
Lenovo's security breakdown shows the danger of invisible systems

Lenovo is having a very bad day. Last night, the company was called out for implanting adware that cut through user security. This morning, researchers uncovered a crucial password in the system, exposing Lenovo users to all manner of malicious attacks. It's a major, embarrassing security failure — but unlike bugs like Heartbleed or Shellshock, Superfish isn't a flaw in a protocol or a programming mistake. It's a deliberate program, deliberately installed on Lenovo computers with corporate permission but without user consent.

A deliberate program, installed with corporate permission

At its heart, Superfish is just an unusually mean piece of crapware, the kind of program that has been cluttering up cheap PCs for decades now. Manufacturers pre-install the programs onto low-end machines in exchange for a small fee from the software company. Traditionally, all those programs would do is bug you about paying for an upgrade or throw a pop-up ad onto your desktop. But Superfish goes farther, circumventing web encryption to insert ads into HTTPS-protected sites for secure services like webmail and online banking: it installs its own trusted root certificate on the machine and then sits between the browser and the site, decrypting and re-signing the traffic so the browser still shows the lock. It's a major breach of trust, but it's also a wakeup call for many researchers. The mild annoyance of crapware has turned into a serious security flaw — and this case may only be the beginning.

The problem isn't just that users don't choose to install the software (although that's a problem too). For the most part, we don't even know it's there. We see ads pop onto the desktop or into browsers, but we don't see the structure behind them. For ads inserted into web pages, we don't know whether they were served by the original site or injected on the way to the browser. Even if you know the ad is coming from adware on your computer, it's rare that you'll know the name of the program. The structure is designed to be invisible, outside of the user's control.

Invisibility leads to some strange incentives

Invisibility leads to some strange incentives. If crapware vendors want to try out a new way of targeting ads, for instance, most users will have no idea. Vendors have to justify the new features to the hardware manufacturer, but that can be as simple as paying a little more money. Without a public check, there's nothing to stop the software from growing more and more invasive, until it spills out into a public embarrassment like Superfish.

Hardware manufacturing tends to be invisible too, which makes it easy for adware to slip in. It's very hard to tell if a manufacturer has included something malicious on a given device — something the NSA has ruthlessly exploited over the years. Researchers can look, but the average consumer has to judge by signals. We can't run a security audit ourselves, so we flatten complex privacy issues into the simpler question of whether or not we trust a given brand. Do you trust Lenovo? Huawei? Apple? It's a crude measure, but it's all we have. Once that trust is gone, it's very hard to replace.

SSL is invisible too

Superfish crossed the line because it targeted SSL, the web's most basic security protection. In the politically charged world of encryption, SSL is the one thing everyone agrees on — the little green lock that protects passwords and credit card data as it moves across the web. Nearly everyone who makes money on the internet relies on consumers trusting SSL, so any move that threatens it is an existential threat. If Superfish became the industry norm, it's not just users that would be in danger. Everyone from Amazon to Google would have to scramble to keep their data secure.

Superfish's attack is particularly dangerous because SSL is invisible too. We see the little green lock and we have the option to inspect the certificate behind it, but we almost never do. We trust that someone else has checked it out for us. When there is a certificate hack — like the one that got GoGo in trouble earlier this year — it often lies undiscovered for months. This isn't self-vetted encryption like PGP or its open-source sisters. You don't have to work for SSL; it does the work for you. We want web security to be as painless as possible, so painless that it becomes invisible.

Superfish's vulnerabilities won't last long. Lenovo has already released instructions for uninstalling the software, and users are beginning to address the trickier certificate problem (uninstalling the program is not enough on its own; the rogue root certificate stays trusted until it is removed from the system's certificate store). The damage will last longer, as attackers make use of the stolen passwords and infected machines, but even that may pale in comparison to system-wide hacks like Heartbleed or Shellshock. The bigger danger may be the invisible systems themselves. To the average consumer, manufacturing will always be invisible and SSL will never be more than a 20-pixel padlock icon. And for anyone trying to break through, in the name of profit or national security, that invisibility will be a powerful tool.
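One way to make the "trickier certificate problem" visible on an affected machine, as an added example that is not part of the article and is not Lenovo's published removal tool: list the Windows trust stores and flag any root that names Superfish or that ships with its private key on the box. It assumes Windows with PowerShell 3.0 or later, that the Superfish root carries "Superfish" in its subject name, and that the function name and its `-Remove` switch are this example's own.

```powershell
# Added example, not Lenovo's tool: find interception roots in the Windows
# trust stores and optionally remove them. Report-only unless -Remove is given.
function Find-InterceptingRoot {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Substring to look for in the certificate subject. "Superfish" is the
        # name the Superfish root used; the default is an assumption for this example.
        [string]$SubjectPattern = 'Superfish',
        # Delete matching roots only when explicitly asked.
        [switch]$Remove
    )

    # Both the machine-wide and the per-user root stores can grant trust.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    $found  = @()

    foreach ($store in $stores) {
        foreach ($cert in Get-ChildItem -Path $store) {
            $nameMatch = $cert.Subject -like "*$SubjectPattern*"
            # A trusted root whose private key is present on the endpoint is a
            # red flag on its own: whoever holds that key can sign for any site.
            $keyOnBox = $cert.HasPrivateKey

            if ($nameMatch -or $keyOnBox) {
                $found += [pscustomobject]@{
                    Store         = $store
                    Subject       = $cert.Subject
                    Thumbprint    = $cert.Thumbprint
                    NotAfter      = $cert.NotAfter
                    HasPrivateKey = $keyOnBox
                    NameMatch     = $nameMatch
                }

                # Only remove roots matched by name; private-key hits are reported
                # for a human to judge. ShouldProcess honours -WhatIf / -Confirm.
                if ($Remove -and $nameMatch -and
                    $PSCmdlet.ShouldProcess("$store\$($cert.Thumbprint)", 'Remove root certificate')) {
                    Remove-Item -Path "$store\$($cert.Thumbprint)"
                }
            }
        }
    }

    return $found
}

# Report-only run; add -Remove -WhatIf to preview deletions, -Remove to apply them.
Find-InterceptingRoot | Format-Table -AutoSize
```

Two caveats a practitioner would want: this only cleans the Windows stores, so Firefox, which keeps its own certificate database, has to be checked separately, and removing the root does nothing about the adware process itself, which still needs to be uninstalled so it does not reinstall the certificate.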
