The $3.5 Million Check Comes Due for Lenovo And Its Security-Compromising Superfish Adware

from the what-security-and-privacy-problem? dept

You might recall that back in 2015, Lenovo was busted for installing a nasty bit of snoopware made by a company named Superfish on select models of the company's Thinkpad laptops. Superfish's VisualDiscovery wasn't just annoying adware however; it was so poorly designed that it effectively made all of Lenovo's customers vulnerable to HTTPS man-in-the-middle attacks that were relatively trivial for an attacker to carry out. More specifically, it installed a self-signed root HTTPS certificate that could intercept encrypted traffic for every website a user visits -- one that falsely represented itself as the official website certificate.

That's hugely problematic for what should be obvious reasons, but Lenovo doubled down on dumb by issuing a statement initially claiming it didn't see what all the fuss was about and that it was just trying to "improve the shopping experience":

"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns."

Security researchers didn't agree. Neither, apparently, did the FTC, which this week gave Lenovo what amounts to a stern talking to after the company settled allegations it had turned a blind eye to customer security concerns:

"Lenovo compromised consumers’ privacy when it preloaded software that could access consumers’ sensitive information without adequate notice or consent to its use,” said Acting FTC Chairman Maureen K. Ohlhausen. “This conduct is even more serious because the software compromised online security protections that consumers rely on.”

The full FTC complaint (pdf) against Lenovo makes it clear the Superfish adware used the same bunk security certificate for every user of the stealthware -- every time it covertly interupted secure traffic. And, of course, the complaint notes that Lenovo really couldn't be bothered to explain how any of this was happening to the company's customers:

"Respondent did not make any disclosures about VisualDiscovery to consumers prior to purchase. It did not disclose the name of the program; the fact that the program would act as a man-in-the-middle between consumers and all websites with which they communicated, including sensitive communications with encrypted https:// websites; or the fact that the program would collect and transmit consumer Internet browsing data to Superfish."

Yeah, whoops. One complaint exhibit highlights that while users had the option of opting out of this security-compromising, behavioral advertising effort, Superfish and Lenovo made doing so notably hard to spot:

But again, nowhere was the encryption-compromising aspect of this software disclosed to the end user, even in the finest of fine print in the company's privacy policy. And opting out only prevented users seeing ads dictated by their previous browsing habits; doing so didn't stop the software from faking security certificates and compromising the end user's security.

Lenovo won't be required to pay a dime to impacted users; FTC boss Ohlhausen (who downplayed the severity of the deception in her own statement (pdf)), claims the agency lacks the legal authority to obtain civil penalties for first-time violators under the FTC Act. As part of the settlement Lenovo is prohibited from misrepresenting "features of software preloaded on laptops that will inject advertising into consumers' Internet browsing sessions or transmit sensitive consumer information to third parties." Lenovo must also get explicit consumer opt-in consent before installing similar software in the future, and must implement -- for the next 20 years -- a software security program to more dutifully analyze the security impact of such programs.

A day after Lenovo's settlement with the FTC, the company also struck a $3.5 million settlement (pdf) with a coalition of 32 states for violating user privacy and failing utterly to disclose the dangerous nature of the company's laptop bloatware. In a statement Lenovo proclaimed it had seen the error of its ways, and that "security, privacy and quality are top priorities at Lenovo." Of course this is the same company that shortly after the Superfish fiasco was caught stealthily installing bloatware via laptop BIOS, so hopefully Lenovo won't mind if people wait a little while before declaring the company truly reformed.

