Lenovo In Denial: Insists There's No Security Problem With Superfish — Which Is Very, Very Wrong.
from the so-long-and-thanks-for-all-the-superfish dept
Late last night, people started buzzing on Twitter about the fact that Lenovo, makers of the famous Thinkpad laptops, had been installing a really nasty form of adware on those machines called Superfish. Many news stories started popping up about this, again, focusing on the adware. But putting adware on a computer, while ethically questionable and a general pain in the ass, is not the real problem here. The problem is that the adware in question, Superfish, has an astoundingly stupid way of working that effectively allows for a very easy man in the middle attack on any computer with the software installed, making it a massive security hole that is insanely dangerous.
Lenovo’s response? Basically to shrug its shoulders and say it doesn’t understand why anyone’s that upset. This is because whoever wrote Lenovo’s statement on this is completely clueless about computer security.
We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.
Bullshit. That’s really the only response that should be said to that line. Lenovo focuses on the reasons why many people normally hate adware: that it tracks what you’re doing and sends info back to third parties. That’s not what Superfish does, so Lenovo doesn’t see what the big deal is. Superfish, which was just recently ranked 64th by Forbes in its list of “Most Promising American Companies,” tries to watch what you’re surfing, and when you see certain images, the service injects other offerings for similar (or the same) products. In theory, if one chose to use such a product, you could see why it could be useful. But automatically putting it on computers is a different thing all together.
The real problem is in how Superfish deals with HTTPS protected sites. Since, in theory, it shouldn’t be able to see the images on those sites, it appears that Superfish came up with what it must have believed was a clever workaround: it just installs a root HTTPS certificate, that it signs itself, to pretend that any HTTPS page you’re visiting is perfectly legitimate. For many years, we’ve pointed out why the HTTPS system with certificate authorities is open to a giant man in the middle attack via any certificate authority willing to grant a fake certificate — and here we basically have Lenovo enabling this questionable company to go hogwild with this exact kind of MITM attack. Basically, EVERY SINGLE HTTPS SITE that you visit was a victim of this kind of MITM attack — solely for the purpose of interjecting Superfish ads. In fact, some have suggested it could apply to VPNs as well. Basically this is a massively dangerous security hole with wide ranging implications. And Lenovo says they don’t see why.
And, even beyond that, it’s implemented incredibly stupidly — in a way that is ridiculously dangerous. That’s because it appears that the private key use for the Superfish certificate is the same on basically every install of this software. And it didn’t take very long at all for security folks, such as Robert Graham, to crack the password, meaning that it’s now incredibly easy to get access to information someone thinks is encrypted. As Graham notes, the password is “komodia” which just so happens to also be the name of a company that “redirects” HTTPS traffic (for spying on kids and such).
This is a massive and ridiculous security threat, and Lenovo is completely brushing it off as nothing big. As many have noted, people have been complaining about the adware components of the software for months now, and Lenovo announced that it was stopping installs, because some people didn’t like the way the software created popups and such — but with no mention of the massive security problems. And, even now, the company doesn’t seem willing to admit to them.
Furthermore, the company doesn’t even seem willing to say what machines it installed them on, or provide people with instructions on how to protect themselves (simply uninstalling Superfish won’t do it). This is a huge mess. I’ve personally been a very loyal Lenovo Thinkpad customer for years, having bought many, many laptops. In fact, just a couple months ago — right in the middle of the period of when Superfish was being preloaded — I bought a new Thinkpad laptop, though it appears that mine is not one that includes Superfish. Still, Lenovo created a huge and dangerous mess, and they don’t seem to recognize it at all. This kind of fuck up is much worse than the whole Sony rootkit thing from a decade or so ago, and as with Sony then, Lenovo doesn’t seem to have the slightest clue of just how badly it has put people at risk.
It doesn’t take much to kill off tremendous goodwill and trust, and Lenovo may have just done so with it’s pitiful reaction here. It’s one thing for Lenovo to have made the stupid decision to install this kind of adware/bloatware. It’s a second thing to not realize the security implications of it. However, it’s another thing entirely, once it’s been pointed out to Lenovo to then deny that this is a security risk. Lenovo screwed up big time here, and mostly in the way it’s responded to the mess it created.
Filed Under: adware, certificate authority, concerns, https, man in the middle, privacy, security, superfish, tls
Companies: komodia, lenovo, superfish
Comments on “Lenovo In Denial: Insists There's No Security Problem With Superfish — Which Is Very, Very Wrong.”
