Lenovo In Denial: Insists There's No Security Problem With Superfish -- Which Is Very, Very Wrong.

from the so-long-and-thanks-for-all-the-superfish dept

We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.


Late last night, people started buzzing on Twitter about the fact that Lenovo, makers of the famous Thinkpad laptops, had been installing a really nasty form of adware on those machines called Superfish. Many news stories started popping up about this, again, focusing on the adware. But putting adware on a computer, while ethically questionable and a general pain in the ass, is not the real problem here. The problem is that the adware in question, Superfish, has an astoundingly stupid way of working that effectively allows for a very easy man in the middle attack on any computer with the software installed, making it a security hole.

Lenovo's response? Basically to shrug its shoulders and say it doesn't understand why anyone's that upset. This is because whoever wrote Lenovo's statement on this is completely clueless about computer security.

Bullshit. That's really the only response that should be said to that line. Lenovo focuses on the reasons why many people normally hate adware: that it tracks what you're doing and sends info back to third parties. That's not what Superfish does, so Lenovo doesn't see what the big deal is. Superfish, which was just recently ranked 64th by Forbes in its list of "Most Promising American Companies," tries to watch what you're surfing, and when you see certain images, the service injects other offerings for similar (or the same) products. In theory, if one chose to use such a product, you could see why it could be useful. But automatically putting it on computers is a different thing altogether.

The real problem is in how Superfish deals with HTTPS protected sites. Since, in theory, it shouldn't be able to see the images on those sites, it appears that Superfish came up with what it must have believed was a clever workaround: it just installs a root HTTPS certificate, which it then uses to pretend that any HTTPS page you're visiting is perfectly legitimate.
For many years, we've pointed out why the HTTPS system with certificate authorities is open to a giant man in the middle attack via any certificate authority willing to grant a fake certificate -- and here we basically have Lenovo enabling this questionable company to go hogwild with this exact kind of MITM attack. Basically, every HTTPS site that you visit was a victim of this kind of MITM attack -- solely for the purpose of interjecting Superfish ads. In fact, some have suggested it could apply to VPNs as well. Basically, this is a massively dangerous security hole with wide-ranging implications. And Lenovo says they don't see why.

And, even beyond that, it's implemented incredibly stupidly -- in a way that is ridiculously dangerous. That's because it appears that the private key used for the Superfish certificate is the same on basically every install of this software. And it didn't take very long at all for security folks, such as Robert Graham, to crack the password, meaning that it's now incredibly easy to get access to information someone thinks is encrypted. As Graham notes, the password is "komodia", which just so happens to be the name of a company that "redirects" HTTPS traffic (for spying on kids and such).

This is a ridiculous security threat, and Lenovo is brushing it off as nothing big. As many have noted, people have been complaining about the adware components of the software for months now, and Lenovo announced that it was stopping installs, because some people didn't like the way the software created popups and such -- but with no mention of the massive security problems. And, even now, the company doesn't seem willing to admit to them. Furthermore, the company doesn't even seem willing to say which machines it installed them on, or provide people with instructions on how to protect themselves (simply uninstalling Superfish won't do it). This is a huge mess. I've personally been a loyal Lenovo Thinkpad customer for years, having bought many, many laptops.
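As an added illustration (not part of the Techdirt post), here is a standard-library Python check for the interception described above: it completes a normal TLS handshake and then inspects who actually issued the leaf certificate, because on a machine with the Superfish root installed the handshake itself succeeds and the browser padlock says nothing is wrong. The default host name, the issuer strings matched and the sample certificate dicts are assumptions constructed for the example.

```python
# Added example (not from the Techdirt post): flag a TLS connection whose
# leaf certificate was issued by a Superfish/Komodia-style local root
# instead of the site's real CA, using only the standard library.
import socket
import ssl
import sys

# Issuer names taken from the post; matched against what the certificate
# actually carries, so extend the set for other interception proxies.
INTERCEPTION_ISSUERS = {"superfish", "komodia"}


def issuer_fields(cert):
    """Flatten the 'issuer' entry of ssl.SSLSocket.getpeercert() to a dict."""
    fields = {}
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            fields[key] = value
    return fields


def is_intercepted(cert):
    """True when the leaf certificate's issuer looks like an adware root CA."""
    haystack = " ".join(v.lower() for v in issuer_fields(cert).values())
    return any(name in haystack for name in INTERCEPTION_ISSUERS)


def check_host(host, port=443, timeout=5.0):
    """Handshake against the system trust store; return (intercepted, issuer).
    On an affected machine the handshake succeeds because the adware root is
    trusted system-wide, which is why the issuer itself must be inspected."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return is_intercepted(cert), issuer_fields(cert)


# Constructed samples in getpeercert() layout (not real certificates).
SAMPLE_INTERCEPTED = {"issuer": ((("countryName", "US"),),
                                 (("organizationName", "Superfish, Inc."),),
                                 (("commonName", "Superfish, Inc."),))}
SAMPLE_CLEAN = {"issuer": ((("organizationName", "Example Public CA"),),)}

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    flagged, issuer = check_host(host)
    print(host, "INTERCEPTED" if flagged else "ok", issuer)
```

A positive result means the adware root is still trusted even if the Superfish program itself was uninstalled, which is the point the post makes about uninstalling not being enough.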
In fact, just a couple months ago -- right in the middle of the period when Superfish was being preloaded -- I bought a new Thinkpad laptop, though it appears that mine is not one that includes Superfish. Still, Lenovo created a huge and dangerous mess, and they don't seem to recognize it at all. This kind of fuck up is worse than the whole Sony rootkit thing from a decade or so ago, and as with Sony then, Lenovo doesn't seem to have the slightest clue of just how badly it has put people at risk.

It doesn't take much to kill off tremendous goodwill and trust, and Lenovo may have just done so with its pitiful reaction here. It's one thing for Lenovo to have made the stupid decision to install this kind of adware/bloatware. It's a second thing to not realize the security implications of it. However, it's another thing entirely, once it's been pointed out to Lenovo, to then deny that this is a security risk. Lenovo screwed up big time here, and mostly in the way it's responded to the mess it created.

Filed Under: adware, certificate authority, concerns, https, man in the middle, privacy, security, superfish, tls

Companies: komodia, lenovo, superfish