Tag Archives: Lenovo

The Lenovo Problem is NOT just Lenovo

I wrote the other day (see post) about malware (called Superfish) that Lenovo intentionally installed on their computers in the name of improving your customer experience.  Well, they admit that it was poorly thought out, but only for one of the two reasons I am concerned about.

They admit that snooping on your private conversations to present you with ads is probably not a good plan.  The bigger problem is that the Komodia SSL-interception software that Superfish is built on is a security train wreck.

Marc Rogers, the guy who tipped us to the problem, has done more research on Komodia, and the problem is much bigger than Lenovo.  Komodia makes a bunch of products that eavesdrop on your traffic for a bunch of different reasons, and they all have the same issue.  Some of the products that use this same toolkit include:

  • Komodia’s “Keep My Family Secure” parental control software.
  • Qustodio’s parental control software
  • Kurupira Webfilter
  • Staffcop (version 5.6 and 5.8)
  • Easy hide IP Classic
  • Lavasoft Ad-aware Web Companion
  • Hide-my-ip (note: this package does not appear to utilize the SSL MITM, and its certificate is slightly different from the one found in the other packages; however, it still utilizes an unrestricted root certificate with a simple plaintext password)

All of these products suffer from some common illnesses which include:

  • They intercept your private communications
  • The private key for the root certificate is embedded in the software, and it is the same for every one of the installations around the world (no hacker would ever take advantage of that)
  • The password protecting that private key, which is also embedded in the software, is also the same for everyone, and it is a stupid password: Komodia.  I guess that is better than using 123456, but not much better.
  • The Komodia software, which negotiates the connection with, say, your bank on your behalf, allows a whole bunch of old, weak cryptographic methods that modern browsers eliminated years ago.  That means that, on top of everything else, your traffic is susceptible to hacking.
  • The Komodia software does not check (not correctly, anyway) whether the certificate of the web site you are going to is valid.  This means that, on top of everything else, you might be sent to a bogus web site and not even know it.
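Those last two bullets describe a TLS client that neither validates the server certificate nor limits itself to modern cipher suites.  As an added illustration (this is not code from the post, from Komodia or from Lenovo), the Python below audits an `ssl.SSLContext` for exactly those failings: a "weak" context, constructed here to mirror the described behaviour, sits beside a hardened one, and `audit_tls_client` reports which of the checks each fails.  The finding names and the `WEAK_CIPHER_MARKERS` substrings are this example's own conventions.

```python
"""Audit an ssl.SSLContext for the two failings described above: no
certificate validation and acceptance of weak, outdated cipher suites.
Added example, not code from the post, Komodia or Lenovo; the "weak"
context is constructed here to mirror the described behaviour."""
import ssl

# Substrings that mark legacy or broken suites in OpenSSL cipher names
# (RC4, single/triple DES, MD5 MACs, NULL encryption, export-grade).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")


def make_weak_context() -> ssl.SSLContext:
    """A client context that behaves like the interception proxy the post
    describes: it never verifies the upstream certificate or hostname and
    re-enables every cipher the local OpenSSL build still offers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, even self-signed, is accepted
    try:
        # SECLEVEL=0 lifts OpenSSL's security floor so legacy suites come back.
        ctx.set_ciphers("ALL:COMPLEMENTOFALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # builds without the legacy suites simply keep their defaults
    return ctx


def make_hardened_context() -> ssl.SSLContext:
    """What an upstream-facing client should look like instead."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname, system roots
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES:!EXPORT")
    return ctx


def weak_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites that match one of the weak markers."""
    return sorted(
        c["name"] for c in ctx.get_ciphers()
        if any(m in c["name"] for m in WEAK_CIPHER_MARKERS)
    )


def audit_tls_client(ctx: ssl.SSLContext) -> list:
    """Return finding codes for the context; an empty list means it passed."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate-not-verified")
    if not ctx.check_hostname:
        findings.append("hostname-not-checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy-protocol-allowed")
    if weak_ciphers(ctx):
        findings.append("weak-ciphers-enabled")
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak", make_weak_context()),
                       ("hardened", make_hardened_context())):
        print(f"{label}: {audit_tls_client(ctx) or 'no findings'}")
        if weak_ciphers(ctx):
            print("  e.g.", ", ".join(weak_ciphers(ctx)[:5]))
```

Which legacy suites the weak context actually lists depends on the local OpenSSL build (newer builds drop RC4 and export suites entirely), but the two validation findings show up on every build, which is the part the post is really about: a proxy that accepts any certificate makes the bogus-web-site scenario possible no matter how strong the ciphers are.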

The web site that I reported last week (link above) has a test to see if the Superfish software is installed on your computer.  The site has been updated to reflect this news and the address is:

https://filippo.io/Badfish/ 

If you do have this software on your computer, not only do you need to remove the software, but you also need to remove their certificate (basically, a skeleton key into your computer) as well.  Marc has instructions for doing that on his web site.

All I can say is ARGH!!!!!

As I have said before, the internet merchants want to fool you into believing that SSL is secure.  It is less insecure when you implement it correctly, but it is totally insecure when you implement it the way Komodia did.  Worse than being insecure, Komodia puts your computer at risk because of their actions.

The U.S. Computer Emergency Readiness Team (part of DHS, but run by intelligent people at Carnegie Mellon University) is now involved as well, so we may yet see more news about this.

If you are using any of these products, I would definitely uninstall them and remove the root certificate as well.

SOOORRY!

Mitch

Beware Lenovo Users

Marc Rogers (white hat hacker and principal security researcher for Cloudflare) wrote about an interesting problem Lenovo users have.  (see article)

What is not clear is how long Lenovo has been doing this.  The good news is that a friend of Marc’s has created a test to see if your Lenovo laptop is infected.

The short version is this.  Lenovo has partnered with a company named Superfish to serve up ads to, and steal data from, your laptop.  They do this by creating a man-in-the-middle attack inside your laptop, submitting fake SSL certificates to your bank (or any other site) and reflecting the data back to you.  If you look at the SSL certificate, which no one does, it is signed by Superfish, not your bank.

They did this by installing an SSL signing certificate with God power in the certificate store and using it to generate certificates on the fly for any web site that you visit.  That requires that the password for this certificate be hard coded into the software on your laptop, and that password is Komodia, on every laptop they sell.  Komodia is the name of a company that makes SSL software.  Not so secure.

The site that Marc’s friend created to test for the Superfish malware is:

https://filippo.io/Badfish

If you are infected, Lenovo has created instructions for removing the Superfish software; the link is in Marc’s blog post above.  However, that removal does not remove the God-like certificate from the computer, and Marc has additional instructions for doing that.
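Both posts make the same point: the test site checks whether the Superfish root is trusted, and the real fix is to remove that root from the certificate store.  The Python below is an added example (not code from the post, from Marc Rogers, or from Lenovo, Superfish or Komodia) of how to look for such a root yourself: it walks DER certificates from the Windows ROOT store (or from a PEM bundle such as the system CA file), pulls out the subject and issuer strings, and reports the SHA-256 fingerprint of any certificate whose name contains one of the markers.  The `SUSPECT_MARKERS` strings are an assumption based on the two names the posts mention, the DER walker is a minimal one written for this example, and `sample_name` builds a constructed X.509 Name for demonstration, not a real certificate.

```python
"""Find an interception root (like the one Superfish/Komodia installed) in a
certificate store and report its SHA-256 fingerprint so it can be removed.
Added example, not code from the post or from Lenovo, Superfish or Komodia.
The marker strings are an assumption based on the names the posts mention,
and sample_name() builds a constructed DER Name, not a real certificate."""
import hashlib
import os
import re
import ssl

# Lower-cased substrings to look for in subject/issuer names. Other
# Komodia-based products ship roots under their own product names, so
# extend this tuple for the products listed in the post.
SUSPECT_MARKERS = ("superfish", "komodia")

DER_OID, DER_UTF8, DER_PRINTABLE, DER_SEQUENCE, DER_SET = 0x06, 0x0C, 0x13, 0x30, 0x31


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    if pos + 1 >= len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def der_strings(der: bytes) -> list:
    """Walk constructed DER nodes (SEQUENCE, SET, [n] EXPLICIT) and collect
    every PrintableString/UTF8String; X.509 subject and issuer names are
    made of these, so a certificate's names come out in document order."""
    found, pos = [], 0
    while pos < len(der):
        tag, value, pos = _read_tlv(der, pos)
        if tag & 0x20:                     # constructed bit set: descend
            found.extend(der_strings(value))
        elif tag in (DER_PRINTABLE, DER_UTF8):
            found.append(value.decode("utf-8", "replace"))
    return found


def scan_der_certs(certs) -> list:
    """certs: iterable of DER certificates. Returns (sha256_hex, name) per hit."""
    hits = []
    for der in certs:
        for name in der_strings(der):
            if any(m in name.lower() for m in SUSPECT_MARKERS):
                hits.append((hashlib.sha256(der).hexdigest(), name))
                break
    return hits


def pem_bundle_to_der(text: str) -> list:
    """Split a PEM bundle (for example the system CA file) into DER blobs."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----",
                        text, re.S)
    return [ssl.PEM_cert_to_DER_cert(b) for b in blocks]


def der_to_pem(der: bytes) -> str:
    """PEM-encode one DER certificate (used for the round-trip check)."""
    return ssl.DER_cert_to_PEM_cert(der)


def windows_root_store() -> list:
    """DER certificates from the Windows machine ROOT store; empty elsewhere."""
    if not hasattr(ssl, "enum_certificates"):
        return []
    return [der for der, enc, _trust in ssl.enum_certificates("ROOT")
            if enc == "x509_asn"]


def _tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder used only to build the constructed sample."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    if n < 0x100:
        return bytes([tag, 0x81, n]) + body
    return bytes([tag, 0x82]) + n.to_bytes(2, "big") + body


def sample_name(common_name: str) -> bytes:
    """Constructed X.509 Name: SEQUENCE { SET { SEQUENCE { OID cn, PrintableString } } }."""
    oid_cn = _tlv(DER_OID, b"\x55\x04\x03")          # 2.5.4.3 commonName
    atv = _tlv(DER_SEQUENCE, oid_cn + _tlv(DER_PRINTABLE, common_name.encode()))
    return _tlv(DER_SEQUENCE, _tlv(DER_SET, atv))


if __name__ == "__main__":
    certs = windows_root_store()
    cafile = ssl.get_default_verify_paths().cafile
    if cafile and os.path.exists(cafile):
        with open(cafile, encoding="ascii", errors="replace") as fh:
            certs += pem_bundle_to_der(fh.read())
    print(f"scanned {len(certs)} certificates: {scan_der_certs(certs) or 'no hits'}")
    print("constructed sample:", scan_der_certs([sample_name("Superfish, Inc.")]))
```

On Windows the reported fingerprint can be matched against the entry in the Trusted Root Certification Authorities store before deleting it; on other systems the same scan over the CA bundle tells you whether a packaged root ever got merged into the system trust.  The walker only descends into constructed nodes, so it will not see names tucked inside OCTET STRING extension values, which is fine for this purpose because the root's own subject is always in the top-level structure.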

A smarter move, given we have no idea what other ‘bugs’ are hidden in the software, would be to wipe the disk and reinstall the software from a known good version of Windows (NOT the one that came with the laptop) and then reinstall all the applications and finally restore your data.

China has been getting rid of Cisco network gear because they say that they can’t trust it.

It is time for the U.S. to get rid of Lenovo computers for the same reason.  If you want to understand just how dangerous what Lenovo did is, you will need to read Marc’s blog, but for those of you who are not techies, trust me (and Marc): it is pretty serious.

But here is the real question – they got caught doing this.  What else are the Chinese doing?  I took Lenovo off my buy list as soon as IBM sold it to the Chinese.  I get to be vindicated now – we have real evidence.

If you need help, feel free to contact me.

Mitch