China Economy Forum

Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections [Updated] | Ars Technica

Lenovo is selling computers that come preinstalled with adware that hijacks encrypted Web sessions and may make users vulnerable to HTTPS man-in-the-middle attacks that are trivial for attackers to carry out, security researchers said.

The critical threat is present on Lenovo PCs that have adware from a company called Superfish installed. As unsavory as many people find software that injects ads into Web pages, there's something much more nefarious about the Superfish package. It installs a self-signed root HTTPS certificate that can intercept encrypted traffic for every website a user visits. When a user visits an HTTPS site, the site certificate is signed and controlled by Superfish and falsely represents itself as the official website certificate.

Even worse, the private encryption key accompanying the Superfish-signed Transport Layer Security certificate appears to be the same for every Lenovo machine. Attackers may be able to use the key to certify imposter HTTPS websites that masquerade as Bank of America, Google, or any other secure destination on the Internet. Under such a scenario, PCs that have the Superfish root certificate installed will fail to flag the sites as forgeries—a failure that completely undermines the reason HTTPS protections exist in the first place.

[Update: Rob Graham, CEO of security firm Errata Security, has cracked the cryptographic key encrypting the Superfish certificate. That means anyone can now use the private key to launch man-in-the-middle HTTPS attacks that won't be detected by machines that have the certificate installed. It took Graham just three hours to figure out that the password was "komodia" (minus the quotes). He told Ars the certificate works against Google even when an end-user is using Chrome. That confirms earlier statements that certificate pinning in the browser is not a defense against this attack (more about that below). Graham has a detailed explanation of how he did it here.]

The adware and its effect on Web encryption has been discussed since at least September in Lenovo customer forum threads such as those here and here. In the latter post, dated January 21, a user showed a root certificate titled Superfish was installed:

Such a disgusting thing they could do!!!
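As an added example (not code from the Ars article or from any poster here), a PowerShell check for the condition the article describes: it looks through the Windows LocalMachine and CurrentUser Root stores for a root certificate whose Subject or Issuer contains "Superfish" and, with -Remove, deletes it. The '*Superfish*' substring match is an assumption; the page only says the certificate is "titled Superfish" and gives no thumbprint or exact Subject.

```powershell
# Added example, not from the article or the forum: audit the Windows Root stores
# for a Superfish root CA and optionally remove it. The '*Superfish*' match is an
# assumption; the page only says the certificate is "titled Superfish".
param([switch]$Remove)

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
            }
        }
}

if (-not $found) {
    Write-Output 'No Superfish root certificate found in the LocalMachine or CurrentUser Root store.'
    return
}

# A trusted root whose private key is shared across machines lets anyone holding
# that key sign certificates this PC will accept for any HTTPS site.
Write-Warning "Superfish root CA present ($(@($found).Count) entry/entries); HTTPS trust on this PC is compromised."
$found | Format-Table -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        # LocalMachine\Root needs an elevated prompt; -DeleteKey also discards any
        # private key the store holds for this certificate.
        $path = "$($cert.Store)\$($cert.Thumbprint)"
        Remove-Item -Path $path -DeleteKey
        Write-Output "Removed $path"
    }
}
```

Run it from an elevated prompt; Firefox keeps its own certificate store, and the Visual Discovery software should be uninstalled as well, since it may put the certificate back.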
 
Lenovo's Response to Its Dangerous Adware Is Astonishingly Clueless | WIRED

If you’ve bought a Lenovo laptop anytime since August, it may have shipped with a dangerous bit of adware known as Visual Discovery by Superfish. It’s the kind of software add-on that computer makers are often paid to include with their hardware. Superfish exists to serve up ads, but it does so in such a maddeningly dangerous way that it creates a real security problem for Lenovo users.

Worse, Lenovo appears completely clueless about the problem. The company issued a statement shortly after security experts raised the issue, saying it stopped shipping the adware last month and customers need not worry about the thing compromising their security. “We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns,” Lenovo said.

Robert Graham, the CEO of an internet security firm called Errata Security, doesn’t mince words in assessing the situation. “This is a bald-face lie,” he says of Lenovo’s statement. “It’s obvious that there is a security problem here.” And Graham knows what he’s talking about. He runs a security consultancy and has documented very real security problems with Superfish.
 
“We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns,” Lenovo said.
Well, at least they shouldn't blatantly lie. If they want to compete with Apple and Google, they should learn some PR skills. Lying while technically not lying.
 
When did Zhejiang have such a large population? Damn, we are crowded, lol. Zhejiang is the second smallest province in China. Does the population include migrant workers?
 
See if your computer is affected

Check if you trust the Superfish CA

Why would I buy Lenovo? LOL.

It's known hijacker software... this is from 2013:
How to Remove www.superfish.com? | Spyware removers

Thanks buddy.

I don't have to worry about this tho, I just got this --- this month.

My new SONY VAIO Pro 13.

$1700 + some change, but I'm sure it will serve me well. The last laptop I had was a Sony Vaio, which I got back in 2008. It literally served me for 7 years. :)

 
Why did they kill BIOS? Because UEFI is better at intruding into your privacy?
 
Why would I buy Lenovo? LOL.
Lenovo makes some great laptops that punch way above their weight.
I myself got a $1300 Y510p last year. It lets me run any demanding video game at high settings. If you want the same bang for your buck, then your only choice is either a crappy Clevo or some $2500 laptop.
 
Lenovo makes some great laptops that punch way above their weight.
I myself got a $1300 Y510p last year. It lets me run any demanding video game at high settings. If you want the same bang for your buck, then usually you have to go for a $2500 laptop or a crappy Clevo.

I'm sure they're good. But for me, I have two laptops:

a) for work, I stick to my Sony Vaio
b) for gaming, I can't complain about my ASUS Republic of Gamers ;)
 