Lenovo’s preinstalled Superfish spyware: A post-mortem

So, if you haven’t heard by now, last year Lenovo experimented with preloading its cheapest laptops with Superfish, adware that subverts HTTPS by installing its own root certificate on the machine and intercepting encrypted connections. That allowed a third party to inject ads on any web page, and it gave an attacker a convenient place to hide while tampering with your secure transactions.

By the end of the day yesterday, Lenovo had apologized, sort of, and after several sites had provided removal instructions, Lenovo provided its own. After spending much of the day downplaying the security concerns, by the end of the day they were at least reluctantly acknowledging them.

This was really bad, and I’ll explain why in a second, and I’ll also try to explain why Lenovo did it.

This is bad because it’s a blatant betrayal of trust. When it comes to selling home PCs, nothing is sacred anymore. But if there’s one thing that should be, it’s HTTPS and anything related to it, because that’s what protects you when you’re online with your bank, tax authority, and anyone else who handles your money.

We’ve trained ourselves to think we’re safe if we see that little lock in our browser window, but what Lenovo did was load software that does an end-run around your web browser. Superfish added its own root certificate to the machine’s trust store and then signed a fresh certificate for every HTTPS site you visited, so the browser kept showing the lock even though the connection had been intercepted, and there was no way to tell whether someone else had subverted HTTPS as well. Very few people check that, but that doesn’t make it right to take the option away. As long as the Superfish certificate is trusted by your machine (and it stays in the certificate store even if you uninstall the program), it’s impossible to tell if anyone has gotten between you and your bank, or Amazon. So someone could empty your bank account while serving up a web page that shows you still have money, or hijack your Amazon purchase, running off with your money while Amazon never gets your order and you never get your product, and it would be next to impossible for you to even know what happened.

It’s one thing for me to say this and another thing to pull off the attack. But the private key for the Superfish certificate was the same on every affected machine, so it only had to be extracted once, and it was, publicly, within a day of the story breaking. With that key, anyone who can get between one of these laptops and the internet, such as whoever runs the Wi-Fi at a coffee shop or hotel, can present a forged certificate for any site and the laptop will accept it without a warning. Pretty much anyone with Unix skills who’s used to working on resource-constrained systems could get it done eventually. Are there millions of people out there who fit that description, or merely hundreds of thousands? I don’t really know, but if there were a flaw in a particular make or model of car that made it trivially easy for someone with a certain skillset to steal, and hundreds of thousands of people had that skill, it would be a bigger story than this one was, and frankly I don’t see much difference.

Lenovo’s marketing department probably didn’t run this idea past its security department. Lenovo’s CISO would have thrown a fit. Or maybe they did, and they ignored the CISO’s inevitable tirade.

So why would Lenovo, to paraphrase the late Yankees manager Billy Martin, use their customers’ rights and best interests as toilet paper by agreeing to preload such a thing?

Money, of course. There’s very little profit in selling consumer PCs anymore. It’s possible to buy a laptop for $199-$249 that’s surprisingly good, but when the screen costs $50, the CPU costs $40, the hard drive costs $40, and the memory costs $30, that’s $160 before you’ve bought a motherboard to mount it all on and a case to put it all in, among other odds and ends, which could easily consume another $20-$30. All of these prices are rounded up, and a company like Lenovo can buy in huge quantities; its profit margin may very well be the sum of those rounding errors, because the reseller has to make some money too. It’s not hard to imagine the retailer getting $20 and Lenovo getting less than $10.

They pad that razor-thin profit margin by preloading software on the machine. They may cut deals to load 90-day trial versions of useful software in exchange for a few dollars. The software companies will pay a few dollars for the privilege because enough people will end up buying the software to make it worthwhile. It’s cheap advertising for them.

Some software is less innocent, tracking user habits and using what it learns to display targeted advertising to them. A company that could get its software preloaded on millions of PCs stands to make tens of millions of dollars doing that, so it would be glad to sling a few dollars Lenovo’s way in exchange.

That’s what happened here. Lenovo’s official statement said, “The relationship with Superfish is not financially significant,” which could be read two ways. Perhaps Superfish didn’t pay much money, or perhaps the amount of money was substantial but not worth the loss of future market share it was likely facing once word of Superfish got out.

My own initial reaction was certainly part of that backlash. When I first heard about this, I said Lenovo was worse than Packard Bell, my reasoning being that consumers who bought Packard Bells in the ’90s were out $1,000 when their computers died on them within a month of the warranty ending, while a consumer with a Superfish-laden Lenovo could lose the entire contents of their bank accounts.

Lenovo’s statement contains a lot more PR spin than I would like and doesn’t sufficiently emphasize the need to remove the product, though their own removal instructions are thorough enough. They did stop loading the product, and they had the ad-serving side disabled, so they’re no longer getting any financial gain from it. But disabling the ads does nothing about the root certificate already sitting in the certificate store on every affected machine; until that certificate is removed, the laptop is still exposed to the attack described above.

Lenovo crossed a line, and they seem to realize it. Perhaps this will convince PC makers to tone down what they’re willing to preload. I understand the need to subsidize the slim-to-none margins on the cheapest of the cheap PCs, but they also owe the consumer some level of assurance that the product they are buying is safe to use.


2 thoughts on “Lenovo’s preinstalled Superfish spyware: A post-mortem”

  • February 20, 2015 at 12:32 pm

    “We’ve trained ourselves to think we’re safe if we see that little lock in our browser window…”. You’re kidding, right? I wouldn’t trust that little lock symbol to indicate anything at all.

    • February 20, 2015 at 6:12 pm

      Do you mean that you regularly click on the lock to make sure the certificate is where it says it’s from? Or that you just assume HTTPS does nothing? If you check out the connection, congratulations, you’re a one-percenter (and I mean you’re in the good one percent). But if you just assume HTTPS is always broken, why would you go on the web at all?

      But no, I wasn’t kidding. One of the staples of every annual information security training I’ve had to endure for the past 10 years has been a very high-level explanation of HTTPS and SSL and at least one question about looking for that lock. It’s an incomplete indicator, but it’s one of about three things you can get everyone in the company to remember for a year and they’re better off with that knowledge than without it.