It did for me
Including Superfish and the bogus certificate was a terrible thing to do in the first place, but what convinced me to never buy another Lenovo machine in the future was this exact response by them. It indicates either an insane level of incompetence or a deliberate effort to deceive everyone. Either way, that’s enough to put them on my “never do business with” list.
Re: It did for me
I’ll start them off with a 1-year ban. If I need a laptop this year, it definitely won’t be a Lenovo.
Re: Re: It did for me
Only a one-year ban? I’ve not bought a single Sony product of any kind since the Rootkit Scandal a decade ago.
Re: Re: Re: It did for me
Me neither.
Re: It did for me
Me too.
I was just about to pull the trigger on a X1 Carbon.
Not now …. OK, back to days of researching the next alternative.
Lenovo - Motorola
Are Lenovo (and now Motorola) tablets and smartphones free of this crap ?
I hope that Techdirt does not let this story die. Lenovo needs to have its feet held to the fire.
Links to other coverage of Superfish
EFF: Lenovo is breaking HTTPS security on its recent laptops (by way of Linux Weekly News)
Superfish key (thanks to EFF for the link).
Test site to check if a system accepts the Superfish super-CA (also thanks to EFF/LWN for the link).
Maybe their security staff (think plants working for others) told them it was a harmless thing to do. Never ascribe to incompetence what may be a deliberate act. Gone to buy more tin foil.
Re: Re:
The problem is more likely that the security people answer to the marketing department. When a tech company puts its financial and legal staff in charge of its engineers, it’s time to say goodbye.
Re: Re:
I think it more likely that their security staff are actually plants. The potted kind that need daily watering.
Never Lenovo or Thinkpad
Honestly, I’ve never been a fan of Lenovo or Thinkpad and this just reconfirms my decisions in the first place. This is absolutely ridiculous for any company to not realize exactly what they are doing to a customers computer. They are either ignorant, incompetent or just liars. Either way, stay away.
So when the government warns us that Chinese hardware manufacturers are selling stuff that will make us vulnerable to being spied on, we shouldn’t listen. But when Ars Technica and Robert Graham pass along such a warning, then it’s finally time to listen? 😉
Re: Re:
When Ars and Robert Graham provide the documented evidence and the government doesn’t… yes.
Re: Re:
Did the government specifically warn us about this vulnerability? No. How about the 14 year pwn of HDDs? No. Recent and ongoing revelations teach us that the government is far more interested in hacking our systems than it is in warning us. The government is the last place I expect honest, realtime information to come from.
Re: Re: Re:
To what are you referring? Sounds interesting…
Re: Re: Re: Re:
Go to “The Intercept” for the full story.
Re: Re:
One word: credibility
When the gov says it then you never know if they just try to blame someone else for something they implanted in the first place. If tech sides post something then well… they aren’t spying themselves so it is possibly true and I believe them.
btw. Techsite owners: if the NSA visits you the next days and tries to make you post stuff because people believe you more than them… you’re welcome!
Re: Re:
If I am not mistaken the government warning was general for all chinese products without providing evidence (except indicating routers). Those kinds of non-specific warnings are overbroad and bordering on nationalistic state propaganda since it will hurt innocent companies from the country!
The more specific warning seems to be relatively well investigated and documented from fall 2014 to now.
The problem for Lenovo is their insistance that the program people have documented as a potential backdoor, should not be seen as any “security concern”. For people who know a bit about computers that is scary ignorance or malicious intend since history has taught us that potential vulnerability has to be assumed a potential future exploit if you have any respect for your customers.
Re: Re:
Ars Technica and Robert Graham presented actual evidence. The government never has.
Hmm. I think you named the software wrong. Shouldn’t it be Superphish?
Re: Re:
With a name like that it almost feels like they were trying to tell us they were up to no good and daring some one to call them on it.
It reminds me of the Reacher Gilt character from the Discworld novel “Going Postal”, who had the appearance pirate as he used business deals to steal as much money as he could.
Settle down, Chinese government just wanted to map out a few networks, that’s all. It was either add it or watch 3 generations of your family go to “work farms”.
Still shocked by the password. Not even a 123 or -123… nothing. How can you ship a product that uses a lowercase only pass for something the consumer isn’t supposed to touch?
