This is a real security threat. If Lenovo is manipulating certificates, it becomes very easy to intercept all communications to/from a machine, whether they are encrypted or not. Additionally, it allows anyone else who can extract the certificate (and its private key) to do the same.
This would not be the first time a Chinese company has been caught "backdooring" equipment. The US, UK, Canada, Australia & New Zealand governments have banned Lenovo, Huawei & ZTE for good reason. See here and here for more info. The simple fact is this: the Chinese government is one of, if not the, largest cyberespionage organizations in the world. Due to the tight integration of Chinese business and the government, when something like this is discovered you can bet Beijing is behind it.
My suggestion to you if you own a Lenovo computer: buy a Dell (my personal preference) or an HP computer.
From Forbes:
How Lenovo's Superfish 'Malware' Works And What You Can Do To Kill It
Lenovo might have made one of the biggest mistakes in its history. By pre-installing software called ‘Superfish’ to get ads on screens it’s peeved the entire privacy community, which has been aghast this morning on Twitter. There are serious security concerns about Lenovo’s move too as attackers could take Superfish and use it to ensnare some unwitting web users.
What I find most disturbing in this article:
But there’s a bigger concern that Lenovo is intercepting encrypted traffic so it can show ads on people’s computers. In the security world, this is known as a man-in-the-middle attack. If Lenovo was doing this, it would have to interrupt what’s known as the certificate chain. This is a chain of trust, whereby companies who run the machines that users visit on their way to a particular website provide certificates to prove they’re a legitimate party and not a malicious actor, like a criminal or a spy.
With Superfish, it’s been claimed Lenovo is using a self-signed certificate to appear as a trusted party (which it no doubt considers itself to be) along the chain. In theory, it is therefore able to see users’ traffic and alter it in whatever way it sees fit. This method, according to Robert Graham of Errata Security, makes Superfish the root Certificate Authority (CA) – essentially the link that decides what encrypted communications to trust.
“It means Superfish can generate a valid (from the browser’s standpoint) encryption certificate for Facebook or Google, or any other site using HTTPS,” noted security analyst Andreas Lindh.
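As an added example (not from this post or the Forbes article), here is a PowerShell check a Windows user or administrator can run to see whether a root certificate associated with Superfish sits in the trusted-root stores the browser relies on. It assumes the certificate's Subject or Issuer contains the string 'Superfish'; the article names the software but not the certificate's distinguished name.

```powershell
# Added example, not code from the post or from Lenovo/Superfish.
# Audits the machine-wide and per-user trusted-root stores for a root
# certificate whose Subject or Issuer mentions Superfish and reports it,
# so the operator can decide whether to remove it.
# Assumption: the Superfish root's Subject/Issuer contains 'Superfish'.
$pattern = 'Superfish'
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object {
        $_.Subject -match $pattern -or $_.Issuer -match $pattern
    } | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
        }
    }
}

if ($findings) {
    # Any hit here is a root that can vouch for a certificate minted for
    # any HTTPS site the browser visits, which is the concern described above.
    $findings | Format-Table -AutoSize
    # Removal (LocalMachine\Root needs an elevated shell); review the table first:
    # $findings | ForEach-Object { Remove-Item -Path "$($_.Store)\$($_.Thumbprint)" }
} else {
    "No root certificate matching '$pattern' found in the user or machine Root stores."
}
```

Browsers that keep their own trust store rather than using the Windows one are not covered by this check and have to be audited separately.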