Old 02-19-2015, 04:28 PM   #1
fjtorres
Grand Sorcerer
Posts: 11,732
Karma: 128354696
Join Date: May 2009
Location: 26 kly from Sgr A*
Device: T100TA,PW2,PRS-T1,KT,FireHD 8.9,K2, PB360,BeBook One,Axim51v,TC1000
Lenovo hardware compromised

Security alert:
http://www.zdnet.com/article/superfi...tag=TREc64629f

Quote:


Lenovo-branded devices sold between September 2014 and January 2015 through consumer online and retail stores, like Best Buy and Amazon.com, are likely affected by the Superfish adware, which hijacks secure internet traffic.

The bad news is that Lenovo ever put Superfish on their consumer laptops. The good news is that it's not that hard to get rid of it.

Defcon security chief and security researcher Marc Rogers, who detailed the scope and scale of the adware problem on his blog, told ZDNet that consumers should immediately check to see if their machines are affected.

"If they are affected, they should not use their laptop for any kind of secure transactions until they are able to confirm [the adware] has been removed," he said.

As many as 16 million Lenovo desktops and notebooks shipped in the fourth calendar quarter, according to recent IDC figures and Gartner figures.

Enterprise owners, who bought the device through a business channel, are said not to be affected.
More at the source.
Old 02-19-2015, 05:36 PM   #2
ChesterFritz
Book Writer
Posts: 12
Karma: 21884
Join Date: Jun 2014
Device: Kindle
That's quite bad, but not really surprising. It is terrible that just about every equipment manufacturer today wants to over-bloat their computers, tablets, or devices with very annoying and invasive adware and third party applications, which most people never want, just so they can earn a lot of commissions. I have a Lenovo tablet and it came with many third party applications installed on it. They also make a lot of these things notoriously difficult for an average user to remove. However, while installing third party applications such as anti-virus trials is understandable, I must say that installing an annoying and invasive adware like superfish was really pushing the boundaries of trust with consumers.
Old 02-19-2015, 06:13 PM   #3
PeterT
Grand Sorcerer
Posts: 13,377
Karma: 78877538
Join Date: Nov 2007
Location: Toronto
Device: Libra H2O, Libra Colour
And the hardware is not compromised; it's the software loaded on it....
Old 02-19-2015, 06:14 PM   #4
Phogg
PHD in Horribleness
Posts: 2,320
Karma: 23599604
Join Date: Dec 2008
Location: In the ironbound section, near avenue L
Device: Just a whole bunch. I guess I am a collector now.
Quote:
Originally Posted by ChesterFritz
That's quite bad, but not really surprising. It is terrible that just about every equipment manufacturer today wants to over-bloat their computers, tablets, or devices with very annoying and invasive adware and third party applications, which most people never want, just so they can earn a lot of commissions. I have a Lenovo tablet and it came with many third party applications installed on it. They also make a lot of these things notoriously difficult for an average user to remove. However, while installing third party applications such as anti-virus trials is understandable, I must say that installing an annoying and invasive adware like superfish was really pushing the boundaries of trust with consumers.
Who do Lenovo think they are, Facebook?
Old 02-19-2015, 08:47 PM   #5
BWinmill
Nameless Being
 
Quote:
Originally Posted by ChesterFritz
However, while installing third party applications such as anti-virus trials is understandable
Is it? There are a number of approaches that they can take that do not include installing trials. One is to ignore it altogether, another is to create links to the anti-virus vendor's website. I'm also guessing that many of the vendors of free anti-virus suites would be happy to license a non-trial version. In the last two cases, the vendors would probably be willing to pay a commission since it is still marketing for their products.

Quote:
I must say that installing an annoying and invasive adware like superfish was really pushing the boundaries of trust with consumers.
Is it? As you said, it's not too surprising. Yet look at the products that people buy, and you'll find that they have "annoying and invasive adware". Look at Kindles. Look at Kobos. Look at Android and iOS devices. All of these products track the consumer's behaviour to some degree. All of these products have storefronts, which are little more than advertising platforms. While there is certainly a huge difference between what these vendors are doing and what Superfish was doing because Superfish compromises upon security protocols, a lot of what it is doing is the norm these days.
Old 02-19-2015, 10:26 PM   #6
bgalbrecht
Wizard
Posts: 1,806
Karma: 13399999
Join Date: Aug 2007
Location: US
Device: Nook Simple Touch, Kobo Glo HD, Kobo Clara HD, Kindle 4
The issue with Superfish, though, is that in order to be able to hijack secure HTTP transmissions, it created its own certificate and presented it instead of all the real certificates, which makes it trivial for the bad guys to create man-in-the-middle attacks.
Old 02-19-2015, 10:54 PM   #7
PeterT
Grand Sorcerer
Posts: 13,377
Karma: 78877538
Join Date: Nov 2007
Location: Toronto
Device: Libra H2O, Libra Colour
See http://arstechnica.com/security/2015...esnt-tell-you/ for a guide to removing the certificates.
Old 02-20-2015, 12:06 AM   #8
AlexBell
Wizard
Posts: 3,413
Karma: 13369310
Join Date: May 2008
Location: Launceston, Tasmania
Device: Sony PRS T3, Kobo Glo, Kindle Touch, iPad, Samsung SB 2 tablet
Quote:
Originally Posted by Phogg
Who do Lenovo think they are, Facebook?
No, of course not. They are a subsidiary of the NSA. And you people let them get away with it.
Old 02-20-2015, 06:59 AM   #9
fjtorres
Grand Sorcerer
Posts: 11,732
Karma: 128354696
Join Date: May 2009
Location: 26 kly from Sgr A*
Device: T100TA,PW2,PRS-T1,KT,FireHD 8.9,K2, PB360,BeBook One,Axim51v,TC1000
From the digital reader:
http://the-digital-reader.com/2015/0...comment-794949

Quote:

They also shared a list of affected computers. Hopefully it is complete:

G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30
Edit: some complaints about Lenovo systems date back to last summer so older systems might also be affected.

http://www.nbcnews.com/tech/security...xperts-n308926

Last edited by fjtorres; 02-20-2015 at 07:20 AM.
Old 02-20-2015, 10:46 AM   #10
fjtorres
Grand Sorcerer
Posts: 11,732
Karma: 128354696
Join Date: May 2009
Location: 26 kly from Sgr A*
Device: T100TA,PW2,PRS-T1,KT,FireHD 8.9,K2, PB360,BeBook One,Axim51v,TC1000
Lenovo swears the issue is only theoretical...
...but their own security issued an advisory rating it highly severe:

http://www.zdnet.com/article/lenovo-...tag=TRE17cfd61

Quote:

The company dismissed security concerns that Superfish was able to hijack SSL/TLS connections via a self-signing root certificate authority that had the same private key on each and every Lenovo device upon which Superfish was installed.

"We have thoroughly investigated this technology, and do not find any evidence to substantiate security concerns," Lenovo's statement said.

"We know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software. We will continue to review what we do and how we do it in order to ensure we put our user needs, experience, and priorities first."

However, a security advisory published by Lenovo rated the incident as highly severe.

"Superfish intercept HTTP(S) traffic using a self-signed root certificate. This is stored in the local certificate store and provides a security concern," the advisory said.
Old 02-20-2015, 01:40 PM   #11
fjtorres
Grand Sorcerer
Posts: 11,732
Karma: 128354696
Join Date: May 2009
Location: 26 kly from Sgr A*
Device: T100TA,PW2,PRS-T1,KT,FireHD 8.9,K2, PB360,BeBook One,Axim51v,TC1000
MS updated Windows Defender to remove the infection:

http://www.zdnet.com/article/microso...tag=TREc64629f

It does not clean up Firefox or Chrome.

Quote:
One caveat: Windows Defender doesn't monitor Mozilla Firefox, which maintains its own certificate store. After successfully running the cleanup, I checked the certificate store in Firefox and discovered that the potentially dangerous root certificate was still installed in that browser and would require manual removal. My test system didn't have Google Chrome installed, but I presume it might also require manual removal of the certificate.
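An added example, not part of the original thread or the linked articles: a PowerShell audit for the situation described in the post above, where cleaning the Windows certificate store leaves Firefox's separate store untouched. Matching on the subject substring `Superfish` and the default Firefox profile location are assumptions of this example.

```powershell
# Added example: audit trust stores for a root CA left behind by interception software.
# Assumption: the certificate can be recognised by a substring of its subject or issuer.
param(
    [string]$Pattern = 'Superfish'
)

# Windows root stores, checked for the machine and for the current user.
$storePaths = @(
    'Cert:\LocalMachine\Root',
    'Cert:\LocalMachine\AuthRoot',
    'Cert:\CurrentUser\Root',
    'Cert:\CurrentUser\AuthRoot'
)

$findings = foreach ($path in $storePaths) {
    if (-not (Test-Path $path)) { continue }
    Get-ChildItem -Path $path |
        Where-Object { $_.Subject -like "*$Pattern*" -or $_.Issuer -like "*$Pattern*" } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $path
                Subject    = $_.Subject
                SelfSigned = ($_.Subject -eq $_.Issuer)   # a root CA signs itself
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
            }
        }
}

# Firefox keeps its own certificate database per profile (cert8.db or cert9.db),
# which the scan above cannot see. List the profiles that need a separate check.
$profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
$firefoxDbs = @()
if (Test-Path $profileRoot) {
    $firefoxDbs = Get-ChildItem -Path $profileRoot -Recurse -File `
        -Include 'cert8.db', 'cert9.db' -ErrorAction SilentlyContinue
}

if ($findings) {
    $findings | Format-List
} else {
    Write-Output "No certificate matching '$Pattern' in the Windows root stores."
}

foreach ($db in $firefoxDbs) {
    Write-Output "Firefox profile with its own certificate database: $($db.DirectoryName)"
}
```

A clean result from the Windows stores says nothing about the listed Firefox profiles; each one has to be reviewed in Firefox's certificate manager (Authorities tab).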
Old 02-20-2015, 01:47 PM   #12
Shane R
Fanatic
Posts: 518
Karma: 4274548
Join Date: Nov 2013
Device: None
A PC manufacturer who will almost certainly never see my money again.
Old 02-21-2015, 10:42 AM   #13
Rbneader
Fanatic
Posts: 503
Karma: 2661351
Join Date: Mar 2012
Device: None
Quote:
Originally Posted by AlexBell
No, of course not. They are a subsidiary of the NSA. And you people let them get away with it.
I think you mean 'a subsidiary of the Chinese government', which is undoubtedly true. No one in the US is 'letting' Lenovo get away with anything - they're a Chinese company and the manufacturing facilities are completely out of US control.

The US is not the only, or even the worst, offender when it comes to tracking indiscriminately. China and several Asian countries are quite open about their determination to track all the things and are much farther ahead than the US. Russia doesn't have a strong legal concept of privacy rights and certainly not a cultural one. The UK and Germany are very open about their extensive tracking programs too.

If you're going to be outraged, get outraged at a reasonable culprit (Chinese government, going by your business=government logic), not just the popular target.

Last edited by Rbneader; 02-21-2015 at 11:58 AM.
Old 02-21-2015, 10:49 AM   #14
Bilbo1967
Not scared!
Posts: 13,424
Karma: 81011643
Join Date: Mar 2009
Location: Midlands, UK
Device: Kindle Paperwhite 10, Huawei M5 10
Quote:
Originally Posted by AlexBell
No, of course not. They are a subsidiary of the NSA. And you people let them get away with it.
Quote:
Originally Posted by Rbneader
I think you mean 'a subsidiary of the Chinese government', which is undoubtedly true. No one in the US is 'letting' Lenovo get away with anything - they're a Chinese company and the manufacturing facilities are completely out of US control.
I assumed Alex was talking about Facebook, not Lenovo?
Old 02-21-2015, 10:53 AM   #15
Rbneader
Fanatic
Posts: 503
Karma: 2661351
Join Date: Mar 2012
Device: None
Quote:
Originally Posted by Bilbo1967
I assumed Alex was talking about Facebook, not Lenovo?
Hm. I didn't read the sentence that way - the way the sentence is constructed seems to me to be 'Of course Lenovo doesn't think they're Facebook, Lenovo is a subsidiary of the NSA'. You could be right, I just didn't read it that way.

All times are GMT -4.