That’s no Superfish, Lenovo, it’s stinkyfish

For years, when you bought a new PC from the likes of Dell, HP, Lenovo and other Windows PC makers, you tended to get crapware on the computer.  These companies make a few dollars by installing this crapware that you, likely, never use.  Most of the time, all it tends to do is eat up space on the storage device and, often, can slow your computer down a bit.  Now, however, it can also break something called SSL and that’s bad.

The crapware in question is called Superfish and it came pre-loaded on consumer PCs from Lenovo.  Now, before I go on, let me say that Lenovo, a Chinese-owned company, makes excellent computers.  They made the IBM Thinkpad and desktop computers for years before buying the whole line from IBM.  The consumer grade stuff is just as well designed and built and I would have recommended them in a heartbeat.

Sadly, I can’t do that now.

Superfish is a package that injects advertising into web pages.  ANY web page, even those that did not have any ads.  And, worse, it had to break SSL encryption to do so.

It uses a root certificate that is SHARED.  That is, it is packaged with the product and distributed to every computer that gets Superfish.  It takes precedence over the SSL certs that are already installed.  This is called a ‘man-in-the-middle’ attack and it is bad.  What it means is that when you log into a secure site that uses SSL, say your bank, this product negates that protection and then serves up its ads.  In doing so, it opens up your connection to snooping and your computer becomes vulnerable.
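The practical question for anyone with an affected machine is whether a Superfish-style root is sitting in the Windows trusted root store. The following PowerShell audit is an added example, not something from the original post or from Lenovo: it looks for two things, a trusted root whose subject or issuer name mentions Superfish, and, more generally, any trusted root for which this very machine also holds the private key. A real public CA’s private key is never on an end-user PC, so a root with a local private key is precisely the condition that lets installed software forge a certificate for any site. It assumes Windows PowerShell with the built-in `Cert:` provider and should be run as Administrator so that `LocalMachine\Root` is readable.

```powershell
# Added example (not from the original post): audit Windows trusted root stores.
# Flags (a) roots whose subject/issuer matches a name pattern (here "Superfish")
# and (b) any trusted root whose private key is present on this machine.
function Get-SuspiciousRootCerts {
    param(
        # Both the machine and the current user root stores are checked, since
        # the post does not say which one Superfish wrote into.
        [string[]] $StorePaths  = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'),
        [string]   $NamePattern = 'Superfish'
    )

    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue | ForEach-Object {
            $cert    = $_
            $reasons = @()

            if ($cert.Subject -match $NamePattern -or $cert.Issuer -match $NamePattern) {
                $reasons += "name matches '$NamePattern'"
            }
            # A trusted root should only ever be a public key on an end-user PC.
            if ($cert.HasPrivateKey) {
                $reasons += 'private key present for a trusted root'
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                    Reason     = ($reasons -join '; ')
                }
            }
        }
    }
}

# Report first; removal is left as an explicit, reviewed step.
$findings = Get-SuspiciousRootCerts
if ($findings) {
    $findings | Format-Table -AutoSize
    # After review, the same objects can be removed from the store, e.g.:
    # $findings | ForEach-Object { Remove-Item -Path (Join-Path $_.Store $_.Thumbprint) -WhatIf }
} else {
    Write-Output 'No suspicious trusted roots found.'
}
```

Treat the output as a review list rather than a verdict: a self-signed certificate you created yourself for local development and placed in the root store will trip the private-key check too, which is exactly why the script reports before it removes anything. Note also that removing the certificate does not remove the software that installed it; the post’s point is that the proxying component and the certificate need to go together.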

Initially, Lenovo said it was a benefit, giving its users a chance to see ‘alternative’ choices in the ads it served.  As anger grew, Lenovo’s response changed, several times, and now the company is saying that they will no longer offer up crapware.  They have been cagey about this, so time will tell if they mean it or not.

Now, the company that developed Superfish claims that the piece that breaks encryption was developed by another company, Komodia.  This is troubling because that company has its hooks in well over a hundred other applications and services, including several anti-virus applications, parental control apps (just stick with the Microsoft-supplied solution for this; it is great and works well) and other popular applications.

eWeek has a much better explanation of the problem here.

Sadly, I cannot recommend Lenovo and will even go so far as to say you should probably avoid it for now.  While the Superfish crapware can be removed, Lenovo’s response and initial attitude have discredited them and, for me, it will take a long time to rebuild that trust.  Sad, really, since the hardware is great.

And, by the way, Microsoft’s Security Essentials has been updated to detect and wipe out this mess.  It thinks it is a virus.

I’d say it is right.


Bad, bad Lero…err, USB…baddest USB in the whole town

USB. We all use it. It is ubiquitous these days. Our phones use it for power and to transfer data to and from a computer. Our keyboards, mice, mobile devices, external hard disks, cameras, you name it, it probably has a USB port.  Even some of our power outlets in the wall have them.  So, why am I saying something you already know? Well, two gentlemen at SR Labs have ‘discovered’ something that many of us probably knew, but just didn’t want to admit.

What’s that, you say?

Well, unless the USB device is a simple power adapter, it contains a tiny little computer.  Yep, the two dollar USB thumb drive is, in fact, a full-fledged little computer. It has a CPU, internal memory, firmware (the OS or software that makes it all work, including the complicated USB protocol itself) and, of course, the gigs of memory that you bought it for. So, what does this mean?

Well, for the vast majority of things, it means little.  However, there is a significant portion of USB devices, mainly the aforementioned two dollar thumb drive, that contain EEPROM instead of ROM.

EEPROM is electrically erasable programmable read-only memory. It is a type of ROM that can, with the right combination of hardware and software, have its contents replaced, something standard ROM cannot do.  ROM, or READ ONLY MEMORY, is a write-once memory. That is, once you have ‘burned’ or uploaded whatever you want to put in it, it cannot be changed, so you had better get it right the first time.  Which is why, I’m guessing, some of the lower cost drives use EEPROM instead of ROM.  Perhaps the same chips are used in two or three memory sizes. It is easier to re-burn an EEPROM with different parameters than to purchase unused ROMs, go through the hassle of burning them, etc.  EEPROMs are just convenient.

So, what, exactly does this mean? So what if they used EEPROM, what does that have to do with me?

Simple: YOUR USB device COULD be hacked and its firmware changed to accomplish something more nefarious than just saving your Leonard Nimoy musical collection. 

For example, say that two dollar thumb drive was intercepted at some point before it got to the store. Its firmware is changed so that when you plug it in, it makes a copy of itself on your computer. It plants something in your operating system that allows it to copy itself back to other USB drives. Oh, it also could record your keystrokes. Or, perhaps, it could encrypt your data. Bottom line is that you don’t know what it could do.

One concern is that the device, if compromised, could actually overwrite your computer’s operating system.  Now, the chances of this happening are astronomical. I chuckled when I heard it, but…it is not out of the realm of possibilities.  So, maybe unplug the thumb drive before you shut the computer down, if you do that.

Now, before you go throw them all away, consider this:  there have been no known exploits.  Most USB devices likely use real ROM; certainly the firmware in that Seagate you bought is in ROM. The chances of your computer actually being able to re-program other USB devices are likely slim. These embedded computers are limited in what they can do.
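Since the whole point of the post is that the computer only knows what a USB device claims to be, one thing a defender can actually check is what each attached device is claiming right now. The PowerShell audit below is an added example and not part of the original post or of the researchers’ work: it lists the USB devices currently plugged in, groups the Windows device nodes by the vendor/product ID pair that identifies one physical device, and records which kernel driver is bound to each interface. A thumb drive should bind only to the mass storage driver; the same VID/PID also binding to the HID (keyboard/mouse) driver is worth a look. It assumes Windows 8 or later (the built-in `PnpDevice` module’s `Get-PnpDevice` cmdlet) and that the `Service` property names the bound driver, with `USBSTOR` for mass storage interfaces and `HidUsb` for HID interfaces.

```powershell
# Added example (not from the original post): summarise attached USB devices
# by VID/PID and flag any single device that exposes both a storage interface
# and a human-interface (keyboard/mouse) interface.
function Get-UsbDeviceSummary {
    $byDevice = @{}

    Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USB\VID_*' } |
        ForEach-Object {
            # InstanceId looks like USB\VID_0781&PID_5567\<serial> or, for a
            # composite device, USB\VID_0781&PID_5567&MI_01\<id>. The VID/PID
            # pair is the grouping key; the interface number (MI_xx) is dropped.
            if ($_.InstanceId -match '^USB\\(VID_[0-9A-F]{4}&PID_[0-9A-F]{4})') {
                $key = $Matches[1]
                if (-not $byDevice.ContainsKey($key)) {
                    $byDevice[$key] = [pscustomobject]@{
                        VidPid   = $key
                        Services = New-Object 'System.Collections.Generic.HashSet[string]'
                        Names    = New-Object 'System.Collections.Generic.HashSet[string]'
                    }
                }
                # Service is the driver bound to this node (assumption: USBSTOR
                # for mass storage, HidUsb for keyboards/mice and other HID).
                [void] $byDevice[$key].Services.Add([string] $_.Service)
                [void] $byDevice[$key].Names.Add([string] $_.FriendlyName)
            }
        }

    foreach ($entry in $byDevice.Values) {
        $services   = @($entry.Services)
        $hasStorage = $services -contains 'USBSTOR'
        $hasInput   = $services -contains 'HidUsb'

        [pscustomobject]@{
            VidPid   = $entry.VidPid
            Drivers  = (($services | Sort-Object) -join ', ')
            Names    = ((@($entry.Names) | Sort-Object) -join '; ')
            Review   = ($hasStorage -and $hasInput)   # storage AND input on one device
        }
    }
}

Get-UsbDeviceSummary | Sort-Object Review -Descending | Format-Table -AutoSize
```

Read the `Review` column as “look at this”, not “this is malicious”: a phone, or a keyboard with a built-in card reader, legitimately shows both drivers, and the list covers only what is attached at the moment the script runs. What it does give you is a quick way to notice that the “thumb drive” you just plugged in is also presenting itself as a keyboard, which is the scenario the post is worried about.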

I, personally, am not too concerned about this, but I will think twice about grabbing that freebie drive or getting them at the Dollar General or Five Below. (Note: those are two fine stores, but some of the merchandise may not be as fine. They cannot control distribution from end to end. Just saying.)

The two researchers are presenting their findings at the Black Hat conference this week. I will follow up this post with any additional information they present.

Steven Nichols has a typical story that came out this past week regarding BadUSB. Have a gander here.