So, every Lenovo laptop is easily attacked using MITM attacks using the Superfish CA? Which is now widely available? And Sony doesn’t see a problem? Am I really reading this right?
Re: Re:
“And LENOVO doesn’t see a problem? Am I really reading this right?”
FTFY and now yes you do.
Re: Re:
“So, every Lenovo laptop is easily attacked using MITM attacks using the Superfish CA? “
I believe only some models, not all.
Re: Re: Re:
I believe only some models, not all.
Yes, only a subset of “consumer” models. My T-series isn’t effected, since that’s a “business” model, apparently.
Re: Re: Re: Re:
FWIW, it’s not that they don’t want to “sell” this stuff to business customers. It’s that the scammy software distributors don’t want to pay for it on the business lines, because so many business customers replace the stock image with their own.
Re: Re: Re: Re:
“affected”, not effected, and I hope you mean because you wiped the included image. Yes, this is a security problem, but running the included software is a security problem in and of itself (even the firmware, these days, but the difficulty of replacing it gives you an excuse not to do it; there’s no good reason not to blow away the vendor OS image though).
Lenovo preloaded software
Not too concerned, having installed Linux/BSD on my Lenovo laptops. The hardware used to be good, but one had a keyboard die within the first year, and the other has flaky USB & camera issues. Sigh. Not doing Lenovo again for multiple reasons. Please don’t make me go back to Dell.
Culture
It probably has to do with the culture they are living in in that country.
Why do people think this is a big deal.
Wait, people’s first step in any pre-built machine ISN’T to instantly wipe and build the install themselves to get rid of all the BS on the image?
I mean that is what I have been doing for years.
Re: Why do people think this is a big deal.
You’re the 1%. You might have avoided this yourself, but think of all the non-technical (or even technical-but-with-little-free-time) people around you. Your family. Your friends. The employees of businesses you frequent.
Even if you can smugly say you aren’t directly affected, this is a concerning vulnerability.
(I mean, I’m a smug Linux user, all my machines run Linux, but a Windows-specific vulnerability like this one still concerns me.)
Re: Re: Why do people think this is a big deal.
This isn’t a Windows-specific vulnerability.
While it would be a more difficult task, this could be done on Linux if you buy a pre-built computer with a distro already installed. It just needs to come with a repository URL pointing to the manufacturer and, for example, have openssl-superfish and gnutls-superfish patched libraries installed instead of the upstream libraries.
There is an inherit trust relationship when using a pre-imaged machine, and Lenovo has violated that trust.
Re: Why do people think this is a big deal.
Main problem, is most of these were christmas season laptops. When your mom buys her partner a laptop for christmas, when a parent buys their child a laptop for school, how many of those random customers will think “I need to image this laptop before I use it?”
How many of the thousands (millions?) of non-technical end users only see a new computer to do research/email/school/etc. and just care that it “just works?”
Those are the people who will be served websites that “require an update” and download a file “signed” by microsoft.
So what if YOU nuke and pave once a month and wipe every new machine. Does your mom do that? Your siblings? Even your coworkers who should know better?
Re: Re: Why do people think this is a big deal.
Because pre-built computers started coming with so much factory-installed crapware on them, the easiest way to avoid all that was to partition the drive and install a clean bootleg copy of Windows, which you basically paid for anyway (as the installed OEM copy which you won’t be getting a refund on if you prefer to use Linux)
That’s assuming that it’s still easy to install and run non-authorized Windows OS’s (though probably not as easy as the time when half the computers in the world were using the same “FCKGW-” XP key).
Re: Re: Re: Why do people think this is a big deal.
Just grab a legit ISO from here http://www.mydigitallife.info/official-windows-7-sp1-iso-from-digital-river/ use your favorite software to get your windows key, and then roll your own ISO with the new key, and any drivers you might need using these instructions; http://dellwindowsreinstallationguide.com/download-microsoft-windows-and-office/download-microsoft-windows/download-windows-8-1-retail-and-oem-iso/download-windows-8-1-iso/creating-a-bootable-iso-with-an-ei-cfg-and-pid-txt-file/
As long as you have a valid key, and know which product it is for it’s very simple. Just test it in vbox before doing it on real hardware.
Isn't it time to cue the prosecutors?
