Lenovo installed software making laptops vulnerable to hacking - experts

Monday, 23 February 2015 00:00

Reuters: China’s Lenovo Group Ltd, the world’s largest PC maker, had pre-installed virus-like software on laptops that makes the devices more vulnerable to hacking, cybersecurity experts said last week. Users reported as early as last June that a programme called Superfish, pre-installed by Lenovo on consumer laptops, was ‘adware’, or software that automatically displays adverts.

Robert Graham, CEO of U.S.-based security research firm Errata Security, said Superfish was malicious software that hijacks encrypted connections and strips away their protection, paving the way for hackers to commandeer those connections and eavesdrop, in what is known as a man-in-the-middle attack. Lenovo had installed Superfish on consumer computers running Microsoft Corp’s Windows, he added.

“This hurts (Lenovo’s) reputation,” Graham told Reuters. “It demonstrates the deep flaw that the company neither knows nor cares what it bundles on their laptops.”

An administrator on Lenovo’s official web forum said on 23 January that Superfish had been temporarily removed from consumer computers. Lenovo executives were not immediately available for comment during the Lunar New Year holiday in China.

Graham and other experts said Lenovo was negligent, and that computers could still be vulnerable even after uninstalling Superfish, because the certificate the software adds to the machine stays trusted unless it is removed separately. The software defeats encryption by installing its own certificate as a trusted authority, which lets it take over connections and present them to the browser as trusted and secure, even when they are not.

“The way the Superfish functionality appears to work means that they must be intercepting traffic in order to insert the ads,” said Eric Rand, a researcher at Brown Hat Security. “This amounts to a wiretap.”

Concerns about cybersecurity have dogged Chinese firms, including telecoms equipment maker Huawei Technologies Ltd over ties to China’s government and smartphone maker Xiaomi Inc over data privacy. Lenovo commanded one-fifth of the global PC market in the third quarter of 2014, according to data research firm IDC.

US urges removing Superfish program from Lenovo laptops

Reuters: The US government on Friday advised Lenovo Group Ltd customers to remove ‘Superfish’, a program pre-installed on some Lenovo laptops, saying it makes users vulnerable to cyberattacks. The Department of Homeland Security said in an alert that the program makes users vulnerable to a type of cyberattack known as SSL spoofing, in which remote attackers can read encrypted web traffic, redirect traffic from official websites to spoofs, and perform other attacks. “Systems that came with the software already installed will continue to be vulnerable until corrective actions have been taken,” the agency said.

Adi Pinhas, chief executive of Palo Alto, California-based Superfish, said in a statement that his company’s software helps users achieve more relevant search results based on images of products viewed. He said the vulnerability was “inadvertently” introduced by Israel-based Komodia, which built the application described in the government notice. Komodia CEO Barak Weichselbaum declined comment on the vulnerability.

Lenovo apologised late on Friday in a statement for ‘causing these concerns among our users’ and said that it was ‘exploring every action we can’ to address the issues around Superfish, including offering tools to remove the software and certificate. “We ordered Superfish pre-loads to stop and had server connections shut down in January based on user complaints about the experience. However, we did not know about this potential security vulnerability until yesterday (Thursday),” the Lenovo statement said. “We recognise that this was our miss, and we will do better in the future. Now we are focused on fixing it,” the company said.

Komodia’s website says it produces a ‘hijacker’ that allows users to view data encrypted with SSL technology. “The hijacker uses Komodia’s redirector platform to allow you easy access to the data and the ability to modify, redirect, block, and record the data without triggering the target browser’s certification warning,” according to the site. In practice that means the interceptor’s own certificate is trusted by the machine, so the browser shows a normal secure connection while a third party sits in the middle of it.

Lenovo did not disclose how many machines were affected, but said that only machines shipped from September to December of last year had been pre-loaded with the vulnerable software. Affected Lenovo products include laptops in its Yoga, Flex and MiiX lines as well as its E, G, U, Y and Z series, according to the company’s support website.
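The DHS alert above says affected systems stay vulnerable until corrective action is taken, and Lenovo’s statement says both the software and its certificate need removing. The PowerShell script below is an added example written for this page, not Lenovo’s or Superfish’s own removal tool. It does two things a practitioner would want: it searches the Windows trusted root stores for a certificate whose subject matches an assumed pattern (the string "Superfish") and optionally removes it, and it then opens a TLS connection to a public host and reports who issued the certificate the machine actually received, which is the direct test for an active interceptor. The subject pattern and the probe host are assumptions; if a vendor advisory gives a thumbprint, match on that instead of the name.

```powershell
# Added example for this page, not code from Lenovo, Superfish or Komodia.
# Checks a Windows machine for a leftover interceptor root certificate and
# for TLS interception that is still active. Run from an elevated PowerShell.
# Assumptions: the injected CA's subject contains "Superfish" (a guess; review
# every hit before deleting) and the probe host is issued by a public CA.
param(
    [string]$SubjectPattern = '*Superfish*',          # assumed name of the injected CA
    [string[]]$ProbeHosts   = @('www.microsoft.com'),  # assumed hosts with public-CA certs
    [switch]$Remove                                    # delete only when explicitly asked
)

# 1. Search both the machine-wide and the per-user trusted root stores.
$stores   = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$suspects = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object { $_.Subject -like $SubjectPattern }
}

if (-not $suspects) {
    Write-Host "No trusted root certificate matching '$SubjectPattern' was found."
} else {
    foreach ($cert in $suspects) {
        Write-Host ("Found: {0}  thumbprint={1}  store={2}" -f `
            $cert.Subject, $cert.Thumbprint, $cert.PSParentPath)
        # A root CA whose private key lives on the machine is what lets a local
        # proxy mint certificates for any site, so call that out explicitly.
        if ($cert.HasPrivateKey) { Write-Host '  -> private key is present on this machine' }
        if ($Remove) {
            Remove-Item -Path $cert.PSPath
            Write-Host '  -> removed from trust store'
        }
    }
}

# 2. Test for live interception: connect to a real site and inspect the issuer of
#    the certificate the client received. A genuine site is issued by a public CA;
#    an intercepting proxy presents a certificate issued by its own root.
function Get-ObservedIssuer {
    param([string]$Hostname, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($Hostname, $Port)
    try {
        # Accept any certificate here: we want to look at it, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Hostname)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
            $ssl.RemoteCertificate)
        [pscustomobject]@{ Host = $Hostname; Subject = $remote.Subject; Issuer = $remote.Issuer }
    } finally {
        $tcp.Close()
    }
}

foreach ($h in $ProbeHosts) {
    $obs  = Get-ObservedIssuer -Hostname $h
    $flag = if ($obs.Issuer -like $SubjectPattern) { 'INTERCEPTED' } else { 'ok' }
    Write-Host ("{0}: issuer = {1} [{2}]" -f $obs.Host, $obs.Issuer, $flag)
}
```

Run it once without `-Remove` to review the hits, then with `-Remove` to delete them. Two caveats: removing the entry from `Cert:\LocalMachine\Root` needs an elevated session, and browsers that keep their own trust list (Firefox does) are not covered by the Windows stores, so their certificate manager has to be checked separately. The second half of the script is the better indicator that the problem is gone: if the probe host's issuer is still the injected CA, something is still sitting in the middle of the connection regardless of what the store says.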

Google wins dismissal of US lawsuit over Android app limits

Reuters: A federal judge on Friday dismissed a lawsuit accusing Google Inc of harming smartphone buyers by forcing handset makers that use its Android operating system to make the search engine company’s own applications the default option. Consumers claimed that Google required companies such as Samsung Electronics Co (005930.KS) to favor Google apps such as YouTube on Android-powered phones, and restrict rival apps such as Microsoft Corp’s Bing. They said this illegally drove smartphone prices higher because rivals could not compete for the “prime screen real estate” that Google’s apps enjoyed. But in Friday’s decision, U.S. District Judge Beth Labson Freeman in San Jose, California said the consumers failed to show that higher prices stemmed from Google’s having illegally forced restrictive contracts on the handset makers. She also said she could not tell how many supply chain levels there were between the handset makers who signed the alleged anticompetitive contracts, and the consumers themselves. “Their alleged injuries - supracompetitive prices and threatened loss of innovation and consumer choice - are not the necessary means by which defendant is allegedly accomplishing its anticompetitive ends,” Freeman wrote. The judge gave the plaintiffs three weeks to amend claims under the federal Sherman antitrust law and California’s unfair competition law. Robert Lopez, a lawyer for the plaintiffs, did not immediately respond to requests for comment. Aaron Stein, a Google spokesman, declined to comment. Google also faces antitrust issues in Europe.
