Lenovo Allegedly Installing "Superfish" Proxy Adware On New Computers
An anonymous reader writes It looks like Lenovo has been installing adware onto new consumer computers from the company that activates when taken out of the box for the first time. The adware, named Superfish, is reportedly installed on a number of Lenovo's consumer laptops out of the box. The software injects third-party ads on Google searches and websites without the user's permission.
Another anonymous reader points to this Techspot article, noting that it doesn't mention the SSL aspect, but this Lenovo Forum Post, with screen caps, is indicating it may be a man-in-the-middle attack to hijack an SSL connection too. It's too early to tell if this is a hoax or not, but there are multiple forum posts about the Superfish bug being installed on new systems. Another good reason to have your own fresh install disk, and to just drop the drivers onto a USB stick.
Also at ZDnet.
All the more reason... (Score:5, Insightful)
Re: (Score:2)
s/other //
FTFY
One strike (Score:3)
I'll just buy from elsewhere if I need a Windows machine. I have a one strike and you are out policy on this kind of nonsense. I used to buy their machines back when IBM was still making them but they seem to have lost their way.
Re: One strike (Score:2)
Build your own. Works best for Windows machines and Linux as well
Re: (Score:2)
Build your own. Works best for Windows machines and Linux as well
I'm not a hobbyist and don't have the time. Any Windows machine I buy will almost certainly be for work and I'm not about to waste a ton of time building a machine. If Lenovo wants to load their machines with spyware then there are plenty of other options out there.
Re: (Score:2)
Gotta say... If you NEED a windows machine... my windows VirtualBox VM runs better/faster than most windows laptops.
That cannot be true almost by definition. Running a virtual machine of any description carries overhead which you will not incur running directly on the hardware. I do run Windows machines in VMs and it works great but I'm not going to pretend it is faster than running it directly on the hardware.
slower in theory, faster in practice. w/cheating (Score:2)
> That cannot be true almost by definition. Running a virtual machine of any description carries overhead which you will not incur running directly on the hardware.
A computer scientist might say that's true. A stopwatch will say the virtual machine is faster - much faster. You can easily see it for yourself by checking how long it takes to reboot while installing Windows updates. You can also explain it "scientifically".
You would agree, I'm sure, that a system with 8GB of RAM and a hard drive with 64M
Re: (Score:2)
VirtualBox fucking sucks, though. You can't part out a GPU between VMs like RemoteFX, Citrix, or VMWare can.
Re: (Score:2, Interesting)
Serious Question - So these Lenovo computers most likely come with UEFI. I recently tried wiping a new UEFI Lenovo PC and reinstalling using a Win 7 CD, and the key was retrieved using a tool to read the OS. When it came time to "activate" the fresh Win 7 OS, that key would not be accepted. Lenovo support said they couldn't provide another key, and that only the recovery CD would work. Are there any known workarounds for this?
Re: (Score:2)
I had a similar problem with an HP notebook that had no drivers at all except a recovery Win7 CD. My attempt to reinstall Win8.1 from scratch failed due to the absence of drivers. Moreover, there ARE good drivers for it, but Win8.1 insists on replacing them with fresh but incompatible drivers. As a result, I gave the notebook to my Windows-only friend and switched to Lenovo. I don't use Windows, but at least the Windows drivers for Lenovo are downloadable from their site.
Re: (Score:3)
I'm the same way. The recovery partition is just a chunk from the HDD, so malware can easily seize control of that. Plus, I prefer server operating systems (paid for, of course.) Some laptop makers like Dell can ship a business-line model with a server OS, and since it comes from the OEM, there is a good chance the OS can just activate from the BIOS certificates. I have yet to see a machine shipping with a server OS have any crapware on it, other than maybe some administration tools.
I wish laptop makers
Re: (Score:2)
Even wiping the box may not work. For example in the case of LoJack for Laptops, there is BIOS support that can get a machine to reload the utility even if the main BIOS is reflashed and all media (hard disks, SSD, etc.) are erased. In the case of this product, it can be a good thing, but this same technology that can protect a laptop can be used to reinstall spyware.
Re: (Score:2)
Of course I have yet to see a piece of software that I couldn't in some way uninstall or totally disable, even if it meant manually hacking it out of the registry and deleting its files.
I've never bought a new, pre-built computer before; can you get them without any OS installed?
Re:All the more reason... (Score:5, Insightful)
Why ditch Windows when it's allegedly Lenovo that did the dirty work. If Lenovo shipped a laptop with Linux installed on it with a similar piece of malware, would you be saying ditch Linux too?
Re: (Score:2, Insightful)
Yes. Any new computer is to be completely wiped and reinstalled from scratch. And, if possible, with reflashing of BIOS and every firmware imaginable.
Re:All the more reason... (Score:5, Insightful)
Don't forget to reflash EVERY blob of NAND or ROM inside that box, especially the hard drive firmware. And make sure that the present firmware actually does the flash command you believe you're asking of it, rather than lying about success. I hope you didn't download that new firmware (when's the last time your HDD vendor did that?) on a Lenovo, that's riddled with unsound root certificates.
Are you sure that some magical combination of ASM.JS opcodes, as they are being decoded by your CPU, doesn't trigger a carefully crafted pagetable bug? Is your RAM hammer proof? That's a nice WIFI card you have hooked up to the PCIe bus; what does it really do with malformed data? What about your phone's baseband, and the teeny remotely operated JVM inside your SIM card?
Re:All the more reason... (Score:5, Funny)
As it turns out, not one of my devices, nor any blob inside, is hammer proof.
I hope this pigeon makes it to /. to answer your curiosity.
Re: (Score:2)
Yes, using the BIOS to flash the BIOS will definitely remove any malware.
Oh wait.....
Re:All the more reason... (Score:5, Funny)
Just pull the plug and battery during the process. You'll definitely get rid of the malware.
Re: (Score:2)
Whoosh.
Re:All the more reason... (Score:4, Informative)
At least when some Russian programmer found a hidden Chinese (?) hypervisor in new Intel boards, he found that reflashing actually cures the problem. https://xakep.ru/2011/12/26/58... [xakep.ru] (in Russian). And also, Russians have a proggie that detects it.
Also, the HDD bug can either run before a system - and it will be quite interesting to see how it will break GELI - or become resident. If it uses a VM to become resident, it will be detected. If not, a system (I don't speak about Windows) will overwrite it.
Re: (Score:2)
Yes, and use only self-written OS and self-written programs.
Re:All the more reason... (Score:5, Informative)
I strongly suggest avoiding Lenovo completely. They already fail to boot if there is an unrecognized wifi card (I had to hack the BIOS), and their latest move towards evilness is to refuse to charge both third-party batteries and batteries the system detects as too old.
I used to recommend IBM/Lenovo (Score:2)
But these days I tend to recommend Asus. Certainly they can cost a bit more than an HP/Acer, but they're fairly solid and have a decent warranty. My only real complaint is their preference for 1366x768 resolution laptop screens...
Re:All the more reason... (Score:4, Interesting)
That was because of Microsoft? I hate, hate, hate that practice, but I assumed that it was just because the computer manufacturers wanted to save a dime.
Re: (Score:3)
The problem is hidden malware in firmware in devices like hard drives. No computer manufacturer can be immune to that if they buy parts that are infected when intercepted during shipping between the manufacturer and the computer assembler or end user by some three letter agency. The same for the finished computer. And w
Re: (Score:2)
I second the recommendation for Linux Mint on the Yoga 2. I never booted the copy of Windows that came with it. Set the bios and used a flash drive to install Linux Mint 17 to the SSD and had a great laptop with no malware, shareware or crapware.
And best of all, no Windows 8!
Re:All the more reason... (Score:5, Interesting)
Which is fine for you and me and everyone else reading /. but not so much for the majority of people buying an off-the-shelf laptop from Lenovo.
Seriously, how dumbed down does a Linux installer need to get in order for the average moron to wipe and re-install their YouTube/Netflix binge box?
We've already turned the right-clicking, mouse-wielding user into a drooling baby that just points at the large colorful tiles on the touchscreen to make it "go".
I'm really starting to wonder if the Year of the Linux Desktop is directly tied to reducing the average consumer IQ level to that of a goat. Better start working on the voice recognition interfaces now, since our future appears to be an idiot yelling at a server to make it reboot.
Re: (Score:2)
I was going to say something like this. Linux has been as easy (or easier, with some distros) to install as Windows for years now.
Re: (Score:2)
Last time I tried to install Linux, admittedly more than a few years ago by now, it was very much YMMV. Sometimes it WAS easier than Windows, but other times it was a royal PITA. With the same distro.
Re: (Score:3)
We are all clueless about some things. I, for one, care about clueless computer users because I can help them. I hope to foster a helpful culture so that others can enlighten me about things *I* am clueless about. Or, in other words, technologists should elevate technology for everyone.
Re: (Score:2)
Those of us that get their personal info stolen when some clueless user clicks a phishing e-mail that lets a trojan into a healthcare provider.
Re: (Score:2)
Even on Macs, I prefer to zero out the HDD and install completely cleanly, as a matter of course [1]. In fact, on any hardware, be it POWER7, SPARC, x86, or others, zeroing out the storage and installing clean is a good idea. This not only ensures that one has a clean OS, but that anything that was stashed previously is gone. No cruft, no oddball transient stuff that might have accidentally wound up on the HDD during QA or testing (assuming the box was tested), just a working OS (hopefully.)
[1]: It isn't hard
Does it inject (Score:5, Funny)
Re: (Score:2)
The disk firmware version is not a standalone program. It's a Windows (and maybe Mac) parasite, like everything from the Equation group. You cannot catch it without using Windows. If it does not find a host to infect it has exactly 3 ways: 1) Self-destruct, and the problem is solved, 2) Pretend to be nonexistent, and the problem is at least nonexistent while you use Gentoo, 3) Crash and be sent to Kaspersky.
Re: (Score:2)
true... but if it were the NIC bios, it could perhaps be OS-neutral, just pretending "yeah, the other end had this in the html that came in, honest". At least for non-https.
If you have to be paranoid (Score:2, Funny)
Re: (Score:2)
If it isn't firmware level, a blkdiscard /dev/sda on a SSD should purge anything for good, and definitely not recoverable by any known means.
Hardly allegedly (Score:5, Informative)
From the ZDnet link
The issue has remained latent since Mark Hopkins, a Lenovo social media program manager, confirmed in January that the company was installing the Superfish Visual Discovery software on some of its products in order to serve ads.
Re: (Score:2, Informative)
http://forums.lenovo.com/t5/Le... [lenovo.com]
Re: (Score:3)
And here's the kicker:
Hopkins defended the adware, saying that it “helps users find and discover products visually” and “instantly analyzes images on the web and presents identical and similar product offers that may have lower prices.”
I mean, damn... How stupid do they think people are, that they can actually present this adware as a positive thing for consumers?
Even though Hopkins says the company has stopped installing the software on computers, it appears that’s only “temporary” until the company behind the software makes some tweaks to stop pop-ups.
Aaand... they're just going to tweak it so it's less noticeable. Nice. This software creates a potential man-in-the-middle attack by installing its own signed certificate on your system so it can show embedded ads even if you have a secure connection. Nasty, nasty stuff from a privacy standpoint. This could easily become malware if not for the "good grace
Re: (Score:2)
For desktops, I end up doing similar, and building my own (for my personal use.) However, for laptops, it is good to go with a brand's business line (not consumer junk, but business tiers that actually will offer decent CS). Similar if one needs desktops for a company (since for accounting and auditing, it is good to have machines that have similar hardware or one easily trackable model ID.)
Of course, for personal laptops, there is always Apple. Even if one installs Windows on it (easy to do as it is a U
Glad I Cancelled My Lenovo Order (Score:2)
When I needed a new laptop, I heard good things about Lenovo and they had a good deal so I ordered one. It initially said it would ship in 2 weeks. One week later, that ship date turned into 8 weeks. When I called asking why, I was told "we need some parts" (they wouldn't specify what parts). They also said that it *could* ship earlier but they couldn't guarantee when it would ship. When I tried to cancel, I was told I couldn't but that I could submit a form requesting cancellation which, if approved,
Re: (Score:3)
You didn't order a business-grade laptop, did you?
I have one and mostly love it. The PCI-e blacklist SUCKS (tried installing a new wireless card and it refused; not on the 'ok' list. Had to install a hacked BIOS to allow any PCIe card to be installed. HP is the same stupid way, too). And to be honest, with the hacked BIOS (I didn't hack it) I'm now at risk since I have no good idea what that 3rd party did to create the unblack blacklist, so to speak.
but if you don't need to hack the bios (buy all your st
Re: (Score:2)
I ordered a Thinkpad X60 from back when they were still IBM and got the same kind of fluctuating ship date BS (although I didn't respond by cancelling my order)... I guess nothing's changed.
Re: (Score:2, Offtopic)
I've had bad luck with Toshiba laptops in terms of durability and Linux support. In particular the ACPI DSD tables on Toshibas that I've had detect non-Windows operating systems and *deliberately* disable certain hardware like sound. It's fixable, but a PITA, adding extra steps every time you do a kernel upgrade.
For years IBM then Lenovo was my choice for build quality, but I guess from here on out I'm sticking with Apple. I'm very pleased with the hardware.
Re:Glad I Cancelled My Lenovo Order (Score:4, Informative)
You can always have them officially ship it to your home address, but put a "hold for pickup at UPS/FedEx location" instruction on it. Then you just grab it before/after work, or over lunch hour.
Re: (Score:2)
The "only ship to billing address" is not some conspiracy to keep you from ordering things. It is there to keep other people from stealing your credit card number and ordering a bunch of stuff.
If you are paranoid about your bank knowing the address of your work... well, perhaps you should not be using credit cards on the internet, since they will know about that laptop you just bought.
Revenge (Score:5, Interesting)
Re: (Score:2)
There are some really harsh laws concerning hacking and cracking. If Lenovo knew or caused this breach perhaps they could be prosecuted and actually jailed for this behavior.
Oh please. Laws are for little people. You know, the ones who aren't corporations. No one is going to jail for "just doing what it takes to 'compete' in a free market". What did you think we meant when we had our Spokesman In Chief tell you that "government is the problem"?
worse a fake root certificate! (Score:5, Insightful)
What were Lenovo thinking? People pay bills online, you know. This could easily steal lots of information.
As much as we bashed RMS here for being a lunatic he has a point with trusting a for profit entity making closed source software.
Re:worse a fake root certificate! (Score:4, Interesting)
bankofamerica.com courtesy of Superfish:
https://i.imgur.com/Ky0Bwih.jpg [imgur.com]
Not sure about the source of the screenshot, independent confirmation would be good.
Re:worse a fake root certificate! (Score:5, Insightful)
Wouldn't really need one - SuperFish works in such a way that it inserts itself for any site. What would it do otherwise, keep a blacklist of all the possible banking/investment/whatever sites in the world that it should ignore?
So yes, bankofamerica.com courtesy of SuperFish, but also facebook courtesy of SuperFish and YouTube courtesy of SuperFish and Mom & Pop's corner store courtesy of SuperFish.
It's a nasty piece of software in that its intent is to serve up ads (and/or collect information, of course), but this sort of thing is also readily available on the market for parents who want to keep tabs on little johnny's browsing habits or bosses who want to keep tabs on their employees. Unless johnny/employee / their browser checks the certificate and notices it's probably not what it's supposed to be despite being perfectly valid, bob's your uncle.
Re: (Score:3)
It didn't occur to me that it actually included the private key for its own root certificate in the local proxy...
Unbelievably stupid design.
Re: (Score:2)
How could it MITM with only the public key? It needs to sign each destination HTTPS site with the private key.
Each install could generate a unique key pair and install a new root cert.
Re: worse a fake root certificate! (Score:2)
Is there a way for sites to detect and block this?
Re: (Score:3)
Is there a way for sites to detect and block this?
No. The host is compromised.
Even if the bank mailed you a copy of their real cert, the compromised host could just update the malware to fetch the real cert and display that when the user tries to view the cert's details.
Even if the bank handed you a copy of a UNIQUE cert they use for ONLY for you, IN PERSON, and you handed them your own UNIQUE client cert, the compromised host could just watch all the legit shit happen when you log in the first time, then fuck you in the ass with that legit information.
Ev
SuperFish Private Key cracked (Score:5, Informative)
See http://blog.erratasec.com/2015... [erratasec.com]
Now all these boxes can be owned by anyone with the key!
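The point made in this post and in the replies above (the proxy signs a fresh certificate for any site, its root private key is the same on every machine, and per-install keys would have limited the damage) can be reproduced end to end with Go's standard library. The program below is an added example written for this page, not Superfish's code or Lenovo's: the root names, the P-256 keys and the hostname bankofamerica.com (taken from the screenshot discussion above) are all generated or assumed here, and nothing in it is Superfish's actual certificate or key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca pairs a root certificate with its private key. A Superfish-style root ships that
// key inside the proxy on every machine, so whoever extracts it signs what the proxy
// signs. Keys and names here are generated for this example, not Superfish's own.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// sign issues a certificate for tmpl with a new P-256 key; nil parent means self-signed.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newRootCA makes a self-signed root that may sign other certificates.
func newRootCA(name string) (*ca, error) {
	cert, key, err := sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
	return &ca{cert: cert, key: key}, err
}

// forgeLeaf mints a server certificate for any hostname, as the proxy does for every HTTPS site.
func (c *ca) forgeLeaf(host string) (*x509.Certificate, error) {
	cert, _, err := sign(&x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, c.cert, c.key)
	return cert, err
}

// verifyRoot does what a browser does: find a path from leaf to any root in the store and
// match the hostname. It returns the anchoring root, or nil; it cannot tell injected from real.
func verifyRoot(leaf *x509.Certificate, host string, roots *x509.CertPool) *x509.Certificate {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil {
		return nil
	}
	return chains[0][len(chains[0])-1]
}

// spkiHash is what a pinning client stores for the issuer it expects to see.
func spkiHash(cert *x509.Certificate) [32]byte {
	return sha256.Sum256(cert.RawSubjectPublicKeyInfo)
}

func main() {
	const host = "bankofamerica.com"
	shared, err := newRootCA("Superfish-style root (modelled)")
	if err != nil {
		panic(err)
	}
	forged, err := shared.forgeLeaf(host)
	if err != nil {
		panic(err)
	}
	victim := x509.NewCertPool()
	victim.AddCert(shared.cert)
	// Store holds the shared root: the forged bank cert is "perfectly valid".
	fmt.Println("victim store accepts forgery:", verifyRoot(forged, host, victim) != nil)
	fmt.Println("clean store accepts forgery: ", verifyRoot(forged, host, x509.NewCertPool()) != nil)
	// A client pinning its genuine issuer's SPKI (another root stands in for it here) flags
	// the interception, as long as the client itself has not been tampered with.
	genuine, _ := newRootCA("Genuine public CA (modelled)")
	fmt.Println("pin mismatch detected:       ", spkiHash(verifyRoot(forged, host, victim)) != spkiHash(genuine.cert))
}
```

Two things follow from running it. First, generating a second root with the same name but a fresh key and putting only that one in a store makes the forged leaf fail verification, which is exactly the per-install key design one reply above asks for: an extracted key would then only endanger the machine it came from. Second, the SPKI pin only helps when the checking software is itself trustworthy, which is why the reply "the host is compromised" is the right answer to whether a site can defend against this from its end.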
Re: (Score:3)
If only someone could identify Lenovo employees using Lenovo computers...
Lenovo Yoga 2 Pro (Score:2)
I just checked on my Lenovo Yoga 2 Pro I bought a few months ago, and it does not have Superfish as a trusted root certificate authority, as indicated in the screenshot in TFA.
Nothing new. (Score:5, Informative)
That's why you run decrapifier as the very first thing. http://www.pcdecrapifier.com/ [pcdecrapifier.com]
Only then do you run your ninite selection. https://ninite.com/ [ninite.com]
Re: (Score:2)
Lenovo was caught and they are backpedaling. They SAY there is a removal script.
Does it do a complete job? Somehow, I have my doubts, and suspect that it leaves some stuff behind (like almost all Windows 'uninstallers').
I really wish the US would punish companies (in a truly painful way, such as 10% or more of their GROSS income) when they act in bad faith, on purpose, like this.
then again, if the US punished bad actors, it would have to constantly punish ITSELF.
well, maybe that's needed too .....
as we all know,
Re: (Score:3)
Does it do a complete job? Somehow, I have my doubts, and suspect that it leaves some stuff behind (like almost all Windows 'uninstallers').
It doesn't
http://forums.lenovo.com/t5/Le... [lenovo.com]
Re: (Score:3)
as we all know, if a bad actor behaves badly and there is no punishment, what reason does he have to change his bad ways?
the fact that the US fellates all corporations, as a form of religion, is what allows them to continue the bad behavior. in fact, it encourages it by rewarding 'profit, above all else'.
it really seems clear to me that we have chosen the wrong 'god' to worship. profit, above all else, WILL be our downfall. it has started already and many of us see it. but our words are not being heard ;(
It started with a good idea: make it so that a person who makes a mistake running their business can't be sued into personal oblivion. If you remove that major risk factor, it will encourage (or more accurately, not heavily discourage) more people to start their own businesses. Eventually, though, corporations got big enough that they could use this merely to shield themselves from the consequences of any actions they take, so there's no risk at all to doing things that would likely destroy most small busin
Lenovo website says they deactivated it... (Score:3, Interesting)
http://forums.lenovo.com/t5/Le... [lenovo.com]
"Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.
Lenovo stopped preloading the software in January.
We will not preload this software in the future."
However, later in the post they state that the root CA will remain intact. The private key has already been extracted and cracked, so this leaves Lenovo users still open to a very easy MITM attack.
Re:Lenovo website says they deactivated it... (Score:5, Insightful)
Yes, that response was insufficient on a number of points. But what struck me about their statement was this:
The relationship with Superfish is not financially significant; our goal was to enhance the experience for users.
Why in the world do companies keep insisting that datamining and delivering ads "enhances the experience for users"? They can't possibly believe that. If they do, then they're hopelessly delusional. If they don't, then they're scumbag liars. Either way, it does nothing but make them look terrible.
Re: (Score:2)
Why in the world do companies keep insisting that datamining and delivering ads "enhances the experience for users"?
Because it's the only way they can possibly spin advertising as being somehow pro-consumer. There's really no other way.
Re: (Score:2)
"enhances the experience for users"
that's why super-fish is mandatory and installed on all their corporate PCs?
Not the first time. (Score:2)
I've run into this recently on a Lenovo tablet, but I don't think it was Superfish (honestly I don't remember the name, but it was factory installed. ADWCleaner caught it), although it looks like they purposely obfuscate the name to confuse people so they can't uninstall it.
And this is Adware No. 2 for them. They had their own homebrewed Adware program called Message Center Plus. It was so bad that MSE Detected it.
IBM knew how to make a laptop. Lenovo knows how to exploit a brand name. It's a good thing Goo
Total Idiocy (Score:5, Informative)
"Superfish will be removed from Program Files and Program Data directories, files in user directory will stay intact for the privacy reason. Registry entry and root certificate will remain as well."
Which means we can crack that shit and pwn any computer that even had the software 'removed.'
Oh, and then issuing certificates under the names of other corporations? I do believe that is identity theft, at the bare minimum.
Lenovo should be hit in the courts hard over this.
Firefox immune to this shit (Score:3)
Firefox maintains its own certificate database so this SSL MITM vulnerability won't affect FF users - only IE and Chrome.
Re: (Score:2)
Correction: There might be code to inject into FF and Opera - https://twitter.com/supersat/s... [twitter.com]
Problem is the incentives (Score:2)
I'm a big ThinkPad fan, but I generally go download a fresh set of drivers and run my own OS install when I buy one.
This just sounds like a PC manufacturer wanting to juice the margin a few dollars by installing some crapware. Most techies just wipe out the crapware, but the crapware vendors pay the manufacturer to put their crapware on the machine image. Unfortunately, it looks like they went one step further and installed crapware that was spyware also.
I'm surprised they thought they could get away with i
Another on the list (Score:2)
Well, I'll just add Lenovo onto my list of companies whose products I will never again purchase. That they could think this was an acceptable thing to do tells me that they cannot ever be trusted.
Re: (Score:2)
Lenovo is a Chinese company, now. Where the fuck have you been, in a cave?
Bad joke (Score:2)
So you could say the fish was caught?
Re: (Score:2)
I'd say that it confirms that Lenovo is a fishy company.
Nonsense. (Score:2)
Re: (Score:2)
"Really guys? This is on the Windows side"
Nope, just tried using the injection code that the malware has for FireFox under Linux (Ubuntu) - it works and injects into FF's certificate store.
Perhaps you should do some of the work yourself instead of spouting off nonsense.
Information about the Responsible Parties (Score:3)
http://i.imgur.com/kRO8OW5.png [imgur.com]
A nice cached screencap of their (conveniently) down website.
See all these people, here? These are the people that need to be dragged into court.
Did anyone bother to check this out? (Score:3)
From : http://news.lenovo.com/article... [lenovo.com]
LENOVO STATEMENT ON SUPERFISH
Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping. However, user feedback was not positive, and we responded quickly and decisively:
Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.
Lenovo stopped preloading the software in January.
We will not preload this software in the future.
Re: (Score:2)
Yea, and it's a big lie as there are forum posts in JUNE talking about this exact software.
Do you bother to do investigation before jumping to a conclusion?
Computer Fraud and Abuse Act (CFAA) (Score:2)
How does interfering with user encryption this way not qualify as a violation of the Computer Fraud and Abuse Act (CFAA) ?
Re: (Score:2)
Considering it's bypassing BANK security stuff as well as anything else using SSL...
Well, the execs won't see jail time - they're in fucking China.
Re: (Score:2)
Not really. Consider the following:
Over-promoted walking haircut (with "Executive" in his/her title somewhere) hears something about this "Superfish thingy". They get it in their hard-wired little business-school brains that "duuh Superfish = money = good", he/she grills someone with actual knowledge about it and selectively listens to how they can make money with it, and how it can be installed on every lapto
Re: (Score:2)
Agreed. This attitude more than anything else, in my opinion, is the biggest challenge the current economic environment faces. How do you keep someone from sacrificing long-term growth and stability for short-term gains, when they have a financial incentive to build the latter? You don't. Not without a mandate from an outside authority.
Yeah, yeah, gubmint bad, free market good, invisible hand, FREEEEEDOOOOOMMMM, etc.
Re: (Score:2)
Don't get me wrong, it was a very nice laptop. Good battery, expansions and a carbon chassis.
What do you mean by carbon chassis? Is it made out of carbon fiber? Diamond? Graphite?