If you have a Lenovo, it might be time to clean install

So it looks like Lenovo has been installing their machines with adware that hijacks the HTTPS connection, effectively serving as a man-in-the-middle attack. And it’s extremely vulnerable, especially since a researcher was able to crack the cryptographic key within 3 hours. It looks like it was pre-installed on systems made/sold between October-December of last year.

Info about the adware

Lenovo has already released a statement saying that they thought customers would enjoy being able to find new products with that “service.”

Honestly, the government should get involved with this and crack down hard. Adding a new globally trusted root certificate is completely unacceptable.

I have to believe this was a decision made completely by suits or marketing. No one with a tech background can think this was a good idea, or that they wouldn’t get caught and have a huge PR debacle over it, right?

Hahahahaha. I’d love to see them take a lie detector test when saying that. No one actually wants more ads. It’s a shame because I still love the ThinkPad line.

This is where a government regulator should really step in and lay some serious smackdown. Surely this must violate a law somewhere.

We’ve heard.

Whoops. I must have missed that.

Hah, merged by executive action, so now my post makes no sense.

Instead of the generic “check our forums” link, here’s a link to the actual instructions to remove this crap:
http://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Removal-Instructions-for-VisualDiscovery-Superfish-application/ta-p/2029206

They never do, Gus, but we love you anyways! :D

Good, these instructions tell users to remove the cert too. The original ones didn’t.

… although for whatever reason, the second “Step 2” (where it’s talking about removing the certificate) in that link is missing. It should say something like this:

Search for “certificates” (without the quotes), and you should see a listing that comes up which says “Manage Computer Certificates” - pick that

Then continue on to Step 3.
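As an added example (not part of the forum post or Lenovo's instructions), the certificate step above can be checked and carried out from PowerShell instead of the Certificates MMC snap-in. It audits both root stores for a certificate whose subject or issuer matches the Superfish name; the "Superfish" match pattern is an assumption about how the certificate is named, so review the listed entries before removing anything.

```powershell
# Added example: audit the Windows root stores for a Superfish certificate and remove it.
# The subject/issuer pattern is an assumption; confirm the listed entries before deleting.
$pattern = 'Superfish'
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

# Collect every root certificate whose Subject or Issuer matches the pattern.
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern }
}

if (-not $found) {
    Write-Output "No root certificate matching '$pattern' found in $($stores -join ', ')."
} else {
    # Show where each match lives, its subject, thumbprint and expiry before acting on it.
    $found | Format-Table PSParentPath, Subject, Thumbprint, NotAfter -AutoSize

    # Dry run first (-WhatIf); drop the switch to actually delete.
    # The LocalMachine store needs an elevated (Administrator) prompt.
    $found | ForEach-Object { Remove-Item -Path $_.PSPath -WhatIf }
}
```

Run it from an elevated prompt so the LocalMachine store is writable, and remove `-WhatIf` once the output shows only the certificate you expect. Note that Firefox keeps its own trust store separate from Windows, so a clean result here does not cover that browser.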

Lenovo’s response is so hilariously a “sorry we got caught” apology. It’s pathetic. And then the audacity to claim that it shouldn’t be a security issue. Hmm, a compromised root certificate? Nah, shouldn’t be an issue.

Lenovo are Chinese are they not?

I’m having trouble remembering where I read this, but didn’t the NSA install something like that on hard disks manufactured in the US as well?

Bloke at work was telling me about this today - NSA allegedly installing backdoor code on various HD manufacturer firmware for years.

I dunno how real that is. I mean, why would (Western Digital, Seagate, Toshiba, IBM, Micro Technology and Samsung) be complicit in such a thing? It’s not like they are all US companies toeing some US national security line.

Well crap. I bought a Lenovo laptop in October. I understand plausible deniability, but come on Lenovo, the key word there is “plausible”, you lying sacks of shit. Anyway… In for the inevitable class action suit!

Yeah, this is complete and utter bullshit. I hope Lenovo are hauled over the coals for this.

They don’t have to. All the NSA needs is access to a hub while the HDDs are in transit.

The backdoors aren’t present in the firmware downloadable from the vendor, or installed by default. This hacking program has managed to stay secret for so long because it did its best not to spread everywhere. Instead it focused on the targets. So only a batch of HDDs of which a few were destined for the Kremlin would be infected while in transit. Or they would be infected while running, by an auto-triggering infectant on a USB flash drive.

See the article on Ars Technica for more detail, How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last | Ars Technica

Especially that last feat requires knowing the type of HDD installed in a computer. It must have required a lot of patience and persistence.

Now, thanks to Lenovo and SuperFish, it’s a lot easier.

Ah, right, intercepted and modified in transit, similar to what allegedly was happening with some Cisco routers. That is a little different from broad-base collusion with multiple vendors and would not typically be something that would affect the average home consumer, but rather targeted attacks against specific groups or individuals. Not that it makes it any better.

The danger here is that it’s pretty tough to understand the action of the problem, and even a high-level description of it seems to inevitably wind up with lots of jargony words in most of the headlines I’ve seen on it so far. Most folks don’t know what a security certificate is and would rather just not think about a story than spend 10 seconds reading the first paragraph to learn. (Note: having spent the majority of my life in the US states of NC, TN, and KY, I may have a skewed perception of the average person’s willingness to learn)

So, in essence, it’s hard to turn this into a sexy headline unlike with Heartbleed (first off, a name like Heartbleed is just great; second, the headline “Massive Security Flaw on Most Websites Exposes Your Password! More at 11!” is great and most places ran with something similar). I think a competent writer could do so, but again, having spent 4 years studying to become a journalist and then 6 years failing to do so, I doubt there are many competent writers out there ;)

Technophiles and GNUckbeards will be all over this story and riot in all the web’s loneliest comment sections, but I dunno if it will pick up the mainstream attention/concern necessary to actually inflict harm on Lenovo over it. Their PR response thus far paints a pretty clear picture: they’re sorry they got caught, but aren’t very concerned about how this reflects on them or will affect their business going forward.