Filed Under: adware, ftc, malware, superfish, tracking
Companies: lenovo

Lenovo Accused Of Locking Linux Out Of Certain Laptops At Microsoft's Request

from the that-would-be-dumb dept

A thread on Reddit is getting a fair bit of attention today, claiming that Lenovo has set up some of its Yoga laptops to block anyone from installing Linux -- and a Lenovo representative then pointed the finger at Microsoft, saying that it's part of what Lenovo was required to do as part of the Microsoft "Signature Edition" Windows 10 program, though there are reasons to doubt this is true. What is clearly true is that there's a problem installing Linux on a bunch of Lenovo machines. Here's a giant thread on the problems (which apparently disappeared for a while, but is back as I write this). And here's another. And here's another. Some of these threads go back many months. But the issue that has suddenly made it big news is a comment supposedly from a Lenovo "product expert" that the company is forced to block it as a part of the Signature Edition program: If you haven't heard of the Windows "Signature Edition," it's a program from Microsoft to offer a "clean" (read: no annoying bloatware) version of Windows. Think of it like a Google Nexus phone with a clean Android install, as compared to one from a carrier or handset maker stuffed with annoying bloatware you'll never use. The Signature Edition PCs have received some fairly glowing reviews -- and many (ironically given this story today) of the news stories about the Signature Edition program use the Lenovo Superfish malware fiasco as a reason for why people should look at a Signature Edition computer if they want to run Windows.

So, yeah, based on this storyline so far, you have Microsoft making a clean install of its operating system without bloatware (good idea!), but then being accused of making Lenovo design its BIOS to block the installation of Linux (bad idea!). There is at least some reasonable skepticism that the problem here is really because of the Microsoft Signature Edition program. First of all, Signature Edition computers are supposed to only be available directly via Microsoft's stores -- and the laptop that kicked this off was purchased at Best Buy. Also it wasn't labeled as a Signature Edition PC. And it's certainly not unheard of for low level employees in forums to post incorrect information -- and there is even some question as to whether or not the "Lenovo Product Expert" in the forum post above is even a Lenovo employee or a third-party contractor anyway.

So whether Microsoft is truly to blame here is still an open question. At the very least, it does seem like Lenovo has some questions to answer -- and one hopes that the company will be more forthright and honest than it was back during the Superfish episode when it basically lied through its teeth until it couldn't lie any more.

Filed Under: bios, blocked, competition, linux, locked, secure boot, signature edition, windows
Companies: lenovo, microsoft

Former Patent Troll Admits That Patent Trolls Are Bad For Business And Innovation

from the speak-up dept

I've spoken to a few patent attorneys who have fought against patent trolls who have admitted to me that, at times, it's quite tempting to give up and join the other side, since patent trolling is fairly easy and incredibly lucrative. You just have to sell your soul and give up the idea that you're doing anything productive or good in the world, and instead become a pure bottom feeder. Someone who did exactly that is apparently Ira Blumberg, who is now speaking out about his experiences working on "the dark side" of patent trolling. Blumberg didn't end up going to one of those tiny patent trolls, but rather left a job at Intel to go work for Rambus, a company not everyone considers to be a patent troll, but which certainly has a history of being an aggressive patent litigant. From Rambus, Blumberg then joined the world's largest patent troll, Intellectual Ventures. He eventually left IV and is now at Lenovo. So he's been actively on both sides of the patent troll situation -- as an active participant in suing operating companies while working for companies that did nothing but license, and at companies that are relentlessly pursued by patent trolls.

And he's now willing to speak out and say that patent trolling is just bad. He mostly uses the more politically correct "PAE" or "patent assertion entity" rather than patent troll throughout the article.

It is now abundantly clear to me that PAEs are, in net, detrimental to business and innovation. Despite what they say, trolls are not making the world a better place for anyone. It is time they lay down their arms and allow companies to use the patent system in the way in which it was intended.

He also has no problem admitting the reality of most patent trolling: that it's not about quality patents. In fact, crappy patents are pretty good for trolling:

The sad reality is that the patents used by trolls do not need to be good for IV, or any PAE, to make money. Quality is not an issue when it costs $2-$3 million to find out whether a patent claim has merit, whereas settling costs “just” $500,000-$1 million. Trolls often aggressively push for extortionate settlements that far surpass the value of the IP because they know many companies will choose to settle rather than get embroiled in an expensive and drawn-out lawsuit. Their actions can wreak havoc on tech companies of all sizes.

