Lenovo CTO Claims Concerns Over Superfish Are Simply 'Theoretical'

Failures

from the find-a-new-cto dept

Lenovo keeps making things worse. First it installed crappy Superfish malware/adware on a bunch of its computers. That was bad enough. But the real problem was that in a clever little “hack” to get around the fact that the adware wouldn’t work on HTTPS enabled pages, Superfish installed its own self-signed root certificate to basically create a massively dangerous man-in-the-middle attack to snoop on what you were doing on those HTTPS pages. Oh, and to make it even worse, the company made sure that everyone who had this Superfish self-signed root certificate had the exact same certificate with an easily cracked password, so that a massive and easily exploited vulnerability is in place in tons of machines out there. And Lenovo’s first response was to insist there was no evidence of any security concerns. It later, quietly, deleted that statement, but still seems to be unwilling to admit what an incredibly dangerous situation it has created.

In fact, the company is still in denial mode. Lenovo’s CTO, Peter Hortensius, was interviewed by the WSJ, and he insisted that any threats were “theoretical.”

WSJ: There seems to be a disparity between what security researchers are saying about the potential dangers of this Superfish software, and what the company has said about this app not presenting a security risk.

Hortensius: We?re not trying to get into an argument with the security guys. They?re dealing with theoretical concerns. We have no insight that anything nefarious has occurred. But we agree that this was not something we want to have on the system, and we realized we needed to do more.

Fire your CTO, Lenovo. Fire your marketing people. Fire your security team. This is a disaster. In our first post, we compared it to the Sony rootkit fiasco from a decade ago, while noting the security risk here is much, much greater. And, so far, Lenovo appears to be playing straight from the Sony rootkit response playbook. If you don’t recall, after security folks pointed out what a security disaster the rootkit was, Sony’s response was to dismiss the concerns as… theoretical:

“Most people, I think, don’t even know what a rootkit is, so why should they care about it?”

In both cases, these technologies opened up giant, massive vulnerabilities on people’s computers. In both cases, they were easily exploitable (in the Lenovo case, much, much, much more easily exploitable in a much, much, much more nefarious way). And, in both cases, senior execs from the company tried to handwave it away because they don’t know if anyone abused these problems. This ignores that (1) it’s quite possible people have been abusing these vulnerabilities for months and it’s just not public yet, and (2) more importantly, it doesn’t fucking matter because the vulnerability is still there and easily exploitable by lots and lots of people now because it’s widely known.

Handwaving this off as a “theoretical” concern is not just missing the point — it suggests a fundamental lack of understanding about rather basic security practices. As I mentioned earlier, I’ve been a very loyal Thinkpad buyer for years (though, thankfully, the machine I bought a couple months ago wasn’t one infected this way). Every time I’ve dabbled with other laptops I’ve regretted it. But Lenovo’s response to this is very quickly convincing me that the company should never get any more money from me. It’s not just the initial screwup in preinstalling such a security mess, but the completely ridiculous response to it that suggests a company that still doesn’t recognize what it has done.

Filed Under: certificate, danger, peter hortensius, security, self-signing, superfish
Companies: komodia, lenovo, superfish