute or so when enabled.

Privacy and location data

Part of the information that Lenovo WiFi Security collects about wireless networks is the same information used to location-triangulate devices. You’re prompted to grant the Lenovo Vantage app access to your device’s location through the Windows.Devices.Geolocation service when you enable Lenovo WiFi Security. Read this article for an introduction to this broader topic.

Lenovo’s Product Privacy Statement doesn’t mention Lenovo WiFi Security, Coronet Cyber Security, or the collection of location data. I contacted Lenovo’s dedicated privacy contact and got the following statement:

“Coronet collects anonymized information about the wifi access points in the surroundings of the user device and communicates part of this information to the servers of Coronet Cyber Security. This information is used to generate aggregated knowledge about the wifi networks and is used to allow certain user protection capabilities provided by Coronet.”

― Email correspondence, , Lenovo Privacy Program

The following statement comes form Coronet Cyber Security’s own Privacy Policy. Importantly, this policy does not apply to Lenovo WiFi Security as Lenovo customers are never presented with the policy and are never told about the service’s use of Coronet’s infrastructure.

“[Coronet] also collect technical information transmitted by your device, including certain software and hardware information (e.g. your carrier, your operating system, your approximate location, etc.) and information regarding the behavior and usage of networks around and by your device in order to provide you and the License Holder with analysis, in respect to potential threats. Such information may include specific network configurations, but will not include any information that was transmitted through the networks (e.g. SMS; online browsing; phone calls, etc.).” “[…]”

“We will not share your e-mail address or any other personally identifiable information with online advertisers and advertising networks, without your explicit consent.”

Privacy Policy, Coronet

Marketing materials from Coronet shows the location of end-user devices plotted on a map, but this is probably related to Coronet’s other service offerings for enterprise customers. However, it does confirm and demonstrate their capabilities to track the location of customers. It’s worrying that Lenovo haven’t included more detailed information about their partnership with Coronet Cyber Security in their privacy policy, and that they don’t really talk about or promote the service except for the notification prompts they send to Lenovo Vantage app users.

Conclusions

I really don’t know what to make out of Lenovo WiFi Security. I can see the value proposition, but the service doesn’t seem to deliver on it. It doesn’t provide enough information to genuinely help people make good decisions about WiFi network security. It also doesn’t block you from connecting to malicious or suspicious networks. I expected it to abort the connection and prompt me for a confirmation before establishing the connection. All you get is one easily missed notification.

I’m also surprised by the lack of transparency in how the service works and its implications on your privacy. Do you want to send your device location data to an Israeli company?

The short and long of it is that you should never connect to a public Wi-Fi access point. Lenovo WiFi Security can only leave you with the false sense of security and make you trust networks you shouldn’t use.

If you absolutely have to connect to a public WiFi access point, then the only thing that can offer you some level of protection is a virtual network provider (VPN). Assuming of course that you can trust your VPN provider and you don’t end up putting them in a position where your VPN can intercept your traffic more easily than a compromised or malicious Wi-Fi network.