May 22, 2017

Lenovo Pays For Careless Product Decisions

The discovery last week that Lenovo laptops had been shipping with preinstalled adware that left users wide open to security exploitation triggered a lot of righteous anger in the tech community. David Auerbach at Slate wrote that Lenovo had “betrayed its customers and sold out their security”. Whenever a big company does something so monumentally foolish, it’s worth stepping back and asking how this could have happened.

But first, let’s review what happened. Lenovo laptops came preinstalled with adware from a company called Superfish, which intercepted users’ web traffic in order to insert ads. The adware would intercept even encrypted (https) connections, a capability it achieved by including software written by a company called Komodia. If the user tried to make a secure connection to, say, https://bank.com, the Komodia software would impersonate bank.com to the user’s computer, so that it could get its hands on the secure traffic that the user thought was going directly to the bank. The Komodia software succeeded at impersonation because it (1) modified the user’s computer to allow a certain private cryptographic key to vouch for the identity of any site, and then (2) using that private key, which was baked in to the Komodia software, to carry out the impersonation. Later, researchers discovered that in some cases Komodia accepted a site’s claimed identity without verification, making impersonation attacks even easier.

That’s a somewhat involved scenario, but the upshot is this: anyone on the net could impersonate any site to any affected Lenovo laptop user. Users’ email, private files, finances, online health information, and so on were wide open.

When this came to light, the fingerpointing began. Lenovo first said, implausibly, that the security problem was only theoretical, and anyway the software helped users by presenting them with ads for useful products. Later, Lenovo admitted error and pledged to issue a patch to close the hole. Superfish has said that its product is legitimate and the fault is Komodia’s. Komodia has been silent, as far as I can tell.

A stranger to today’s tech market would ask: Why in the world would a company like Lenovo include in its product a security-critical component, made by a small unrelated company, that has not been carefully vetted? Yet this practice seems to be common, and especially where ads are concerned. Mobile apps often include third-party ad libraries, and many publishers allow unrelated parties, which they hope are only placing ad content, to include material (and often software code) on their pages. Unchecked third-party inclusions of code are a ticking time bomb for many companies. In Lenovo’s case, the bomb went off, but others are equally vulnerable.

Superfish’s response has been a classic of security flaw denialism. Here’s an excerpt:

Despite the false and misleading statements made by some media commentators and bloggers, the Superfish software does not present a security risk. In no way does Superfish store personal data or share such data with anyone. Unfortunately, in this situation a vulnerability was introduced unintentionally by a 3rd party.

The only way to read this as anywhere close to true is to postulate that Komodia is an unrelated party whose software somehow got onto the same computer as Superfish’s—as opposed to something that Superfish shipped as part of its product. Not to mention that if there was an “unintentional” vulnerability, it could only have been the extra vulnerability discovered at the end. The original vulnerability, the use of a private key installed everywhere that could impersonate any site to any affected user, could only have been a deliberate design decision by Komodia. And there was plenty of reason to suspect trouble with Komodia’s product—if somebody says they can intercept other people’s encrypted communications, it’s a good guess that they are doing something irregular.

If any good comes from this mess, it will be because companies learn from Lenovo’s experience and start paying closer attention to what they are including in their products. When a computer maker installs junkware on their systems, they are doing more than making a few pennies. They are putting their users at risk. Companies that respect their customers should refuse to do that.

Comments

  1. Australian says:

    The other thing to learn is that including software that modifies our systems in any way in order to advertise to us is just insulting. For either the security disgrace, or the advertising insult, I and my company will never consider buying a lenovo.

  2. Wait, a company that’s owned in part by the People’s Liberation Army would do something shady? I am shocked! Shocked and dismayed. Seriously, I warned my peers about this when Lenovo took over IBM’s PC business, and was resoundingly ignored. How could anyone not see ths coming?

  3. The big reason is that (other than maybe in the marketplace, and other not even then) there’s no liability for decisions like this. If not placed on machines by the manufacturer (whose EULA language may or may not cover this eventuality) or used for purposes of advertising, Superfish might naively be characterized as the kind of malware attack that put people in federal prison for a decade or more and costs them the rest of their careers in restitution. But as it is, it will probably be a blip in Lenovo’s income statement.

    The faux-naivete of the public statements is apparently an established way of outsourcing blame. We saw it a couple weeks ago in the Samsung Smart TV debacle (which has only gotten worse) when Samsung’s privacy policy “explained” that the company couldn’t be responsible for the treatment of user data by third parties. Of course they can: it’s called contract law. Samsung’s lawyers could simply have told Nuance, “If you want us to pay you piles of money to use your software and servers, you will make sure that user data is encrypted, and you will apply industry best practices to safeguarding that data in transit and in storage.” But no, somehow that never got said. And typically the blame-outsourcing works: it’s more expensive to either prove that a company was negligent in not regulating the behavior of third parties, or to sue the third parties directly.

  4. This reinforces the habit of nuke-and-repave the OS on acquisition of new hardware.

  5. L Jean Camp says:

    The more I read, the more it looks like Superfish went down a list of best practices for certificate generation and use. Then they carefully checked everyone to make certain that they violated it.

    Bad crypto? Check.
    No use constraints? Check (from what I have seen this could be used for code-signing)
    Private key stored locally? Check
    One weak password protecting details? Check
    Egregious installation choices? Check

    What did they miss? Anything?

    We do have security best practices. Companies do this because they can.
    http://www.ljean.com/files/eCrime2015CameraReady.pdf

  6. Harry Johnston says:

    Security issue aside, don’t affected web site owners (i.e., practically everyone) have a cause of action here? It seems to me that injecting someone else’s ad into my business site without my consent amounts to tortious interference. (Particularly since according to reports at least some of the ads in question were borderline pornographic. How can that not adversely affect someone’s business?)

  7. I was suggested this blog by way of my cousin. I’m not positive whether or not
    this publish is written via him as no one else know such designated about my difficulty.
    You’re wonderful! Thank you!