Lenovo Quietly Deletes That Bit About 'No Security Concerns' To Superfish... While Superfish Says 'No Consumers Vulnerable'

from the own-it dept

Wednesday night, the security world blew up with the news (which had actually been out there for a while), that the adware/malware Superfish that Lenovo had been installing by default on many laptops included a massive and dangerous security vulnerability by installing its own, self-signed root HTTPS certificate, and then basically mounting a man in the middle attack on every single HTTPS connection -- and doing so with an easily hacked certificate, creating a giant vulnerability for anyone owning one of those laptops. We were shocked at the tone-deafness of Lenovo's initial response, which didn't even name which laptops Superfish was installed on, and made this blatantly bullshit statement:
We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.
However, within hours, Lenovo had quietly updated its statement to remove that line. The company is now also (finally) admitting which laptops were infected and put together a page about how to remove the software and the rogue certificate. That's better, but Lenovo should at least apologize, which it has not done, and admit that it was completely full of shit in insisting that there was no security concern.

Speaking of which, Superfish has remained remarkably quiet as well. At the time I write this, there is nothing about this on its website, and it's only given a ridiculously misleading statement to reporters:
Superfish has not been active on Lenovo laptops since December. We standby this Lenovo statement: http://news.lenovo.com/article_display.cfm?article_id=1929.

It is important to note: Superfish is completely transparent in what our software does and at no time were consumers vulnerable—we stand by this today. Lenovo will be releasing a statement later today with all of the specifics that clarify that there has been no wrongdoing on our end.
First of all, at the time it "stood by" the Lenovo statement, that statement was blatantly false in claiming that there were no security concerns. Similarly, it's simply not at all true that Superfish is "completely transparent" because no one knew that it was inserting its own self-signed certificate and using it on every HTTPS connection. Furthermore, consumers absolutely were vulnerable.

Finally, there's Komodia. As Robert Graham discovered when he hacked the Superfish certificate, the password is "komodia" which just happens to be a company that sells a product for... creating these kinds of man in the middle attacks on HTTPS connections, mainly for parental spyware. The company is also entirely silent on this stuff. Its website looks like it hasn't been updated recently. It has various blogs and a Facebook page, none of which appear to have been updated since 2013.

However, as security researchers are discovering, Komodia's tool is being used in other crappy spyware/malware and always in the same terrible manner -- all using the password "komodia." As Marc Rogers notes:
What does this mean? Well, this means that those dodgy certificates aren’t limited to Lenovo laptops sold over a specific date range. It means that anyone who has come into contact with a Komodia product, or who has had some sort of Parental Control software installed on their computer should probably check to see if they are affected.

This problem is MUCH bigger than we thought it was.
The software known to use Komodia are Komidia's own "Keep My Family Secure," Qustodio's parental control software and the Kurupira Webfiler -- all of which likely are very vulnerable thanks to this idiotic implementation.

Lenovo, Superfish and Komodia all have done a piss poor job taking responsibility for the massive security vulnerability they created.

Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 20 Feb 2015 @ 4:32am

    The fun never ends

    Oh, and that man in the middle attack it does? It validates the certificate, and if it's invalid, changes the domain name in the certificate so it won't match in the browser.

    But there are two different ways to match a domain name to a certificate, and they forgot the other one. So anyone can create an invalid certificate which, when passed through any of these Komodia proxies, will be treated as valid by the browser. The attacker doesn't even have to use the Superfish key.

    reply to this | link to this | view in chronology ]

    • icon
      Roger Strong (profile), 20 Feb 2015 @ 7:33am

      Re: The fun never ends

      Lenovo products are misrepresented as being secure, while instead containing this malware.

      It makes more sense if you spell it as "SuperPhish."

      reply to this | link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 20 Feb 2015 @ 4:44am

    But they were only trying to make the customer experience better.

    More telling was poking around on the Lenovo forums I found an older thread where it appears this product was screwing up peoples net access and downloads, and they went ahead to patch it to make it work better. One wonders if the solution was the cert.

    reply to this | link to this | view in chronology ]

  • identicon
    Gordon, 20 Feb 2015 @ 4:56am

    Every day, my paranoia about the actions of these companies becomes more justified.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Feb 2015 @ 4:58am

    You know who owns Lenovo know, right?

    So you think the US government is the only one spying on everyone it possibly can?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Feb 2015 @ 5:00am

      Re: You know who owns Lenovo know, right?

      Oh, and Motorola as well. Two brands I will never buy.

