According to the BBC, PC maker Lenovo has been forced to remove hidden adware that it was shipping on its laptops and PCs after users expressed anger. Here to comment on this news are information security experts Ken Westin, senior security analyst at Tripwire; TK Keanini, CTO at Lancope; and Brett Fernicola, CISO of Stealthbits Technologies.
Ken Westin, senior security analyst for Tripwire (www.tripwire.com):
It will be interesting to see what effect this has on Lenovo’s sales and brand reputation. With increasingly security- and privacy-conscious buyers, laptop and mobile phone manufacturers may well be doing themselves a disservice by seeking outdated advertising-based monetization strategies. If the findings are true and Lenovo is installing their own self-signed certificates, they have not only betrayed their customers’ trust, but also put them at increased risk.
TK Keanini, CTO, Lancope (www.Lancope.com):
I’m happy to see consumers pushing back and demanding greater security out of the box. Unless the market steps up and asks for more secure systems, vendors will keep doing silly and sometimes irresponsible things.
I remember purchasing a laptop for my daughter a few years back and the retailer wanted me to pay extra to remove all the adware and extras from the unit. This is not right. Pay extra so that I can get rid of all the advertising software and programs that slow my experience down? It is like buying a car and paying extra to remove ads painted on the side of the vehicle.
Brett Fernicola, CISSP, CISO of STEALTHbits Technologies (www.stealthbits.com):
Regarding security concerns of Lenovo’s “Superfish,” I feel they definitely hold water. From the evidence I have seen, the adware was capable of passing phony self-signed certs to the browser so that it could eavesdrop on encrypted SSL web pages, you know, the ones that are supposed to make you feel safe inside? No, by itself there is not much harm being done. The main reason they did this was probably to sniff traffic from sites like Facebook and Google that default to using SSL these days. This is where most of your average consumers are spending their time; to be blind to that traffic would make adware useless in a sense. The security concern is that the adware responsible for monitoring your SSL traffic could be compromised by hackers, other malware, malicious sites, etc., thus making it just that much easier to steal sensitive information from that PC such as passwords, online banking information, etc.
Gone are the days of PC manufacturers taking pride in not just the hardware they ship, but the configuration and setup of the Operating System. I remember reading PC Magazine way back when drooling over benchmarks that the new Micron Pentium MMX 200 tower was a split second faster than the Dell Pentium MMX 200. Back then manufacturers would try to squeeze every little drop of performance out of their boxes to compete for king of the hill.
Now we are so spoiled with multicore handheld supercomputers that manufacturers don’t care about benchmarks anymore. They know they can load that box with as much junk as they want and it will probably have very little performance impact on the box to the average user. I’ve been building computers for over 20 years and I have seen this evolution unfold first-hand over the years. If you remember E-Machines, they were one of the first to pioneer this field. Their desktops were dirt cheap mainly due to cheap hardware but also the fact that they came preloaded with loads of adware with the goal of learning your habits and feeding you ads. So what Lenovo has done is nothing new; they were just very shady about it.
At least when you got an E-Machine you sort of knew what you were getting into up front. Lenovo on the other hand stooped to a new low and preloaded adware that was hidden from the user, leveraging advanced malware-like techniques such as monitoring encrypted SSL web traffic with self-signed certs, better known as man-in-the-middle attacks. The other slap in the face is this new trend where most computers don’t come with the operating system media. Back in the day your computer always came with the Windows CD and license key, and/or some sort of restore disc. It seems like Lenovo went the extra mile to ensure that the average consumer was stuck with an adware-laden machine.
The lack of any restore media or operating system media means the user was at their mercy. The most common trend on these adware boxes is a special boot partition for emergency recovery. This way if Windows completely melted or you otherwise broke your PC you could reboot, hit a special button and have your PC restored like the day it was delivered; the only catch is the adware is present in the restore image, so no matter what you’re stuck with an infected PC. That is, unless you are like me and don’t even boot a new laptop the first day you get it.
I know that no matter what brand laptop I buy it’s going to be riddled with adware, freeware, and who knows what else these days, so I don’t even waste my time. I boot right from DVD and blow away everything that came from the factory and install my OS of choice from scratch. The thought of using any factory-installed operating system makes me cringe these days; unfortunately it’s the average consumer that’s hit hardest by these bad practices.
In the end, one hopes stories like this help educate the consumer, forcing better products to be delivered to the consumer.
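The mechanism Fernicola describes above, a self-signed root dropped into the trust store so that phony certificates for any site pass the browser's chain check, is easy to see in a few lines of code. The following is an added example written for this page, not code from Lenovo, Superfish or any of the commentators. It builds a constructed "legitimate" root and a constructed "adware" root (both names are invented for the demo), mints a leaf for www.example.com signed by the adware root, and runs the same chain validation a browser performs: the leaf is rejected while only the legitimate root is trusted and accepted once the adware root is added. It also includes the check a practitioner would actually run on a suspect machine: compare the roots in the trust store against a baseline of known-good public-key fingerprints and report anything extra.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// sign issues a certificate from tmpl. With parent == nil the certificate is
// self-signed (a root); otherwise it is signed by parent using parentKey.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// NewRootCA creates a self-signed CA certificate with the given (constructed) name.
func NewRootCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return sign(tmpl, nil, nil)
}

// IssueLeaf mints a server certificate for host signed by root. An interceptor
// holding root's private key can do this on the fly for every site the user visits.
func IssueLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err := sign(tmpl, root, rootKey)
	return leaf, err
}

// Chains performs the browser's check: does leaf, presented for host, chain to
// one of the trusted roots? A nil error means the padlock would be shown.
func Chains(leaf *x509.Certificate, roots []*x509.Certificate, host string) error {
	pool := x509.NewCertPool() // non-nil and empty: no fallback to system roots
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// SPKIFingerprint is the hex SHA-256 of the certificate's public key info, a
// stable identifier for a root no matter how its subject name is spelled.
func SPKIFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// UnexpectedRoots compares a trust store against a baseline of known-good SPKI
// fingerprints and returns the common names of roots missing from the baseline.
func UnexpectedRoots(store []*x509.Certificate, baseline map[string]bool) []string {
	var out []string
	for _, c := range store {
		if !baseline[SPKIFingerprint(c)] {
			out = append(out, c.Subject.CommonName)
		}
	}
	return out
}

func main() {
	const host = "www.example.com"
	legit, _, _ := NewRootCA("Constructed Public Root") // constructed, stands in for a real CA
	rogue, rogueKey, _ := NewRootCA("Constructed Adware Root") // constructed, stands in for the injected root
	leaf, _ := IssueLeaf(rogue, rogueKey, host)

	fmt.Println("clean trust store:", Chains(leaf, []*x509.Certificate{legit}, host))
	fmt.Println("rogue root added: ", Chains(leaf, []*x509.Certificate{legit, rogue}, host))

	baseline := map[string]bool{SPKIFingerprint(legit): true}
	fmt.Println("roots not in baseline:", UnexpectedRoots([]*x509.Certificate{legit, rogue}, baseline))
}
```

On a real machine the store passed to UnexpectedRoots would be the exported root certificates of the OS or browser and the baseline would be the fingerprints of the vendor's published trusted-root list; any root outside that list, self-signed and enabled for server authentication, deserves the same scrutiny as the one described in the commentary above.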