Friday, February 20, 2015 - 00:28

Pre-installed adware on Lenovo Laptops.

This stunt is absurd, bordering on the surreal. For some reason beyond me, Lenovo decided to pre-load Superfish Visual Discovery. In this form the software qualifies as adware.

The software itself is just a contextual image search wrapped in a product recommendation package. So if you look at a picture of Lenovo's CEO, for example, you'll get product recommendations for dildos, shotguns and electric chairs. There are actually useful applications for this. In this form, however, it's the very definition of adware. A while ago Lenovo's stance on this was:

[...] to help customers potentially discover interesting products while shopping.  However, user feedback was not positive [...]

To help customers potentially discover interesting products? ... fuck me. Seriously? What fucking moron do you have to be to crap out that ingenious idea? I'd guess 'not positive' is a major euphemism for devastating. Who on Earth wants additional ads injected into webpages? Well. Apparently there's at least one moron who is with Lenovo ... or maybe was.

But that's not the good part of the story. It gets better ... much better.

The usual problem for software like this is encrypted traffic. You could do everything locally, but that rarely works well either. So the solution is to operate as a man-in-the-middle, much like a proxy. To not fuck up the users' experience or to not get them suspicious - depending on the scenario - the software in question generates certificates for encrypted webpages on the fly. To prevent browsers from complaining about those certificates, the software installs its own root certificate as trusted in the system's certificate store. This allows the software to snoop into encrypted traffic without the user noticing or the browser complaining. The software is actually modifying the webpage. See where we are heading here?

Aside from the fact that I wouldn't want adware to snoop in on or modify my online banking, there's a much bigger problem here. The private key for the root certificate is shipped with the software. If an attacker can - and he can - extract it, he can create certificates for any website that every affected laptop will accept as valid. Shopping carts, online banking, otherwise secured pages. Everything. Not much explanation is required as to why this might not be an ideal situation. It's a major security risk. Again, Lenovo's stance on this is:

We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.

Really? It seems there are at least two morons working @Lenovo. If you do not see the security concern with this, then you probably should not be investigating security concerns in the first place. It's just not your thing.
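A quick way to check whether a Windows machine carries the root certificate described above, and whether HTTPS connections are actually being signed by it, as an added example that is not part of the original post. It assumes the certificate's subject or issuer name contains "Superfish"; that string and the placeholder host name are assumptions, not taken from the post.

```powershell
# Added example, not from the original post. Look for a trusted root whose
# subject or issuer mentions Superfish (assumed name) in both root stores.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$suspect = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' }
}

if ($suspect) {
    Write-Output 'Suspect root certificate(s) found:'
    $suspect | Select-Object PSParentPath, Subject, Thumbprint, NotAfter | Format-List
} else {
    Write-Output 'No Superfish-named root certificate found in the trust stores.'
}

# Second check: open a TLS connection and look at who signed the server's
# certificate. A public site whose certificate is issued by a locally installed
# root means traffic on this machine is being intercepted and re-signed.
$hostName = 'www.example.com'   # placeholder; use any public HTTPS site
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$client = New-Object System.Net.Sockets.TcpClient($hostName, 443)
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($hostName)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
Write-Output ("Certificate for {0} issued by: {1}" -f $hostName, $cert.Issuer)
if ($cert.Issuer -like '*Superfish*') {
    Write-Output 'HTTPS traffic is being re-signed by the local root; treat this machine as compromised until cleaned.'
}
$ssl.Dispose(); $client.Dispose()

# Removal, from an elevated prompt, once confirmed. Uninstall the software as
# well, otherwise it may simply put the certificate back.
# $suspect | Remove-Item
```

Removing the certificate alone is not enough; the software that installed it has to go too, and any password typed on the machine while the root was trusted should be treated as exposed.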

And of course the humiliation would not be complete without the PR clowns crapping on the floor.

Users are given a choice whether or not to use the product.  The relationship with Superfish is not financially significant; our goal was to enhance the experience for users.

Users had a choice whether they wanted to use the product or not? How exactly did they choose to use the software? The software was pre-loaded and active. That's not exactly a choice they made.

Why enhance the users' experience in the first place? They bought a laptop with Windows. If you don't advertise it, it's not a relevant factor. The guy already bought your laptop before he even knew it came with enhanced experiences.

And this is a lie, of course. If you actually do something that enhances the users' experience and thus raises the value of the product, you sure as hell make sure everyone knows about it before he makes a decision.

Financially not significant is probably right. But it doesn't have to be. The trick behind crapware, adware and other shit you never asked for that enhances your experience is this:

Every dollar made from the crap shipped with a product can be deducted from that product's price. That's why you always get truckloads of try-and-buy crap that's mostly completely useless. The deal takes pressure off the retail price. This is never anything that actually enhances your experience. It enhances the product's competitiveness. It's not meant as a major financial factor. It's meant to reduce the impact of price wars.

The fallout of this one is probably more than just financially significant. The damage to the products is huge. Most people check ratings these days, and most online shops offer them. The products in question are probably burned. The damage to Lenovo's reputation - if that Chinese backyard rat-shop ever had one - is not easily fixed.

If you're that kind of business, you're usually avoided once the customer knows. And many will know, one way or the other. Repairing this is going to cost real money. A lot of it.

Here's an idea for everyone thinking about enhancing their users' experience. Actually enhance their blood pressure by not enhancing the product.

[Update 20.02.2015]

Just to make a final point on the 'security concerns' statement above: Robert Graham extracted the private key yesterday. He has a detailed description of what he did online here.
