Lenovo

You’ve almost certainly heard about the astoundingly stupid actions on the part of Lenovo. Forget about the security implications for a minute. What this boils down to is that Lenovo sold out their customers for a few pieces of silver by installing adware that, despite Lenovo’s protestations, no customer would want. Think about that for a moment. You pay good money for a relatively expensive product and the company selling it to you purposely makes it less useful than what you thought you were buying: unwanted ads pop up and other software stops working.

But of course security is the main story here. The adware, SuperFish, works by intercepting the victim’s HTTP stream so that it can inject ads. That’s bad, but even worse is that it also snooped on SSL/TLS (HTTPS) connections by mounting a man-in-the-middle (MITM) attack. It’s as if Lenovo had never heard of what happened when Sony tried something like this. The spying on encrypted connections is arguably illegal and you can be sure there will be lawsuits, perhaps from the states, as happened in the Sony case. Regardless, Lenovo’s reputation has suffered significant, perhaps mortal, damage.

But it gets worse. The MITM attack was effected by installing a self-signed certificate into the system’s trusted root store, so that it acts as a trusted CA certificate. Of course, if SuperFish could use the certificate’s private key, so could anyone else. SuperFish encrypted the private key but, obviously, the password protecting it had to be in the binary in order for SuperFish to use it. It took Robert Graham no time at all to recover the password and decrypt the private key. Since every affected laptop trusts the same root and the same private key, anyone using an infected laptop at a coffee shop or some other public WiFi hot spot is subject to having their supposedly encrypted traffic intercepted.
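One practical check a user or administrator can run against this kind of interception is to look at who actually issued the certificate a site presents: if a local root is signing certificates for sites it has no business signing, the issuer will not be the public CA you expect. This is an added example, not code from the post or from Lenovo or SuperFish; the hostname, the expected issuer names and the sample certificate dictionaries are constructed assumptions.

```python
"""Flag TLS interception by checking the issuer of a site's certificate
against the CA you expect (added example, constructed sample data)."""
import socket
import ssl


def issuer_org(peercert):
    """Return the issuer organizationName from an ssl.getpeercert() dict."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def looks_intercepted(peercert, expected_issuer_orgs):
    """True when the certificate was not issued by a CA you expect for
    this host. Note that chain validation alone cannot catch this case:
    an interception root installed in the trust store validates fine."""
    org = issuer_org(peercert)
    return org is None or org not in expected_issuer_orgs


def fetch_peercert(host, port=443, timeout=5):
    """Connect to host and return the leaf certificate as a dict.
    Uses the OS trust store, so an installed interception root passes."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in ssl.getpeercert() format (assumption: the hostname
# and CA names are invented for this example).
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": ((("organizationName", "Local Interception CA (constructed)"),),
               (("commonName", "Interception Root"),)),
}
SAMPLE_CLEAN = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": ((("organizationName", "Expected Public CA (constructed)"),),
               (("commonName", "Expected Public CA Issuing G2"),)),
}
EXPECTED_ISSUERS = {"Expected Public CA (constructed)"}

if __name__ == "__main__":
    for name, cert in (("intercepted", SAMPLE_INTERCEPTED), ("clean", SAMPLE_CLEAN)):
        print(name, "->", "INTERCEPTED" if looks_intercepted(cert, EXPECTED_ISSUERS) else "ok")
```

A corporate TLS-inspecting proxy trips the same check, which is the point: the issuer tells you whether something between you and the site is terminating your encrypted session.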

Lenovo’s reaction to all this is appalling. The best interpretation is that they’re clueless about the security implications. The more likely explanation is that they’re in CYA mode. Lenovo continues to insist that SuperFish poses no security problem despite Graham’s definitive demonstration to the contrary. As I said, expect lawsuits.

UPDATE: certificated → certificate

UPDATE2: I just don’t understand this. Lenovo has proven they don’t care about their users or their safety. Why would you reward them with your trust or money?

UPDATE3: Here’s Robert Graham again putting the lie to Lenovo’s “theoretical concerns” with an actual working exploit. If you’ve got one of these laptops, you need to take action immediately.