I mean, if they’re not too busy harassing journalists and activists and bullying hackers and researchers, maybe, just this once, they could find the time to go after a corporation that deliberately broke the security of tens of thousands of people (and quite possibly many more: that figure is based on the EFF’s report about what their SSL observatory has seen).
This is a systematic, malicious, intentional large-scale attack, with serious adverse consequences for those affected…unlike, let’s say, mass downloading of academic journal articles. So where are those who like to wield the CFAA like a club? When can we expect to see Lenovo executives being dragged out of their offices? How about the indictments, where are those? And can we expect aggressive prosecution with the threat of long prison sentences?
Re: Isn't it time to cue the prosecutors?
Did you forget the golden rule?
Those with the gold make the rules
Lenovo has too much money to be punished over this.
Re: Isn't it time to cue the prosecutors?
The government probably doesn’t want to admit they’ve known about this and been using it all along.
Re: Isn't it time to cue the prosecutors?
The government doesn’t go after targets that might fight back, so I’m sure they’ll ignore this one in favor of going after some ‘malicious hacker’ who’ll be an easy win for them.
Hooray Websense for a change
I tried to check out Superfish’s home page to see if they’d made a statement and Websense blocked it as “Potentially Unwanted Software”.
Some Credit
You have to give them some credit: they stopped adding this stuff in January, well before the story broke.
That said, there’s still a lot of product out on store shelves that will take the better part of a year to clear out. Lenovo ought to recall this merchandise and re-image the machines. They could even resell them as refurbished (I for one would look forward to a glut of near-perfect refurbished laptops hitting the market).
There’s also the issue of what to do for customers who already purchased these machines. There is, at this point, no evidence of active abuse for this vulnerability. A simple patch the merely removes the entry from the trusted certificates store would be adequate to protect consumers. However, that would leave many of them feeling that their machines are broken (their browser would show every https site they visit as fake), and so completely removing the service will be necessary. This is a harder patch, but just making the patch available and notifying customers would be adequate. At least, it’s the bare minimum.
Unfortunately, Lenovo has not yet taken either of these steps. Instead, they published a response that demonstrates a complete lack of understanding of the issue.
Re: Some Credit
“There is, at this point, no evidence of active abuse for this vulnerability.”
Which means nothing.
Think about it for a minute: what, exactly, would that evidence look like? And how would one make a definitive connection from it to Superfish?
That circumstance isn’t an accident. It’s called “plausible deniability” and it will enable Lenovo, during the inevitable class-action lawsuit, to claim that observed symptoms X and Y and Z were not caused or enabled by Superfish, but by some other security issue on the affected systems.
Re: Re: Some Credit
“There is, at this point, no evidence of active abuse for this vulnerability.”
Yes, there is. They impersonated 1000’s of websites. That is called abuse.
Re: No credit
I would classify such a patch as a necessary, but insufficient, step. As I understand it, there is currently no mechanism to ensure that users discover the existence of the flaw, that they understand the severity of the flaw, or that they understand the need to install the fix proposed here. The extensive news coverage will probably help the first problem. Lenovo’s deceptive pseudo-disclosure will hurt with the second problem.
Although not exactly appropriate, a product recall notice occurs to me as one way to notify consumers. Not everyone is guaranteed to read that either, but at least users who worry about physical defects in their purchases will be periodically reading recall announcements. It will help that some vendors have shipped laptops that later were recalled as fire hazards, so monitoring recall notices on one’s laptop has practical value.
They have stated which hardware has Superfish
http://news.lenovo.com/article_display.cfm?article_id=1929
Can we hit Superfish with CFAA violations?
Re: Re:
why? Its not like they downloaded from Pacer or JStor.
Mint my own certs
So…if I can get my black hat hands on that cert, I can mint my own valid certificates? Cool!
Re: Mint my own certs
Yes, you can mint your own certificates, but the only people who will see them as valid certificates will be those who have Superfish’s root certificate as a Trusted Root certificate.
So, basically, yes, it’ll work, but your certificates will only be recognized by those who have chosen to install Superfish, and those who have the affected Lenovo laptops.
Consumer line only?
We pretty much use lenovo products exclusively in my company, but since we load a custom image on them I don’t know if any of ours originally shipped with this software. I do know though that their consumer models tends to come with lots of ‘free software’ that isn’t included (or wanted) on their business models.
From the descriptions I’ve read, this sounds like the kind of product that I might expect to find installed on lenovo’s consumer line products. Does anyone know if this was occurring in “Think” branded products, or only in “idea” branded products?
