Lenovo bundled adware on some laptops, leaves users with staggering security vulnerabilities

Posted:
in General Discussion edited February 2015
Chinese PC maker Lenovo has found itself in the middle of a public relations disaster, following revelations that it sold a number of notebook computers with pre-installed software that hijacks users' browser sessions to inject customized advertisements and seriously degrades the security of encrypted connections.


Bank of America's website being signed with a Superfish certificate, as noticed by Google security engineer Chris Palmer


The adware, from a visual search firm named Superfish, is a contextual search platform that has been shown to act as a transparent proxy for requests flowing through browsers on Lenovo machines. It analyzes the content of websites, inserting advertisements that it considers relevant.

In order to access HTTPS requests, Superfish also comes loaded with a self-signed root certificate. Pages loaded over HTTPS are signed with this certificate, rather than the actual certificate of the site owner, allowing Superfish to decrypt the contents.

This creates a serious security problem. Anyone with the encryption password for the certificate -- which was easily found by Robert Graham of Errata Security -- can extract the private key and perform a man in the middle attack to intercept the communications of any computer with the certificate installed, or to craft legitimate-seeming fake phishing websites.

In a statement, Lenovo acknowledged that it had installed Superfish on "some consumer notebook products shipped in a short window between September and December." The company promised that the backend services powering the ad injection technology have been disabled, and that it would not include Superfish on any future products.

Unfortunately, that does nothing to alleviate the security concerns caused by allowing the installation of a self-signed root certificate in the first place. Despite the clear implications, Lenovo does not appear worried.

"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns," the company said in the same statement.
«13

Comments

  • Reply 1 of 46

    So...don't trust Red China companies. Got it.

  • Reply 2 of 46
    sockrolidsockrolid Posts: 2,789member

    Originally Posted by AppleInsider View Post

    The company promised that the backend services powering the ad injection technology have been disabled, and that it would not include Superfish on any future products.

     

    Google: "Dang.  Can we buy Superfish?  We need to inject ads wherever we can."

  • Reply 3 of 46
    sflocalsflocal Posts: 5,945member
    If Apple were caught doing this, it would be sued into oblivion.

    And the rhetoric coming out from the Chinese government about US tech spying on them? Well, I guess it's okay for China to do it.

    Hypocrisy. There should be a class-action lawsuit against Lenovo NOW!
  • Reply 4 of 46
    Questionable default software has been common practice among PC makers for years. Dell, Gateway, HP, Sony....everyone of them have done similar things to the point that most people that are concerned with security immediate wipe a new PC and load a clean version of windows from a source other than the recovery media/partition.

    This is barely news.
  • Reply 5 of 46
    misamisa Posts: 827member
    Questionable default software has been common practice among PC makers for years. Dell, Gateway, HP, Sony....everyone of them have done similar things to the point that most people that are concerned with security immediate wipe a new PC and load a clean version of windows from a source other than the recovery media/partition.

    This is barely news.

    Mostly true.

    People who are concerned about security, don't buy Dell, HP, Toshiba, etc in the first place and build their own equipment. Unfortunately that is not an option for laptops.

    For laptops getting a "naked" system is generally impossible, but the "it violates the letter of the license but not the spirit of it" work-around is to use a vanilla OEM version of the operating system from a desktop, but still use the key that belongs to the laptop.

    But generally people who are concerned about security or privacy are the same people who deal with questionable software (pirated software, malware, etc) as part of their job or hobby in the first place. The average person who buys a name-brand system shouldn't have to do all this just to get a working system.
  • Reply 6 of 46
    cpsrocpsro Posts: 2,984member

    Lenovo was already a security problem: Made not just in China but by China.

  • Reply 7 of 46
    slurpyslurpy Posts: 5,347member
    Quote:

    Originally Posted by sog35 View Post

     

    This is what happens when you buy POS stuff.

     

    I can only imagine the adware/malware on those $99 tablets they sell at walmart


     

    I'd rather take a flame to that $99. At least it would produce a few seconds of entertainment. 

  • Reply 8 of 46
    slurpyslurpy Posts: 5,347member
    Quote:

    Originally Posted by woodycurmudgeon View Post



    Questionable default software has been common practice among PC makers for years. Dell, Gateway, HP, Sony....everyone of them have done similar things to the point that most people that are concerned with security immediate wipe a new PC and load a clean version of windows from a source other than the recovery media/partition.



    This is barely news.

     

    Ive done that tons of time. But often it's a fucking pain in the ass, because the drivers that the machine uses CANNOT be easily found online or even on the manufacture's site, which results is non-functional hardware or instability.  Many times I've given up and restored the damn thing from the partition or recovery CD, and then manually uninstalled as much junk as I could. Hellish experience. 

  • Reply 9 of 46
    Quote:

    Originally Posted by SockRolid View Post

     

    Originally Posted by AppleInsider View Post

    The company promised that the backend services powering the ad injection technology have been disabled, and that it would not include Superfish on any future products.

     

    Google: "Dang.  Can we buy Superfish?  We need to inject ads wherever we can."


     

    Exactly. This is Google driving down the value of Superfish so they can acquire it on the cheap. :)

  • Reply 10 of 46
    Quote:

    Originally Posted by Phone-UI-Guy View Post

     

     

    Exactly. This is Google driving down the value of Superfish so they can acquire it on the cheap. :)


     

    Quote:

    Originally Posted by SockRolid View Post

     

     

    Google: "Dang.  Can we buy Superfish?  We need to inject ads wherever we can."