      I know what you are thinking, much of our tech is made there and that is true. But with a fully owned company, they are free to put whatever spyware software or hardware they want. With other companies, they would have get past their engineers with that stuff. Could the do it? Sometimes, but get caught once and they are done.

      reply to this | link to this | view in chronology ]

  • icon
    Groaker (profile), 20 Feb 2015 @ 5:37am

    Not free to put spyware on computers

    Private companies are not free to do what they like. They have fiduciary, privacy, and good practice requirements to meet.

    My bank can not advertise my balances in the local paper. My computer can not knowingly have spyware installed by the manufacturer that sends my passwords to a third party. A car manufacturer can not legally sell a car whose brakes will fail one time in a thousand.

    The we are a private company mantra, and can do as we like, is nothing but fabrication. Products of companies must meet implicit warranties of merchantability and fitness. Failure to meet those legal criteria open a company to civil and criminal liability. I don't know if Lenovo committed the actions described above or not. But any company that did so, would almost certainly be in breech of implied warranties.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Feb 2015 @ 7:51am

      Re: Not free to put spyware on computers

      Sadly, while technically accurate, the legal hurdles are sufficient to render them almost entirely effectively above the law.

      reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 20 Feb 2015 @ 8:20am

      Re: Not free to put spyware on computers

      However, many companies (and the larger they are the more likely they are to think this way) don't view the mere fact that something is illegal as a reason to avoid doing it. They just boil it down as a cost/benefit analysis: if they can make more money by breaking the law (taking into account the expected payout in fines when they get caught), they will break the law without a second thought.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Feb 2015 @ 5:54am

    Companies have always claimed vulnerabilities to be "theoretical", not a real threat, etc., until there's a ridiculous amount of proof. This is why security researchers release exploits with their advisories: in the 90s they didn't, and companies would always play up the angle that only some kind of rich genius or foreign government would be able to figure out how to exploit whatever was being reported. Even recently, most sites didn't deploy strong crypto until Firesheep and sslstrip existed.

    I wouldn't be surprised if Lenovo and/or Superfish continued to deny it until someone actually has an account cracked there's a sworn deposition, from a security expert, showing their software was to blame.

    always in the same terrible manner -- all using the password "komodia."
    This doesn't matter at all. They could use a unique strong password on each computer, and it would make no difference because that password must be stored on the computer so it can decrypt the certificate... which is the same on every computer anyway.

    reply to this | link to this | view in chronology ]

  • identicon
    dkone, 20 Feb 2015 @ 6:16am

    Lenovo's statement is such BS

    I am so sick and tired of these type of statements when a corporation/politician gets caught with their hand in the cookie jar.

    "we are going to spend the next few weeks digging in on this issue, learning what we can do better. We will talk with partners, industry experts and our users. We will get their feedback. By the end of this month, we will announce a plan to help lead Lenovo and our industry forward with deeper knowledge, more understanding and even greater focus on issues surrounding adware, pre-installs and security"

    So what you are saying is that either you have no one in your corporation that knows jack shit about security and moral responsibility OR you have the wrong people working above them with the authority to over ride them. In either case, time will not fix the problem. I take that back, time will fix the problem but only because you are banking on the consumer forgetting your past.

    As far as Lenovo's and just about any other manufacturer stance on pre-installing shit software on machines... Just stop it all together. If I buy a machine with Win7 Pro, that is all I want. If they insist on doing it, then there should be a full disclaimer about every single piece of other software pre-installed.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Feb 2015 @ 7:53am

      Re: Lenovo's statement is such BS

      "I am so sick and tired of these type of statements when a corporation/politician gets caught with their hand in the cookie jar."

      They all seem to follow the same playbook:

      First you lie outright. When that doesn't work, then you start mixing in half-truths and taking back some of the lies. Repeat as needed. Never admit to more than you're forced to.

      A full admission of the truth -- if it ever comes -- will be the result of a long process of dragging it out of them piece by piece by debunking all their lies and distortions.

      Of course, a few will prefer to be a Dick Cheney and deny everything to the bitter end.

      reply to this | link to this | view in chronology ]

  • icon
    DannyB (profile), 20 Feb 2015 @ 6:46am

    Superfish *is* Transparent

    It is perfectly transparent to those who install it onto someone else's PC in order to spy, do MITM attacks and inject ads.