Blumberg does note that patent trolls and their supporters claim that such companies are the only way to get independent inventors paid, but notes that this is not what's happening in reality:

In theory, there is some validity to this argument. It is true that individual inventors and smaller companies are not always well-compensated for their inventions. But in reality, the harm businesses suffer on this front is significantly outweighed by the harm caused by the exorbitant costs of patent litigation lawsuits. The settlements IV gains from tens of thousands of patents is vastly out of proportion with the value of the innovation being licensed.

Of course, he could go much further than that. First off, there are lots of ways for inventors to make money other than selling out to trolls. If their invention is really good, they can work with a company (or build one) to produce it. Some respond that some people don't want to do that, and to some extent the response is "too bad." There are lots of people who don't want to work for a living, and we don't necessarily say that companies have an obligation to pay them anyway. But, even if someone just wants to invent, they could easily team up with another entity to pass off their ideas and let that other company build them with a contractual agreement for royalties or some similar arrangement. The idea that you need patent trolls to provide liquidity is greatly exaggerated.

And this doesn't even get into the issue of how valuable patents are, really. It's quite rare that patents are actually disclosing true inventions in the tech space. Almost all patent disuptes are ones involving totally independent invention, where it's not the invention that's important, but the execution. And yet, patent holders and patent trolls like to pretend the idea is much more valuable than the execution.

Either way, it's good to see people like Blumberg recognize how dangerous his former employers have been to the world of innovation and to speak out about it. He's asking more people to speak out as well.

As someone who has spent time on both sides, I feel a call to speak out against frivolous and overpriced patent litigation. The work I did for both PAEs and corporations was certainly legal, but not the same: While I was always on the right side of the law, I prefer being on the right side of innovation.

Companies want to create technologies that matter five years from now and beyond, so patents continue to matter. Frivolous lawsuits and those demanding damages far in excess of the value of the allegedly infringed patent detract from our ability to push innovation and better products forward. I hope that many more voices in tech will join mine in decrying the harmful effects of needless patent litigation — our future depends on it.

Filed Under: harm, innovation, ira blumberg, patent troll, patents
Companies: intellectual ventures, lenovo, rambus

Study Shows Lenovo, Other OEM Bloatware Still Poses Huge Security Risk

from the history-repeats-itself-history-repeats-itself dept

Lenovo hasn't had what you'd call a great track record over the last few years in terms of installing insecure crapware on the company's products. You'll recall that early last year, the company was busted for installing Superfish adware that opened all of its customers up to dangerous man-in-the-middle attacks, then tried to claim they didn't see what all the fuss was about. Not too long after that, the company was busted for using a BiOS trick to reinstall its bloatware on consumer laptops upon reboot -- even if the user had installed a fresh copy of the OS.

Now Lenovo and its bloatware are making headlines once again, with the news that the company's "Accelerator Application" software makes customers vulnerable to hackers. The application is supposed to make the company's other bloatware, software, and pre-loaded tools run more quickly, but Lenovo was forced to issue a security advisory urging customers to uninstall it because it -- you guessed it -- opened them up to man-in-the-middle attacks.

The vulnerability was discovered by Duo Labs as part of a larger report on the security of pre-installed OEM software (pdf). The study found consistent security problems specifically in the software used by OEMs to keep all the other bloatware updated. Such software pretty consistently failed to make even basic use of TLS, properly validate update integrity, or verify the authenticity of update manifest contents, leaving consumers at consistent risk of remote attack. It also found that some companies even had multiple software updaters that occasionally served duplicate purposes, most of which were trivial to exploit:

"Updaters are an obvious target for a network attacker, this is a no-brainer. There have been plenty of attacks published against updaters and package management tools in the past, so we can expect OEM’s to learn from this, right? Spoiler: we broke all of them (some worse than others). Every single vendor had at least one vulnerability that could allow for a man-in-the-middle (MITM) attacker to execute arbitrary code as SYSTEM. We’d like to pat ourselves on the back for all the great bugs we found, but the reality is, it’s far too easy."

And again, to be clear, Lenovo wasn't alone in being incompetent here. In fact, the firm tried to find any vendor whose bloatware didn't pose a security risk, and they couldn't actually do so: Here's a novel idea: if OEMs can't actually learn from past mistakes and secure their bloatware, how about they do us all a favor and stop installing such crapware in the first place?

