Lenovo Quietly Deletes That Bit About 'No Security Concerns' To Superfish... While Superfish Says 'No Consumers Vulnerable'
from the own-it dept
Wednesday night, the security world blew up with the news (which had actually been out there for a while) that the adware/malware Superfish, which Lenovo had been installing by default on many laptops, included a massive and dangerous security vulnerability: it installed its own self-signed root certificate into the machine's trust store and then mounted a man-in-the-middle attack on every single HTTPS connection, using a certificate whose private key was easily recovered, leaving anyone who owned one of those laptops wide open. We were shocked at the tone-deafness of Lenovo's initial response, which didn't even name which laptops Superfish was installed on and made this blatantly bullshit statement:

We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.

However, within hours, Lenovo had quietly updated its statement to remove that line. The company is now also (finally) admitting which laptops were affected and has put together a page on how to remove the software and the rogue certificate. That's better, but Lenovo should at least apologize, which it has not done, and admit that it was completely full of shit in insisting that there was no security concern.
Speaking of which, Superfish has remained remarkably quiet as well. At the time I write this, there is nothing about this on its website, and it's only given a ridiculously misleading statement to reporters:
Superfish has not been active on Lenovo laptops since December. We stand by this Lenovo statement: http://news.lenovo.com/article_display.cfm?article_id=1929.

It is important to note: Superfish is completely transparent in what our software does and at no time were consumers vulnerable—we stand by this today. Lenovo will be releasing a statement later today with all of the specifics that clarify that there has been no wrongdoing on our end.

First of all, at the time it "stood by" the Lenovo statement, that statement was blatantly false in claiming that there were no security concerns. Similarly, it's simply not true that Superfish is "completely transparent," because no one knew that it was inserting its own self-signed certificate and using it on every HTTPS connection. Furthermore, consumers absolutely were vulnerable.
Finally, there's Komodia. As Robert Graham discovered when he cracked the Superfish certificate's private key, the password is "komodia," which just happens to be the name of a company that sells a product for... creating exactly this kind of man-in-the-middle interception of HTTPS connections, mainly for parental-control spyware. That company has been entirely silent on this too. Its website looks like it hasn't been updated recently, and its various blogs and Facebook page appear untouched since 2013.
However, as security researchers are discovering, Komodia's tool is being used in other crappy spyware/malware, and always in the same terrible manner: every one of them protects the root certificate's private key with the same password, "komodia." As Marc Rogers notes:
What does this mean? Well, this means that those dodgy certificates aren’t limited to Lenovo laptops sold over a specific date range. It means that anyone who has come into contact with a Komodia product, or who has had some sort of Parental Control software installed on their computer should probably check to see if they are affected.

The software known to use Komodia includes Komodia's own "Keep My Family Secure," Qustodio's parental control software and the Kurupira Webfilter -- all of which are likely very vulnerable thanks to this idiotic implementation.
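To make concrete why a shared root-certificate password is fatal, here is an added example (written for this page; it is not code from the article, Techdirt, Lenovo, Superfish or Komodia). It uses the stock openssl command line to build a throwaway self-signed root whose key is locked with the passphrase the article reports, "komodia"; everything else (the root's subject name, the temp directory, the target hostname www.example.com) is constructed for the demo. A third party who knows that passphrase recovers the key, mints a certificate for a site they do not control, and any machine that trusts the shipped root accepts it, hostname check included. That is the "giant vulnerability" the article is talking about, and it holds whether the trusted root came from Superfish or from any other Komodia-based product.

```shell
#!/bin/sh
# Added example: a root CA whose private key is protected only by a passphrase
# that ships, identical, with every install. Anyone who learns it can issue a
# certificate for any host, and every machine that trusts the root accepts it.
# The subject name, paths and target host are constructed for this demo; only
# the passphrase "komodia" comes from the article.
set -eu

forge_with_shared_key() {
    work=$(mktemp -d)
    pass="komodia"                  # the "secret" every laptop carries
    target="www.example.com"        # a site the forger has no rights to

    # 1. Vendor side: a self-signed root, key encrypted with the shared passphrase.
    openssl req -x509 -newkey rsa:2048 -days 7 \
        -subj "/CN=Constructed Intercepting Root" \
        -passout "pass:$pass" -keyout "$work/root.key" -out "$work/root.pem" 2>/dev/null

    # 2. Attacker side: the passphrase is on every machine, so the key is theirs too.
    openssl rsa -in "$work/root.key" -passin "pass:$pass" \
        -out "$work/root-plain.key" 2>/dev/null

    # 3. Mint a leaf certificate for a host they do not control, with a matching SAN.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$target" \
        -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$target" > "$work/leaf.ext"
    openssl x509 -req -days 7 -in "$work/leaf.csr" -extfile "$work/leaf.ext" \
        -CA "$work/root.pem" -CAkey "$work/root-plain.key" -CAcreateserial \
        -out "$work/leaf.pem" 2>/dev/null

    # 4. A client that trusts the shipped root accepts the forgery, hostname and all.
    status=0
    openssl verify -CAfile "$work/root.pem" -verify_hostname "$target" \
        "$work/leaf.pem" || status=$?
    rm -rf "$work"
    return $status
}

forge_with_shared_key
```

The last command prints the leaf's path followed by `OK`, which is exactly what a browser on an affected machine would conclude about a forged `www.example.com` certificate. Rotating to a unique strong passphrase per machine would not help, as one of the comments below points out: the proxy has to decrypt the key at runtime, so the key and whatever unlocks it sit on the same disk. The practical check on a suspect machine is to look at who issued the certificate a site presents to you, for example with `openssl s_client -connect host:443 -servername host` and reading the issuer of the chain it prints; an issuer you never heard of (a vendor or parental-control product rather than a public CA) means something on the box is intercepting TLS.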
This problem is MUCH bigger than we thought it was.
Lenovo, Superfish and Komodia have all done a piss-poor job of taking responsibility for the massive security vulnerability they created.
Filed Under: privacy, security, superfish, vulnerability
Companies: komodia, lenovo, superfish
Reader Comments
The fun never ends
But there are two different ways to match a domain name to a certificate, and they forgot the other one. So anyone can create an invalid certificate which, when passed through any of these Komodia proxies, will be treated as valid by the browser. The attacker doesn't even have to use the Superfish key.
Re: The fun never ends
It makes more sense if you spell it as "SuperPhish."
More telling: poking around on the Lenovo forums, I found an older thread where it appears this product was screwing up people's net access and downloads, and they went ahead and patched it to make it work better. One wonders if the solution was the cert.
You know who owns Lenovo now, right?
Re: You know who owns Lenovo now, right?
I know what you are thinking: much of our tech is made there, and that is true. But with a fully owned company, they are free to put in whatever spyware software or hardware they want. With other companies, they would have to get that stuff past their engineers. Could they do it? Sometimes, but get caught once and they are done.
Not free to put spyware on computers
My bank can not advertise my balances in the local paper. My computer can not knowingly have spyware installed by the manufacturer that sends my passwords to a third party. A car manufacturer can not legally sell a car whose brakes will fail one time in a thousand.
The "we are a private company and can do as we like" mantra is nothing but fabrication. Products of companies must meet implicit warranties of merchantability and fitness. Failure to meet those legal criteria opens a company to civil and criminal liability. I don't know if Lenovo committed the actions described above or not. But any company that did so would almost certainly be in breach of implied warranties.
I wouldn't be surprised if Lenovo and/or Superfish continued to deny it until someone actually has an account cracked and there's a sworn deposition, from a security expert, showing their software was to blame.
This doesn't matter at all. They could use a unique strong password on each computer, and it would make no difference because that password must be stored on the computer so it can decrypt the certificate... which is the same on every computer anyway.
Lenovo's statement is such BS
"we are going to spend the next few weeks digging in on this issue, learning what we can do better. We will talk with partners, industry experts and our users. We will get their feedback. By the end of this month, we will announce a plan to help lead Lenovo and our industry forward with deeper knowledge, more understanding and even greater focus on issues surrounding adware, pre-installs and security"
So what you are saying is that either you have no one in your corporation who knows jack shit about security and moral responsibility, OR you have the wrong people working above them with the authority to override them. In either case, time will not fix the problem. I take that back: time will fix the problem, but only because you are banking on the consumer forgetting your past.
As far as Lenovo's and just about any other manufacturer's stance on pre-installing shit software on machines... Just stop it altogether. If I buy a machine with Win7 Pro, that is all I want. If they insist on doing it, then there should be a full disclaimer about every single piece of other software pre-installed.
Re: Lenovo's statement is such BS
They all seem to follow the same playbook:
First you lie outright. When that doesn't work, then you start mixing in half-truths and taking back some of the lies. Repeat as needed. Never admit to more than you're forced to.
A full admission of the truth -- if it ever comes -- will be the result of a long process of dragging it out of them piece by piece by debunking all their lies and distortions.
Of course, a few will prefer to be a Dick Cheney and deny everything to the bitter end.
Superfish *is* Transparent
Were you confused into thinking Superfish meant it was transparent to the person (who paid!) to be spied on?
Inevitability You Can Trust
As for the claims that users were never vulnerable, the only ways they could possibly believe that is either extreme incompetence or NSA-style redefinition. If by "vulnerable" they mean that their software never actively sent your plaintext around, then yes, users were never vulnerable - as long as they never talk to anyone untrustworthy who sends a certificate that exploits the great gaping hole in the product. That's about as useful as saying that "This window provides great privacy, as long as you don't let any peeping toms get within a mile of it."
Re:
True. But I think the more likely explanation is that they don't believe it at all and are simply lying their asses off.
They did...
They did:
https://twitter.com/lenovoUS/status/568578319681257472
Re: Re: Re: They did...
Umm, no, they're going to have to try a little harder than that if they want people to believe that they're sincere. Contacting the WSJ and making a public retraction of their previous claims would be a good start, but given how utterly dismissive they've been during the whole thing, they've got a lot to make up for.
Re: Re: Re: Re: They did...
Indeed. I think their underlying problem here is that they genuinely aren't sincere. They're just trying to find the proper mouth-noises that will make the whole thing vanish from the public consciousness.
Removal link update
https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Removal-Instructions-for-VisualDiscovery-Superfish-application/ta-p/2029206
That page does not itself actually explain how to remove Superfish, but it does link to two separate pages for that purpose, one of which provides a dedicated removal tool.