This Is Awkward

You Had One Job, Lenovo: And it didn’t involve sneaking malicious adware onto your customers’ computers.
Sean McCormick (on FB) – “Holy crap this is bad. Really bad. As in, next time you’re in a bank take a note of how many of the pieces of hardware are labeled ‘Lenovo’ bad.”


From Lance in the comments.
This isn’t just a reply to Occam, but to everyone comparing this incident to so-called company violations of consumer privacy.
You have no idea how bad this could be.
First, a basic understanding of how HTTPS works is necessary. Go here.
So in that link, under the “SSL in Action” part, what has been compromised on these machines is step 3.3 and on.
Step 3.3 compromise: the private key part of the root CA certificate on your computer is known.
A scenario off the top of my head:
I can set up a web page called, ‘rbc.com.en.sk.ca’ or something, make it look like rbc.com and then email spam a bunch of rbc customers to go there. I would create my own SSL certificate (easy) and sign it with the compromised root CA certificate.
I would then use the compromised root certificate on your computer so that your computer thinks it’s using a secure and trusted website. Done right, I could get your card and password for your actual rbc account. Guess what happens then?
This isn’t just about Lenovo adding crap to their OEM installs. You’re right, they all do that to a degree; what this is about is that the install completely opens your machine to HTTPS spoofing and you don’t even know about it.
Now, that’s bad. It gets worse. What makes it worse is what Superfish does.
Via: US-CERT:

This software intercepts users’ web traffic to provide targeted advertisements. In order to intercept encrypted connections (those using HTTPS), the software installs a trusted root CA certificate for Superfish. All browser-based encrypted traffic to the Internet is intercepted, decrypted, and re-encrypted to the user’s browser by the application – a classic man-in-the-middle attack.

The program is a proxy for all web traffic on the machine. Worse, uninstalling the program doesn’t ‘fix’ the problem; you also have to remove the Root CA key from your machine, and this isn’t something that ‘joe user’ can do. (Although I’m sure patches to IE, Firefox, Opera and Chrome will be out soon to remove the trust of that Root CA.)
Okay. Think that’s bad? It is. Now, take it a step further. Like the article states, I’m sitting in a web-cafe with Wi-Fi. I’ve cracked the WEP/WPA Wi-Fi keys (simple) and am just watching packets. I notice Joe is visiting RBC and he’s got a Lenovo laptop. I start capturing his packets. Now, on my hard drive I can later decrypt all of that supposedly secure traffic using the compromised root key.
I now have complete access to Joe’s RBC account. And don’t even mention how many machines your traffic goes through on the internet to begin with. Sitting at home going to RBC probably passes through at _least_ ten machines. That’s potentially ten strangers who have access to the packets.
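One way for a defender to check whether a root CA named for Superfish is present in the Windows trust stores and, if so, remove it; this is an added PowerShell example, not code from the post, from Lenovo or from US-CERT. It assumes the standard Windows certificate-store paths, matches on the name “Superfish” in the subject or issuer because the post gives no fingerprint, and the `-Remove` switch is a hypothetical parameter of this script, not of any Windows tool.

```powershell
# Added example: scan the Windows root stores for a CA naming Superfish and
# optionally delete it. Run as Administrator to act on the LocalMachine stores.
param(
    [switch]$Remove   # hypothetical switch: only delete when explicitly asked
)

# Standard Windows store paths; AuthRoot holds third-party roots.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
            'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\AuthRoot')

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match 'Superfish' -or $_.Issuer -match 'Superfish' } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # A root whose private key sits on the box is the worst case:
                # the local proxy signs a certificate for every site with it.
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

if (-not $found) {
    Write-Output 'No Superfish-named CA certificate found in the Windows root stores.'
    return
}

# Report what was found before touching anything.
$found | Format-Table -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        # Remove-Item on a Cert: path deletes that certificate; -Confirm prompts first.
        $path = Join-Path -Path $cert.Store -ChildPath $cert.Thumbprint
        Remove-Item -Path $path -Confirm
        Write-Output "Removed $($cert.Thumbprint) from $($cert.Store)"
    }
}
```

Firefox keeps its own certificate store rather than using the Windows one, so it has to be checked separately; removing the root does not by itself stop the proxy software, which is uninstalled on its own.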

36 Replies to “This Is Awkward”

  1. I’ve never heard of this tech journalist before but I do like what he’s saying here… does he / could he comment on politics too? There’s a few thousand empty shirts to fill, at Slate too…
    Nice job David.

  2. If these are in fact the case, then sacking Adi Pinhas will hardly suffice. I smell class action lawsuit with injunctions to freeze Lenovo accounts.

  3. I think the ethics-over-profit conundrum was settled over a decade ago when cell phone manufacturers and service providers decided to compromise their customers’ privacy by allowing the unique subscriber code to be used by 3rd parties to track and RF triangulate proximity ad-flashes on client devices.
    Operating systems are routinely released with 3rd party spyware – check out the crap you get on a new laptop running windoze 8.
    Why the diaper wetting over Lenovo joining the consumer feast?

  4. I agree Peter. This is a much bigger story that hasn’t received nearly as much attention.
    http://www.computerworld.com/article/2885069/theres-no-way-of-knowing-if-the-nsas-spyware-is-on-your-hard-drive.html
    Although so far they mainly seem to be targeting the bad guys.

    Kaspersky’s report said the company found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media and Islamic activists, Kaspersky said.

  5. Gee – I thought that Lenovo, being the anointed of IBM, might be almost trustworthy. More fool me.

  6. One can use a smart phone without a SIM card as a WiFi voip phone. There’s a nice little app called “Fongo”.
    It turns any WiFi you can connect to into a connection to telephone services, you get a phone number, and it’s free.

  7. There was also a story a while back about the Chinese government installing hardware in Lenovo computers designed to allow them remote access to the computer and its information.
    Guess which brand of computers the hospital in my town uses? Wonder why they got THAT deal. /sarc

  8. “There’s a nice little app called “Fongo”.
    It turns any WiFi you can connect to into a connection to telephone services, you get a phone number, and it’s free.”
    The only problem with this app is the fact it’s not “free”. Free means no cost, and when they tell you you can’t make a LD call because your acct doesn’t have enough money in it, it’s NOT free. What it is, though, is a scam.

  9. Lenovo is Chinese now. IBM spun it off. How can anyone be surprised that there
    is spyware or adware in Lenovo computers?

  10. Lenovo purchased the IBM PC division (and a few other IBM odds and sods) but IBM retained a financial interest in the Lenovo company in the deal. So – think IBM when you hear Lenovo and this will all make sense.

  11. Funny, I’ve been using Fongo for weeks, and haven’t paid one red cent.
    Sure, I have to put up with an ad at the bottom of the screen (which I tap from time to time, so Fongo can stay free).
    Although I’ve never tried to use it to call someone over 400km away, yet.

  13. This is an interesting issue, I had my Master Card account used for ~ 20K of unauthorized money transfers between an unknown Pay-pal Account & my Master Card Bank (last Month). The usual fraud flags missed the daily hits of 2K until my card limit was exceeded. (Fraud flags are made by your usage profile which was violated by the first transaction over 1K)
    The action looks like an inside job by Master Card & Pay pal…
    The charges have not been resolved, but both Master Card & Pay pal fraud squads are working the issue. Will find out Next week

  14. I can’t stand that goopy site Slate. It’s like dreaming of running in mud watching that site try to load and I have 10 mps internet, four processors, and several gigs of RAM. There is no excuse for it.

  15. yer getting off cheap lad, I got hit, not electronically, for about 3 times that, and it was an inside job:-))

  16. The people who manufacture laptops do not review the adware that goes on them. At all. Lenovo doesn’t actually make laptops; that job is contracted out to an EMS facility. That facility takes the software payload and injects it into the laptops without review; the payload is selected by the retailer – so Lenovo – and it’s selected entirely on the basis of how much cheaper it makes the laptop to manufacture, and therefore how much cheaper it is at point of sale.
    Consumers want sub $500 laptops, and this is how retailers make that happen.
    “As in, next time you’re in a bank take a note of how many of the pieces of hardware are labeled ‘Lenovo’ bad.”
    No, that’s different. The consumer and commercial divisions of any hardware manufacturer are completely separate. For example, Acer’s commercial products are actually quite decent. None of the Lenovo gear sold to any financial institution will have any adware preinstalled, and it’s most likely the software was customized and preloaded as part of a managed deployment by IBM consulting services.
    (Disclaimer: if you bought an HP Pavilion laptop between 2008 and 2010, I designed the system that preloads the OS and the adware on the hard drive in the factory).

  17. The simple answer is for folk to know what they’re doing, and low-level format drives, and install Linux.

  18. “No, that’s different. The consumer and commercial divisions of any hardware manufacturer are completely separate. ”
    It is different, but something this bad flings mud everywhere, fairly or not.

  19. Not discounting that this current issue with Lenovo is a problem, BUT.
    A year or two ago, the US military or CIA demanded that all personnel stop using all Chinese devices. This would include Huawei smartphones and they specified Lenovo laptops. I believe they were discovered to have spyware as part of their firmware. Also the ability to control your camera and microphone; no hacker required.
    I guess the gov’t discovered buying technology from a communist country – not a good idea.

  20. Well, Daniel, Windows is where “where the money is”. Your solution is then go Windows and hope?

  21. Perhaps you should re-read the first part of my post.
    Yeah, I’m a “Freetard”.
    As in, from your linked site:
    “The TM Repository was created as a means to take back the Internet from these zealots. It allows members to document the predictable rhetoric that zealots are always spouting in the form of “trademark slogans” or TM’s. The hope is to one day silence the “Freetards” by pointing out the lies, contradictions and hypocrisies of their incessant, desperate trolling.”
    Well, good luck in helping to ensure folk don’t know how to use the tools they have!

  22. Mike, as a sysadmin who specializes in Linux, OpenSSL (the main SSL library on all Linux/BSD/Apple, and most Unix machines) has had at least three similar incidents. Perhaps you’ve heard of Heartbleed? And that was two ago. MS uses a completely different SSL library and was not affected.
    Just saying.
    I am platform agnostic. I have a Linux laptop, a Windows desktop, a Mac desktop and Linux servers. They all suck. Some just suck less.

  23. Yes, some suck less, depending what you want them for.
    You must admit, though, as a general rule, the better you know your tool, the better life is.
    Open-Source is like Christian charity, non-coercive, maintained by a community, and getting very powerful, but you need to know what you’re doing with it, or no Netflix or whatever.
    I guess I’d put it like this:
    Apple is like taking a taxi: You have zero control over your OS, and the Company makes all decisions as to what you put on it.
    Microsoft is like having a Jag: you can add after-market stuff, but it needs regular factory maintenance, and woe betide those who don’t know how to drive, as one day they’ll find the steering doesn’t work... on the highway.
    Linux is like having an old sports car, you need to tinker with it from time to time, but you have easy access to all the guts, and you need to know how to drive to use it.

  24. I think the biggest security hole is the spyware itself. It has granted itself access to all your secure communications, like your bank account id and password. If a virus targets the adware then it can steal all your secure information.

  25. Good thing I haven’t connected my new Lenovo tablet PC’s to internet and won’t do so until I’ve analyzed Wireshark’s output from a connection to my home network. Thus far just lots of crap from Norton, an application which I delete as soon as possible from any new windoze system I use, as well as a massive amount of M$ software which serves absolutely no useful purpose.
    Have gotten Linux to boot immediately on my Lenovo PC in contrast to a new HP laptop which took incredible contortions to find out how to get past the new extensible firmware crap on recent machines. OTOH, had full access to the HDD of the HP laptop whereas on the Lenovo I don’t have access to the drive. Given the likelihood of spyware, will probably just wipe the drive and install a version of Linux that supports RF pens on the tablet.
    Only reason I bought Lenovo tablet PC’s is because they were so damn cheap and I like tablets in contrast to the POS touch screens which might be fine for a 2 year old to draw on, but I’m used to making fairly detailed drawings on a tablet and much prefer using a pen than a mouse. Got the Lenovo tablets before I heard about Superfish, but man-in-the-middle attacks are no big deal and have gotten at raw data sent from my account to local hospital by using a freeware proof of concept of this attack — very useful for me to get data which I need rather than putting up with a moronic medical administration who thinks I should only use their interfaces to access data and being unable to copy text is a feature rather than a design fault. Given that Lenovo is now a chicom company, I’m assuming that it’s full of spyware and will swap out the HDD’s in my tablets for new ones. The main thing about putting spyware in a machine is that it has to somehow get the data out and that means a network connection. In the event that the hardware is compromised, connect the presumed infested machine to an ethernet hub and attach another computer to the same hub and sniff all the packets coming through, which will defeat hardware based data transfer through the network card which Wireshark might not see.
    The best way to keep track of what’s going on in one’s computer when it’s connected to internet is to run Wireshark a lot and look at what connections are being made. Have discovered that many commercial programs I have are sending data to various addresses when I use them and hence I just run them with no network access once I’ve set up the program. For any sensitive applications, create a VM and do all communications from the VM. I use a hacked version of WinXP for this purpose and know it’s free of spyware; if a VM image gets contaminated can just destroy it and create a new VM image file from the clean source. Also, one can monitor VM’s from outside. One other useful thing about VM’s is that a lot of malware/spyware doesn’t like being spied on and immediately shuts down when it finds it’s running in a VM.
    For banking, I use a clean machine and run a Wireshark session at the same time so I can check if I see what I know are typical packet streams during this operation. The only anti-viral software that I run consists of Process Explorer, Windoze debugger, Wireshark, IDA and a hexeditor program which gives me raw access to disks. This won’t necessarily prevent rootkit installation, but managed to grab a rootkit that briefly infected my HDD (TDSS) when it totally misbehaved on my laptop. Easy to clean out but haven’t had the time to decrypt the payload, and this is a rootkit that checks to see if it’s running under emulation.
    I hate W7 and continue to run Win XP when I have to as it’s far easier to get into the guts of XP, and W7 is a royal pain in the ass when it comes to modifying device drivers and portions of the OS. I want things to work the way I want them, not the way M$ does.
