Lenovo Laptops Ship With Giant Security Hole

HardOCP News

It looks as though Lenovo is giving its customers a little something extra when they buy a laptop. :eek:

Rob Graham, CEO of security firm Errata Security, has cracked the cryptographic key encrypting the Superfish certificate. That means anyone can now use the private key to launch man-in-the-middle HTTPS attacks that won't be detected by machines that have the certificate installed.
 

shspvr

Every laptop I have owned gets a full wipe and then a reinstall of a standard OS disk without all that BS bulk ware and crap ware.
 

amddragonpc

Liam Neeson should deliver his "I will find you and I will kill you" speech to Lenovo because of this.
 

MrCaffeineX

> Every laptop I have owned gets a full wipe and then a reinstall of a standard OS disk without all that BS bulk ware and crap ware.

I do the same. All of the manufacturers I have dealt with engage in similar behavior. They call it revenue enhancement. Hopefully the usual bloatware is not as potentially dangerous as this stuff though.

From the BBC article on the same topic:
According to security experts, it appears that Lenovo had given Superfish permission to issue its own certificates, allowing it to collect data over secure web connections, known in malware parlance as a man-in-the-middle attack.
 

xorbe

Is that possibly breaking some privacy law? Did the end-user opt in?
 

Gweenz

Slow day at work so I've been reading about this all morning. Superfish installs what is essentially a wildcard certificate that breaks the certificate chain of trust. The end result is that Superfish's software becomes the CA for all certificates on that particular computer.

Unsurprisingly, Lenovo has come out and said publicly that there is no security risk and there is no evidence that this has been exploited in any way (other than Lenovo getting paid by Superfish and taking advantage of its customers, of course) but it is obvious to anyone with even modest knowledge of how certificates work (myself) that the Superfish "bug" could be used for MITM attacks.

Lenovo has also released a statement on how to remove Superfish, which obviously has been scrutinized by a team of lawyers so that Lenovo shoulders no blame and takes no responsibility. It is here:

http://forums.lenovo.com/t5/Lenovo-...lDiscovery-Superfish-application/ta-p/2029206

I read that as "we were just doing it for your benefit, but if you don't want us helping you, fine, here is how to remove it". It also does not remove the installed certificate. Of course a fresh install of Windows will fix the problem, but most laptops do not come with disks, only a recovery partition which when run will reinstall Superfish. The average Lenovo customer will have no idea this is on their computer and worse, does not have the technical ability to permanently remove it.

This is a bad move, Lenovo.
 

xorbe

Probably just a miscommunication between the Lenovo sales and engineering team.
 

Pyroja

> Probably just a miscommunication between the Lenovo sales and engineering team.

:p:p:p

But seriously, this is brutally bad. Lenovo is big with businesses. One would think this would wipe out any trust with them.
 

Sp33dFr33k

Gotta wonder where the team is who gave the go ahead for this. I'm sure they've been rewarded with wonderful bonuses and stock options. I have a feeling there's a lawyer out there drafting up a class action suit.
 

dave99

> Slow day at work so I've been reading about this all morning. Superfish installs what is essentially a wildcard certificate that breaks the certificate chain of trust. The end result is that Superfish's software becomes the CA for all certificates on that particular computer.
>
> Unsurprisingly, Lenovo has come out and said publicly that there is no security risk and there is no evidence that this has been exploited in any way (other than Lenovo getting paid by Superfish and taking advantage of its customers, of course) but it is obvious to anyone with even modest knowledge of how certificates work (myself) that the Superfish "bug" could be used for MITM attacks.
>
> Lenovo has also released a statement on how to remove Superfish, which obviously has been scrutinized by a team of lawyers so that Lenovo shoulders no blame and takes no responsibility. It is here:
>
> http://forums.lenovo.com/t5/Lenovo-...lDiscovery-Superfish-application/ta-p/2029206
>
> I read that as "we were just doing it for your benefit, but if you don't want us helping you, fine, here is how to remove it". It also does not remove the installed certificate. Of course a fresh install of Windows will fix the problem, but most laptops do not come with disks, only a recovery partition which when run will reinstall Superfish. The average Lenovo customer will have no idea this is on their computer and worse, does not have the technical ability to permanently remove it.
>
> This is a bad move, Lenovo.

And not surprisingly, that certificate has now been hacked, password is: komodia
http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html

Brilliant move, Lenovo. This is up there with Sony rootkit level of insanity.
 

Advil

I would really like to see a return to laptops and desktops that come clean installed...

Wait, no I wouldn't. It would hurt my business. ;)

What really pisses me off anymore is how new systems need 6+ hours of updates and other things that should be there, that might not even WORK because of all the preloaded crap.

Am I the only one experiencing Windows 8 systems that won't update properly right out of the box? It's the preload the factory uses. It has nothing at all to do with Microsoft as a clean install cures it instantly.

So how many people are "pissed off at Microsoft" over Windows 8 when the problems are actually the utter #$%^ preloaded installs the major manufacturers are using?
 

pothb

This seems to only have been in the last 6 or so months. So I guess I'm safe. I did go through the computer and tried to find what all the preloaded crap did, and uninstalled what I thought was pointless. But you never know....

Man, and Lenovo has been one of the better laptop makers, too.
 

Gweenz

> Am I the only one experiencing Windows 8 systems that won't update properly right out of the box? It's the preload the factory uses. It has nothing at all to do with Microsoft as a clean install cures it instantly.

We have been seeing the same thing, especially with HP laptops and desktops updating to 8.1. A fresh install cures it. It is either from their software suite or their recovery process, which subverts Windows 8's built in one.
 

magnetik

for those that can't click on links while at work...

Superfish may have appeared on these models:

G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30
 

shansoft

Why are people using Lenovo laptops in the first place?

I would rather get HP junk than their crap. Also, would not be surprised if it's used for Chinese surveillance.
 

TwiceOver

Tested 2 different T-Series Thinkpads, both bought within the last 6 months, neither had this.

I'd take a business class Lenovo over any HP any day of the week. God they make garbage. Well, except the HP Folio 13. Other than the screen, that laptop is excellent.
 

pothb

> Why are people using Lenovo laptops in the first place?
>
> I would rather get HP junk than their crap. Also, would not be surprised if it's used for Chinese surveillance.

Cuz it's better than HP junk?
 

Gweenz

The HP Probook line before last year was pretty decent, metal case and solid internals without a lot of extra junk. Now the Probook line is garbage and Elitebook line is just ok. Stay the fuck away from any HP dv series, "Envy", or any laptop with a beats logo on it. We have stacks of dead HP "entertainment" laptops.
 

TwiceOver

> The HP Probook line before last year was pretty decent, metal case and solid internals without a lot of extra junk. Now the Probook line is garbage and Elitebook line is just ok. Stay the fuck away from any HP dv series, "Envy", or any laptop with a beats logo on it. We have stacks of dead HP "entertainment" laptops.

I actually have a Probook sitting right here on my desk. It is 4 years old now. What a fat pile of shit this laptop is. I remember when it was brought to me 4 years ago and I said the same thing at that time too.
 

CreepyUncleGoogle

Lenovo is clearly a business that is wholly owned and operated by demonic creatures that are MSNBC spies who were bribed into betraying their masters that are evil hamsters living in submarines under the Antarctic sea ice (there's really no landmass there and you're not supposed to know that) by Subway sammich artists who promised them a bunch of peppermint bark in exchange for them subverting all of Lenovo's new computers into allowing monkey in the middle attacks that steal all your bananas.

...


True story, bro! I read it on the blog I pretend to write! If I actually wrote it, I'd give you a URL to the article where I claim to quote an anonymous industry insider who is somehow in the know about that, but signed a NDA or two preventing not-anonymous disclosure.
 

Bobert

> Lenovo is clearly a business that is wholly owned and operated by demonic creatures that are MSNBC spies who were bribed into betraying their masters that are evil hamsters living in submarines under the Antarctic sea ice (there's really no landmass there and you're not supposed to know that) by Subway sammich artists who promised them a bunch of peppermint bark in exchange for them subverting all of Lenovo's new computers into allowing monkey in the middle attacks that steal all your bananas.
>
> ...
>
> True story, bro! I read it on the blog I pretend to write! If I actually wrote it, I'd give you a URL to the article where I claim to quote an anonymous industry insider who is somehow in the know about that, but signed a NDA or two preventing not-anonymous disclosure.

I'm sure all the Lenovo users are laughing. :rolleyes:

This has pretty serious security implications being a MITM attack.

I'd almost guess you are a corporate shill, but maybe you are just a troll.
 

xorbe

Anyone that accessed medical information, the MITM guy is in trouble.
 

-Dragon-

> This seems to only have been in the last 6 or so months. So I guess I'm safe. I did go through the computer and tried to find what all the preloaded crap did, and uninstalled what I thought was pointless. But you never know....
>
> Man, and Lenovo has been one of the better laptop makers, too.

Uninstalling isn't good enough. You have to actually go into the certificate store and delete the bad Root CA, which the uninstall program doesn't do, it leaves you permanently vulnerable unless you go mess around in MMC.
 

CreepyUncleGoogle

> I'm sure all the Lenovo users are laughing. :rolleyes:
>
> This has pretty serious security implications being a MITM attack.
>
> I'd almost guess you are a corporate shill, but maybe you are just a troll.

Well, if you _must_ take stuff seriously and be a big mister angry-face about it, you could maybe uninstall the program and then run certmgr.msc so you can delete the Superfishy cert.

Either way though, I insist the story I made up about how it happened in my previous post is one hundred and eleventy mo-jillions of percent true. I mean seriously, I claim to have read about it on the blog I pretend to write. That's gotta be legitimate.

But no, I don't work for Lenovo. If I did though, I'd totally work in their Marginal Scavenger Division because they use these super high tech gardening tools equipped with smarty-pants phone-like operating systems to rummage through peoples' trash to find old postage stamps that are then cleverly peeled from envelopes that used to contain pen pal letters. The company can then reuse those stamps in business reply mail.

....

True story, broskis! I read all about it from an anonymous industry insider source on the blog I pretend to write. :p
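
The manual cleanup mentioned in the posts above (deleting the leftover root CA through MMC or certmgr.msc) can also be audited from PowerShell. This is an added example, not part of any post in the thread; the function name `Find-SuperfishRoot` is hypothetical, and matching on the string "Superfish" in the certificate's subject or issuer is an assumption. It covers only the Windows certificate stores.

```powershell
# Added example (not from the thread). Lists any trusted-root certificate whose
# subject or issuer mentions Superfish, and deletes it only when -Remove is given.
# Assumption: the leftover certificate carries "Superfish" in its Subject/Issuer.

function Find-SuperfishRoot {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$Pattern = 'Superfish',   # assumed substring, treated as a regex
        [switch]$Remove
    )

    # A root CA can be trusted machine-wide or for the current user only,
    # so both stores have to be checked.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

    foreach ($store in $stores) {
        $hits = Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern }

        foreach ($cert in $hits) {
            # Emit one record per match so the result can be logged or exported.
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
            }

            # ConfirmImpact = 'High' makes ShouldProcess prompt before each deletion;
            # -WhatIf shows what would be removed without touching the store.
            if ($Remove -and $PSCmdlet.ShouldProcess($cert.Subject, "Remove from $store")) {
                # Removing from LocalMachine requires an elevated session.
                Remove-Item -Path $cert.PSPath
            }
        }
    }
}

# Report only (no changes made):
Find-SuperfishRoot

# Report and delete, with a confirmation prompt per certificate:
# Find-SuperfishRoot -Remove
```

An empty result from the report-only call means neither Windows root store holds a matching certificate.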
 

pothb

> Uninstalling isn't good enough. You have to actually go into the certificate store and delete the bad Root CA, which the uninstall program doesn't do, it leaves you permanently vulnerable unless you go mess around in MMC.

Yea, I read that. But I'm not one that's been affected by this one. Unless the older ones had issues as well, I'm safe... at least from that.
 

Thanatos.

Wow, I can't believe someone at Lenovo thought it was a good idea to put this software on their laptops. The damage this has caused to their image and reputation is staggering. This could kill them as a business. I had been recommending Lenovo or Dell to colleagues that asked me for laptop recommendations. Two of them bought Lenovos, hell, I even bought one. I know one had Superfish on there because I removed it from the system when I helped them set it up, but didn't know about the cert. Looks like I've got some more work to do for them. Goddamn, this was really stupid of them. Hope the money from Superfish was good because they are going to lose a lot of money from this for the next few years. Looks like Dell is all I can recommend now.
 

mi7chy

Seems like Lenovo's consumer and business product groups are run by different people. Morons in consumer product group are making everyone at the company look bad. Thinkpads aren't affected by this.
 