Lenovo PCs ship with extremely dangerous man-in-the-middle adware ( Windows )

**Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections**

Lenovo is selling computers that come preinstalled with adware that hijacks encrypted Web sessions and may make users vulnerable to HTTPS man-in-the-middle attacks that are trivial for attackers to carry out, security researchers said. The critical threat is present on Lenovo PCs that have adware from a company called Superfish installed. As unsavory as many people find software that injects ads into Web pages, there’s something much more nefarious about the Superfish package.

It installs a self-signed root HTTPS certificate that can intercept encrypted traffic for every website a user visits. When a user visits an HTTPS site, the site certificate is signed and controlled by Superfish and falsely represents itself as the official website certificate.

**Even worse, the private encryption key accompanying the Superfish-signed Transport Layer Security certificate appears to be the same for every Lenovo machine.** Attackers may be able to use the key to certify imposter HTTPS websites that masquerade as Bank of America, Google, or any other secure destination on the Internet. Under such a scenario, PCs that have the Superfish root certificate installed will fail to flag the sites as forgeries—a failure that completely undermines the reason HTTPS protections exist in the first place.

[Update: Rob Graham, CEO of security firm Errata Security, has cracked the cryptographic key encrypting the Superfish certificate. That means anyone can now use the private key to launch man-in-the-middle HTTPS attacks that won’t be detected by machines that have the certificate installed. It took Graham just three hours to figure out that the password was “komodia” (minus the quotes). He told Ars the certificate works against Google even when an end-user is using Chrome. That confirms earlier statements that certificate pinning in the browser is not a defense against this attack (more about that below).]

Source: Arstechnica

Whilst I know this isn’t strictly Linux related, as it’s a pre-loaded Windows system, I would advise anyone to never buy anything from Lenovo again, and if they have friends / relatives with said brand using Windows, to check if this application is installed on their systems, as it is EXTREMELY dangerous: the cryptographic key has been compromised and it essentially allows anyone to intercept and decrypt HTTPS communication from said systems.

Simply removing the application is not enough, as the key is still in the certificates; this needs to be removed separately!

The question that I have is whether it is confirmed that this shouldn’t be an issue if one replaces the Windows that came with the Lenovo with Linux, or clean-installs a vanilla Windows?
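As an added example (not from the thread, and not Lenovo's removal tool), a PowerShell check for the leftover root certificate that the post says survives uninstalling the application; matching the certificate subject or issuer on "Superfish" or "Komodia" is an assumption, so inspect every hit before removing anything:

```powershell
# Added example, not from the thread or from Lenovo's removal tool.
# Searches the Windows trusted root stores for a Superfish/Komodia root CA,
# which the post says stays behind after the application is uninstalled.
# Matching on the subject/issuer text is an assumption; inspect every hit
# before removing anything. LocalMachine changes need an elevated shell.
$pattern = 'Superfish|Komodia'      # assumed substrings of the certificate subject
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$hits = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
            }
        }
}

if (-not $hits) {
    Write-Output 'No certificate matching Superfish/Komodia in the trusted root stores.'
} else {
    Write-Output 'Trusted root certificates matching the pattern (verify before removal):'
    $hits | Format-Table -AutoSize

    # Uninstalling the application does not touch these; removal is a separate step.
    # -WhatIf only reports what would be deleted; drop it once each thumbprint has
    # been confirmed as the unwanted root.
    foreach ($h in $hits) {
        Remove-Item -Path "$($h.Store)\$($h.Thumbprint)" -WhatIf
    }
}
```

This looks only at the Windows certificate stores; a browser that keeps its own trust store (Firefox, for example) has to be checked separately.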

Why do open source OS enthusiasts constantly promote their own brand of FUD? Within the article you reference, IT IS NOT ALL LENOVO MODELS:

G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30

The W530, W540 are not there.

By the way, the tone of the post is to harp on Lenovo/Windows. Here, let me “p” on System76 - those laptops from 2012 era are pure krap.

I bought my Lenovo (TS140) without disk drives or Windows. So I presume it to be safe.

I tend to see this as a problem in the Windows world, not just Lenovo. Computers typically come pre-loaded with adware and similar junk. Up through Vista, my practice was to format the hard drive then install from the reinstall media. But, more recently, the vendors have not been providing re-install media. They instead give you a way to take a backup, which presumably includes all of the unwanted junk.

Lenovo has released an automatic Superfish removal tool. http://www.theverge.com/2015/2/20/8079933/lenovo-superfish-removal-tool-uninstall

If I had a lenovo running windows (whether or not it was one of the potentially infected laptops) I would wipe the disk and reinstall windows from a cd/dvd (not the vendor backup). I figure I could borrow a disk from a friend for the reinstall and use the serial number/key from the oem sticker on the laptop (might require a call to ms to get them to recognize the key as legit).

You can buy the disks directly from IBM - it’s $59.

Here’s a typical example of System76 quality from the Ubuntu forum:

Bonobo Extreme Stuck at BIOS Screen

Yesterday, everything was normal and working well when I turned the computer off. Today it’s stuck at the BIOS screen. I believe it’s a BonX8 (the model just before the nvidia GTX9XXM series was released). Everything is basically stock from when I received it in ~July 2014, (using ubuntu 14.04, system76’s nvidia driver ppa, etc.).

Just to check if there was something wrong with the hard drive not letting the system boot into the OS, I stuck in a flash drive with ubuntu, BUT the boot option would not respond. Everything is completely frozen and stuck at the BIOS screen. I’m guessing it’s more serious than a faulty hard drive :P If it helps, I don’t recall any update that contained anything “major” to the system other than an upgrade from the nvidia 343 to 346 drivers about a week ago. I have no clue what to do seeing as I cannot do anything but stare at the system76 logo.

But, come to think of it, there have been a few instances when playing a game in wine and having the computer completely shut down. My character spun in circles just before it shut off, as if the PC was fried or something. The temp was fairly cool, (~48 C) so I doubt it was a heating issue. It didn’t happen too terribly often, so I passed it off as a weird “wine thing”. But, the same thing happened recently while playing Wasteland 2. The camera spun around and the system just shut off. The temp is roughly the same with Wasteland 2 (a native Linux game) as with the wine game. Perhaps it’s related to my current problem, like some sort of early sign of the larger problem I should have caught?

Thanks, and any help is appreciated :)

On Sat 21 Feb 2015 11:46:02 PM CST, J Andrew wrote:

Lenovo has released an automatic Superfish removal tool.
Lenovo has just released an automatic Superfish removal tool - The Verge

If I had a lenovo running windows (whether or not it was one of the
potentially infected laptops) I would wipe the disk and reinstall
windows from a cd/dvd (not the vendor backup). I figure I could borrow a
disk from a friend for the reinstall and use the serial number/key from
the oem sticker on the laptop (might require a call to ms to get them to
recognize the key as legit).

Hi
Google on digital river + dell, for windows 7 download, then mount the
iso image and remove the ei.cfg file from down in boot and you have a
multiversion one. If the system is x86_64 but only a 32bit install, you
can use the product key for either arch. Just skip during install and
activate once system is up and running.

Windows 8/8.1 I use CCleaner to remove all the unwanted stuff, clean
out the registry etc.


Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
SUSE Linux Enterprise Desktop 12 GNOME 3.10.1 Kernel 3.12.36-38-default
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below… Thanks!

There is no FUD, since I didn’t say it was every Lenovo model; I said you should not buy anything from them, as this is a gross violation of privacy in the form of injecting ads into HTTPS traffic, as well as a security issue.

On top of this Lenovo denied initially that there were issues as well as treating people reporting this with an arrogant attitude.

I would not trust them and thus I will never buy anything from them. Not that I buy B-grade **** that Lenovo sells anyway.

So what do you buy then? HP? Dell? Toshiba? Gateway? ASUS? I have looked at hundreds of laptops - none are as good as Thinkpads.

I think it is important not to see this out of proportion.

Re-installing an OS is not that difficult … even re-installing MS-Windows has traditionally not been that hard (albeit I find GNU/Linux easier to re-install), and if one is predominantly a GNU/Linux user, there is also a Virtual Server possibility for running MS-Windows under GNU/Linux.

My wife has a Lenovo (Thinkpad X220) and she loves it. I have owned a Dell laptop in the past, and I really liked it. My current ultrabook is an incredibly light Toshiba Z930 (with core-i7 cpu and 256GB SSD drive) and I love it. I have yet to find an Ultrabook for the same price, same very light weight (which is the most important criterion for me), and same number of interfaces (which is the second most important criterion for me).

There are lots of possibilities, and I personally think the Lenovo ThinkPad X1 Carbon and new X250 look very attractive to me, as a GNU/Linux user.

I am not out of proportion here - the original poster stated categorically, “I would advise anyone to never buy anything from Lenovo again”, but the article he quoted was basically an anti-Lenovo piece. Here is a part of the actual response from Lenovo:

"Lenovo Security Advisory: LEN-2015-010
Potential Impact: Man-in-the-Middle Attack
Severity: High
Summary:
**This advisory only applies to Lenovo Notebook products.**
(ThinkPad, ThinkCentre, Lenovo Desktop, ThinkStation, ThinkServer and System x products are not impacted.)
Superfish was previously included on some consumer notebook products shipped between September 2014 and February 2015 to assist customers with discovering products similar to what they are viewing. However, user feedback was not positive, and we responded quickly and decisively:

  1. Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the software product is no longer active, effectively disabling Superfish for all products in the market.
  2. Lenovo ordered the pre-load removal in January.
  3. We will not preload this software in the future.

Vulnerabilities have been identified with the software, which include installation of a self-signed root certificate in the local trusted CA store. The application can be uninstalled; however, the current uninstaller does not remove the Superfish root certificate."

Again, “(ThinkPad, ThinkCentre, Lenovo Desktop, ThinkStation, ThinkServer and System x products are not impacted.)”, so why tarnish ALL Lenovo products due to one small problem with a third-party software not designed by Lenovo?

[QUOTE=BSDuser;2696338]

Again, “(ThinkPad, ThinkCentre, Lenovo Desktop, ThinkStation, ThinkServer and System x products are not impacted.)”, so why tarnish ALL Lenovo products due to one small problem with a third-party software not designed by Lenovo?
[/QUOTE]
IMHO Miuku is fully entitled to lose his trust in the manufacturer. And when you lose all trust in something, somebody, some organisation, you may decide not to want to have relations (buying products in this case) with it/him/it any more. And he is free to express his decision. The fact that Lenovo (or you) try to persuade everybody that it was only a minor glitch and is cured anyway may not be enough to gain trust again.

Here we have a saying that says about: Trust goes away on horseback and only returns on foot.

Komodia/Superfish SSL Validation is broken - Cloudflare security guy explains what the problem was and is. More Komodia than Lenovo.

Third, Komodia should be punished for jeopardizing the users, like probably all the companies that didn’t do due diligence here.

Those who dislike incompetence regarding security can easily come up with some reasons to “tarnish”.

That they do it because of greed and as part of the Windows OEM business model is not helping.

Microsoft could forbid tampering with clean Windows installs, which would at least make it harder for vendors. They won’t, because bundle-ware has been part of the PC ecosystem since forever - so Microsoft is to blame too :slight_smile: They are the only party which can effectively stop it.

Injecting data into a user’s HTTPS stream is UNACCEPTABLE.

The fact that any company would even think about doing something like that shows complete and utter loathing of a customer’s personal privacy. Also the fact that Lenovo essentially said it didn’t see any problem with them doing it in the first place shows nothing short of contempt and disregard for the customer in the first place.

In short; I see Lenovo as nothing but a two-bit crooked company that tried to downplay the fact that they screwed up majorly and then tried to ridicule the people who brought it up.

Why should I re-install an OS for a computer that I paid thousands for?

IT is the only industry where this behaviour is, for some obscure reason, tolerated. It’s insanity and they need to be punished - I only hope they get sued and other companies take heed that this kind of behaviour will stain them for all time.

Yeah I did read their forum where a hard working admin tried his best. Users going from “ok thanks” to “WTF” a little too fast! Then official denial and finally DARN, no jumbo jet crashed directing attention elsewhere - oh well. Yes, yes, guess there is a security issue, we are therefore sorry…

Other comparable vendors will probably do some extra checks in the coming days, so that is always something. Bundleware will continue, be sure of that, and it is the problem. Even without any security issues we are over in the “ad injecting” category already. Nasty stuff.

Found the forum link: English Community - Lenovo Community

It appears that you had what is considered a Potentially Unwanted Program on there

That was on page 1 :slight_smile:

Only if the vendor provides the reinstall media. That is becoming uncommon.

On Sun 22 Feb 2015 04:46:01 PM CST, js9600 wrote:

Other comparable vendors will probably do some extra checks comings days
so that is always something. Bundleware will continue be sure of that
and it is the problem. Even without any security issues we are over in
“ad injecting” category already. Nasty stuff.

Hi
Yup, that’s my bug-bear pushing stuff at me… a sign of the times and
especially good for the ISP’s if you go over your data cap :wink: Once it’s
past their interface it’s on your dime!

Windows 10 preview still tries to be very chatty even if you turn all
the stuff off.


Thousands? There are many computers that cost much less than thousands that are very nice. I can’t recall the last time I paid thousands for a computer (and I have a very fast core-i7 with a large SSD drive).

Still, I understand your point.

Before I go further, let me state, I am not an MS-Windows user on my home PCs, and I have not been since 1998.

A thing I have always criticised about MS-Windows is that it is typically pre-installed on new PCs as an OEM install together with tons of bloatware put in place by the manufacturer. Bloatware that typically comes with varying levels of spying functionality. IMHO this bloatware (which the PC manufacturer receives money for, and hence they pass the savings on to the consumers by selling the PCs cheaper) has enabled PCs with default MS-Windows to be actually less expensive than having GNU/Linux as OEM. A number of us have pointed this out over the years.

And that contributes to my point - you paid less for your MS-Windows install, because of the bloatware. It’s ugly, it’s definitely something I think is not correct, but that IS the way practically all manufacturers operate wrt selling new PCs. They charge you less for your computer, if you are willing to accept the bloatware.

I know companies in Canada that sell new PCs, and will then offer an extra $50 to $100 service, just to remove the bloatware.

Me? I buy my new desktop PCs with no OS. I’ve done that since the year 2000! My laptops typically come with MS-Windows, and I have on more than one occasion with a new PC, completely reformatted the hard drive into a dual boot, with GNU/Linux in one partition, and with MS-Windows in a second (much smaller) partition, with NO bloatware. I see that extra effort on my part as needed because of the lower price, as the laptop originally came with bloatware, saving me money. But I declined to use the bloatware and got rid of it by a re-install.

So you ask me why should you re-install, and my answer is that is the effort you pay for a cheaper PC.

It’s not a nice answer, but I think it is an industry-wide observation; it’s a sad reflection on today’s PC sales industry.

Fortunately, a re-installation is something that is very easy to do.