Quantcast

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Lenovo Superfish: malware intentionally installed by Lenovo on their laptops

QuizzicalQuizzical Member LegendaryPosts: 22,626

Congratulations, Lenovo laptop users.  You've got malware on your laptop.  Installed by Lenovo.  Intentionally.  Not simple bloatware, but a man-in-the-middle attack on all "secure" browser connections, rendering them trivially insecure.  Seriously.

For a number of months now, Lenovo has been shipping laptops with Superfish malware pre-installed.  You're probably used to laptop vendors installing random junk on their laptops to bother the end user.  But Superfish isn't just random junk.

The idea of Superfish is to replace the ads on web sites with Lenovo's own ads.  For example, if it attacks this site, then the ads you'd see if you don't disable them would be ads served by Lenovo so that Lenovo gets paid for the ads, rather than ads served by this site so that this site gets paid.  That's bad, but perhaps not exceptionally bad as bloatware goes.

The problem comes with encrypted sites.  If a site is encrypted, Superfish normally wouldn't be able to see what's an ad and what isn't, so it wouldn't be able to replace a web site's ads with its own.  Superfish's solution to that is a man-in-the-middle attack on your browser connection.

For example, you want to buy something off of a site with ads and give them your credit card information.  Superfish intercepts all browser communication so that, instead of the web site sending information to your browser, it sends the information to Superfish, which decrypts the page, replaces ads, encrypts the connection again, and passes it along to your browser.

It gets worse.  Superfish apparently didn't lock itself down very well, so that all "secure" browser connections on infected machines are intrinsically insecure.  If you do online banking via a Superfish-infected computer, your connection is insecure and there's nothing your bank can do about it.

The only thing you can do about it is to remove the Superfish certificate authority from your computer; merely uninstalling the Superfish software doesn't suffice.  That's because Superfish installed a self-signed root certificate in order to enable its man-in-the-middle attack, and apparently used the same private key for all computers and made the private key easy to find.  If you don't know what that means, that's kind of the point.  Installing certificate authorities is the sort of thing that browser vendors are supposed to worry about, not end users.

The problem here isn't that Lenovo installed man-in-the-middle malware on their laptops and then didn't lock it down very well, leaving the laptops vulnerable.  The problem is that Lenovo installed ma-in-the-middle malware on their laptops.  Period.  End of sentence.

This is not the sort of security glitch that an incompetent company can do accidentally.  It's not like a buffer overflow error or some such, where a well-intentioned company accidentally made its software vulnerable somehow.  You don't accidentally create a man-in-the-middle attack.  This is malware that was knowingly and intentionally installed by Lenovo on millions of laptops.

And then when people complained, Lenovo brushed it off for months.  Only in the last few days, when security researchers demonstrated just how bad the problem really was, did Lenovo take it seriously.  Even so, Lenovo claims that the security holes haven't been abused by anyone, other than Lenovo and its malicious adware, of course.  That's unknowable, but even if it's true, having a huge security hole published like this means that it surely will get abused quickly if people don't remove it.

This isn't just the sort of thing that a reputable company simply wouldn't do.  Most disreputable companies wouldn't do it, either, perhaps due to concerns over prison time or at least class action lawsuits.  It is shocking that Lenovo, which might be the company that sells more laptops than any other in the world, thought this was a good idea.

Is it too harsh to say, don't buy anything Lenovo ever again?  Maybe.  But given the intentional and malicious nature of the attack, I would say, don't buy anything Lenovo ever again unless you're willing to, at minimum, wipe all storage media and do a clean install of whatever OS you want using media that Lenovo hasn't touched.

If you want some media sources for this, then here you go:

http://www.anandtech.com/show/8993/lenovo-superfish-and-security

http://www.cnet.com/news/superfish-torments-lenovo-owners-with-more-than-adware/

http://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-need-to-know/

http://www.engadget.com/2015/02/20/lenovo-superfish-cto/

Comments

  • Electro057Electro057 Member UncommonPosts: 683

    Isn't the first thing you do upon purchasing a laptop wipe the harddrive, establish preferable partitions, and install the OS freshly with an OEM disc? Then use your proper and main machine to download the required drivers at their most updated state and go along with your setup?

     

    Isn't that what everyone does?

    --Custom Rig: Pyraxis---
    NZXT Phantom 410 Case
    Intel Core i5-4690 Processor - Quad Core, 6MB Smart Cache, 3.5GHz
    Asus Sabertooth Z87 Motherboard
    Asus GeForce GTX 760 Video Card - 2GB GDDR5, PCI-Express 3.0
    Kingston HyperX Fury Blue 16GB

  • RidelynnRidelynn Member EpicPosts: 7,142


    Originally posted by Electro057
    Isn't the first thing you do upon purchasing a laptop wipe the harddrive, establish preferable partitions, and install the OS freshly with an OEM disc? Then use your proper and main machine to download the required drivers at their most updated state and go along with your setup?