Re: Consumer line only?
-Run certmgr.msc
-Go to Trusted Root Certificate AuthoritiesCertificates
-Look for a certificate issued to Superfish, Inc. by Superfish, Inc.
Alternatively, use Superfish CA test
Re: Consumer line only?
According to Lenovo:
That “may have” bugs me, since it implies that the list is not complete.
They are about to have a realllllly shitty day tomorrow morning:
http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html
Tinfoil hat time
So… How long has the NSA known about this adware and been using it as cover for their own access to the machine? Have Lenovo deploy it widely enough to disguise any targetting metrics, use the superfish update mechanism as their C&C mode, and unless someone actually catches an example where they’ve tailored the superfish system, nobody is the wiser.
Add tailored access (QUANTUMINSERT) and even superfish need not know that their attackware has been compromised.
Re: Tinfoil hat time
Who’s to say that Superfish isn’t an NSA or CIA front?
/tinfoilhat
Re: Re: Tinfoil hat time
Superfish founder & CEO, Adi Pinhas, has a long history in the field of surveillance technology. He is also pretty famous for the fact the every project he has been involved with has been malware and spyware. He’s been a fairly reviled figure for over ten years.
So, while speculation about Superfish being an intel front isn’t ridiculous, it’s also not necessary. I don’t think that the company would do anything differently at all if they are or are not, and the intel agencies would derive just as much of a benefit either way.
What Is This "Bad Guys Can Use It Too" Bullshit?
If we banned everything just because bad guys can take advantage of it too, we’d never have guns.
Re: What Is This "Bad Guys Can Use It Too" Bullshit?
Or anything at all.
So they start the day with a press release saying it was no big deal, it was just to benefit consumers….
Now it is a severe security warning on their website.
Mike, Mike, Mike….
Why do you so hate capitalism? Lenovo was just trying to maximize profits, as any good capitalist should. Sure, they may have made a mistake, but their heart was in the right place.
My mother’s laptop got infected with Superfish a while ago. I ended up having to wipe the laptop, and it had still infected her Microsoft profile’s Internet Explorer settings, meaning it came back after she signed back into her fresh install, so I scrubbed that profile clean of it and reformatted again immediately, just to be sure.
I’m certainly never going to buy a Lenovo computer ever again now that I’ve seen this story. I’ve got a Lenovo Android device, which has been fine up until now but honestly I don’t think I want it any more, given the power manufacturers have over what gets installed remotely onto “their” hardware…
I’m absolutely disgusted.
At no point was Superfish installed on *any* Thinkpad laptops. This affects *only* the low end consumer Ideapad division. Lenovo has stated this also. See this article: http://thenextweb.com/insider/2015/02/19/lenovo-posts-superfish-removal-instructions-fails-acknowledge-severity-problem/
Article above should be amended to correct this. What they’ve done is indefensible, but get the facts right.
Hang 'em High!
This kind of crap will continue and get even worse. The bad guys know that NO ONE is doing anything about it. All they have to do is say, “Sorry” and all is forgiven. Bullshit! We need to start seeing CEO’s going to prison. This is a violation on an epic scale and the consequences should fit the crime. Not only should the CEO of Lenovo go to prison, but so should the people that made the software in the first place. If we start throwing these despicable people in prison others might start to think that this kind of tactic isn’t all that great of an idea after all. But if we let it go, then every other prick in the world will be lining up to screw the public as well. As a citizen of this country, I demand that we see these bastards in prison! And you should too!
Re: Hang 'em High!
We are very sorry, but the re-think version of the US Constitution – made possible by the wonderful 9/11 Crisis ™ – states plainly that nobody among the 1% can be held responsible for their crimes against the 99%, as this is simply business and thus perfectly legal.
If you want justice, you have to join the 1% of the US population, by whatever means – fair or foul – or suffer the consequences of the laws, according to the new Corporate Constitution of the United States of America.
—
Might wanna re-check those Lenovo machines, as recent updates have pushed out MORE hidden self-signed root certificates.
Lenovo (internally) decided to wait a few months for ‘the stupids [quote]’ to focus on something else and then re-introduced superfish but now with chameleon name-randomizing capability.
Of course its 100% coincidental that ‘someone’ within 12hours of the update going live started siphoning data to chinese government-owned servers….
Nice
Good post