Saturday, 21 February 2015


Over the past day or so I have been reading an intriguing amount of analysis of the latest computer world privacy fiasco coming our way from the House of Lenovo.
In case you haven't heard about it, the story goes like this. Since some time during 2014, Lenovo has been installing software called SuperFish on many of its Windows laptops. SuperFish thus joined a long line of bloatware computer purchasers get when they buy a preinstalled Windows computer, but unlike normal bloatware SuperFish is actually adware. And not just your regular adware, it is proper malware.
The way this application works is that it analyses whatever you're viewing online, regardless of the browser you use and regardless of whether you do so with an encrypted/secure connection or not, and replaces the ads on the pages you're watching with ads from Lenovo. If you run a website whose earnings are built on ad viewing, tough luck; Lenovo will take what should have been your money.
It gets worse. In order to do what it does, SuperFish replaces any security certificate used while browsing with its own. Thus when you think you're conducting your online banking with your bank, you could actually be dealing with any weasel out there who knows their way around the SuperFish certificate (a kind of hacking attack known as "man in the middle"). And we have plenty of weasels out there: on the left side of the map we have the NSA, on the right China, and in between there are plenty of nice people who would love to get between you and your wallet.
But wait, it gets worse. As it turns out, SuperFish uses a single certificate in all of its installations. This means that all it takes is for this certificate to be cracked once before every Lenovo SuperFish user is exposed. Lucky for them, the guy who discovered the problem already managed to crack the certificate, and quite easily so; surely, he's not alone there.

If you're stuck with such a Lenovo machine, you're rather short of options.
Uninstalling SuperFish is a fine start, but it won't do on its own without removing the SuperFish certificate, too. The catch is that such an operation is not trivial for the vast majority of Windows home users. You can read more on how to do it here.
The optimal solution to the problem is to reinstall Windows from scratch. No, you cannot use the Windows image Lenovo gave you, because that would just reinstall SuperFish together with all the rest of Lenovo's approved bloatware. Indeed, as this guide attests, reinstalling Windows is not a trivial operation even for people who know their way around such operations, let alone your typical PC user.
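For readers who want to check whether the SuperFish root certificate is still present after uninstalling the application, the following PowerShell script is an added example (not from the original post or from any removal guide). It assumes the certificate can be recognised by the string "Superfish" in its Subject or Issuer; no thumbprint is given here, and removal prompts for confirmation.

```powershell
# Added example: find (and optionally remove) a trusted root certificate
# whose Subject or Issuer matches the SuperFish name. Run from an elevated
# PowerShell prompt so the LocalMachine store can be modified.
# Assumption: the certificate is identifiable by the string "Superfish".
$pattern = 'Superfish'
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

# Collect every matching certificate together with the store it lives in.
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
}

if (-not $found) {
    Write-Output "No trusted root certificate matching '$pattern' was found."
}
else {
    Write-Output "Trusted root certificate(s) matching '$pattern':"
    $found | Format-Table -AutoSize

    # Remove each match from its store. Remove-Item on the Cert: drive needs
    # PowerShell 3.0 or later; -Confirm asks before each deletion.
    foreach ($cert in $found) {
        $path = "$($cert.Store)\$($cert.Thumbprint)"
        Remove-Item -Path $path -Confirm
    }
}
```

The script only inspects the Windows certificate stores; Firefox keeps its own certificate database, which has to be checked separately.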

Lenovo's reaction to the affair demands its own post.
First it came out with a statement along the lines of SuperFish being a service to Lenovo users in order to help them become aware of goods and services they were previously unaware of.
Eventually, in the third round of company replies, they acknowledged the problem but added that they have shut down the SuperFish servers. What a problematic reaction this is! First, what does it say about Lenovo if it had central control, an HQ of sorts, for spying on all of its clients' allegedly secure online operations? Second, the fact Lenovo shut down the servers has zero effect on any hacker's ability to abuse the SuperFish certificate that is still very much installed, and come between a user and their money.

Now for my personal observations.
First, I would like to note that the chances of me ever touching a Lenovo PC again have significantly diminished. It is worthwhile noting I am making this statement just a few days after I have shortlisted its Thinkpad X1 as one of two laptop models to replace my current Windows laptop with. For the record, my current Windows laptop is a Lenovo.
Second, the affair raises doubts about the Windows ecosystem as a whole. Virtually all Windows laptops come with bloatware; what guarantee do I have that Dell, Asus or any of the other Windows laptop manufacturers do not pull the same trick on me as Lenovo? As long as those companies rely on bloatware for their bottom lines, none.
I do not have many options left if I want to avoid such concerns altogether. Fact of the matter is, I need a Windows PC for work purposes; I much prefer open source systems, like Ubuntu, and most of the time I am an Apple OS X user, but with all the love I have towards the latter two I am still forced to use Windows. It therefore looks as if my next Windows laptop would be... an Apple MacBook Pro, on which I will install Windows in a separate partition. It's a very expensive solution, I know, but at least I would get to enjoy Apple grade hardware in the process (and if you don't know what I'm talking about, try using an Apple laptop for a week or so and then go back to your average Windows laptop; once you come close to perfection, going back is very hard).
Third, and last, and perhaps most importantly, I want to ask a simple question: where was the NSA in all of this? Or, for that matter, the GCHQ? The NSA is an organisation with billions in its budget whose role is supposed to be the protection of Americans. Well, where was the NSA when it came to protecting American Lenovo users, undoubtedly numbering in the millions?
There are two possible answers to this question. One is that the NSA was simply unaware of the problem, in which case we may as well ask whether it is worth all the taxpayer money it is sucking out of the economy. The second is that the NSA knew about the whole affair, but chose to sacrifice the security of the people it is meant to protect in order to be able to tap on the seemingly secure online activities of all Lenovo users (and who cares if the Chinese or any two cent hacker can do the same just as well?).
Then again, by now it is taken for granted that there is no low to which the NSA won't sink.

Image by Graham Holliday, Creative Commons (CC BY-NC-SA 2.0) licence

If you'd like to learn more about Lenovo's SuperFish affairs, I recommend the following sources:
  1. Ars Technica
  2. Anandtech
  3. Jonathan Zdziarski
  4. InfoSec Taylor Swift tweeted a lot about the affair.


wile.e.coyote said...

Our ACME corporate laptops used to be Lenovo and came with so much spyware to check we don't sell secrets to the roadrunners.
Now they are replaced with lightweight Dell/HP laptops. I assume it is based on price and not the spyware issue; anyhow, HP>Lenovo.

Moshe Reuveni said...

As confirmed by Lenovo itself, corporates were never on the agenda for SuperFish; they don't get bloatware in the first place, and most of them re-image their PCs in the first place.
SuperFish victims were "limited" to ordinary people.

wile.e.coyote said...

And as a clarification from the newspaper, SuperFish is a company from PETACH-TIKVA, Israel.
SuperFish used another component that was developed by another Israeli company called KOMEDIA (very funny indeed) to bypass encryption.
Lenovo say they were not aware of the security issue that the KOMEDIA component can cause.