In this series of blogs we will examine all topics under the information security umbrella. From corporate blunders to rogue state attacks to the occasional celebrity hack, we believe there is something for businesses and individuals to learn from any cyber security event. We also believe that, while experience is the best teacher, it’s even better to let other people make the mistakes for you.
Trust for Sale
Would you buy a home from a man who was convicted of Breaking and Entering? How about taking a trip with a taxi driver who has had his license suspended? Probably not, right? Fortunately there aren’t many respectable businesses out there entreating us to part with our hard-earned dollars just to take advantage of our trust with a good ol’ switcheroo. Well, unless you recently bought a Lenovo computer, that is.
Malware Included at no Extra Cost!
Things really may not be as bad as I described above, but the story is pretty horrifying nonetheless. Lenovo admitted to preinstalling Superfish adware on certain laptops with the intention “to help customers potentially discover interesting products while shopping.” However, the software allegedly does more than the company suggests it was supposed to. By allegedly installing its own self-signed certificate authority, the software can inject ads into encrypted “https” websites, including secure retail or banking pages. If only there were some sort of paper trail of Superfish’s previous work to give an indication of their track record with privacy and security concerns. But let’s keep it about Lenovo for now…
Original statements from Lenovo’s CTO said that this threat of piracy and data compromise presented by the software was only theoretical. In a decisive rebuttal, however, Errata Security’s CEO, Robert Graham, outlined detailed instructions on how exactly (and for not much investment, about $50) a hacker could set up a malicious Wi-Fi hotspot to take advantage of compromised Lenovo computers. Whether someone has the know-how and motivation to create such a trap with only a few bucks and some time to kill is beside the point. The crux of this issue lies in the fact that users shouldn’t have to worry about preloaded software on their brand new devices potentially harming them.
So You Bought a Lenovo, Now What?
Fortunately, the hardware that had Superfish pre-installed came in computers shipped in a relatively small window beginning in September 2014 and continuing for an as-yet-uncertain period thereafter. Not sure if you have Superfish on your computer? Because Lenovo’s first two attempts to correct the issue were terrific acts of futility, I would first suggest diagnosing whether you are at risk. To do that, there is a brilliantly elegant and simple diagnostic interface designed to automatically detect Superfish and other, similar threats. Simply go to the appropriately named Badfish tool and the website will handle the rest. Spoiler alert: you don’t want it to say “yes.” If you do have the malware on your computer, you can check the latest correction Lenovo has published, but I would advise following their instructions, rebooting, and then returning to Badfish to make sure that your computer is clean.
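As a local complement to the browser test described above, the following PowerShell script (an added example, not part of the original post and not Lenovo or Badfish tooling) lists trusted root certificates in the Windows stores whose subject or issuer contains the vendor names mentioned in this article. The name pattern is an assumption built from those names, so a clean result does not rule out other interception software.

```powershell
# Added example: audit the Windows trusted-root stores for certificates tied to
# the vendors named in this article. The pattern below is an assumption based on
# those names; it is not a complete list of products built on Komodia's technology.
$namePattern = 'Superfish|Komodia'
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $reasons = @()

        # -match is case-insensitive, so 'SUPERFISH' and 'superfish' both hit.
        if ($_.Subject -match $namePattern -or $_.Issuer -match $namePattern) {
            $reasons += 'name matches a vendor named in the article'
        }

        # General heuristic: a trusted root whose private key is stored on this
        # machine can sign certificates for any site. Flag it for manual review.
        if ($_.HasPrivateKey) {
            $reasons += 'private key present on this machine'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Reason     = $reasons -join '; '
            }
        }
    }
}

if ($findings) {
    $findings | Format-List
} else {
    'No trusted root matched the vendor names or carried a private key.'
}
```

Browsers that keep their own certificate store, such as Firefox, are not covered by the Windows stores and need a separate check.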
Aftermath: Show Your Work for Full Credit
How did Superfish actually contribute to Lenovo committing one of the most egregious (if not the most egregious) breaches of consumer trust of the personal computing era? In a word, Komodia. Komodia is responsible for providing the fake certificate Superfish used in its programming that gave it access to the secure information that it should not have seen. Here’s where it gets a little scary: Komodia’s technology is easily compromised and has been utilized by what it claims are hundreds of clients, including Fortune 500 companies, for applications like parental control apps or anonymous search applications.
And if That Wasn’t Bad Enough
This means that, according to Marc Rogers, a security researcher for CloudFlare, the same inherently dangerous, fundamentally flawed technology that was in Superfish exists in many more products. I am not sure if the Badfish page will detect threats for everyone who has any type of parental control software installed, or who has ever come into contact with a Komodia product, but it seems clear that anyone who has should begin checking for malware. Now.
Sorry to leave you with some sobering news this time, but it’s a jungle out there. Stay safe and remember to Protect ya Neck.