Filed Under: adware, bloatware, computers, spyware
Companies: lenovo

Learning From Lenovo's Compounded Failures, Dell Apologizes For Its Own HTTPS Certificate Screw Up

from the yeah,-whoops dept

Dell this week found itself under fire for embedding a certificate in some PCs that makes it relatively easy for attackers to cryptographically impersonate HTTPS-protected websites. First discovered by a programmer named Joe Nord, Dell's eDellRoot certificate appears to have been preinstalled as a root certificate on several Dell laptop and desktop models. As Nord notes, it's relatively simple to extract the locally-stored key, sign fraudulent TLS certificates for any HTTPS-protected website on the Internet, and trick user browsers to accept these encrypted Web sessions with no security warnings whatsoever.This is, of course, reminiscent of the Superfish fiasco that plagued Lenovo earlier this year. But in that case the culprit was third-party adware, while Dell's eDellRoot is the company's own abomination. Duo Labs Security says it discovered the same problem, noting that it had even found evidence of the root certificate on some SCADA systems, typically used in places like factories, dams and power stations. Like Nord, Duo's researchers note that it's rather incredible that Dell wouldn't have discovered and fixed this problem after what happened to Lenovo:

"This highlights a disturbing trend among original equipment manufacturer (OEM) hardware vendors. Tampering with certificate stores exposes users to unnecessary, increased risk. Tampering with the certificate store is a questionable practice, and OEM’s need to be careful when adding new trusted certificates, especially root certificates. Sadly, OEM manufacturers seem to not be learning from historical mistakes and keep making them over and over."

However Dell did appear to learn something in terms of their PR response to the vulnerability. Unlike Lenovo, which originally tried to deny any security problem whatsoever, Dell has issued a relatively straight forward blog post addressing the issue. In it, Dell does something downright kooky: it admits that the vulnerability is a vulnerability, and publicly thanks the security researchers that discovered it. According to Dell, the certificate was implemented as part of a support tool "intended to make it faster and easier" for users to service their system.

Dell's quick to remind readers that at least it wasn't adware, and unlike Lenovo's snoopvertising, it won't stealthily hide in the BiOS to reinstall itself at a later date:

"The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process."

Dell's also posted a word document outlining how to spot and remove the certificate here for those interested. It remains unclear just how many computers are at risk, but given that Dell is expected to ship 10 million computers worldwide in the third quarter of 2015, the footprint likely isn't modest. And while Dell managed the problem better on the PR front than their predecessors, the fact that this keeps happening is no less disturbing.

Filed Under: certificates, https, self-signed certificate, superfish
Companies: dell, lenovo

Lenovo Busted For Stealthily Installing Crapware Via BIOS On Fresh Windows Installs

from the not-learning-any-lessons dept

It looks like Lenovo may not have learned much from February's Superfish shenanigans. If you recall, Lenovo was busted for stealthily installing adware on consumer laptops. Worse, the Superfish adware in question opened up all Lenovo customers to man-in-the-middle attacks by faking the encryption certificate for every HTTPS-protected site customers visited. When pressed, Lenovo idiotically denied there was any security threat introduced by faking encryption certs solely for the sake of pushing ads.

Lenovo's now under fire this week for reinstalling the company's bloatware on Lenovo laptops, even if customers have completed a fresh install of Windows. First noticed by an Ars Technica forum regular and confirmed by readers at Hacker News, as well as users over at Reddit, Lenovo appears to be hiding its crapware install in the laptop BIOS, so it gets installed even after fresh Windows installs:

"I had this happen to me a few weeks ago, on a new Lenovo laptop, doing a clean install with a new SSD, Win 8 DVD + wifi turned off. I couldn't understand how a Lenovo service was installed and running! Delete the file and it reappears on reboot. I've never seen anything like this before. Something to think about before buying Lenovo. I searched and found almost nothing about this, so it may be something they started doing in the last few months.