    Were you confused into thinking Superfish meant it was transparent to the person (who paid!) to be spied on?

    reply to this | link to this | view in chronology ]

  • icon
    Roger Strong (profile), 20 Feb 2015 @ 7:28am

    Inevitability You Can Trust

    Superfish will no doubt soon disappear. Only to reappear under a new company and product name. A name containing some variation of "secure" or "trust", but not "ad."

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Feb 2015 @ 7:36am

    Lenovo will be releasing a statement later today with all of the specifics that clarify that there has been no wrongdoing on our end.
    That they jumped immediately to denying wrongdoing tells me this statement was written by a lawyer, in-house if they have one, and likely with at least some briefing on the problem. They have opted, possibly rightly from a legal liability point of view, to completely ignore the public relations disaster and jump straight to liability control. From my limited readings on civil liability, they probably cannot find a way to admit that this was a bad idea without having that admission come back to haunt them in any future court proceedings. Therefore, their only course of action is to deny that mistakes were made.

    As for the claims that users were never vulnerable, the only ways they could possibly believe that is either extreme incompetence or NSA-style redefinition. If by "vulnerable" they mean that their software never actively sent your plaintext around, then yes, users were never vulnerable - as long as they never talk to anyone untrustworthy who sends a certificate that exploits the great gaping hole in the product. That's about as useful as saying that "This window provides great privacy, as long as you don't let any peeping toms get within a mile of it."

    reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 20 Feb 2015 @ 8:23am

      Re:

      "the only ways they could possibly believe that is either extreme incompetence or NSA-style redefinition"

      True. But I think the more likely explanation is that they don't believe it at all and are simply lying their asses off.

      reply to this | link to this | view in chronology ]

  • identicon
    amarone, 20 Feb 2015 @ 7:38am

    They did...

    > That's better, but Lenovo should at least apologize, which it has not done, and admit that it was completely full of shit in insisting that there was no security concern.

    They did:

    https://twitter.com/lenovoUS/status/568578319681257472

    reply to this | link to this | view in chronology ]

    • icon
      That One Guy (profile), 20 Feb 2015 @ 10:02am

      Re: They did...

      Given what else they've said during this debacle, I'd say that's less an honest apology and admission that they were wrong, and more an attempt to salvage at least something after realizing that people weren't buying the 'There's nothing to see here, no glaring security holes, move along' line.

      reply to this | link to this | view in chronology ]

      • icon
        John Fenderson (profile), 20 Feb 2015 @ 10:05am

        Re: Re: They did...

        I also find it interesting that they apparently only apologized over Twitter, rather than in some venue where everyone would see it.

        reply to this | link to this | view in chronology ]

        • icon
          That One Guy (profile), 20 Feb 2015 @ 10:14am

          Re: Re: Re: They did...

          Yeah, do a very public interview with the WSJ claiming it's 'No big deal' and the concerns people are voicing are overblown and the potential problems 'theoretical' and then 'apologize' via Twitter, an 'apology' that will only be seen by those that are following them on that service?

          Umm, no, they're going to have to try a little harder than that if they want people to believe that they're sincere. Contacting the WSJ and making a public retraction of their previous claims would be a good start, but given how utterly dismissive they've been during the whole thing, they've got a lot to make up for.

          reply to this | link to this | view in chronology ]

          • icon
            John Fenderson (profile), 20 Feb 2015 @ 11:09am

            Re: Re: Re: Re: They did...

            " they're going to have to try a little harder than that if they want people to believe that they're sincere."

            Indeed. I think their underlying problem here is that they genuinely aren't sincere. They're just trying to find the proper mouth-noises that will make the whole thing vanish from the public consciousness.

            reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Feb 2015 @ 7:55am

    You can only expect crappy software from a company named commodia...

    reply to this | link to this | view in chronology ]

  • icon
    orbitalinsertion (profile), 20 Feb 2015 @ 9:04am

    I remember when Lenovo was briefly the place you could still get a solid IBM laptop (sort of). Not that IBM are magical saints or anything, but their good aspects tended to be really rather quite good.

    reply to this | link to this | view in chronology ]

  • icon
    The Wanderer (profile), 13 Sep 2016 @ 6:35am

    Removal link update

    A year and a half later, the provided link for the Lenovo removal-instructions PDF is now a 404; as best I can tell, the official removal instructions and list of affected products from Lenovo are now at:

    https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Removal-Instructions-for-VisualDiscovery-Sup erfish-application/ta-p/2029206

    That page does not itself actually explain how to remove Superfish, but it does link to two separate pages for that purpose, one of which provides a dedicated removal tool.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: Copying Is Not Theft
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.