This is much worse than just installing adware. They install a web proxy which MITMs all web connections, including HTTPS by means of a pre-installed trusted root certificate.
Someone will extract the private key in the next few hours, and then HTTPS will be basically completely broken for all Lenovo users -- anyone will be able to spoof any site to them.
On the bright side, Firefox does not use the system certificates (it has its own list) and Chrome will no doubt push an update to block the certificate promptly.
I'm curious what legal stance Lenovo customers have here - their secure HTTPS connections are being MITMed intentionally - surely that's hacking, or some national security violation?
Remaining questions: Does the superfish proxy itself check the certificate of the site it's connecting to? One would hope, but that's also a pretty easy thing to screw up.
If it does, does it trust its own cert? Probably (certainly?), but if not, that would leave one in the curious (perverse?) position of being safer by using the proxy. Superfish can MITM your connection, but nobody else with the key could.
Wow, there are tons of images on twitter about this [1]. There is one where they MITM https://www.bankofamerica.com/ too [2]. Why the hell would they do this. Brutal.
While it is akin to playing whack-a-mole, it's nice to see them seriously considering blocking this cert so users who get a theoretical update in Firefox would have it simply be removed. Granted Superfish could update and get around it but that would require effort and considering the PR nightmare Lenovo is going to be fielding I doubt they would do so.
Honestly, I think that's unlikely. This is far too sloppy to have been intentional. There are much better ways to implement a backdoor when you control the OS image. This is just incompetence, plain and simple.
Superfish looks like the kind of crapware that pays OEMs to include it in their bundle. Lenovo took the cash and didn't bother to review the code. Superfish, for its part, probably doesn't have the best and brightest engineers working for them. They probably tasked a junior programmer with working around SSL, who then committed the first solution that worked without ever thinking about security implications, and they shipped it.
Cannot see how this could possibly be true. Having been privy to OS bundling for products, I can assure you there are lengthy contracts, and negotiations, about exactly what is happening. You do not simply walk up to Lenovo and have your "software" installed into the OS without a very detailed contract and pay structure. There also looks to be JS injected into pages, which is serving up the ads, and a comment about Lenovo [1]. Think about what that means. There was a project at this company, where they had meetings, project plans, testing to make sure it worked, and a very detailed idea of what was going on. Never mind all the ramping up of capacity due to new Lenovo boxes coming on-line. There is zero chance this was some low-level junior programmer fly-by-night operation.
Oh I'm sure they had lots of meetings about the contracts and pay structure, and they may have done testing to make sure it didn't break things, but apparently no one did a security review. Sadly, this doesn't surprise me that much.
If they did know about the problem, they could have fixed it. If the app simply generated a new key as part of first-time use, then it would just be run-of-the-mill crapware rather than a gaping security hole. Even if Lenovo has malicious intent, it would still have been in their best interests to do at least that, yet they didn't. Hence I assume it was incompetence.
It doesn't take a "security review" to spot a gaping security and privacy violation like this.
Any engineer with even the slightest clue of how a browser and "the internet" works would have called this out during the first "How does this product work?"-presentation.
(Which, possibly unfairly, is one reason I'm leaning more towards ansible than saltstack to this day -- I mean, if stuff like that got through... what else, in more complex areas of the system?)
I don't know, I've worked on some large government projects where things like this could have possibly slipped through because an engineer or two thought it was a clever way to work around the issue. Granted they should have known and may have known, but I'm not convinced they had to have known.
Interesting this appears to only be on the consumer grade laptops. I know at first glance I saw nothing relating to it on my W540 that I bought in November.
What's funny is that they have three apps for photo-based matching of products...and pets. They really are a "visual search" company, a CA start-up of 80-200 people according to LinkedIn... They just seem to have forgotten the "don't be evil" parts of their business model...
Any way to see if that certificate is on a Lenovo computer? Any way to remove it? I bought a Lenovo laptop recently, and I was appalled at the amount of crapware that was installed. It's a wonderful laptop at a great price, just too bad about the software.
> It's a wonderful laptop at a great price, just too bad about the software.
Lenovo's hardware support for Linux is great so unless there's something keeping you on Windows switching to a good Linux distro usually works fine on these laptops.
It should show up in the system certificates list as "Superfish, Inc.". I haven't seen it myself but search for #superfish on Twitter to see a lot of screenshots and such.
>They install a web proxy which MITMs all web connections, including HTTPS by means of a pre-installed trusted root certificate.
That's the odd part of this. Browser plugins can modify the DOM (insert ads, change search results, etc) without proxying anything. So why do it? I wonder if they were fishing for an NSA contract to further monetize the installs.
Jebus, how far the mighty IBM laptop line has fallen under the leadership of Lenovo. There was a time when a ThinkPad was arguably the best laptop money could buy. Many companies, including Google, would offer a choice between a ThinkPad or a MacBook, because those were the really reliable choices that were free of shovelware.
I even considered buying a Lenovo recently when a pretty nice looking ThinkPad was on sale, but a couple of friends have had very bad experiences with their Lenovo laptops. Both have had to go back to Lenovo for repairs; one of them had to send it back twice, and on the second go around demanded a new one instead of a repaired one, because the "repaired" one was worse than when it went in for repairs.
That said, there's "bad QC", which is forgivable with time and a sincere effort by the company to correct it, and then there's "evil". Intentionally shipping adware is evil.
Given this, I can genuinely think of no way for Lenovo to ever get my business for any product.
I think Microsoft sells those in its stores but even then I'm pretty sure they come with a few things but mostly from the manufacturer.
It would sure be nice to bring home a Windows machine that only had Windows on it and any necessary but minor applications from the manufacturer (like a settings application or drivers and not some photo sharing spyware).
So for "developer-tier" laptops, i.e. not a netbook, does that pretty much leave Apple as the sole non-shit laptop maker? Is there a chromebook out there that runs linux pretty well if you pull chromeOS off?
You pay a hefty premium for that backlit Apple logo on the lid, and I'd prefer to get something a little more down-to-earth.
I'm surprised that this is just now news. I received complaints from people participating in our beta trial (http://sketchtogether.com) from as early as October 22nd, 2014 that our website was broken, and it was because of Superfish being installed on their lenovo laptops. When they uninstalled Superfish, our webpage started working again.
Superfish injected a line of code that referenced "sf_main.jsp" from a remote site into all webpages (including ours) that interfered with our code. Here's a pastebin of the sf_main.jsp javascript file it linked to: http://pastebin.com/bZFkfRd5 (I assume the linked code is not copyrighted, if it is, please let me know and I can take it down).
Correct me if I'm wrong, but I don't think any amount of CSP will help you in this situation. They're MITMing traffic and thus can modify the CSP headers.
I don't see myself ever bothering to keep the default windows install on a thinkpad but this really hurts my impression of the company regardless. I've had my eye on the new X1s and had planned to upgrade my X201 this year but now I'm having second thoughts.
Who if anyone has taken over the place of great laptop for linux / development?
Can someone with one of these laptops connect to https://www.howsmyssl.com/ and post what it says? I'm curious what cipher suites are used from the proxy to the real site.
Lenovo going down the drain. All they had to do was continue the Thinkpad legacy left by IBM. It's honestly breathtaking how badly they've fucked up. After the touch-based function keys, ruining the trackpoint buttons and now this. It's unbelievable.
They brought the trackpoint buttons back on the latest line and you can switch the F-keys back to being the defaults via a bios setting. Just in case you were curious.
Well, it seems as though this [superfish] is categorized as a virus on most websites. From their own description:
"Superfish Window Shopper is a free browser add-on that instantly compares prices and shows similar items on ANY product in hundreds of U.S. online stores including Amazon.com, Best Buy, Macys, Nordstorm, Overstock.com, Staples, Target, and Wal-mart."
So if I have this right, this is essentially a massive affiliate scheme to produce revenue for the company? If it compares prices on all these sites, affid='s are injected for Lenovo and a % of the sale is given to them?
Their reviews are horrible as well. All spam / annoyance related.
About a week ago I was trying to troubleshoot Nitrous.io for a friend because she had complained that it wasn't establishing a connection. We discovered along the way that there was an odd line of Javascript on the page that immediately had me assume that her computer was infected with a virus.
A Google search on the filename had others saying that it was removable by uninstalling some Lenovo Utility preinstalled.
"Multiple intelligence and defence sources in Britain and Australia confirmed there is a written ban on computers made by the Chinese company [Lenovo] being used in “classified” networks."
IIRC, that article is a fine combination of bullshit and technically correct. There is a "written ban" purchasing equipment from anyone not on the approved vendor list. Lenovo didn't ask to be on the list, they're not on the list, therefore they're banned. As am I. As are you.
I thought that had to do with the fact that they're a Chinese-owned company and if say the CIA makes a large order (or any order really) the Chinese government might step in and force malware to be installed.
This reinforces my policy of buying laptops with the cheapest drive offered and replacing the drive with an SSD before the first boot. I run Linux anyway, so booting Windows has no value for me.
I recently did this exact thing -- bought a Lenovo laptop with a 5400 RPM disk drive, and immediately popped it out and replaced it with a Crucial MX100 SSD. Installed Linux, it works great :)
You also have to reflash all firmware with known-trusted versions using a known-trusted reflasher to be safe.
... and replace the CPU with one that is known not to have backdoors. You'll have to craft it from silicon yourself, though, because there aren't any available for sale anymore.
Can't you just write all 0's to the drive or just reformat it? Genuine question here, why would you need to physically replace the drive to ensure security when you can write to the whole thing?
What is it that the firmware can achieve? Is the firmware capable of hijacking data, communicating with the NIC and transmitting data? Or is it somehow injecting harmful code? I feel like I'm missing something here.
> ... rewrote the hard-drive firmware of infected computers—a never-before-seen engineering marvel that worked on 12 drive categories from manufacturers including Western Digital, Maxtor, Samsung, IBM, Micron, Toshiba, and Seagate.
> The malicious firmware created a secret storage vault that survived military-grade disk wiping and reformatting, making sensitive data stolen from victims available even after reformatting the drive and reinstalling the operating system. The firmware also provided programming interfaces that other code in Equation Group's sprawling malware library could access. Once a hard drive was compromised, the infection was impossible to detect or remove.
That appears to be the act of a nation-state though. I don't really sweat those, because I'm pretty sure if the NSA really wants in to my machine, I can't stop them.
According to various reports, this Superfish adware uses the same certificate across Lenovo computers. It should be easy to grab the private key out of the proxy binaries. And then... all these computers are vulnerable to arbitrary HTTPS man-in-the-middle attacks. Uh oh.
Well, I dunno. In one case Superfish can see all your data and store it on their servers, in the other case _anyone on the internet_ can spoof any site (as soon as someone extracts the key). Either way is pretty bad.
But proxying all traffic from all Lenovo laptop owners through a third-party server without someone immediately noticing a problem is just not feasible, so I think we can assume that's not what they're doing.
Are you sure? Android Chrome proxies all non-HTTPS traffic through a third-party server, by default. So it isn't like the traffic volume is impossible.
Yes but that's Google. I'd be surprised if Superfish had resources like that, or could generate that much traffic from their servers and not be noticed (by, say, Google). I could be wrong.
Clevo makes high quality laptops that are also very reasonably priced when bought barebones from the right vendor (they don't do direct consumer sales). Sager, System76, FalconNW, and a whole bunch of other boutique laptop companies are actually selling rebadged/modified Clevos.
I thought so too, but my recent experience with a Zenbook has changed my view. WiFi drivers were so bad it took half a year after my purchase before the connection became stable (not dropping every 15 minutes requiring a reboot). Touchpad drivers were also a mess with awful kinetic scrolling. And just a couple of weeks ago it stopped booting Windows altogether (something related to ACPI I guess, Linux works if I don't use suspend). Conveniently one month after the expiration of the warranty.
The WiFi drivers are made by Intel, but yes, they were terrible (blue screen). I had to downgrade back to the drivers that came with Windows for a while, but the latest versions seem to be fine. I'm using some stock touchpad drivers that don't seem to have any kinetic scrolling.
Was just about to purchase a Lenovo... although I would have wiped it and installed Linux immediately, this has caused me to look elsewhere. When will companies learn this kind of behavior is toxic to their business?
Unfortunately a very small proportion of potential customers are going to hear or care about this... it's about as toxic to their business as stepping in some stinging nettles is toxic to me.
Unfortunately they have no competition in terms of a quality laptop to run Linux on. None of the competition offers similar features as my current x230 or the x250 I'm probably going to pick up later this year. If you could recommend a replacement that has a good keyboard, trackpoint, 12+ hours of real battery life, i7, etc. I'd be happy to hear about it.
1. Home menu, search for Administrator tools
2. Open Services
3. Find the VisualDiscovery service. Stop the service. Right click, Properties. Set "Startup type" to Disabled
4. Start -> Control Panel
5. Add/remove programs
6. Find Superfish and uninstall
From what I understand, you need to go one further and spelunk through your local machine certificate stores and remove any Superfish certificates. They are not uninstalled.
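For the earlier question of how to check whether the certificate is present and how to remove it, here is an added PowerShell script (not posted by any commenter) that searches the common Windows certificate stores for a certificate whose subject or issuer contains "Superfish", reports the VisualDiscovery service, and only deletes or disables anything when run with -Remove. It assumes only the subject string "Superfish, Inc." and the service name VisualDiscovery quoted in this thread; it does not rely on a fingerprint, which the thread does not give.

```powershell
# Added example, not from the thread. Report (and with -Remove, delete) any
# certificate naming "Superfish" in the local and user certificate stores,
# then stop and disable the VisualDiscovery proxy service.
# Assumptions: subject contains "Superfish" (thread reports "Superfish, Inc.");
# service name VisualDiscovery (from the thread). Run from an elevated prompt.
param([switch]$Remove)

$storeLocations = 'LocalMachine', 'CurrentUser'
$storeNames     = 'Root', 'AuthRoot', 'CA', 'TrustedPublisher', 'My'

# Collect matching certificates across every store that exists on this machine.
$found = foreach ($loc in $storeLocations) {
    foreach ($name in $storeNames) {
        $path = "Cert:\$loc\$name"
        if (Test-Path $path) {
            Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
                Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' } |
                Select-Object @{ Name = 'Store'; Expression = { $path } },
                              Subject, Thumbprint, NotAfter, PSPath
        }
    }
}

if (-not $found) {
    Write-Output 'No Superfish certificates found in the inspected stores.'
}
else {
    # Show where each copy lives; the same root may be present in several stores.
    $found | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize
    if ($Remove) {
        foreach ($cert in $found) {
            # The Cert: provider supports Remove-Item on a certificate path.
            Remove-Item -Path $cert.PSPath -Force
            Write-Output "Removed $($cert.Thumbprint) from $($cert.Store)"
        }
    }
}

# The interception proxy runs as a service; removing the cert alone leaves it
# running, and uninstalling the program alone leaves the cert trusted.
$svc = Get-Service -Name 'VisualDiscovery' -ErrorAction SilentlyContinue
if ($svc) {
    Write-Output "VisualDiscovery service present: status $($svc.Status)"
    if ($Remove) {
        Stop-Service -Name 'VisualDiscovery' -Force
        Set-Service  -Name 'VisualDiscovery' -StartupType Disabled
        Write-Output 'VisualDiscovery stopped and disabled.'
    }
}
else {
    Write-Output 'VisualDiscovery service not present.'
}
```

Run it once without -Remove to see what it would touch; Firefox keeps its own trust store, so this only covers applications that use the Windows stores.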
Given that antivirus products detect this as malware, does Lenovo not install any antivirus on their systems, or do they install a substandard one that fails to detect it?
The article says that Superfish "injects third-party ads on Google searches." Does that include https://encrypted.google.com/ in Chrome and Firefox, or do key pinning and HSTS preloading successfully prevent that?
EDIT: According to another comment here, HTTPS connections in Firefox aren't affected because they don't use the system certificate store. But what about Chrome - do users see an error on pages with pinned keys, or is the proxy smart enough not to attack those connections? Or does it also disable Chrome security features like HSTS and key pinning?
Hopefully Redmond will give hell to Lenovo for this.
Also, apparently this is just the start for crapware on new PCs - Paul Thurrott said on the podcast Windows Weekly about a week ago that crapware is going to get a lot worse this PC cycle.
So on a fresh Windows 7 virtual machine with zero apps installed, this program gives me 200 some errors and wants $49.99 (-$20 for instant savings) to register the program. This keeps getting better. Typical scam.
As a Lenovo owner, I'm really pissed off, and offended. I feel violated. I just can't comprehend how they could think they wouldn't get caught at something like this. Especially with the current climate of the privacy movement in the US. This is bad, very bad for Lenovo.
Stupid. I don't understand their motivations - are they making such a huge amount of money from this?
Lenovo doesn't stand out as much as they used to. Dell/HP/Apple make pretty great business laptops these days. If everything else is equal and I know the competitor (for example) won't install adware, then why would I ever buy Lenovo again?
I am guessing the Lenovo machines that are bought from the Microsoft Store are free of this, because of the Signature PC program, might be worth the extra cost if any and the trip there to get a crapware free machine.
Your strategy works only if you have a clean copy of the OS or you buy one (since the thread is about Lenovo I assume you are talking about Windows). Typically, a new PC doesn't come anymore with a copy of the OS, but with a hidden recovery partition that will basically let you do a factory reset (meaning all the crap will show up again).
Microsoft itself has provided Windows installation media for download since Windows 8, including Windows 7 media. All you have to do is read your key off BIOS or the sticker.
Unless things have changed, usually the sticker key is only valid for a certain kind of media. E.g. VLK's only work with VLK images, retail keys only work with retail images...