Since 2014 Lenovo has been shipping consumer laptops with an innocuously named program, Superfish, preinstalled. If you are not in the habit of wiping a new laptop and installing the OS fresh to get rid of the bloatware that generally ships on consumer products, your machine has been trusting the exact same root certificate as every other recent Lenovo owner, and the icing on the cake is that the certificate is self-signed by Superfish, not issued by a certificate authority, and its private key is identical on every machine. Superfish uses that certificate to sit between your browser and every HTTPS site you visit, re-signing each site's certificate with its own key so that the browser shows no warning. Because the private key is present on every affected laptop, it is effectively public, so anyone on the same network (the coffee-shop wireless hotspot, say) can do the same thing: sign a certificate for any site they like and present it to you, and a browser that trusts the Superfish root (apparently every browser other than Firefox, which keeps its own certificate store) will accept it as genuine. To be precise, this is an active man-in-the-middle attack rather than passive decryption of captured traffic, but for your banking or webmail session on a hostile network the result is the same.
Lenovo is downplaying the security issue, emphasizing that Superfish was only intended to inject ads into your browser based on your browsing and that it could be disabled manually or by not agreeing to the terms and conditions when you turn on your laptop for the first time. As the commenters on Slashdot rightly point out, that argument is disingenuous; exposing your customers to a man-in-the-middle attack just so you can serve them targeted advertising is a gross oversight. Samsung has not seen much success with the argument that its monitoring software could be manually disabled either. The program is no longer bundled on Lenovo laptops as of this year, but if you have one that shipped with it, note that uninstalling the program is not enough: the Superfish root certificate has to be removed from the Windows trust store as well, or every browser that uses that store keeps trusting it.
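To make the trust problem concrete, here is an added example in Go. It is not code from the original post and has nothing to do with Lenovo's or Superfish's actual software; it builds a self-signed root like the one that was preloaded, uses the root's private key to mint a certificate for an arbitrary hostname, and then runs the same chain validation a browser performs. The names "Adware Root CA", "Unrelated Root CA" and "bank.example" are made up for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// SharedRoot models the preloaded adware root: a self-signed CA certificate
// plus its private key, identical on every affected laptop (constructed here).
type SharedRoot struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// newKey generates a P-256 key; the algorithm is irrelevant, sharing the key is the flaw.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustParse turns the DER returned by x509.CreateCertificate into a certificate.
func mustParse(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// NewSharedRoot creates the self-signed root: a certificate whose issuer is
// itself and that no public certificate authority ever vouched for.
func NewSharedRoot(name string) SharedRoot {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert := mustParse(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return SharedRoot{Cert: cert, Key: key}
}

// MintImpersonationCert is what anyone holding the leaked root key can do:
// issue a server certificate for any hostname without touching the real site
// or its key. The adware proxy did this for every site; an attacker on the
// same wireless network can do exactly the same.
func MintImpersonationCert(root SharedRoot, hostname string) *x509.Certificate {
	leafKey := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mustParse(x509.CreateCertificate(rand.Reader, tmpl, root.Cert, &leafKey.PublicKey, root.Key))
}

// ClientAccepts performs the chain validation a browser runs when it connects
// to hostname and is shown leaf. The only thing that differs between an
// affected laptop and a clean one is the set of roots it trusts.
func ClientAccepts(leaf *x509.Certificate, hostname string, trustedRoots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range trustedRoots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   hostname,
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}
```

With `root := NewSharedRoot("Adware Root CA")` and `forged := MintImpersonationCert(root, "bank.example")`, `ClientAccepts(forged, "bank.example", root.Cert)` returns true while `ClientAccepts(forged, "bank.example")` returns false. Nothing about the forged certificate changes between the two calls; only the client's trust store does, which is why a root preinstalled into the OS store with a key everyone shares amounts to handing every network attacker a signing key for every site.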
"… doesn't mention the SSL aspect, but this Lenovo Forum Post, with screen caps, is indicating it may be a man-in-the-middle attack to hijack an SSL connection too. It's too early to tell if this is a hoax or not, but there are multiple forum posts about the Superfish bug being installed on new systems. Another good reason to have your own fresh install disk, and to just drop the drivers onto a USB stick."
Here is some more Tech News from around the web:
- Microsoft opens Office storage back end for iOS love @ The Register
- Qualcomm outs ARM Cortex A72-based Snapdragon 620 and 618 chips @ The Inquirer
- How to Zip, Stick, and Screw Stuff Together @ Hack a Day
- BlackBerry's money-making QNX unit touts virty dual-OS devices @ The Register
- Getting Data Out of the Cloud Before Disaster @ Benchmark Reviews
- New Android Trojan Fakes Device Shut Down, Spies On Users @ Slashdot
- Adobe Photoshop turns 25 @ The Inquirer
- 10 Highlights of Jon Corbet's Linux Kernel Report @ Linux.com
The SSL key to the city, and everyone is PWNED, with Lenovo vacuuming up all those personal metrics for ad pushing and such. All browsers should be made to change to the color red when a self-signed SSL certificate is detected, and let the user know when some bloatware, non-essential to the operating of the device, is detected trying to sling ads or do other snooping. Lenovo is the man in the middle in this case, and bundling this spyware/adware with any laptop or other device should earn a big fat fine, or trade sanctions.
Man, all these ad slingers and companies, as well as the state security apparatus, just want to J. Edgar Hoover up all your juicy metrics.
That is so not the picture I wanted in my head today.
It’s a Superfish, Superfish, it’s super sneaky.
Isn’t Lenovo partially owned by the Chinese government? I wouldn’t be surprised if there is a back door in Chinese-made hardware put there by the Chinese government, especially considering the lengths the NSA/CIA/FBI seem to be willing to go to.
Yes, probably the Chinese government, and lots of others, as Lenovo is a publicly traded company. And the Spy-vs-Spy agencies are all up in people’s business! But the marketing folks and their sponsors do lust after those juicy personal metrics obtained from laptops, PCs, TVs and toasters. Hell, even that WiFi Barbie may have a Superfish problem down there, lurking to circumvent the SSL certificate system and defeat the promised “secure” communication. Those ad slingers will stop at nothing; won’t someone think of the children! Or, for that matter, the right to privacy.