Apparently, Lenovo's using a Windows function called Microsoft Windows Platform Binary Table (WPBT), originally designed to help simplify the installation of proprietary drivers and anti-theft software (obviously since any smart thief would do a clean install relatively quickly after theft). Except in this case, Lenovo's using it as a method to force the laptop to phone home to Lenovo servers so adware can be installed.

Basically, before booting Windows, the Lenovo Service Engine (LSE) built into the laptop's firmware replaces Microsoft's copy of autochk.exe with Lenovo's version. Lenovo's version then ensures that LenovoUpdate.exe and LenovoCheck.exe are present in Windows' system32 directory, with full administrative rights. Lo and behold, you then get Lenovo crapware -- and a machine that phones home to Lenovo servers -- even if you think you've avoided such practices via what you incorrectly assumed was a truly clean OS install.

You'll be shocked to learn that this practice isn't particularly secure. Back in April, Security researcher Roel Schouwenberg found and reported that a buffer-overflow vulnerability in the LSE (not to mention insecure network transmission) could easily be exploited by hackers. Once Lenovo learned of the security risk, and likely received a wrist slap from Redmond for running afoul of Microsoft's security standards regarding WBPT, Lenovo very quietly backed away from the practice last June, then released tools for laptops and desktops to aid in the removal of the LSE.

Clearly, since users are only just in August realizing this problem exists, Lenovo did a wonderful job communicating the issue to its customers. Lenovo now says that any computer sold since June should not include this stealth crapware install mechanism, but somehow it still thought it was a great idea to employ this technology from between October 2014 and April of this year. While Microsoft's WPBT may be well-intentioned, it's also hard to see how it couldn't foresee the potential pitfalls of letting third parties use the BIOS to inject additional software into a fresh install (regardless of whatever "guidelines" they've belatedly attached).

Meanwhile, on the heels of the Superfish scandal, it's becoming pretty clear that customers who want actual control of the hardware they own might just want to steer clear of Lenovo until the company wises up.

Filed Under: adware, bios, crapware, fresh install, malware, reinstall, thinkpads, windows
Companies: lenovo

DailyDirt: No More Secrets...

from the urls-we-dig-up dept

The past year has been pretty rough for security -- with Heartbleed, Superfish, remotely hacked cars and all sorts of personal information getting into the wrong hands. Encryption and security are quickly becoming mainstream topics, as it's harder and harder to keep your head in the sand about technology risks. However, perfect security doesn't really exist, but I'm sure we'll have some folks demanding it soon.

• It turns out that Apple firmware isn't immune from worm malware (known as Thunderstrike 2), delivered via Thunderbolt peripherals. PCs have been vulnerable to this kind of attack, but some PC makers have taken steps to address it. Apple has a fix, but Apple isn't special when it comes to security. [url]
• Has an Israeli security startup called Morphisec created a version of Windows without zero-day exploits? Probably not, but it has likely put a giant bull's eye on its software... whenever it launches. [url]
• Apple keeps patching security flaws in its iPhones, but evidence of attacks are being discovered in the wild. If you get a prompt to download an app outside the App Store, don't do it. [url]
• Android devices have been vulnerable to an attack called Stagefright, but Google is trying to release a fix. The challenge is getting the update to nearly a billion devices -- with manufacturers and carriers cooperation. [url]

After you've finished checking out those links, take a look at our Daily Deals for cool gadgets and other awesome stuff.

Filed Under: cybersecurity, hacks, heartbleed, malware, security, stagefright, superfish, thunderstrike 2, worm, zero day
Companies: apple, google, lenovo, morphisec

Did Lenovo/Superfish Break The Law?

from the certainly-can-make-an-argument-that-way dept

For many years, it's been something of an open question if creating a major security or privacy vulnerability was illegal. For the most part, courts have ruled that without actual proven harm, it's difficult to show real standing for the sake of a civil lawsuit. In practical terms, this has meant that if you just introduce a massive security risk, without it directly being abused (in a way that people know about), a company's liability is fairly limited. Obviously, that could change quickly if there was an actual abuse. Not surprisingly, class action law firms still love to file these kinds of lawsuits after a major privacy/security breach just in case. So it was totally expected to see a class action firm jump in and sue Lenovo over the Superfish malware that we've been discussing for the past few days.

