Lenovo In Denial: Insists There's No Security Problem With Superfish -- Which Is Very, Very Wrong.
from the so-long-and-thanks-for-all-the-superfish dept
Late last night, people started buzzing on Twitter about the fact that Lenovo, makers of the famous Thinkpad laptops, had been installing a really nasty form of adware on those machines called Superfish. Many news stories started popping up about this, again, focusing on the adware. But putting adware on a computer, while ethically questionable and a general pain in the ass, is not the real problem here. The problem is that the adware in question, Superfish, has an astoundingly stupid way of working that effectively allows for a very easy man in the middle attack on any computer with the software installed, making it a massive security hole that is insanely dangerous. Lenovo's response? Basically to shrug its shoulders and say it doesn't understand why anyone's that upset. This is because whoever wrote Lenovo's statement on this is completely clueless about computer security.
"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns."
Bullshit. That's really the only response that should be said to that line. Lenovo focuses on the reasons why many people normally hate adware: that it tracks what you're doing and sends info back to third parties. That's not what Superfish does, so Lenovo doesn't see what the big deal is. Superfish, which was just recently ranked 64th by Forbes in its list of "Most Promising American Companies," tries to watch what you're surfing, and when you see certain images, the service injects other offerings for similar (or the same) products. In theory, if one chose to use such a product, you could see why it could be useful. But automatically putting it on computers is a different thing altogether.
The real problem is in how Superfish deals with HTTPS protected sites. Since, in theory, it shouldn't be able to see the images on those sites, it appears that Superfish came up with what it must have believed was a clever workaround: it installs its own self-signed root certificate into the machine's trust store, so that any HTTPS page you're visiting appears perfectly legitimate even though Superfish is sitting in the middle of the connection. For many years, we've pointed out why the HTTPS system with certificate authorities is open to a giant man in the middle attack via any certificate authority willing to grant a fake certificate -- and here we basically have Lenovo enabling this questionable company to go hogwild with this exact kind of MITM attack. Basically, EVERY SINGLE HTTPS SITE that you visit was a victim of this kind of MITM attack -- solely for the purpose of interjecting Superfish ads. In fact, some have suggested it could apply to VPNs as well. Basically this is a massively dangerous security hole with wide ranging implications. And Lenovo says they don't see why.
And, even beyond that, it's implemented incredibly stupidly -- in a way that is ridiculously dangerous. That's because it appears that the private key used for the Superfish certificate is the same on basically every install of this software. And it didn't take very long at all for security folks, such as Robert Graham, to crack the password protecting that key, meaning that anyone who has it can sign a certificate for any site, and it's now incredibly easy to get access to information someone thinks is encrypted. As Graham notes, the password is "komodia" which just so happens to also be the name of a company that "redirects" HTTPS traffic (for spying on kids and such).
This is a massive and ridiculous security threat, and Lenovo is completely brushing it off as nothing big. As many have noted, people have been complaining about the adware components of the software for months now, and Lenovo announced that it was stopping installs, because some people didn't like the way the software created popups and such -- but with no mention of the massive security problems. And, even now, the company doesn't seem willing to admit to them.
Furthermore, the company doesn't even seem willing to say what machines it installed them on, or provide people with instructions on how to protect themselves (simply uninstalling Superfish won't do it). This is a huge mess. I've personally been a very loyal Lenovo Thinkpad customer for years, having bought many, many laptops. In fact, just a couple months ago -- right in the middle of the period of when Superfish was being preloaded -- I bought a new Thinkpad laptop, though it appears that mine is not one that includes Superfish. Still, Lenovo created a huge and dangerous mess, and they don't seem to recognize it at all. This kind of fuck up is much worse than the whole Sony rootkit thing from a decade or so ago, and as with Sony then, Lenovo doesn't seem to have the slightest clue of just how badly it has put people at risk.
It doesn't take much to kill off tremendous goodwill and trust, and Lenovo may have just done so with its pitiful reaction here. It's one thing for Lenovo to have made the stupid decision to install this kind of adware/bloatware. It's a second thing to not realize the security implications of it. However, it's another thing entirely, once it's been pointed out to Lenovo, to then deny that this is a security risk. Lenovo screwed up big time here, and mostly in the way it's responded to the mess it created.
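Since the post says Lenovo offered no way for owners to check whether they are affected, here is a check written for this page as an added example (not Lenovo's, Superfish's or the author's code). It looks for the condition described above, a self-signed Superfish root in a Windows trusted root store, and separately inspects who issued the certificate a TLS client actually receives. The store paths and .NET classes are standard Windows/.NET; the host name at the end is a placeholder.

```powershell
# Added example: detect (and optionally remove) the Superfish trust anchor on a Windows machine.
# Assumes Windows PowerShell 5.1 or later. Removing from LocalMachine\Root requires an elevated shell.

function Find-SuperfishRoot {
    # A root CA certificate is self-signed, so its Subject equals its Issuer. Both the machine-wide
    # and the per-user root stores are checked, since either one is enough to make a forged site
    # certificate look legitimate to a client that trusts the store.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like '*Superfish*' -and $_.Subject -eq $_.Issuer } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint    # record before removal, for the incident notes
                    NotAfter   = $_.NotAfter
                    HasKey     = $_.HasPrivateKey # a root whose private key lives on the box is the worst case
                }
            }
    }
}

function Test-TlsIssuer {
    # Independent check: open a TLS connection and read the issuer of the leaf certificate presented.
    # With an interceptor in the path, the issuer is the interceptor's CA, not the site's public CA.
    # Chain validation is deliberately bypassed here because this function only inspects, never trusts.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            HostName    = $HostName
            Issuer      = $leaf.Issuer
            Intercepted = ($leaf.Issuer -like '*Superfish*')
        }
    } finally { $tcp.Close() }
}

$found = Find-SuperfishRoot
if ($found) {
    $found | Format-Table -AutoSize
    # Deleting the trust anchor is the minimal fix; uninstalling the adware alone leaves it in place.
    # -WhatIf previews the deletion; remove it to actually delete the certificate.
    $found | ForEach-Object { Remove-Item -Path (Join-Path $_.Store $_.Thumbprint) -WhatIf }
} else {
    'No self-signed Superfish root found in the LocalMachine or CurrentUser Root stores.'
}
Test-TlsIssuer -HostName 'example.com'   # placeholder host; any HTTPS site you normally visit will do
```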
Filed Under: adware, certificate authority, concerns, https, man in the middle, privacy, security, superfish, tls
Companies: komodia, lenovo, superfish
Reader Comments
It did for me
Including Superfish and the bogus certificate was a terrible thing to do in the first place, but what convinced me to never buy another Lenovo machine in the future was this exact response by them. It indicates either an insane level of incompetence or a deliberate effort to deceive everyone. Either way, that's enough to put them on my "never do business with" list.
Re: It did for me
I was just about to pull the trigger on an X1 Carbon.
Not now .... OK, back to days of researching the next alternative.
Links to other coverage of Superfish
Superfish key (thanks to EFF for the link).
Test site to check if a system accepts the Superfish super-CA (also thanks to EFF/LWN for the link).
Re: Re:
To what are you referring? Sounds interesting...
Re:
When the gov says it then you never know if they just try to blame someone else for something they implanted in the first place. If tech sites post something then well... they aren't spying themselves so it is possibly true and I believe them.
btw. Tech site owners: if the NSA visits you in the next few days and tries to make you post stuff because people believe you more than them... you're welcome!
Re:
The more specific warning seems to be relatively well investigated and documented from fall 2014 to now.
The problem for Lenovo is their insistence that the program people have documented as a potential backdoor should not be seen as any "security concern". For people who know a bit about computers that is scary ignorance or malicious intent, since history has taught us that a potential vulnerability has to be assumed to be a potential future exploit if you have any respect for your customers.
Re:
It reminds me of the Reacher Gilt character from the Discworld novel "Going Postal", who had the appearance of a pirate as he used business deals to steal as much money as he could.
Re:
FTFY and now yes you do.
Re:
I believe only some models, not all.
Re: Re:
Yes, only a subset of "consumer" models. My T-series isn't affected, since that's a "business" model, apparently.
Why do people think this is a big deal.
I mean that is what I have been doing for years.
Re: Why do people think this is a big deal.
Even if you can smugly say you aren't directly affected, this is a concerning vulnerability.
(I mean, I'm a smug Linux user, all my machines run Linux, but a Windows-specific vulnerability like this one still concerns me.)
Re: Re: Why do people think this is a big deal.
While it would be a more difficult task, this could be done on Linux if you buy a pre-built computer with a distro already installed. It just needs to come with a repository URL pointing to the manufacturer and, for example, have openssl-superfish and gnutls-superfish patched libraries installed instead of the upstream libraries.
There is an inherent trust relationship when using a pre-imaged machine, and Lenovo has violated that trust.
Re: Why do people think this is a big deal.
How many of the thousands (millions?) of non-technical end users only see a new computer to do research/email/school/etc. and just care that it "just works?"
Those are the people who will be served websites that "require an update" and download a file "signed" by microsoft.
So what if YOU nuke and pave once a month and wipe every new machine. Does your mom do that? Your siblings? Even your coworkers who should know better?
Re: Re: Why do people think this is a big deal.
That's assuming that it's still easy to install and run non-authorized Windows OS's (though probably not as easy as the time when half the computers in the world were using the same "FCKGW-" XP key).
Re: Re: Re: Why do people think this is a big deal.
As long as you have a valid key, and know which product it is for, it's very simple. Just test it in VirtualBox before doing it on real hardware.
Isn't it time to cue the prosecutors?
This is a systematic, malicious, intentional large-scale attack, with serious adverse consequences for those affected...unlike, let's say, mass downloading of academic journal articles. So where are those who like to wield the CFAA like a club? When can we expect to see Lenovo executives being dragged out of their offices? How about the indictments, where are those? And can we expect aggressive prosecution with the threat of long prison sentences?
Re: Isn't it time to cue the prosecutors?
Those with the gold make the rules
Lenovo has too much money to be punished over this.
Some Credit
That said, there's still a lot of product out on store shelves that will take the better part of a year to clear out. Lenovo ought to recall this merchandise and re-image the machines. They could even resell them as refurbished (I for one would look forward to a glut of near-perfect refurbished laptops hitting the market).
There's also the issue of what to do for customers who already purchased these machines. There is, at this point, no evidence of active abuse for this vulnerability. A simple patch that merely removes the entry from the trusted certificates store would be adequate to protect consumers. However, that would leave many of them feeling that their machines are broken (their browser would show every https site they visit as fake), and so completely removing the service will be necessary. This is a harder patch, but just making the patch available and notifying customers would be adequate. At least, it's the bare minimum.
Unfortunately, Lenovo has not yet taken either of these steps. Instead, they published a response that demonstrates a complete lack of understanding of the issue.
Re: Some Credit
Which means nothing.
Think about it for a minute: what, exactly, would that evidence look like? And how would one make a definitive connection from it to Superfish?
That circumstance isn't an accident. It's called "plausible deniability" and it will enable Lenovo, during the inevitable class-action lawsuit, to claim that observed symptoms X and Y and Z were not caused or enabled by Superfish, but by some other security issue on the affected systems.
Re: Re: Some Credit
Yes, there is. They impersonated 1000's of websites. That is called abuse.
No credit
Although not exactly appropriate, a product recall notice occurs to me as one way to notify consumers. Not everyone is guaranteed to read that either, but at least users who worry about physical defects in their purchases will be periodically reading recall announcements. It will help that some vendors have shipped laptops that later were recalled as fire hazards, so monitoring recall notices on one's laptop has practical value.
http://news.lenovo.com/article_display.cfm?article_id=1929
Mint my own certs
Re: Mint my own certs
So, basically, yes, it'll work, but your certificates will only be recognized by those who have chosen to install Superfish, and those who have the affected Lenovo laptops.
Consumer line only?
From the descriptions I've read, this sounds like the kind of product that I might expect to find installed on Lenovo's consumer line products. Does anyone know if this was occurring in "Think" branded products, or only in "idea" branded products?
Re: Consumer line only?
-Go to Trusted Root Certificate Authorities\Certificates
-Look for a certificate issued to Superfish, Inc. by Superfish, Inc.
Alternatively, use Superfish CA test
Re: Consumer line only?
That "may have" bugs me, since it implies that the list is not complete.
http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html
Tinfoil hat time
Add tailored access (QUANTUMINSERT) and even Superfish need not know that their attackware has been compromised.
Re: Tinfoil hat time
/tinfoilhat
Re: Re: Tinfoil hat time
So, while speculation about Superfish being an intel front isn't ridiculous, it's also not necessary. I don't think that the company would do anything differently at all if they are or are not, and the intel agencies would derive just as much of a benefit either way.
Now it is a severe security warning on their website.
Why do you so hate capitalism? Lenovo was just trying to maximize profits, as any good capitalist should. Sure, they may have made a mistake, but their heart was in the right place.
I'm certainly never going to buy a Lenovo computer ever again now that I've seen this story. I've got a Lenovo Android device, which has been fine up until now but honestly I don't think I want it any more, given the power manufacturers have over what gets installed remotely onto "their" hardware...
I'm absolutely disgusted.
Article above should be amended to correct this. What they've done is indefensible, but get the facts right.
Hang 'em High!
Re: Hang 'em High!
If you want justice, you have to join the 1% of the US population, by whatever means - fair or foul - or suffer the consequences of the laws, according to the new Corporate Constitution of the United States of America.
Lenovo (internally) decided to wait a few months for 'the stupids [quote]' to focus on something else and then re-introduced Superfish, but now with chameleon name-randomizing capability.
Of course it's 100% coincidental that 'someone', within 12 hours of the update going live, started siphoning data to Chinese government-owned servers....