Since 2014 Lenovo has been shipping consumer laptops with an innocuously named program, Superfish, preinstalled. If you are not in the habit of wiping a new laptop and installing the OS fresh to avoid the bloatware generally present on consumer products, your machine has been carrying the exact same root certificate, and the exact same private key for it, as every other recent Lenovo, and the icing on the cake is that the certificate is self-signed by Superfish and dropped straight into the Windows trusted root store rather than being issued by a real certificate authority. That key is no secret, since it is present on every affected machine, so anyone who cares to can sign a certificate for any website they like and your browser (apparently any browser other than Firefox, which keeps its own certificate store separate from Windows') will accept it with the usual padlock. The practical consequence is that anyone on the same wireless network can sit between you and any HTTPS site and read or alter the traffic; passive capture alone does not decrypt TLS, but with a trusted root in hand the attacker does not need it to.
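To make concrete what a shared, pre-trusted root certificate buys an attacker, here is an added example; it is not code from the original post, nor anything shipped by Lenovo or Superfish. It assumes only the openssl command-line tool, and the root CA name and the hostname bank.example are made up for the demonstration. It stands up a throw-away root, uses that root's private key to mint a certificate for bank.example, and then checks that a client which trusts the root accepts the forged certificate while a client without the root (a fresh install) rejects it.

```shell
#!/bin/sh
# Added example, not code from the original post or from Lenovo/Superfish.
# Assumes only the openssl command-line tool. The root CA name and the
# hostname bank.example are made up for the demonstration.
#
# The point: a root certificate trusted by the browser, whose private key
# is the same on every laptop, lets whoever holds that key mint a
# valid-looking certificate for any site. Passive sniffing is not the
# issue; active interception with a forged certificate is.
set -eu

# Stand-in for the shared root: one key pair, identical on every "victim".
make_shared_root_ca() {
  dir="$1"
  openssl genrsa -out "$dir/root.key" 2048 2>/dev/null
  openssl req -new -key "$dir/root.key" \
    -subj "/C=US/O=Shared Root Example/CN=Shared Root Example" \
    -out "$dir/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/root.ext"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 1 -sha256 \
    -extfile "$dir/root.ext" -out "$dir/root.pem" 2>/dev/null
}

# Anyone holding root.key can issue a certificate for any hostname.
mint_cert_for() {
  dir="$1"; host="$2"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$host.key" \
    -subj "/CN=$host" -out "$dir/$host.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "$dir/$host.ext"
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$dir/$host.ext" \
    -out "$dir/$host.pem" 2>/dev/null
}

# Exit 0 when a client that trusts the shared root accepts the minted cert
# for the name it is presented under (hostname check included). The
# optional third argument lets you test the cert against a different name.
victim_accepts() {
  dir="$1"; host="$2"; claimed="${3:-$2}"
  openssl verify -CAfile "$dir/root.pem" -verify_hostname "$claimed" \
    "$dir/$host.pem" >/dev/null 2>&1
}

# Exit 0 when a client with NO extra root (a freshly installed OS) accepts it.
clean_client_accepts() {
  dir="$1"; host="$2"
  openssl verify -no-CAfile -no-CApath -verify_hostname "$host" \
    "$dir/$host.pem" >/dev/null 2>&1
}

demo() {
  work=$(mktemp -d)
  make_shared_root_ca "$work"
  mint_cert_for "$work" bank.example
  if victim_accepts "$work" bank.example; then
    echo "laptop with shared root: accepts forged cert for bank.example"
  fi
  if clean_client_accepts "$work" bank.example; then
    echo "clean install: accepts forged cert (unexpected)"
  else
    echo "clean install: rejects forged cert (no such root is trusted)"
  fi
  rm -rf "$work"
}

# Run the demonstration when openssl is available.
if command -v openssl >/dev/null 2>&1; then demo; fi
```

Swap in any hostname you like; the side that trusts the shared root accepts every one of them, which is the whole problem with a root whose private key is public knowledge. On an affected Windows machine the equivalent question is whether the Trusted Root Certification Authorities store contains a certificate issued to Superfish, Inc.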
Lenovo is downplaying the security issue, emphasizing that Superfish was only intended to inject ads into your browser based on your browsing history and that it could be disabled manually, or by declining the terms and conditions when you turned on the laptop for the first time. As the commenters on Slashdot rightly point out, that argument is disingenuous: exposing your customers to a man-in-the-middle attack just to serve them some targeted advertising is a gross oversight, and disabling or uninstalling the program does not pull its root certificate back out of the trust store, so the exposure outlives the adware. Samsung has not had much success with the argument that its monitoring software could be manually disabled either. As of this year the program is no longer bundled on Lenovo laptops.
"… doesn't mention the SSL aspect, but this Lenovo Forum Post, with screen caps, is indicating it may be a man-in-the-middle attack to hijack an SSL connection too. It's too early to tell if this is a hoax or not, but there are multiple forum posts about the Superfish bug being installed on new systems. Another good reason to have your own fresh install disk, and to just drop the drivers onto a USB stick."
Here is some more Tech News from around the web:
- Microsoft opens Office storage back end for iOS love @ The Register
- Qualcomm outs ARM Cortex A72-based Snapdragon 620 and 618 chips @ The Inquirer
- How to Zip, Stick, and Screw Stuff Together @ Hack a Day
- BlackBerry's money-making QNX unit touts virty dual-OS devices @ The Register
- Getting Data Out of the Cloud Before Disaster @ Benchmark Reviews
- New Android Trojan Fakes Device Shut Down, Spies On Users @ Slashdot
- Adobe Photoshop turns 25 @ The Inquirer
- 10 Highlights of Jon Corbet's Linux Kernel Report @ Linux.com