The folks over at CDT, however, have a very good discussion over whether or not enabling such HTTPS hijacking really is illegal. The article compares the Superfish story to the other recent story about in-flight Wi-Fi provider GoGo doing something similar, and explores whether or not these man-in-the-middle attacks run afoul of Section 5 of the FTC Act, which is the broad rules under which the FTC "protects consumers." The rules basically say companies cannot do things that are "deceptive" or "unfair," but the definitions of both of those words matters quite a bit.

Here's the exploration of whether this kind of man-in-the-middle attack is "deceptive":

At a technical level, these SSL-breaking technologies trick your browser by forging SSL certificates, implying that their service operates encrypted websites like YouTube.com and BankofAmerica.com. In fact, instead of passing encrypted traffic on to the appropriate destination, these technologies enact the previously described “man-in-the-middle attack,” gaining access to potentially sensitive information that should rightly be kept between you and, for example, your bank or health care provider. Though these practices do not directly deceive the end user, they do effectively deceive the user’s software that acts as a “user agent.”  It’s not settled that this is prohibited by deceptive practices authority; in the past, the FTC has been reluctant to pursue deceptive practices cases merely on the grounds of tricking a browser: the FTC declined to pursue companies that issued bogus machine-readable P3P policies to get around Internet Explorer privacy restrictions or against companies that evaded Apple Safari’s default cookie settings in order to place third party cookies.^[3] On the other hand, six state Attorneys General did bring a deceptive practices claim under their own version of Section 5 against companies that tricked Safari browsers into accepting third-party cookies.

Alternatively, the FTC could argue that failure to disclose that encrypted transmissions were being intercepted constituted a material omission — that is, failure to explain the practice would be a deceptive means to prevent a consumer from meaningfully evaluating the product. The FTC has brought a number of cases arguing that failure to disclose highly invasive or controversial practices either in a privacy policy or in clear, upfront language could constitute a deceptive practice.  For instance, the FTC has found that failure to disclose access to your phone’s contact information or precise geolocation could constitute a material omission.

From what I can tell, neither Gogo nor Lenovo went out of their way to tell users about these practices. If anything, Gogo’s privacy policy would lead users to think that their SSL-protected communications were safe from eavesdropping.

For Lenovo, a post to one of its user forums says that users had to agree to the Superfish privacy policy and terms of service. I don’t know what these documents said exactly, though the Superfish documents available on their website say nothing about these practices.  Even if Lenovo had disclosed in fine print what it does, regulators could make the case that SSL interception was so controversial that permission needed to be obtained outside of a boilerplate legal agreement. A service could certainly try to make a value proposition to consumers that some feature was worth the cost of breaking web encryption – but that’s not what happened here.

What about the question of "unfair"? Apparently, the FTC prefers to use "unfair" in the cases it brings, rather than deceptive, so that is the more likely option.

In order to be “unfair” under Section 5, a business practice has to meet three criteria – it must:

1. Cause significant consumer harm,
2. Not be reasonably avoidable by consumers, and
3. Not be offset by countervailing benefits to consumers.

If breaking encryption exposes consumers to significant security vulnerabilities, regulators will likely have a very strong case for an unfairness violation.

On causing significant harm, this seems fairly straightforward in Lenovo’s case: its partner Superfish configured its software to intercept all SSL requests — using the same decryption key across all devices. This key was easily reverse engineered soon after the story broke, meaning that any malicious attacker could use this key to intercept any encrypted communication. That’s a huge security vulnerability, and at least as concerning as several other vulnerabilities that the FTC has previously alleged to have harmed consumers. Gogo’s SSL interception also raised security concerns — it arguably inures users to security warnings and exposes them to attackers posing as Gogo’s network — but the risk is probably not as great as in the Lenovo case. The FTC has brought actions against device manufacturers in the past for weakening security; in its case against phone manufacturer HTC, the FTC alleged that badly designed software that let app developers piggyback on HTC’s access to certain phone functionality without user permission was an unfair business practice.

