Congratulations, Lenovo laptop users. You've got malware on your laptop. Installed by Lenovo. Intentionally. Not simple bloatware, but a man-in-the-middle attack on all "secure" browser connections, rendering them trivially insecure. Seriously.
For a number of months now, Lenovo has been shipping laptops with Superfish malware pre-installed. You're probably used to laptop vendors installing random junk on their laptops to bother the end user. But Superfish isn't just random junk.
The idea of Superfish is to replace the ads on web sites with Lenovo's own ads. For example, if it attacks this site, then the ads you'd see if you don't disable them would be ads served by Lenovo so that Lenovo gets paid for the ads, rather than ads served by this site so that this site gets paid. That's bad, but perhaps not exceptionally bad as bloatware goes.
The problem comes with encrypted sites. If a site is encrypted, Superfish normally wouldn't be able to see what's an ad and what isn't, so it wouldn't be able to replace a web site's ads with its own. Superfish's solution to that is a man-in-the-middle attack on your browser connection.
For example, you want to buy something off of a site with ads and give them your credit card information. Superfish intercepts all browser communication so that, instead of the web site sending information to your browser, it sends the information to Superfish, which decrypts the page, replaces ads, encrypts the connection again, and passes it along to your browser.
It gets worse. Superfish apparently didn't lock itself down very well, so that all "secure" browser connections on infected machines are intrinsically insecure. If you do online banking via a Superfish-infected computer, your connection is insecure and there's nothing your bank can do about it.
The only thing you can do about it is to remove the Superfish certificate authority from your computer; merely uninstalling the Superfish software doesn't suffice. That's because Superfish installed a self-signed root certificate in order to enable its man-in-the-middle attack, and apparently used the same private key for all computers and made the private key easy to find. If you don't know what that means, that's kind of the point. Installing certificate authorities is the sort of thing that browser vendors are supposed to worry about, not end users.
The problem here isn't that Lenovo installed man-in-the-middle malware on their laptops and then didn't lock it down very well, leaving the laptops vulnerable. The problem is that Lenovo installed man-in-the-middle malware on their laptops. Period. End of sentence.
This is not the sort of security glitch that an incompetent company can do accidentally. It's not like a buffer overflow error or some such, where a well-intentioned company accidentally made its software vulnerable somehow. You don't accidentally create a man-in-the-middle attack. This is malware that was knowingly and intentionally installed by Lenovo on millions of laptops.
And then when people complained, Lenovo brushed it off for months. Only in the last few days, when security researchers demonstrated just how bad the problem really was, did Lenovo take it seriously. Even so, Lenovo claims that the security holes haven't been abused by anyone, other than Lenovo and its malicious adware, of course. That's unknowable, but even if it's true, having a huge security hole published like this means that it surely will get abused quickly if people don't remove it.
This isn't just the sort of thing that a reputable company simply wouldn't do. Most disreputable companies wouldn't do it, either, perhaps due to concerns over prison time or at least class action lawsuits. It is shocking that Lenovo, which might be the company that sells more laptops than any other in the world, thought this was a good idea.
Is it too harsh to say, don't buy anything Lenovo ever again? Maybe. But given the intentional and malicious nature of the attack, I would say, don't buy anything Lenovo ever again unless you're willing to, at minimum, wipe all storage media and do a clean install of whatever OS you want using media that Lenovo hasn't touched.
If you want some media sources for this, then here you go:
http://www.anandtech.com/show/8993/lenovo-superfish-and-security
http://www.cnet.com/news/superfish-torments-lenovo-owners-with-more-than-adware/
http://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-need-to-know/
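A defender's check for the remediation the post describes (removing the injected root certificate, not just the software), written as an added example that is not from the post or from Lenovo. It lists certificates in the Windows trusted-root stores whose subject matches a pattern and deletes them only when asked; the pattern '*Superfish*' and the parameter names are assumptions.

```powershell
# Added example: find (and optionally remove) trusted root certificates whose
# subject matches a pattern. '*Superfish*' is an assumed pattern taken from
# the vendor name; inspect the match before removing anything.
param(
    [string]$SubjectPattern = '*Superfish*',
    [switch]$Remove
)

# Both the machine-wide and the per-user "Trusted Root Certification
# Authorities" stores are consulted by browsers that use the Windows store.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like $SubjectPattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                # A root whose private key is present on this machine is a
                # red flag: a legitimate CA ships only its public certificate.
                HasPrivKey = $_.HasPrivateKey
                Path       = $_.PSPath
            }
        }
}

if (-not $found) {
    Write-Output "No root certificate matching '$SubjectPattern' in $($stores -join ', ')."
    return
}

$found | Format-Table Store, Subject, Thumbprint, NotAfter, HasPrivKey -AutoSize

if ($Remove) {
    # Removing from LocalMachine\Root requires an elevated prompt. -DeleteKey
    # also discards any private key installed alongside the certificate.
    foreach ($cert in $found) {
        Remove-Item -Path $cert.Path -DeleteKey -Confirm
    }
} else {
    Write-Output "Re-run with -Remove to delete the certificate(s) listed above."
}
```

Browsers that keep their own trust store (Firefox, for example) are not covered by the two Windows stores this script checks, so their certificate managers need a separate look.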
Comments
Isn't the first thing you do upon purchasing a laptop to wipe the hard drive, establish preferable partitions, and install the OS freshly with an OEM disc? Then use your proper and main machine to download the required drivers at their most updated state and go along with your setup?
Isn't that what everyone does?
--Custom Rig: Pyraxis---
NZXT Phantom 410 Case
Intel Core i5-4690 Processor - Quad Core, 6MB Smart Cache, 3.5GHz
Asus Sabertooth Z87 Motherboard
Asus GeForce GTX 760 Video Card - 2GB GDDR5, PCI-Express 3.0
Kingston HyperX Fury Blue 16GB
I would say most people don't know how. And of that small percentage that do know how, most of those build their own desktops and wouldn't have bought a Lenovo (or any other brand) to begin with.
Nope, it is what hardly anyone does. People generally buy a laptop for convenience and that is just not convenient.
That's kind of like asking, isn't building your own desktop what everyone does? It is what many (most?) tech-savvy users do, but it's far from what most computer buyers in general do.
In this case, yes, wiping the hard drive and doing a clean install of Windows would have protected you from Lenovo's malware. But that shouldn't be necessary. Merely tracking down and uninstalling the bloatware--which is what some people do with new laptops--wouldn't have been enough here unless you knew to track down and remove the Superfish certificate authority. And there's no good reason for bloatware to mess with certificate authorities, which is why most people wouldn't check that.
That's the first thing I do as well.
Provide me with an installation disc for the operating system and the rest I can do on my own. And I will look up the latest drivers with the manufacturers of built-in hardware components. Nothing worse than using outdated drivers.
I don't know who makes the preinstall images and does such a horrible job of installing junk software.
I want to set up the partitions as I want and have my own requirements to managing users and software. Installation doesn't take that long anyways.
http://support.lenovo.com/us/en/product_security/superfish_uninstall
Simply uninstall it.
Nice find Quizz.
I'm using a Lenovo laptop but it's 3 years old and I installed win7 on it myself. I wouldn't get a laptop with a pre-installed OS cause that always means at least 100 bucks extra.
That isn't meant to say that people buying ready-made laptops are at fault.
I don't even find words for what I am thinking about Lenovo right now.
This is just utterly staggering. In what country is what they have done not considered a criminal act?
Do they consider themselves above the law or something? It's just crazy that they could think to get away with something like that.
Tend to agree, who in their right mind is going to buy a laptop now if they can't be sure it's 'clean'? I'll stick to my desktop, built it myself and I know it's clean, I do a complete scan every week to be sure. Seriously though, it's crap like that that hurts the PC industry in general.
This has actually been happening a lot lately, getting adware from sites I would not expect it from, so I wouldn't just blame Lenovo.
ALL businesses are after a buck and any free buck they can get, so likely they did not do any homework, simply got a request, were told it's harmless and got paid for doing so.
I find the whole malware business to be quite corrupt. Malwarebytes at one time were the criminals, well now they run several divisions of so-called software suites that do NOTHING. These are million dollar operations, I wouldn't put it past them that they are the ones feeding malware onto systems to make it look like their software is warranted.
I have seen some serious malware doing that advertising switch that is not detected by some of the best software out there, so something is severely wrong out there.
Never forget Three Mile Island and never trust a government official or company spokesman.
This isn't primarily about adware. This is primarily about making all of your encrypted browser traffic trivial for someone to decrypt. And Lenovo doing that intentionally, so they could decrypt your encrypted browser traffic in order to insert ads. That's much worse than ordinary adware.
I'd like to point out that they totally tried to pull an "Oh gee?! But we didn't know! How bad!" and bat their eyelashes whilst doing so.
More info on the developer/publisher of Superfish (main culprit):
https://en.wikipedia.org/wiki/Superfish
I own two Lenovo laptops and another one from ASUS. Better pricing was why I considered Lenovo before, but my preference is for ASUS now.
"A game is fun if it is learnable but not trivial" -- Togelius & Schmidhuber
These days it can be hard to know if your computer is ever really secure.
http://www.bloomberg.com/news/articles/2015-02-17/spying-campaign-bearing-nsa-hallmark-found-infecting-computers
http://www.theverge.com/2013/12/29/5253226/nsa-cia-fbi-laptop-usb-plant-spy
In their defense (sort of), everyone involved with the project had no clue what they were doing. Just having the root certificate have a different private key on each laptop rather than the same one would have closed the glaringly obvious way to attack a laptop with Superfish installed.
Certificate authorities are how web sites authenticate themselves. There are a handful of root certificates in the world that are generally accepted by browsers, and their private keys are among the most closely guarded secrets in the world. Anyone who knows the private key to a root certificate that your browser accepts as valid can send you data claiming to be any site in the world and your browser will believe him. To broadly distribute a private key for a root certificate that many millions of laptops will accept as valid is such an insanely stupid thing to do that the mere fact that Lenovo/Superfish did it is compelling evidence that everyone involved was clueless.
"On February 20, 2015, the United States Department of Homeland Security advised uninstalling it and its associated root certificate, ..."
This part made me lol because the USA is doing this shit all the time.
Didn't Snowden just reveal that the NSA hacked SIM cards right inside the production facilities?
No matter what kind of service provider you picked later on - several thousand SIM cards had this root kit applied to them and if you were one of the lucky winners in this lottery then the NSA could listen to your calls all they wanted.
Apparently the way that some security researcher found the Superfish root certificate private key was guessing a password. The password was apparently the name of some software associated with the whole project. Which is incredibly stupid, but not quite as bad as distributing the certificate private key in the clear, which is what I previously had the impression had happened. Still, for a root certificate accepted by millions of computers, a password consisting of anything other than randomly generated bits is incredibly stupid.
Apparently this is how the root certificate private key was obtained:
http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html
As any MMORPG developer should know: don't trust the client. The client is in the hands of the enemy. And that enemy will take the client apart to extract and defeat any security information that is present. So of course Lenovo/Superfish/Komodia put everything to get control of a root certificate into the client.