So it looks like Lenovo has been installing their machines with adware that hijacks the HTTPS connection, effectively serving as a man-in-the-middle attack. And it’s extremely vulnerable, especially since a researcher was able to crack the cryptographic key within 3 hours. It looks like it was pre-installed on systems made/sold between October-December of last year.
Info about the adware
Lenovo has already released a statement saying that they thought customers would enjoy being able to find new products with that “service.”
I have to believe this was a decision made completely by suits or marketing. No one with a tech background can think this was a good idea, or that they wouldn’t get caught and have a huge PR debacle over it, right?
Hahahahaha. I’d love to see them take a lie detector test when saying that. No one actually wants more ads. It’s a shame because I still love the ThinkPad line.
Lenovo’s response is so hilariously a “sorry we got caught” apology. It’s pathetic. And then the audacity to claim that it shouldn’t be a security issue. Hmm, a compromised root certificate? Nah, shouldn’t be an issue.
I dunno how real that is. I mean, why would (Western Digital, Seagate, Toshiba, IBM, Micro Technology and Samsung) be complicit in such a thing? It’s not like they are all US companies toeing some US national security line.
Well crap. I bought a Lenovo laptop in October. I understand plausible deniability, but come on Lenovo, the key word there is “plausible”, you lying sacks of shit. Anyway… In for the inevitable class action suit!
They don’t have to. All the NSA needs is access to a hub while the HDDs are in transit.
The backdoors aren’t present in the firmware downloadable from the vendor, or installed by default. This hacking program has managed to stay secret for so long because it did its best not to spread everywhere. Instead it focused on the targets. So only a batch of HDDs of which a few were destined for the Kremlin would be infected while in transit. Or they would be infected while running, by an auto-triggering infectant on a USB flash drive.
Ah, right, intercepted and modified in transit, similar to what allegedly was happening with some Cisco routers. That is a little different from broad-base collusion with multiple vendors and would not typically be something that would affect the average home consumer, but rather targeted attacks against specific groups or individuals. Not that it makes it any better.
The danger here is that it’s pretty tough to understand the action of the problem, and even a high-level description of it seems to inevitably wind up with lots of jargony words in most of the headlines I’ve seen on it so far. Most folks don’t know what a security certificate is and would rather just not think about a story than spend 10 seconds reading the first paragraph to learn. (Note: having spent the majority of my life in the US states of NC, TN, and KY, I may have a skewed perception of the average person’s willingness to learn)
So, in essence, it’s hard to turn this into a sexy headline unlike with Heartbleed (first off, a name like Heartbleed is just great; second, the headline “Massive Security Flaw on Most Websites Exposes Your Password! More at 11!” is great and most places ran with something similar). I think a competent writer could do so, but again, having spent 4 years studying to become a journalist and then 6 years failing to do so, I doubt there are many competent writers out there ;)
Technophiles and GNUckbeards will be all over this story and riot in all the web’s loneliest comment sections, but I dunno if it will pick up the mainstream attention/concern necessary to actually inflict harm on Lenovo over it. Their PR response thus far paints a pretty clear picture: they’re sorry they got caught, but aren’t very concerned about how this reflects on them or will affect their business going forward.