     

    Isn't that what everyone does?


    I would say most people don't know how. And of that small percentage that do know how, most of those build their own desktops and wouldn't have bought a Lenovo (or any other brand) to begin with.

  • craftseekercraftseeker Member RarePosts: 1,740
    Originally posted by Electro057

    Isn't the first thing you do upon purchasing a laptop wipe the harddrive, establish preferable partitions, and install the OS freshly with an OEM disc? Then use your proper and main machine to download the required drivers at their most updated state and go along with your setup?

    Isn't that what everyone does?

    Nope, it is what hardly anyone does.  People generally buy a laptop for convenience and that is just not convenient.

  • QuizzicalQuizzical Member LegendaryPosts: 22,626
    Originally posted by Electro057

    Isn't the first thing you do upon purchasing a laptop wipe the harddrive, establish preferable partitions, and install the OS freshly with an OEM disc? Then use your proper and main machine to download the required drivers at their most updated state and go along with your setup?

     

    Isn't that what everyone does?

    That's kind of like asking, isn't building your own desktop what everyone does?  It is what many (most?) tech-savvy users do, but it's far from what most computer buyers in general do.

    In this case, yes, wiping the hard drive and doing a clean install of Windows would have protected you from Lenovo's malware.  But that shouldn't be necessary.  Merely tracking down and uninstalling the bloatware--which is what some people do with new laptops--wouldn't have been enough here unless you knew to track down and remove the Superfish certificate authority.  And there's no good reason for bloatware to mess with certificate authorities, which is why most people wouldn't check that.

  • Electro057Electro057 Member UncommonPosts: 683

    Originally posted by Ridelynn

    I would say most people don't know how. And of that small percentage that do know how, most of those build their own desktops and wouldn't have bought a Lenovo (or any other brand) to begin with.

    Surprising, I'm a proponent of desktop usage and superiority. (PC Master Race~Hair flip~) And I like to have a laptop mainly for travel means and so that I can allow guests to use it without touching my desktop with their filthy and unworthy hands. 

    Originally posted by craftseeker

    Nope, it is what hardly anyone does.  People generally buy a laptop for convenience and that is just not convenient.

    Odd, I find Sony rootkits and the likes to be highly inconvenient. 

     

    --Custom Rig: Pyraxis---
    NZXT Phantom 410 Case
    Intel Core i5-4690 Processor - Quad Core, 6MB Smart Cache, 3.5GHz
    Asus Sabertooth Z87 Motherboard
    Asus GeForce GTX 760 Video Card - 2GB GDDR5, PCI-Express 3.0
    Kingston HyperX Fury Blue 16GB

  • theAsnatheAsna Member UncommonPosts: 324
    Originally posted by Electro057

    Isn't the first thing you do upon purchasing a laptop wipe the harddrive, establish preferable partitions, and install the OS freshly with an OEM disc? Then use your proper and main machine to download the required drivers at their most updated state and go along with your setup?

     

    Isn't that what everyone does?

     

    That's the first thing I do as well.

     

    Provide me with a installation disc for the operating system and the rest I can do on my own. And I will look up the latest drivers with the manufacturers of built-in hardware components. Nothing worse than using outdated drivers.

    I don't know you makes the preinstall images and doing such a horrible job of installing junk software.

    I want to set up the partitions as I want and have my own requirements to managing users and software. Installation doesn't take that long anyways.

  • DakeruDakeru Member EpicPosts: 3,797

    Nice find Quizz.

    I'm using a Lenovo laptop but it's 3 years old and I installed win7 on it myself. I wouldn't get a laptop with a pre-installed OS cause that always means at least 100 bucks extra.

    That isn't meant to say that people buying ready-made laptops are at fault.

     

    I don't even find words for what I am thinking about Lenovo right now.

    Harbinger of Fools
  • PhryPhry Member LegendaryPosts: 11,004

    This is just utterly  staggering, in what country, is what they have done, not considered a criminal act?

    Do they consider themselves above the law or something, its just crazy that they could think to get away with something like that image

  • TorvalTorval Member LegendaryPosts: 20,620
    Originally posted by Phry

    This is just utterly  staggering, in what country, is what they have done, not considered a criminal act?

    Do they consider themselves above the law or something, its just crazy that they could think to get away with something like that image

    They're a Chinese company.

    This was a company I used to consider trustworthy. Now they're on the same par as Packard Bell.

    I do remove bloatware but if I buy a laptop from a reputable company then I don't do a complete nuke-n-pave. This is why I generally don't buy laptops from retailers that put their own crapware on the system.

