Computers, Privacy & the Constitution

Why Are Our Device Manufacturers Harming Us and What Can Be Done To Prevent It?

-- By AriGlatt - 10 May 2015

Introduction

Privacy evokes a cornucopia of concepts for Americans, some of them tied to traditional notions of civil liberties and some of them driven by concerns about the surveillance of digital communications. Edward Snowden alerted America and the world to how the US government engages in massive, illegal dragnet surveillance of the domestic and international communications records of millions of ordinary people. But the NSA is not the only one trying to access others' internet data, and therefore internet users endeavor to protect their privacy from hackers in many different ways.

One such tactic to shelter communications is to use secure HTTPS connections for encrypting transmission data. Many sites on the web offer some limited support for encryption over HTTPS. Large sites like Google have migrated towards HTTPS by default for most purposes. HTTPS protection is valuable in order to defend Internet users against surveillance of the content of their communications, cookie theft, account hijacking, and other web security flaws.

Superfish and Lenovo's Disruption of HTTPS Encryption

It is obvious that the benefits of HTTPS encryption are undermined if there are weaknesses and vulnerabilities in the encryption protocols, which is why data privacy experts were horrified by a piece of news that broke a few months ago: Lenovo had been shipping laptops with a horrifically dangerous piece of software called Superfish. Superfish tampers with Windows' cryptographic security to perform man-in-the-middle ("MITM") attacks. This means that the Superfish software intercepts the encrypted traffic for web sites visited by the user and presents its own certificate in place of that web site's. If a computer has the Superfish certificate installed, it won't recognize fake web sites (for example, a phishing site that masquerades as the site of a legitimate bank) as imposters.

The problems don't stop there. The encryption key for the Superfish certificate has been cracked and publicized on the web, so attackers can use that key to initiate more man-in-the-middle attacks. Because this certificate is so weak, anyone can take its private key, use the password, and sign anything from fake certificates to viruses or malware, and your PC will trust it because it is signed by a trusted certificate. Therefore, any controls on one of these laptops that were used to stop malware by only allowing signed programs are now worthless.

If you purchased a Lenovo computer anytime within recent memory, then it is strongly recommended that you check whether your machine is vulnerable. Many websites offer this check for free, such as the one here.
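
The same check can be run locally. The PowerShell below is an added example, not part of the original essay or any vendor's tool: it lists every certificate in the Windows root stores whose subject or issuer names Superfish. Matching on the string "Superfish" is an assumption about how the certificate is labelled, and browsers that keep their own trust store are not covered.

```powershell
# Added example: look for a Superfish certificate among the trusted roots on Windows.
# Assumption: the certificate's Subject or Issuer contains the string "Superfish".
$stores = @(
    'Cert:\LocalMachine\Root',
    'Cert:\LocalMachine\AuthRoot',
    'Cert:\CurrentUser\Root',
    'Cert:\CurrentUser\AuthRoot'
)

$hits = foreach ($store in $stores) {
    # Skip stores that do not exist on this machine or profile.
    if (-not (Test-Path -Path $store)) { continue }

    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match 'Superfish' -or $_.Issuer -match 'Superfish' } |
        Select-Object @{ Name = 'Store'; Expression = { $store } },
                      Subject, Issuer, Thumbprint, NotBefore, NotAfter
}

if ($hits) {
    Write-Warning 'A certificate naming Superfish is trusted as a root on this machine:'
    $hits | Format-List
    # Removing it from a LocalMachine store needs an elevated prompt, e.g.:
    #   Remove-Item -Path '<Store>\<Thumbprint>'
    # Uninstalling the Superfish program does not by itself guarantee
    # that the certificate is gone, so re-run this check afterwards.
} else {
    Write-Output 'No certificate naming Superfish found in the Windows root stores.'
}
```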

Reasoning Behind Manufacturers Allowing Superfish

So why are companies allowing their devices to ship with such harmful software? This is done in order to inject advertising into secure HTTPS pages. So the pivotal answer to the aforementioned question is: Device manufacturers allow Superfish in order to make money. This latest Superfish debacle highlights the strategy for device manufacturers across the electronics ecosystem looking to get their slice of the billion-dollar advertising revenue market: Software vendors pay hardware vendors to include their products on the machines. These embedded programs are delivered like Trojan horses, bundled into devices with the sole intent of spying on the user and generating revenue at the expense of the user's privacy.

Although Lenovo was at the forefront of the news regarding the negative impact of pre-installed programs, Lenovo is hardly the only device vendor that takes it upon itself to embed software programs that users neither need nor want. This has been an ongoing problem for many years, since even if these unwanted pre-installed programs don't pose a security risk, bloatware can have other negative effects. Some of these effects are merely annoying in that they take up precious space on devices with limited storage, suck up bandwidth, reduce battery life, or even cut into mobile data allocations by accessing the network periodically even though they aren't being used.

Possible Solutions

Some backlash has already started to affect Lenovo. Some investigations have been launched into Lenovo’s preinstalled software. Additionally, Lenovo was hit by a lawsuit over the Superfish adware. But it is doubtful that this will be enough to warn other greedy manufacturers to take a more transparent approach.

Something stronger needs to be done in order to prevent manufacturers from preloading malicious software or bloatware. Consumers need to put enough pressure on hardware vendors or operating system vendors to convince them that it's bad for business to include bloatware and tracking tech. This could be accomplished by boycotting known manufacturers who endanger their users with preloaded apps just in order to make a quick buck. Hopefully the publicity from Superfish will be a wake-up call for consumers. Consumers need to educate themselves and take precautions to know who is capable of watching them on their own device, regardless of whether it is the manufacturer through unwanted adware, the government, or hackers using malicious techniques.

A better solution and one more likely to get results would be to have legislation that would prevent this problem of hidden embedded tech. South Korea has tried to remove bloatware by enacting new regulations banning the practice. The United States needs to follow suit and reform the law to protect its citizens against illegal prying eyes; that is, other than the United States government.

Conclusion

We trust our hardware manufacturers to build products that are secure. When the manufacturers start enabling the bad guys to get into the supply chain and install malware, it is devastating. This is why it is all the more disappointing and shocking to find that it is legal for a manufacturer to be doing this to its customers voluntarily. Lenovo's decision to ship software using MITM certificates to inject ads was an utter abuse of the trust their customers placed in them. Legislation is necessary to prevent Lenovo and other companies from being so blinded by revenue that they create egregious security risks for their innocent consumers.


r2 - 26 Jun 2015 - 20:48:48 - MarkDrake