Slashdot Mirror


Lenovo Allegedly Installing "Superfish" Proxy Adware On New Computers

An anonymous reader writes It looks like Lenovo has been installing adware onto new consumer computers from the company that activates when taken out of the box for the first time. The adware, named Superfish, is reportedly installed on a number of Lenovo's consumer laptops out of the box. The software injects third-party ads on Google searches and websites without the user's permission. Another anonymous reader points to this Techspot article, noting that it doesn't mention the SSL aspect, but this Lenovo Forum Post, with screen caps, is indicating it may be a man-in-the-middle attack to hijack an SSL connection too. It's too early to tell if this is a hoax or not, but there are multiple forum posts about the Superfish bug being installed on new systems. Another good reason to have your own fresh install disk, and to just drop the drivers onto a USB stick. Also at ZDnet.

25 of 248 comments

  1. All the more reason... by AltGrendel · · Score: 5, Insightful

    ...to wipe the box and install some other OS.

    --
    The simple truth is that interstellar distances will not fit into the human imagination

    - Douglas Adams

    1. Re:All the more reason... by cdrudge · · Score: 5, Insightful

      Why ditch Windows when it's allegedly Lenovo that did the dirty work? If Lenovo shipped a laptop with Linux installed on it with a similar piece of malware, would you be saying ditch Linux too?

    2. Re:All the more reason... by Anonymous Coward · · Score: 5, Insightful

      Don't forget to reflash EVERY blob of NAND or ROM inside that box, especially the hard drive firmware. And make sure that the present firmware actually does the flash command you believe you're asking of it, rather than lying about success. I hope you didn't download that new firmware (when's the last time your HDD vendor did that?) on a Lenovo, that's riddled with unsound root certificates.

      Are you sure that some magical combination of ASM.JS opcodes, as they are being decoded by your CPU, don't trigger a carefully crafted pagetable bug? Is your RAM hammer proof? That's a nice WIFI card you have hooked up to the PCIe bus, what does it really do with malformed data? What about your phone's baseband, and the teeny remotely operated JVM inside your SIM card?

    3. Re:All the more reason... by geogob · · Score: 4, Funny

      Just pull the plug and battery during the process. You'll definitely get rid of the malware.

    4. Re:All the more reason... by gmack · · Score: 4, Informative

      I strongly suggest avoiding Lenovo completely. They already fail to boot if there is an unrecognized wifi card (I had to hack the BIOS) and, for their latest move towards evilness, refuse to charge both third-party batteries and batteries the system detects as too old.

    5. Re:All the more reason... by Thor+Ablestar · · Score: 3, Informative

      At least when a Russian programmer found a hidden Chinese (?) hypervisor in new Intel boards, he found that reflashing actually cures the problem. https://xakep.ru/2011/12/26/58... (in Russian). And also, the Russians have a proggie that detects it.

      Also, the HDD bug can either run before a system - and it will be quite interesting to see how it will break GELI - or become resident. If it uses VM to become resident - it will be detected. If not - a system (I don't speak about Windows) will overwrite it.

    6. Re:All the more reason... by geekmux · · Score: 4, Interesting

      Which is fine for you and me and everyone else reading /., but not so much for the majority of people buying an off-the-shelf laptop from Lenovo.

      Seriously, how dumbed down does a Linux installer need to get in order for the average moron to wipe and re-install their YouTube/Netflix binge box?

      We've already turned the right-clicking, mouse-wielding user into a drooling baby that just points at the large colorful tiles on the touchscreen to make it "go".

      I'm really starting to wonder if the Year of the Linux Desktop is directly tied to reducing the average consumer IQ level to that of a goat. Better start working on the voice recognition interfaces now, since our future appears to be an idiot yelling at a server to make it reboot.

    7. Re:All the more reason... by JohnFen · · Score: 3, Interesting

      That was because of Microsoft? I hate, hate, hate that practice, but I assumed that it was just because the computer manufacturers wanted to save a dime.

    8. Re:All the more reason... by zlives · · Score: 4, Funny

      As it turns out, not one of my devices or any blob inside is hammer proof.
      I hope this pigeon makes it to /. to answer your curiosity.

  2. Does it inject by invictusvoyd · · Score: 4, Funny

    Ads even after you go through the gentoo stage 3, compile your custom kernel and build your userspace from source?

  3. Hardly allegedly by OzPeter · · Score: 5, Informative

    From the ZDnet link

    The issue has remained latent since Mark Hopkins, a Lenovo social media program manager, confirmed in January that the company was installing the Superfish Visual Discovery software on some of its products in order to serve ads.

    --
    I am Slashdot. Are you Slashdot as well?

    1. Re:Hardly allegedly by TheBogBrushZone · · Score: 5, Interesting

      Not allegedly at all. My new Y50 (3 weeks old) came with Superfish pre-installed, phoney root certificates and all. Luckily I've encountered Superfish before when they were trying to insinuate themselves into every extension they could on the Chrome Web Store so it was easy to spot and obliterate.

      --
      And behold, a command prompt and he who sat upon it, his name was shutdown and -h 3:11 followed with him

  4. Revenge by JimSadler · · Score: 5, Interesting

    There are some really harsh laws concerning hacking and cracking. If Lenovo knew or caused this breach perhaps they could be prosecuted and actually jailed for this behavior.

    1. Re:Revenge by kelarius · · Score: 5, Insightful

      It's more likely that Lenovo installed this software because they were paid to do so (either directly or through kickbacks to Mike Hopkins or whatever VP) and they simply didn't vet the software to make sure that it wasn't malicious. So while some people in the organization may be guilty of negligence they would never get convicted on anything close to CFAA levels.

      --
      Personally I'd rather have my idiots at home glued to the TV than out doing idiotic things

    2. Re:Revenge by Anonymous Coward · · Score: 3, Insightful

      You seem to believe that laws apply equally to corporations and people. You must not be American.

  5. worse a fake root certificate! by Billly+Gates · · Score: 4, Insightful

    What were Lenovo thinking? People pay bills online, you know. It can easily steal lots of information.

    As much as we bashed RMS here for being a lunatic, he has a point about trusting a for-profit entity making closed source software.

    1. Re:worse a fake root certificate! by Dr.+Evil · · Score: 3, Interesting

      bankofamerica.com courtesy of Superfish:

      https://i.imgur.com/Ky0Bwih.jpg

      Not sure about the source of the screenshot, independent confirmation would be good.

    2. Re:worse a fake root certificate! by QuasiSteve · · Score: 5, Insightful

      Wouldn't really need one - SuperFish works in such a way that it inserts itself for any site. What would it do otherwise, keep a blacklist of all the possible banking/investment/whatever sites in the world that it should ignore?

      So yes, bankofamerica.com courtesy of SuperFish, but also facebook courtesy of SuperFish and YouTube courtesy of SuperFish and Mom & Pop's corner store courtesy of SuperFish.

      It's a nasty piece of software in that its intent is to serve up ads (and/or collect information, of course), but this sort of thing is also readily available on the market for parents who want to keep tabs on little Johnny's browsing habits or bosses who want to keep tabs on their employees. Unless Johnny/the employee/their browser checks the certificate and notices it's probably not what it's supposed to be despite being perfectly valid, Bob's your uncle.
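QuasiSteve's point is that a proxy like this re-signs every site with its own root, so what catches it is looking at the issuer of the certificate the browser actually received rather than whether it validates. The checker below is an added example, not code from the thread or from Lenovo: it flags a leaf certificate issued by a known interception root or by an issuer outside a pinned set. The host and issuer names in EXPECTED_ISSUER_ORG are constructed placeholders; "Superfish, Inc." is the name carried by the root that shipped on these machines.

```python
import socket
import ssl

# Issuer organizationName pins per host. Constructed sample values, not real
# pins; a deployment would record the CA each site actually uses.
EXPECTED_ISSUER_ORG = {"example.com": {"Example Trusted CA"}}

# Names used by known local-interception roots. "Superfish, Inc." is the
# name on the root Lenovo shipped; add others as you learn of them.
KNOWN_INTERCEPTORS = {"Superfish, Inc."}


def rdn_value(name, key):
    """Pull one attribute (e.g. 'organizationName') out of the nested
    tuple-of-tuples structure ssl.getpeercert() uses for subject/issuer."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def classify(cert, host):
    """Return a list of findings for a getpeercert()-style dict; an empty
    list means the leaf was issued by the CA pinned for that host."""
    findings = []
    issuer = cert.get("issuer", ())
    org = rdn_value(issuer, "organizationName")
    cn = rdn_value(issuer, "commonName")
    if org in KNOWN_INTERCEPTORS or cn in KNOWN_INTERCEPTORS:
        findings.append(f"{host}: leaf issued by known interception root {org!r}")
    expected = EXPECTED_ISSUER_ORG.get(host)
    if expected is not None and org not in expected:
        findings.append(f"{host}: issuer {org!r} not in pinned set {sorted(expected)}")
    return findings


def fetch_cert(host, port=443, cafile=None):
    """Connect and return the server's leaf certificate as a dict. With
    cafile=None the OS trust store is used, so an injected root validates
    silently and only classify() will notice; pass an independent CA bundle
    (one copied from a clean machine) to make the handshake itself fail."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

On a suspect machine, `classify(fetch_cert(host), host)` for each site you pin returns an empty list when the chain is the one you expect and a list of findings otherwise.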

  6. SuperFish Private Key cracked by brennz · · Score: 5, Informative

    See http://blog.erratasec.com/2015...

    Now all these boxes can be owned by anyone with the key!

  7. Nothing new. by nospam007 · · Score: 4, Informative

    That's why you run decrapifier as the very first thing. http://www.pcdecrapifier.com/

    Only then do you run your ninite selection. https://ninite.com/

  8. Lenovo website says they deactivated it... by fonos · · Score: 3, Interesting

    http://forums.lenovo.com/t5/Le...

    "Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.
    Lenovo stopped preloading the software in January.
    We will not preload this software in the future."

    However, later in the post they state that the root CA will remain intact. The private key has already been extracted and cracked, so this leaves Lenovo users still open to a very easy MITM attack.

    1. Re:Lenovo website says they deactivated it... by JohnFen · · Score: 4, Insightful

      Yes, that response was insufficient on a number of points. But what struck me about their statement was this:

      The relationship with Superfish is not financially significant; our goal was to enhance the experience for users.

      Why in the world do companies keep insisting that datamining and delivering ads "enhances the experience for users"? They can't possibly believe that. If they do, then they're hopelessly delusional. If they don't, then they're scumbag liars. Either way, it does nothing but make them look terrible.

  9. Re:Glad I Cancelled My Lenovo Order by The+Rizz · · Score: 3, Informative

    You can always have them officially ship it to your home address, but put a "hold for pickup at UPS/FedEx location" instruction on it. Then you just grab it before/after work, or over lunch hour.

  10. Don't dismiss RMS by matbury · · Score: 4, Insightful

    Richard Stallman is spot on regarding free and open source software (FOSS). He warns us about how proprietary, closed source software can be abused and that our dependency on it is a danger to civil society. In case you didn't see it the first time round: https://www.youtube.com/watch?... Only an idiot would dismiss the concerns he raises.

  11. Total Idiocy by Khyber · · Score: 4, Informative

    "Superfish will be removed from Program Files and Program Data directories, files in user directory will stay intact for the privacy reason. Registry entry and root certificate will remain as well."

    Which means we can crack that shit and pwn any computer that even had the software 'removed.'

    Oh, and then issuing certificates under the names of other corporations? I do believe that is identity theft, at the bare minimum.

    Lenovo should be hit in the courts hard over this.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.