    Why do they need to do that when people already install Chrome willingly?

  • Reply 11 of 46
    My business idea (which I'll never do so feel free to capitalize on it) is create a Consumer Reports-like service for consumer electronics. Namely, to measure and test, among other things, how much bloatware, backdoors/rootkits, and other crap is installed on your average consumer electronic. Customers should expect that a reputable store would be selling them products without severe vulnerabilities built-in, but as we increasingly see this is not the case.

    Not only do I think this could bring awareness to customers about the more reputable vendors, but also help decrease these egregious actions, just as it's done with AnandTech bringing to light and testing for cheating with CPU and GPU performance tests by Android-based vendors.

    [LIST][*] http://www.anandtech.com/show/7384/state-of-cheating-in-android-benchmarks
    [/LIST]

    Such a service shouldn't only look for the unethical behaviour, but also look at general inefficiencies and laziness from vendors. For example, how much usable space is available to the user out of the box when the standard bloatware and recovery partition usage is accounted for, as well as how long it takes for the system and certain standard apps to open up do to services running in the background.
  • Reply 12 of 46
    radarthekatradarthekat Posts: 3,492moderator
    Quote:

    Originally Posted by Misa View Post



    For laptops getting a "naked" system is generally impossible, ...

     

    Better check the name of the website you're on.  There is one company from which you can buy an untainted laptop computer.

  • Reply 13 of 46
    xixoxixo Posts: 431member
    slurpy wrote: »
    Ive done that tons of time. But often it's a fucking pain in the ass, because the drivers that the machine uses CANNOT be easily found online or even on the manufacture's site, which results is non-functional hardware or instability.  Many times I've given up and restored the damn thing from the partition or recovery CD, and then manually uninstalled as much junk as I could. Hellish experience. 

    (1) remove the original hard drive
    (2) install different hard drive
    (3) install OEM windows
    (4) place original hard drive in USB sled
    (5) install missing drivers from original hard drive

    (or)

    (1) buy a Mac
    (2) run VirtualBox
  • Reply 14 of 46
    This is why I switched to Mac's years ago, and continue to laugh in the face of those stupid enough to profess the superiority of the PC! It's a wretched platform wrath with pitfalls and black holes, that smart people should just steer clear of!!!
  • Reply 15 of 46
    sflocalsflocal Posts: 5,945member
    Quote:

    Originally Posted by RadarTheKat View Post

     

     

    Better check the name of the website you're on.  There is one company from which you can buy an untainted laptop computer.




    True... Like me and many others, we buy a retail version of Windows (i.e. "untainted") and install it as a virtual machine on their Macs.  So if you MUST run windows, at least it is as vanilla as it's going to get.

  • Reply 16 of 46
    bigpicsbigpics Posts: 1,397member

    Having given some consideration to a Lenovo to tide me over while waiting for Broadwell last year, the re-switcher in me is yelling yay! at my decision to buy a loaded Apple refurbed 13" 2013 MBA last November.... ...since the only diff with 2014 was a slight CPU bump....



    ...a (safer) bargain by contrast and will get me at least to Skylake.

  • Reply 17 of 46

    You want to talk about "staggering" security vulnerabilities?

     

    http://www.theverge.com/2015/2/19/8071453/nsa-gchq-snowden-sim-phone-security

  • Reply 18 of 46

    Um... I've had similar problems with visits to AI using Safari on my iPad: it ends up hijacking me repeatedly to a gamer's website. I'd think that I was navigating to the 'next' page of comments, but instead takes me somewhere else.

     

    It happens off and on. (For example, I haven't had the problem in the past couple of weeks).

     

    Anyone else have this issue?

  • Reply 19 of 46
    mnbob1mnbob1 Posts: 269member
    The only way to avoid this kind of preinstalled junk is to buy from a company that doesn't need to do it and avoids doing it. Loading up laptops became a problem when manufacturers realized that filling up phones was a huge profit maker. It actually started before smartphones when carriers added junk.

    Steve Jobs insisted that the original iPhone be untainted of carrier bloat ware. AT&T took a big chance and the rest is history. Android phones and tablets are filled with bloat ware that can't be removed by the average user. It's added by the manufacturer and the carrier in the name of profit. Samsung and Verizon are the biggest abusers. It can take a top of the line phone and slow it down to a crawl.

    Now that it's carrying over to Windows PC's and laptops and willfully installing spyware it's gone too far. Much of what has been said here is beyond the average user. Microsoft needs to step in with the OEMs and make sure it's not done in the future. Violations like this should be the removal of their OEM license. Will that happen? Probably not. The answer to the problem is just buy an iMac, MacBook, iPhone or iPad. Apple doesn't mess around with your personal information.
  • Reply 20 of 46
    Quote:
    Originally Posted by mnbob1 View Post



    The only way to avoid this kind of preinstalled junk is to buy from a company that doesn't need to do it and avoids doing it.  Apple doesn't mess around with your personal information.

    As far as I can recall, the person who started to bring up, and berate, PC makers on this issue was Walt Mossberg, the former tech reviewer for WSJ. I recall his fulminations on this from least a couple of decades ago. (He also used to praise Apple for not doing this, and as a result, would take much online abuse from the great unwashed....)

Sign In or Register to comment.