Slashdot Mirror


Lenovo Allegedly Installing "Superfish" Proxy Adware On New Computers

An anonymous reader writes: It looks like Lenovo has been installing adware onto its new consumer computers, which activates when the machine is taken out of the box for the first time. The adware, named Superfish, is reportedly installed on a number of Lenovo's consumer laptops out of the box. The software injects third-party ads on Google searches and websites without the user's permission. Another anonymous reader points to this Techspot article, noting that it doesn't mention the SSL aspect, but this Lenovo Forum Post, with screen caps, indicates it may be a man-in-the-middle attack to hijack an SSL connection too. It's too early to tell if this is a hoax or not, but there are multiple forum posts about the Superfish bug being installed on new systems. Another good reason to have your own fresh install disk, and to just drop the drivers onto a USB stick. Also at ZDNet.

44 of 248 comments

  1. All the more reason... by AltGrendel · · Score: 5, Insightful

    ...to wipe the box and install some other OS.

    --
    The simple truth is that interstellar distances will not fit into the human imagination

    - Douglas Adams

    1. Re:All the more reason... by cdrudge · · Score: 5, Insightful

      Why ditch Windows when it's allegedly Lenovo that did the dirty work? If Lenovo shipped a laptop with Linux installed on it with a similar piece of malware, would you be saying ditch Linux too?

    2. Re:All the more reason... by Anonymous Coward · · Score: 2, Interesting

      Serious question: So these Lenovo computers most likely come with UEFI. I recently tried wiping a new UEFI Lenovo PC and reinstalling using a Win 7 CD, and the key was retrieved using a tool to read the OS. When it came time to "activate" the fresh Win 7 OS, that key would not be accepted. Lenovo support said they couldn't provide another key, and that only the recovery CD would work. Are there any known workarounds for this?

    3. Re:All the more reason... by Anonymous Coward · · Score: 5, Insightful

      Don't forget to reflash EVERY blob of NAND or ROM inside that box, especially the hard drive firmware. And make sure that the present firmware actually does the flash command you believe you're asking of it, rather than lying about success. I hope you didn't download that new firmware (when's the last time your HDD vendor did that?) on a Lenovo, that's riddled with unsound root certificates.

      Are you sure that some magical combination of ASM.JS opcodes, as they are being decoded by your CPU, don't trigger a carefully crafted pagetable bug? Is your RAM hammer proof? That's a nice WIFI card you have hooked up to the PCIe bus, what does it really do with malformed data? What about your phone's baseband, and the teeny remotely operated JVM inside your SIM card?

    4. Re:All the more reason... by geogob · · Score: 4, Funny

      Just pull the plug and battery during the process. You'll definitely get rid of the malware.

    5. Re:All the more reason... by gmack · · Score: 4, Informative

      I strongly suggest avoiding Lenovo completely. They already fail to boot if there is an unrecognized wifi card (I had to hack the BIOS), and for their latest move towards evilness they refuse to charge both third-party batteries and batteries the system detects as too old.

    6. Re:All the more reason... by Thor+Ablestar · · Score: 3, Informative

      At least when one of our Russian programmers found a hidden Chinese (?) hypervisor on new Intel boards, he found that reflashing actually cures the problem. https://xakep.ru/2011/12/26/58... (in Russian). Also, the Russians have a proggie that detects it.

      Also, the HDD bug can either run before a system - and it will be quite interesting to look how it will break GELI - or become resident. If it uses VM to become resident - it will be detected. If not - a system (I don't speak about Windows) will overwrite it.

    7. Re:All the more reason... by geekmux · · Score: 4, Interesting

      Which is fine for you and me and everyone else reading /., but not so much for the majority of people buying an off-the-shelf laptop from Lenovo.

      Seriously, how dumbed down does a Linux installer need to get in order for the average moron to wipe and re-install their YouTube/Netflix binge box?

      We've already turned the right-clicking, mouse-wielding user into a drooling baby that just points at the large colorful tiles on the touchscreen to make it "go".

      I'm really starting to wonder if the Year of the Linux Desktop is directly tied to reducing the average consumer IQ level to that of a goat. Better start working on the voice recognition interfaces now, since our future appears to be an idiot yelling at a server to make it reboot.

    8. Re:All the more reason... by Streetlight · · Score: 2

      I'm not sure crapware is now the problem. Crapware can generally be removed and for the unwashed masses one can get a Windows machine without crapware using Microsoft's Signature program.

      The problem is hidden malware in firmware in devices like hard drives. No computer manufacturer can be immune to that if they buy parts that are infected when intercepted during shipping between the manufacturer and the computer assembler or end user by some three letter agency. The same for the finished computer. And what about malware hidden so deeply into computer parts where the firmware can't be rewritten? If Intel's or AMD's parts are corrupted in this way during manufacture, swapping out the part will never solve the problem.

      --
      In a time of universal deceit, telling the truth is a revolutionary act. George Orwell

    9. Re:All the more reason... by JohnFen · · Score: 3, Interesting

      That was because of Microsoft? I hate, hate, hate that practice, but I assumed that it was just because the computer manufacturers wanted to save a dime.

    10. Re:All the more reason... by praxis · · Score: 2

      We are all clueless about some things. I, for one, care about clueless computer users because I can help them. I hope to foster a helpful culture so that others can enlighten me about things *I* am clueless about. Or, in other words, technologists should elevate technology for everyone.

    11. Re:All the more reason... by zlives · · Score: 4, Funny

      as it turns out, not one of my devices or the any blob inside is hammer proof.
      i hope this pigeon makes it to /. to answer your curiosity.

    12. Re:All the more reason... by mlts · · Score: 2

      I'm the same way. The recovery partition is just a chunk from the HDD, so malware can easily seize control of that. Plus, I prefer server operating systems (paid for, of course.) Some laptop makers like Dell can ship a business-line model with a server OS, and since it comes from the OEM, there is a good chance the OS can just activate from the BIOS certificates. I have yet to see a machine shipping with a server OS have any crapware on it, other than maybe some administration tools.

      I wish laptop makers could do what Tandy did in the early 80s... put an OS instance in ROM. Have a read-only SSD section set aside that would boot up Windows PE or even an image of whatever Windows edition came with the machine, with drivers merged in as well (easy to do with Vista and newer's WIM functionality.) This way, the box can be completely reinstalled and barring a flash of BIOS or other firmware, there can be high confidence a malware infection is eradicated.

    13. Re: All the more reason... by BlueTrin · · Score: 2

      To get rid of the malware just unplug the computer and replug it after counting to 30, that should teach the malware.

      --
      Don't you know it is now both immoral and criminal to think beyond the next quarterly report?

  2. Does it inject by invictusvoyd · · Score: 4, Funny

    Ads even after you go through the Gentoo stage 3, compile your custom kernel and build your userspace from source?

  3. If you have to be paranoid by Anonymous Coward · · Score: 2, Funny

    Do that with OpenBSD.

  4. Hardly allegedly by OzPeter · · Score: 5, Informative

    From the ZDnet link

    The issue has remained latent since Mark Hopkins, a Lenovo social media program manager, confirmed in January that the company was installing the Superfish Visual Discovery software on some of its products in order to serve ads.

    --
    I am Slashdot. Are you Slashdot as well?

    1. Re:Hardly allegedly by TheBogBrushZone · · Score: 5, Interesting

      Not allegedly at all. My new Y50 (3 weeks old) came with Superfish pre-installed, phoney root certificates and all. Luckily I've encountered Superfish before when they were trying to insinuate themselves into every extension they could on the Chrome Web Store so it was easy to spot and obliterate.

      --
      And behold, a command prompt and he who sat upon it, his name was shutdown and -h 3:11 followed with him

    2. Re:Hardly allegedly by Anonymous Coward · · Score: 2, Informative
    3. Re:Hardly allegedly by Dutch+Gun · · Score: 2

      And here's the kicker:

      Hopkins defended the adware, saying that it “helps users find and discover products visually” and “instantly analyzes images on the web and presents identical and similar product offers that may have lower prices.”

      I mean, damn... How stupid do they think people are, that they can actually present this adware as a positive thing for consumers?

      Even though Hopkins says the company has stopped installing the software on computers, it appears that’s only “temporary” until the company behind the software makes some tweaks to stop pop-ups.

      Aaand... they're just going to tweak it so it's less noticeable. Nice. This software creates a potential man-in-the-middle attack by installing its own signed certificate on your system so it can show embedded ads even if you have a secure connection. Nasty, nasty stuff from a privacy standpoint. This could easily become malware if not for the "good graces" of whatever code it's running or site that's intercepting your connection.

      I hate to say this, but I really think we're going to need some new comprehensive privacy and advertising laws. I'm usually one to let the market shake itself out first and see what happens, but we've ended up here, with companies showing absolutely no restraint on how far they're willing to go to extract your personal data for marketing purposes.

      Until we get such laws, I will never again purchase computer hardware from a large vendor like this (at least, Lenovo is forever out). For the last few years, I've been using a local boutique shop that specializes in custom computer builds. One of their nicest "features" is that they don't install any extra crapware on your system - only the bare minimum OS and tools, which is almost unheard of today. I'm willing to pay a bit more for that service, since they don't get subsidized by horrible stuff like this adware.

      --
      Irony: Agile development has too much inertia to be abandoned now.

  5. Revenge by JimSadler · · Score: 5, Interesting

    There are some really harsh laws concerning hacking and cracking. If Lenovo knew or caused this breach perhaps they could be prosecuted and actually jailed for this behavior.

    1. Re:Revenge by kelarius · · Score: 5, Insightful

      It's more likely that Lenovo installed this software because they were paid to do so (either directly or through kickbacks to Mike Hopkins or whatever VP) and they simply didn't vet the software to make sure that it wasn't malicious. So while some people in the organization may be guilty of negligence they would never get convicted on anything close to CFAA levels.

      --
      Personally I'd rather have my idiots at home glued to the TV than out doing idiotic things

    2. Re:Revenge by Anonymous Coward · · Score: 3, Insightful

      You seem to believe that laws apply equally to corporations and people. You must not be American.

  6. Re:Glad I Cancelled My Lenovo Order by TheGratefulNet · · Score: 2

    You didn't order a business-grade laptop, did you?

    I have one and mostly love it. The PCI-E blacklist SUCKS (tried installing a new wireless card and it refused; not on the 'ok' list. Had to install a hacked BIOS to allow any PCIe card to be installed. HP is the same stupid way, too). And to be honest, with the hacked BIOS (I didn't hack it) I'm now at risk since I have no good idea what that 3rd party did to create the unblack blacklist, so to speak.

    But if you don't need to hack the BIOS (buy all your stuff at point of purchase to be safe) then the business-grade models do NOT install crapware nearly as much, and they all use the same chipsets since business needs each machine to be identical. Consumer versions are the chip-o-the-month club, and it sounds like that's what you were ordering. Uhm, don't buy consumer-grade lappies from Lenovo. Why bother? Get what they are good at, the serious lappies: the T or W grade lappies.

    --
    "It is now safe to switch off your computer."

  7. worse a fake root certificate! by Billly+Gates · · Score: 4, Insightful

    What were Lenovo thinking? People pay bills online, you know. This can easily steal lots of information.

    As much as we bashed RMS here for being a lunatic he has a point with trusting a for profit entity making closed source software.

    1. Re:worse a fake root certificate! by Dr.+Evil · · Score: 3, Interesting

      bankofamerica.com courtesy of Superfish:

      https://i.imgur.com/Ky0Bwih.jpg

      Not sure about the source of the screenshot, independent confirmation would be good.

    2. Re:worse a fake root certificate! by QuasiSteve · · Score: 5, Insightful

      Wouldn't really need one - SuperFish works in such a way that it inserts itself for any site. What would it do otherwise, keep a blacklist of all the possible banking/investment/whatever sites in the world that it should ignore?

      So yes, bankofamerica.com courtesy of SuperFish, but also facebook courtesy of SuperFish and YouTube courtesy of SuperFish and Mom & Pop's corner store courtesy of SuperFish.

      It's a nasty piece of software in that its intent is to serve up ads (and/or collect information, of course), but this sort of thing is also readily available on the market for parents who want to keep tabs on little johnny's browsing habits or bosses who want to keep tabs on their employees. Unless johnny/employee / their browser checks the certificate and notices it's probably not what it's supposed to be despite being perfectly valid, bob's your uncle.

    3. Re:worse a fake root certificate! by Dr.+Evil · · Score: 2

      It didn't occur to me that it actually included the private key for its own root certificate in the local proxy...

      Unbelievably stupid design.

    4. Re: worse a fake root certificate! by sexconker · · Score: 2

      Is there a way for sites to detect and block this?

      No. The host is compromised.

      Even if the bank mailed you a copy of their real cert, the compromised host could just update the malware to fetch the real cert and display that when the user tries to view the cert's details.

      Even if the bank handed you a copy of a UNIQUE cert they use for ONLY for you, IN PERSON, and you handed them your own UNIQUE client cert, the compromised host could just watch all the legit shit happen when you log in the first time, then fuck you in the ass with that legit information.

      Even "2-factor" authentication with a RSA clock won't help - these codes are good for a window of time (to allow people time to enter them and to allow for latency, clock skew, etc.). A compromised host can just use the same valid code rapidly within that window. Some systems require you to enter two distinct codes for a transaction, but this doesn't solve anything either as a compromised host can just trick the user into thinking they're moving $100 into their account when the real transaction is moving $10000 into the attackers account.

      True one-time use keys don't fix this either.

  8. SuperFish Private Key cracked by brennz · · Score: 5, Informative

    See http://blog.erratasec.com/2015...

    Now all these boxes can be owned by anyone with the key!

    1. Re:SuperFish Private Key cracked by NatasRevol · · Score: 2

      If only someone could identify Lenovo employees using Lenovo computers...

      --
      There are two types of people in the world: Those who crave closure

  9. One strike by sjbe · · Score: 2

    I'll just buy from elsewhere if I need a Windows machine. I have a one strike and you are out policy on this kind of nonsense. I used to buy their machines back when IBM was still making them but they seem to have lost their way.

  10. Nothing new. by nospam007 · · Score: 4, Informative

    That's why you run decrapifier as the very first thing. http://www.pcdecrapifier.com/

    Only then do you run your ninite selection. https://ninite.com/

    1. Re:Nothing new. by bmo · · Score: 2

      does it do a complete job? somehow, I have my doubts and that it leaves some stuff behind (like almost all windows 'uninstallers').

      It doesn't

      http://forums.lenovo.com/t5/Le...

      Uninstalling Superfish Visual Discovery

      Go to Control Panel > Uninstall a Program
      Select Visual Discovery > Uninstall
      Superfish will be removed from Program Files and Program Data directories, files in user directory will stay intact for the privacy reason. Registry entry and root certificate will remain as well. The Superfish service will stop working as soon as it is uninstalled via above process, and following reboot.

      And then....

      This article will be updated with additional instructions on clean up of deactivated files and removal of certificate shortly.

      Uh huh. Sure.

      --
      BMO

    2. Re:Nothing new. by Dragonslicer · · Score: 2

      as we all know, if a bad actor behaves badly and there is no punishment, what reason does he have to change his bad ways?

      the fact that the US fellates all corporations, as a form of religion, is what allows them to continue the bad behavior. in fact, it encourages it by rewarding 'profit, above all else'.

      it really seems clear to me that we have chosen the wrong 'god' to worship. profit, above all else, WILL be our downfall. it has started already and many of us see it. but our words are not being heard ;(

      It started with a good idea: make it so that a person who makes a mistake running their business can't be sued into personal oblivion. If you remove that major risk factor, it will encourage (or more accurately, not heavily discourage) more people to start their own businesses. Eventually, though, corporations got big enough that they could use this merely to shield themselves from the consequences of any actions they take, so there's no risk at all to doing things that would likely destroy most small businesses.

      This is why we can't have nice things.

  11. Lenovo website says they deactivated it... by fonos · · Score: 3, Interesting

    http://forums.lenovo.com/t5/Le...

    "Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.
    Lenovo stopped preloading the software in January.
    We will not preload this software in the future."

    However, later in the post they state that the root CA will remain intact. The private key has already been extracted and cracked, so this leaves Lenovo users still open to a very easy MITM attack.

    1. Re:Lenovo website says they deactivated it... by JohnFen · · Score: 4, Insightful

      Yes, that response was insufficient on a number of points. But what struck me about their statement was this:

      The relationship with Superfish is not financially significant; our goal was to enhance the experience for users.

      Why in the world do companies keep insisting that datamining and delivering ads "enhances the experience for users"? They can't possibly believe that. If they do, then they're hopelessly delusional. If they don't, then they're scumbag liars. Either way, it does nothing but make them look terrible.

  12. Re:Glad I Cancelled My Lenovo Order by The+Rizz · · Score: 3, Informative

    You can always have them officially ship it to your home address, but put a "hold for pickup at UPS/FedEx location" instruction on it. Then you just grab it before/after work, or over lunch hour.

  13. Don't dismiss RMS by matbury · · Score: 4, Insightful

    Richard Stallman is spot on regarding free and open source software (FOSS). He warns us about how proprietary, closed source software can be abused and that our dependency on it is a danger to civil society. In case you didn't see it the first time round: https://www.youtube.com/watch?... Only an idiot would dismiss the concerns he raises.

  14. Total Idiocy by Khyber · · Score: 4, Informative

    "Superfish will be removed from Program Files and Program Data directories, files in user directory will stay intact for the privacy reason. Registry entry and root certificate will remain as well."

    Which means we can crack that shit and pwn any computer that even had the software 'removed.'

    Oh, and then issuing certificates under the names of other corporations? I do believe that is identity theft, at the bare minimum.

    Lenovo should be hit in the courts hard over this.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.

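
The point made in the "worse a fake root certificate!" thread (the proxy ships the root's private key) and the point made just above (the uninstaller leaves the root in the trust store), as one added example that is not code from the thread, from Lenovo or from Superfish: a throwaway CA plays the interception root, a certificate for a bank hostname is minted with its key, and `openssl verify` shows that the forgery is accepted exactly as long as that root is trusted, regardless of which other roots are present. The subject name "Superfish, Inc." is assumed for the demo, the benign root and the bundle are constructed, and the only requirement is the openssl CLI (1.1.0 or newer for `-no-CAfile`/`-no-CApath`).

```shell
#!/bin/sh
# Added example, not code from the thread, Lenovo or Superfish. A throwaway
# CA stands in for the Superfish root; as with Superfish, its private key sits
# on the same disk as the certificate. Assumes the openssl CLI (1.1.0+).
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the demo does not depend on the system openssl.cnf.
# The DN here is a placeholder; -subj overrides it on each call.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_root PREFIX SUBJECT: self-signed CA; key and cert land in $WORK.
make_root() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -config "$WORK/ca.cnf" -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# forge_leaf HOST CAPREFIX: all that anyone holding the CA key has to do per
# site to impersonate it. Nothing from the real site is needed.
forge_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\n' \
    "$1" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# client_verdict HOST [CAPREFIX]: "accepted" if a client trusting that CA
# (or no CA at all, when omitted) would accept the forged cert for HOST.
client_verdict() {
  host="$1"
  if [ "${2:-}" ]; then set -- -CAfile "$WORK/$2.pem"; else set -- -no-CAfile -no-CApath; fi
  if openssl verify "$@" -verify_hostname "$host" "$WORK/$host.pem" >/dev/null 2>&1
  then echo accepted; else echo rejected; fi
}

# find_roots BUNDLE PATTERN: split a PEM trust bundle (what a trust store
# exports to) and print the subject of every certificate containing PATTERN.
# Matching the vendor name is the quick check; fingerprints are the robust one.
find_roots() {
  d="$(mktemp -d "$WORK/scan.XXXXXX")"
  awk -v dir="$d" '/-----BEGIN CERTIFICATE-----/{n++} {print > (dir "/" n ".pem")}' "$1"
  for f in "$d"/*.pem; do
    subj="$(openssl x509 -in "$f" -noout -subject 2>/dev/null || true)"
    case "$subj" in *"$2"*) echo "$subj" ;; esac
  done
}

# Demo. Constructed trust store: the interception root plus one benign root.
make_root interception "/CN=Superfish, Inc./O=Superfish, Inc."   # subject assumed
make_root benign "/CN=Example Benign Root/O=Example"
forge_leaf www.bankofamerica.com interception
cat "$WORK/interception.pem" "$WORK/benign.pem" > "$WORK/bundle.pem"

echo "interception root trusted: $(client_verdict www.bankofamerica.com interception)"
echo "only the benign root:      $(client_verdict www.bankofamerica.com benign)"
echo "no roots at all:           $(client_verdict www.bankofamerica.com)"
echo "suspect roots in bundle:"
find_roots "$WORK/bundle.pem" Superfish
```

Run it with sh. The first verdict is accepted and the other two are rejected: the leaf is bogus in every way except that it chains to a root the client trusts, which is the whole hole, and removing the program while leaving the root in place changes nothing about it. On the affected Windows machines the store to scan and clean is the machine's Trusted Root Certification Authorities store (certmgr.msc, or the Cert:\LocalMachine\Root drive in PowerShell); any browser that keeps a trust store of its own has to be checked separately.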
  15. Firefox immune to this shit by Khyber · · Score: 2

    Firefox maintains its own certificate database so this SSL MITM vulnerability won't affect FF users - only IE and Chrome.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.

  16. I used to recommend IBM/Lenovo by phorm · · Score: 2

    But these days I tend to recommend Asus. Certainly they can cost a bit more than an HP/Acer, but they're fairly solid and have a decent warranty. My only real complaint is their preference for 1366x768 resolution laptop screens...

  17. Information about the Responsible Parties by Khyber · · Score: 2

    http://i.imgur.com/kRO8OW5.png

    A nice cached screencap of their (conveniently) down website.

    See all these people, here? These are the people that need to be dragged into court.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.

  18. Did anyone bother to check this out? by WinstonWolfIT · · Score: 2

    From : http://news.lenovo.com/article...

    LENOVO STATEMENT ON SUPERFISH
    Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping. However, user feedback was not positive, and we responded quickly and decisively:

      Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.
      Lenovo stopped preloading the software in January.
      We will not preload this software in the future.