On the second part of the unfairness test, it’s hard to argue how these practices are avoidable by ordinary consumers. They may have clicked though legalistic agreements, but as far as we can tell, none of these documents made any disclosure about these sorts of tactics — or the vulnerabilities to which they exposed consumers. Certainly, neither Gogo nor Lenovo presented information outside of a legal document where consumers were likely to notice. As a result, consumers weren’t provided with actionable information that they could have used to avoid these problems.

Finally, it’s hard to see that the security vulnerabilities introduced by SSL-interception were outweighed by any benefits to the practice. Gogo used this tactic to block bandwidth-heavy video applications on planes with limited internet access — a worthy goal, but one better accomplished through less destructive means. Lenovo allowed its partner to break encryption in order to view private communications for targeted advertising.  It is doubtful that many consumers would find this trade-off beneficial, even if it lowered prices significantly; in any event, Lenovo claims that they didn’t make much money from its deal with Superfish, and the pre-installed adware was simply designed to improve the user experience. Since exposure of these practices, both companies have backtracked and ended use of the encryption-breaking technologies.

But there's a much bigger question: will the FTC actually bother? The fact that Lenovo reacted pretty quickly to this mess probably suggests that the FTC may not bother. Yes, Lenovo's initial reaction wasn't great, but it did change its tune within less than 48 hours, and has been pretty vocal and active in apologizing and fixing things since then. That may be enough reason for the FTC to think it's not necessary to go after the company. Of course, it may feel differently about Superfish itself -- since that company still denies there's any problem and basically refuses to admit its role in this whole mess. It's still standing by its bogus statement that it did nothing wrong and claiming that Lenovo will clear things up -- even as Lenovo has clearly said otherwise.

Filed Under: deceptive, ftc, https, malware, man in the middle, section 5, unfair
Companies: komodia, lenovo, superfish

A Bit Late, But Lenovo CTO Admits The Company Screwed Up

from the finally dept

We've had a bunch of posts today (and yesterday) about the "Superfish" debacle, with a few of them focusing on Lenovo failing to recognize what a problem it was -- first denying any serious security problem, and then calling it "theoretical." It appears that Lenovo has now realized it totally screwed up and is finally saying so. Speaking to Re/code, CTO Peter Hortensius has changed his tune from the "theoretical" problem he discussed earlier:

“We messed up,” CTO Peter Hortensius told Re/code. The company now confirms that the way Superfish operates could leave machines vulnerable to a “man-in-the-middle,” or MITM, attack, in which an attacker mimics both sides of a conversation to actively eavesdrop on each one.

[....]

The company has an engineering review that made sure the tool itself didn’t store customer information and had a mechanism for users to opt out, but Lenovo missed that the way the software behaved could create a situation that left machines vulnerable to an attack.

“We should have known going in that that was the case,” Hortensius said. “We just flat-out missed it on this one, and did not appreciate the problem it was going to create.”

He later admits that the company "deserves" to take a beating for missing that. The company has also promised to publicly announce a plan for how it will make sure this sort of thing doesn't happen again.

While we called the company out for its initial terrible reaction, at least the company now seems to recognize the problems it caused and is owning up to it. It should have happened faster, but at least it's happening. Hopefully, the company is better off for it.

Of course, the same can't be said for Superfish, who insisted yesterday that Lenovo would show that there was no security risk at all, and still seems to be standing by that ridiculously wrong statement.

Filed Under: adware, malware, peter hortensius, superfish, vulnerability
Companies: komodia, lenovo, superfish

Superfish Keeps Digging Deeper And Deeper Hole: Still Refuses To Acknowledge Seriousness Of What Its Software Did

from the first-rule-of-holes dept

I pointed out earlier that it was fairly astounding that Superfish was basically remaining mostly quiet on the whole controversy over its software. If you've been under a rock, earlier this week, the security community pointed out how Superfish's software (installed by default on certain Lenovo laptops) created a massive security vulnerability. Superfish itself is adware, but that's the least of the problems. The software doesn't track your behavior like other adware, but instead tries to insert other buying options when you're viewing images of certain products. It tries to find the same or similar products that you can buy for less and tell you about them. I could see how that might be interesting for some people on some shopping sites if they chose to use the software. But, by being a default bloatware install on Lenovo laptops, there was no choice. Furthermore, it apparently was trying to do this on every website. And that's where the real problem came in.