    Now I'm left wondering if there is a laptop company I can trust at all. In the past couple of years I've bought ASUS laptops and haven't had to remove much crapware if any at all. I've been thinking of buying an ASUS ROG portable desktop, but now I'm a little apprehensive. I certainly don't trust Dell or HP and I absolutely don't want to build a system. This sucks.

    Fedora - A modern, free, and open source Operating System. https://getfedora.org/

    traveller, interloper, anomaly, iteration


  • PhryPhry Member LegendaryPosts: 11,004
    Originally posted by Torval
    Originally posted by Phry

    This is just utterly  staggering, in what country, is what they have done, not considered a criminal act?

    Do they consider themselves above the law or something, its just crazy that they could think to get away with something like that image

    They're a Chinese company.

    This was a company I used to consider trustworthy. Now they're on the same par as Packard Bell.

    I do remove bloatware but if I buy a laptop from a reputable company then I don't do a complete nuke-n-pave. This is why I generally don't buy laptops from retailers that put their own crapware on the system.

    Now I'm left wondering if there is a laptop company I can trust at all. In the past couple of years I've bought ASUS laptops and haven't had to remove much crapware if any at all. I've been thinking of buying an ASUS ROG portable desktop, but now I'm a little apprehensive. I certainly don't trust Dell or HP and I absolutely don't want to build a system. This sucks.

    Tend to agree, who in their right mind is going to buy a laptop now if they can't be sure its 'clean'. I'll stick to my desktop, built it myself and i know its clean, i do a complete scan every week to be sure. Seriously though, its crap like that, that hurts the PC industry in general. image

  • WizardryWizardry Member LegendaryPosts: 18,343

    This has actually been happening a lot lately ,getting adware from sites i would not expect it from,so i wouldn't just blame Lenovo.

    ALL businesses are after a buck and free buck they can get,so likely they did not do any homework,simply got a request,were told it's harmless and got paid for doing so.

    I find the whole Malware business to be quite corrupt.Malware bytes at one time were the criminals,well now they run several divisions of so called software suites that  do NOTHING.These are million dollar operations,i wouldn't put it past them that they are the ones feeding malware onto systems to make it look like their software is warranted.

    I have seen some serious malware doing that advertising switch that is not detected by some of the best software out there,so something is severely wrong out there.

    Never forget 3 mile Island and never trust a government official or company spokesman.

  • QuizzicalQuizzical Member LegendaryPosts: 22,626
    Originally posted by Wizardry

    This has actually been happening a lot lately ,getting adware from sites i would not expect it from,so i wouldn't just blame Lenovo.

    ALL businesses are after a buck and free buck they can get,so likely they did not do any homework,simply got a request,were told it's harmless and got paid for doing so.

    I find the whole Malware business to be quite corrupt.Malware bytes at one time were the criminals,well now they run several divisions of so called software suites that  do NOTHING.These are million dollar operations,i wouldn't put it past them that they are the ones feeding malware onto systems to make it look like their software is warranted.

    I have seen some serious malware doing that advertising switch that is not detected by some of the best software out there,so something is severely wrong out there.

    This isn't primarily about adware.  This is primarily about making all of your encrypted browser traffic trivial for someone to decrypt.  And Lenovo doing that intentionally, so they could decrypt your encrypted browser traffic in order to insert ads.  That's much worse than ordinary adware.

  • Electro057Electro057 Member UncommonPosts: 683
    Originally posted by Quizzical
    Originally posted by Wizardry

    This has actually been happening a lot lately ,getting adware from sites i would not expect it from,so i wouldn't just blame Lenovo.

    ALL businesses are after a buck and free buck they can get,so likely they did not do any homework,simply got a request,were told it's harmless and got paid for doing so.

    I find the whole Malware business to be quite corrupt.Malware bytes at one time were the criminals,well now they run several divisions of so called software suites that  do NOTHING.These are million dollar operations,i wouldn't put it past them that they are the ones feeding malware onto systems to make it look like their software is warranted.

    I have seen some serious malware doing that advertising switch that is not detected by some of the best software out there,so something is severely wrong out there.

    This isn't primarily about adware.  This is primarily about making all of your encrypted browser traffic trivial for someone to decrypt.  And Lenovo doing that intentionally, so they could decrypt your encrypted browser traffic in order to insert ads.  That's much worse than ordinary adware.

    I'd like to point out that they totally tried to pull a "Oh gee?! But we didn't know! How bad!" And bat their eyelashes whilst doing so.

