Lenovo bundled adware on some laptops, leaves users with staggering security vulnerabilities
Chinese PC maker Lenovo has found itself in the middle of a public relations disaster, following revelations that it sold a number of notebook computers with pre-installed software that hijacks users' browser sessions to inject customized advertisements and seriously degrades the security of encrypted connections.

Bank of America's website being signed with a Superfish certificate, as noticed by Google security engineer Chris Palmer
The adware, from a visual search firm named Superfish, is a contextual search platform that has been shown to act as a transparent proxy for requests flowing through browsers on Lenovo machines. It analyzes the content of websites, inserting advertisements that it considers relevant.
In order to access HTTPS requests, Superfish also comes loaded with a self-signed root certificate. Pages loaded over HTTPS are signed with this certificate, rather than the actual certificate of the site owner, allowing Superfish to decrypt the contents.
This creates a serious security problem. Anyone with the encryption password for the certificate -- which was easily found by Robert Graham of Errata Security -- can extract the private key and perform a man-in-the-middle attack to intercept the communications of any computer with the certificate installed, or to craft legitimate-seeming phishing websites.
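One way to spot the pattern the article describes from the client side: a local interception proxy re-signs every HTTPS page with one private root, so unrelated sites all appear to share the same unexpected issuer. The helper below is an added example, not code from the article or from Lenovo or Superfish; the issuer and host names in it are constructed samples, and the certificate dicts follow the shape Python's `ssl.SSLSocket.getpeercert()` returns.

```python
"""Flag a shared, unexpected TLS issuer across unrelated hosts.

Takes certificate dicts in the shape returned by ssl.SSLSocket.getpeercert()
and reports any issuer organisation that is not on the expected list yet
signs more than one unrelated site, the hallmark of a local re-signing proxy.
"""
import socket
import ssl
from collections import defaultdict


def _rdn_to_dict(name):
    """Flatten getpeercert()'s nested ((('attr', 'value'),), ...) form into {attr: value}."""
    out = {}
    for rdn in name:
        for attr, value in rdn:
            out[attr] = value
    return out


def fetch_peer_cert(host, port=443, timeout=5):
    """Live check: return the leaf certificate this client actually sees.
    Verification stays on, so a cert chaining to an injected root is only
    accepted if that root is already in the OS trust store."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def find_shared_issuer(certs, trusted_issuers):
    """certs: {hostname: peercert dict}. Returns {issuer: [hosts]} for every
    issuer not in trusted_issuers that signs two or more of the hosts."""
    by_issuer = defaultdict(list)
    for host, cert in certs.items():
        issuer = _rdn_to_dict(cert["issuer"]).get("organizationName", "?")
        by_issuer[issuer].append(host)
    return {iss: hosts for iss, hosts in by_issuer.items()
            if iss not in trusted_issuers and len(hosts) > 1}


# Constructed sample (assumed names): two unrelated sites whose leaf certs carry
# the same unknown issuer, plus one site issued by an expected public CA.
SAMPLE_CERTS = {
    "bank-a.example": {"subject": ((("commonName", "bank-a.example"),),),
                       "issuer": ((("organizationName", "Example Interceptor Inc"),),)},
    "bank-b.example": {"subject": ((("commonName", "bank-b.example"),),),
                       "issuer": ((("organizationName", "Example Interceptor Inc"),),)},
    "shop.example": {"subject": ((("commonName", "shop.example"),),),
                     "issuer": ((("organizationName", "Public CA Ltd"),),)},
}
TRUSTED_ISSUERS = {"Public CA Ltd"}

if __name__ == "__main__":
    print(find_shared_issuer(SAMPLE_CERTS, TRUSTED_ISSUERS))
```

On a real machine, replace `SAMPLE_CERTS` with `{h: fetch_peer_cert(h) for h in hosts}` for a handful of unrelated sites; a shared issuer that is not a public CA is worth investigating in the local trust store.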
In a statement, Lenovo acknowledged that it had installed Superfish on "some consumer notebook products shipped in a short window between September and December." The company promised that the backend services powering the ad injection technology have been disabled, and that it would not include Superfish on any future products.
Unfortunately, that does nothing to alleviate the security concerns caused by allowing the installation of a self-signed root certificate in the first place. Despite the clear implications, Lenovo does not appear worried.
"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns," the company said in the same statement.
Comments
So...don't trust Red China companies. Got it.
The company promised that the backend services powering the ad injection technology have been disabled, and that it would not include Superfish on any future products.
Google: "Dang. Can we buy Superfish? We need to inject ads wherever we can."
And the rhetoric coming out from the Chinese government about US tech spying on them? Well, I guess it's okay for China to do it.
Hypocrisy. There should be a class-action lawsuit against Lenovo NOW!
This is barely news.
Mostly true.
People who are concerned about security, don't buy Dell, HP, Toshiba, etc in the first place and build their own equipment. Unfortunately that is not an option for laptops.
For laptops getting a "naked" system is generally impossible, but the "it violates the letter of the license but not the spirit of it" work-around is to use a vanilla OEM version of the operating system from a desktop, but still use the key that belongs to the laptop.
But generally people who are concerned about security or privacy are the same people who deal with questionable software (pirated software, malware, etc) as part of their job or hobby in the first place. The average person who buys a name-brand system shouldn't have to do all this just to get a working system.
Lenovo was already a security problem: Made not just in China but by China.
This is what happens when you buy POS stuff.
I can only imagine the adware/malware on those $99 tablets they sell at Walmart.
I'd rather take a flame to that $99. At least it would produce a few seconds of entertainment.
Questionable default software has been common practice among PC makers for years. Dell, Gateway, HP, Sony... every one of them has done similar things, to the point that most people who are concerned with security immediately wipe a new PC and load a clean version of Windows from a source other than the recovery media/partition.
This is barely news.
I've done that tons of times. But often it's a fucking pain in the ass, because the drivers that the machine uses CANNOT be easily found online or even on the manufacturer's site, which results in non-functional hardware or instability. Many times I've given up and restored the damn thing from the partition or recovery CD, and then manually uninstalled as much junk as I could. Hellish experience.
The company promised that the backend services powering the ad injection technology have been disabled, and that it would not include Superfish on any future products.
Google: "Dang. Can we buy Superfish? We need to inject ads wherever we can."
Exactly. This is Google driving down the value of Superfish so they can acquire it on the cheap.
Google: "Dang. Can we buy Superfish? We need to inject ads wherever we can."
Why do they need to do that when people already install Chrome willingly?
Not only do I think this could bring awareness to customers about the more reputable vendors, but also help decrease these egregious actions, just as it's done with AnandTech bringing to light and testing for cheating with CPU and GPU performance tests by Android-based vendors.
http://www.anandtech.com/show/7384/state-of-cheating-in-android-benchmarks
Such a service shouldn't only look for the unethical behaviour, but also look at general inefficiencies and laziness from vendors. For example, how much usable space is available to the user out of the box when the standard bloatware and recovery partition usage is accounted for, as well as how long it takes for the system and certain standard apps to open up due to services running in the background.
For laptops getting a "naked" system is generally impossible, ...
Better check the name of the website you're on. There is one company from which you can buy an untainted laptop computer.
(1) remove the original hard drive
(2) install different hard drive
(3) install OEM windows
(4) place original hard drive in USB sled
(5) install missing drivers from original hard drive
(or)
(1) buy a Mac
(2) run VirtualBox
Better check the name of the website you're on. There is one company from which you can buy an untainted laptop computer.
True... Like me and many others, we buy a retail version of Windows (i.e. "untainted") and install it as a virtual machine on their Macs. So if you MUST run windows, at least it is as vanilla as it's going to get.
Having given some consideration to a Lenovo to tide me over while waiting for Broadwell last year, the re-switcher in me is yelling yay! at my decision to buy a loaded Apple refurbed 13" 2013 MBA last November.... ...since the only diff with 2014 was a slight CPU bump....
...a (safer) bargain by contrast and will get me at least to Skylake.
You want to talk about "staggering" security vulnerabilities?
http://www.theverge.com/2015/2/19/8071453/nsa-gchq-snowden-sim-phone-security
Um... I've had similar problems with visits to AI using Safari on my iPad: it ends up hijacking me repeatedly to a gamer's website. I'd think that I was navigating to the 'next' page of comments, but instead it takes me somewhere else.
It happens off and on. (For example, I haven't had the problem in the past couple of weeks).
Anyone else have this issue?
Steve Jobs insisted that the original iPhone be untainted of carrier bloatware. AT&T took a big chance and the rest is history. Android phones and tablets are filled with bloatware that can't be removed by the average user. It's added by the manufacturer and the carrier in the name of profit. Samsung and Verizon are the biggest abusers. It can take a top-of-the-line phone and slow it down to a crawl.
Now that it's carrying over to Windows PCs and laptops and willfully installing spyware, it's gone too far. Much of what has been said here is beyond the average user. Microsoft needs to step in with the OEMs and make sure it's not done in the future. Violations like this should mean the removal of their OEM license. Will that happen? Probably not. The answer to the problem is just buy an iMac, MacBook, iPhone or iPad. Apple doesn't mess around with your personal information.
The only way to avoid this kind of preinstalled junk is to buy from a company that doesn't need to do it and avoids doing it. Apple doesn't mess around with your personal information.
As far as I can recall, the person who started to bring up, and berate, PC makers on this issue was Walt Mossberg, the former tech reviewer for the WSJ. I recall his fulminations on this from at least a couple of decades ago. (He also used to praise Apple for not doing this, and as a result would take much online abuse from the great unwashed....)