Because many websites these days are encrypted via HTTPS (to better protect privacy), Superfish teamed up with a sneaky company named Komodia, to install a really nasty and poorly implemented "trick." It installed its own, self-signed root certificate, and would then effectively offer up fake security certificates for ANY and EVERY HTTPS connection. And, of course, it used the same key on every install, and that key was easily cracked (password: komodia), meaning that anyone who had this installed, was basically open to a massive and hugely dangerous man-in-the-middle attack on any HTTPS connection. That's HUGE.

And Superfish still won't cop to it. Its website has nothing about this whole thing. Its Facebook page has nothing. Its Twitter feed only has that post from yesterday saying that Lenovo would soon be putting out a statement clarifying things -- but Lenovo's statement (which has changed over time) admits that there were problems and the company is working hard to remove all the damage that Superfish has done. And Superfish still doesn't get it. Its latest press statement shows that the company is in total denial about what kind of mess it helped create. It is still defending the whole "adware" thing, rather than the security hole. And, its only comment on the security hole is "some other company did that."

Superfish Statement from CEO

There has been significant misinformation circulating about Superfish software that was pre-installed on certain Lenovo laptops. The software shipped on a limited number of computers in 2014 in an effort to enhance the online shopping experience for Lenovo customers. Superfish's software utilizes visual search technology to help users achieve more relevant search results based on images of products they have browsed.

This is not the time for your marketing speak. This is the time you apologize for putting many, many, many people at serious risk. Stop with the PR-sanitized "enhance their shopping experience."

Despite the false and misleading statements made by some media commentators and bloggers, the Superfish software does not present a security risk. In no way does Superfish store personal data or share such data with anyone. Unfortunately, in this situation a vulnerability was introduced unintentionally by a 3rd party. Both Lenovo and Superfish did extensive testing of the solution but this issue wasn't identified before some laptops shipped. Fortunately, our partnership with Lenovo was limited in scale. We were able to address the issue quickly. The software was disabled on the server side (i.e., Superfish's search engine) in January 2015.

This statement is almost entirely pure bullshit. No one has complained about Superfish storing personal data, but it absolutely does present a security risk. A massive one. A incredibly humungous, cannot be overstated, sized-security risk. And Superfish says it "does not present a security risk"? Bullshit. And then to say "a vulnerability was introduced unintentionally by a 3rd party." That's passing the buck. Yes, it's Komodia (which Superfish doesn't name) who appears to have done this, but it's Superfish who decided to use Komodia's braindead stupid method of breaking HTTPS. Yes, you tested it, but your tests suck if you didn't spot this kind of security mess.

Finally, disabling the software isn't even the main part of the issue, since the dangerous root certificate still remained after that. And, yes, actions are now being taken to fix that, but no thanks to Supefish and its refusal to admit what happened.

Superfish takes great pride in the quality of its software, the transparency of its business practices, and its strong relationship with the Superfish user community. Superfish's visual search technology enables millions of people to explore and learn about the world in an engaging and highly intuitive manner. A positive user experience has been the cornerstone of Superfish's success.

Again, bullshit. If you took great pride in the quality of your software, you'd stop this marketing-speak and admit that you seriously screwed up and put many people at risk. Anyone with a modicum of understanding of how HTTPS and certificate systems work would recognize quickly what a dangerous situation this was, but neither Superfish nor Lenovo did. At least Lenovo now seems to be trying to make things right, while Superfish remains in total denial, hoping that a combination of mostly silence and bullshit "statements from the CEO" written by marketing are the way to solve this mess.

This is not how you solve a mess up of this size. You need to own it. You need to come clean and admit that you messed up, how you messed up, why you messed up and what you're going to do to make sure it never, ever happens again. Superfish didn't do that, and at this point it's probably too late to try to turn that around.

Filed Under: superfish, vulnerability
Companies: komodia, lenovo, superfish