News Lenovo admits installing man-in-the-middle adware

Discussion in 'Article Discussion' started by Gareth Halfacree, 19 Feb 2015.

  1. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    9,608
    Likes Received:
    358
  2. Shirty

    Shirty Time travelling rogue Super Moderator

    Joined:
    18 Apr 1982
    Posts:
    11,709
    Likes Received:
    1,305
    Crap job Lenovo. I mean, I'm sure it's easy enough to remove if you know what you're doing but 95% of their consumer market will be completely oblivious to this.
     
  3. Corky42

    Corky42 What did walle eat for breakfast?

    Joined:
    30 Oct 2012
    Posts:
    7,741
    Likes Received:
    108
    Just curious but the article says "if the controlling company should decide to break a few more laws"
    Unless I have misunderstood, does that mean they are already breaking a law? If so, what part is breaking the law? Is it the fraudulent trusted certificate authority, acting as a man-in-the-middle (MITM) in encrypted connections, or something else?
     
  4. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    9,608
    Likes Received:
    358
    Here in the UK, I'd personally argue that Lenovo was breaking Section 1 of the Computer Misuse Act 1990, which states:
    Now, Lenovo will likely argue that there are clauses in the terms and conditions that allow them to do this, meaning that it's not "unauthorised," but the fact that they're wiretapping encrypted communications (and, fun fact, the fraudulent certificate authority remains in the system even if the adware is uninstalled) which are encrypted specifically to keep them private would likely obviate such a defence. There are other laws which could apply, of course, such as Section 1 of the Regulation of Investigatory Powers Act 2000, Sections 2 and 4 of the Fraud Act 2006, arguably Article 8(1) of the Human Rights Act 1998 (although the House of Lords has ruled that this can't be used to bring a case for "invasion of privacy," that one may be a no-goer), and I could go on.

    Whether anyone will actually attempt to bring Lenovo to court for this, I don't know. I reckon there's a class action a-brewin', tho'.
     
    Last edited: 19 Feb 2015
  5. Corky42

    Corky42 What did walle eat for breakfast?

    Joined:
    30 Oct 2012
    Posts:
    7,741
    Likes Received:
    108
    I don't think they'd have a leg to stand on if they tried to argue that there are clauses in the terms and conditions that allow them to do this. Apparently the first time the user opens a browser it pops up a licence agreement, but even if you decline the agreement the certificate remains active; uninstalling the software doesn't remove the certificate either.

    It makes me wonder how many people are affected by this, as it seems users on the Lenovo Forums reported it over four months ago, but only discovered it was installing the certificate last month.

    Word to the wise, never buy Lenovo again.
     
  6. Shirty

    Shirty Time travelling rogue Super Moderator

    Joined:
    18 Apr 1982
    Posts:
    11,709
    Likes Received:
    1,305
    I'd still recommend their business-class laptops as an option, but I agree that their consumer-class products generally aren't the best option.
     
  7. Corky42

    Corky42 What did walle eat for breakfast?

    Joined:
    30 Oct 2012
    Posts:
    7,741
    Likes Received:
    108
    Lenovo have released a statement about Superfish.
     
  8. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    9,608
    Likes Received:
    358
    'S been linked in the article since lunchtime, along with a snarky response to its "thorough investigation" which turned up "no evidence" to support any security concerns. Which apparently didn't extend to searching Twitter to see if people were sharing the private key, its password, and fraudulent certificates for Lenovo's own website signed with said private key (hint: yes, yes they were.)

    Fun additional fact mentioned in the updated article: Lenovo having "completely disabled server side interactions" does not remove the fake certificate authority. Neither does uninstalling the software. Anyone with a Lenovo laptop that had Superfish on it at any time is at risk of MITM attacks, whether or not they have removed Superfish. Nice, eh? You basically have to manually delete the CA from every browser on the system as well as uninstall Superfish.
     
  9. Fizzban

    Fizzban Man of Many Typos

    Joined:
    10 Mar 2010
    Posts:
    3,262
    Likes Received:
    101
    Never owned anything by them and now I probably never will.
     
  10. Corky42

    Corky42 What did walle eat for breakfast?

    Joined:
    30 Oct 2012
    Posts:
    7,741
    Likes Received:
    108
    Oops, sorry, it's easy to miss an update to articles if you mainly use the forums.
    I think a snarky response is being too kind to them personally, but I must be in the minority; it seems people are OK with the rather wet response from Lenovo (wet, Superfish :D see what I did there) :duh:
     
  11. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    9,608
    Likes Received:
    358
    No, it's entirely my fault: I should have posted a comment in this 'ere thread noting that there was an update for that very reason. Mea culpa!

    Lenovo appears to be taking a little more responsibility now: its US Twitter account has been on a charm offensive, and the company has posted step-by-step instructions for removing Superfish and the CA - although instructions for the latter are only currently available for Internet Explorer.
     
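    The two posts above (the CA surviving an uninstall, and removal instructions existing only for Internet Explorer) both come down to the same check: does a trusted root named after Superfish still sit in the Windows certificate stores? The script below is an added example written for this thread, not Lenovo's published procedure and not code from the article. It assumes the rogue CA's Subject contains the string "Superfish" (the thread names it only as "Superfish", so the exact Subject text is an assumption) and that the stores listed are the ones Internet Explorer, Edge and Chrome trust on Windows. It runs report-only by default and deletes matches only when called with -Remove from an elevated session.

```powershell
# Audit the Windows trusted-root stores for a Superfish CA and optionally remove it.
# Added example for this thread; assumes the rogue CA's Subject contains "Superfish".
param(
    [switch]$Remove    # report-only unless -Remove is given (needs an elevated session)
)

$pattern = 'Superfish'    # assumption: substring of the rogue CA's Subject/Issuer

# Root stores consulted by the OS and by browsers that use the Windows store
# (IE, Edge, Chrome). Firefox keeps its own NSS store and is not covered here.
$stores = @(
    'Cert:\LocalMachine\Root',
    'Cert:\CurrentUser\Root'
)

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        Select-Object @{ n = 'Store'; e = { $store } },
                      Subject, Thumbprint, NotAfter,
                      # A trusted root whose private key lives on this machine is the
                      # hallmark of a local TLS-interception proxy, so flag it explicitly.
                      HasPrivateKey, PSPath
}

if (-not $found) {
    Write-Host "No certificate matching '$pattern' found in the Windows root stores."
    return
}

$found | Format-Table Store, Subject, Thumbprint, NotAfter, HasPrivateKey -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        # Remove-Item works on the certificate provider; LocalMachine entries
        # need administrator rights.
        Remove-Item -Path $cert.PSPath -Confirm:$false
        Write-Host "Removed $($cert.Thumbprint) from $($cert.Store)"
    }
} else {
    Write-Host "Re-run with -Remove from an elevated PowerShell to delete the entries above."
}
```

    Run it once without arguments to see whether anything matches, then again as `.\Find-SuperfishCA.ps1 -Remove` from an administrator prompt. Because Firefox does not read the Windows store, a machine that reports clean here can still trust the CA inside Firefox; that store has to be checked separately in the browser's certificate manager. The HasPrivateKey column is the general tell worth keeping even after this particular incident: a trusted root that also has its private key on the local disk can only exist to sign certificates on the fly for that machine.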
  12. Nexxo

    Nexxo Bargaining chip

    Joined:
    23 Oct 2001
    Posts:
    32,327
    Likes Received:
    999
    Never will. Their Yoga 11 is buggy as hell and their customer support non-existent.
     
  13. Combatus

    Combatus Bit-tech Modding + hardware reviews Staff Super Moderator

    Joined:
    16 Feb 2009
    Posts:
    2,721
    Likes Received:
    50
    Doesn't surprise me in the least tbh as there's plenty of other areas the Chinese seem to do it too - iPhone jailbreaking software and smartphones to name a couple. With a company as huge as Lenovo doing it, it does worry me that it's possibly far more commonplace over there than you might think. I do like some of their laptops but as Corky42 says, this is a reason to avoid them completely, even if they're taking steps to remove it.
     
  14. forum_user

    forum_user forum_title

    Joined:
    4 Jan 2012
    Posts:
    511
    Likes Received:
    3
    100% agree with this. I hope Lenovo have sacked the idiot that decided this scheme was a good idea. Not that I care now, or at any time in the future.
     
  15. Unicorn

    Unicorn Uniform November India

    Joined:
    25 Jul 2006
    Posts:
    12,711
    Likes Received:
    438
    I've had one on the bench all day (a G580) and it's being a complete b**ch, so I agree with that, today more than ever. I am typing this from my X230 though, which is rock solid as ever.

    Some of their consumer products aren't too bad, still a bit "plasticky" for my liking but better than some. HP mid-range consumer laptops have taken a complete nose dive in recent years. You're lucky if you can get 12 months out of typing on one without the keyboard wearing down to shiny plastic. At least they don't ship with adware though :rolleyes:

    Lenovo need to be careful about what they do with the ThinkPad range next. They've been slowly going downhill for a number of years, and having seen an X1 Carbon recently and decided it's not the rugged, "road warrior" machine my X230 is, I don't hold a lot of hope for the future of the range.

    This sort of thing is the reason I always recommend that average Joe consumers have their new computer set up by a competent engineer or tech, then looked over and serviced once a year after that.
     
    Last edited: 21 Feb 2015
  16. 13eightyfour

    13eightyfour Formerly Titanium Angel

    Joined:
    9 Sep 2003
    Posts:
    3,347
    Likes Received:
    99
    I'm still running an X61! It isn't the quickest laptop by any stretch, and I get odd looks in meetings for rocking an 8 year old machine. But it does what I want, has never failed me, and has very little chance of being stolen.

    I was considering replacing it with an X1 but like Uni I can't see it standing the abuse the X61 does, so until it totally dies I think I'll keep it, at least I know what's on it :thumb:
     
  17. wolfticket

    wolfticket Downwind from the bloodhounds

    Joined:
    19 Apr 2008
    Posts:
    2,616
    Likes Received:
    113
    Funny this is breaking news now.
    The first thing I did when I got my Yoga for Christmas was go through and remove bloatware. That bloatware included Superfish.
    Having a vague idea what it is I wasn't happy about it, but I guess I didn't realise the full gravity of the fact it came pre-installed.

    The certificates are a bigger concern, but I would guess that other good practice protected me from any security issues with them.

    That said: I wasn't sure whether it was worth doing a full wipe and re-install of Windows so I have a nice clean system before this.
    I am now.
     
  18. GMC

    GMC Well-Known Member

    Joined:
    26 Jun 2010
    Posts:
    1,500
    Likes Received:
    36
    Tested mine this morning after seeing an article on wired and pleased to say I'm clean. Bought an x240 a month ago. Got to say they aren't the most exciting but the 12.5" screen is the right size for me to be comfortable with and the 15-20 hr battery life is a game changer.
     