    --Custom Rig: Pyraxis---
    NZXT Phantom 410 Case
    Intel Core i5-4690 Processor - Quad Core, 6MB Smart Cache, 3.5GHz
    Asus Sabertooth Z87 Motherboard
    Asus GeForce GTX 760 Video Card - 2GB GDDR5, PCI-Express 3.0
    Kingston HyperX Fury Blue 16GB

  • CnameCname Member UncommonPosts: 211

    More info on the developer/publisher of Superfish (main culprit):

    https://en.wikipedia.org/wiki/Superfish

    I own two Lenovo laptops and another one from ASUS.  Better pricing was why I considered Lenovo before - but my preference is for ASUS now image

    "A game is fun if it is learnable but not trivial" -- Togelius & Schmidhuber

  • [Deleted User][Deleted User] UncommonPosts: 0
    The user and all related content has been deleted.
  • QuizzicalQuizzical Member LegendaryPosts: 22,626
    Originally posted by Electro057
    Originally posted by Quizzical
    Originally posted by Wizardry

    This has actually been happening a lot lately ,getting adware from sites i would not expect it from,so i wouldn't just blame Lenovo.

    ALL businesses are after a buck and free buck they can get,so likely they did not do any homework,simply got a request,were told it's harmless and got paid for doing so.

    I find the whole Malware business to be quite corrupt.Malware bytes at one time were the criminals,well now they run several divisions of so called software suites that  do NOTHING.These are million dollar operations,i wouldn't put it past them that they are the ones feeding malware onto systems to make it look like their software is warranted.

    I have seen some serious malware doing that advertising switch that is not detected by some of the best software out there,so something is severely wrong out there.

    This isn't primarily about adware.  This is primarily about making all of your encrypted browser traffic trivial for someone to decrypt.  And Lenovo doing that intentionally, so they could decrypt your encrypted browser traffic in order to insert ads.  That's much worse than ordinary adware.

    I'd like to point out that they totally tried to pull a "Oh gee?! But we didn't know! How bad!" And bat their eyelashes whilst doing so.

    In their defense (sort of), everyone involved with the project had no clue what they were doing.  Just having the root certificate have a different private key on each laptop rather than the same one would have closed the glaringly obvious way to attack a laptop with Superfish installed.

    Certificate authorities are how web sites authenticate themselves.  There are a handful of root certificates in the world that are generally accepted by browsers, and their private keys are among the most closely guarded secrets in the world.  Anyone who knows the private key to a root certificate that your browser accepts as valid can send you data claiming to be any site in the world and your browser will believe him.  To broadly distribute a private key for a root certificate that many millions of laptops will accept as valid is such an insanely stupid thing to do that the mere fact that Lenovo/Superfish did it is compelling evidence that everyone involved was clueless.

  • DakeruDakeru Member EpicPosts: 3,797
    Originally posted by Cname

    More info on the developer/publisher of Superfish (main culprit):

    https://en.wikipedia.org/wiki/Superfish

    I own two Lenovo laptops and another one from ASUS.  Better pricing was why I considered Lenovo before - but my preference is for ASUS now image

    "On February 20, 2015, the United States Department of Homeland Security advised uninstalling it and its associated root certificate, "

    This part made me lol because the USA is doing this shit all the time.

    Didn't Snowden just reveal that the NSA hacked SIM cards right inside the production facilities?

    No matter what kind of service provider you picked later on - several thousand SIM cards had this root kit applied to them and if you were one of the lucky winners in this lottery then the NSA could listen to your calls all they wanted.

    Harbinger of Fools
  • QuizzicalQuizzical Member LegendaryPosts: 22,626

    Apparently the way that some security researcher found the Superfish root certificate private key was guessing a password.  The password was apparently the name of some software associated with the whole project.  Which is incredibly stupid, but not quite as bad as distributing the certificate private key in the clear, which is what I previously had the impression had happened.  Still, for a root certificate accepted by millions of computers, a password consisting of anything other than randomly generated bits is incredibly stupid.

  • QuizzicalQuizzical Member LegendaryPosts: 22,626

    Apparently this is how the root certificate private key was obtained:

    http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html

    As any MMORPG developer should know:  don't trust the client.  The client is in the hands of the enemy.  And that enemy will take the client apart to extract and defeat any security information that is present.  So of course Lenovo/Superfish/Komodia put everything to get control of a root certificate into the client.

  • TorvalTorval Member LegendaryPosts: 20,620

    I'm not going to give them the benefit of the doubt about being clueless on the certs. I think they knew exactly what they were doing with the mitm redirect, which in my opinion is way over the line. I'm not going to guess what reasoning or motivation they had in exposing the cert, but I'm not going to forgive that they were ignorant or clueless. I don't think this sort of action warrants that level of forgiveness.

    This company is dead to me for the foreseeable future, if not permanently. At some point if you can't trust your product manufacturer there is no point in doing business with them.

    It sucks that you pay so much for a piece of hardware and can't trust it at all. For now a nuke-n-pave may address these situations, but the next step is to embed this functionality in the hardware which we've already seen proofs of concept.

    Fedora - A modern, free, and open source Operating System. https://getfedora.org/

    traveller, interloper, anomaly, iteration


Sign In or Register to comment.