When the supply chain is insecure

Security types were tearing their hair out today over two different stories that illustrate how hard it is for consumers to protect themselves against privacy dangers.

First off, technologists discovered that Lenovo was selling computers that came pre-loaded with advertising software from Superfish that “fundamentally broke the security bubble of the machine,” according to security consultant Eric Rand. Superfish works by identifying photos users are viewing—while shopping, for example—and then offering up competitors’ products available at lower prices. Because the program wanted to be able to see what users were looking at—even on secure sites that encrypt their traffic—it placed itself between the user and the encryption process, called SSL, that normally safeguards secure sites. Experts call this a “man-in-the-middle attack.”

Worse, the spoofed security certificate that Superfish used to carry out the man-in-the-middle attack was easily cracked, meaning that hackers could theoretically take advantage of the vulnerability to monitor Lenovo users’ activity, or to spoof websites. This means that a user could, for example, think they’re visiting their Gmail inbox—and even see the SSL indicator on their browser—while actually visiting a site pretending to be Gmail.

Superfish paid Lenovo for the opportunity to be preloaded on the company’s machines. Lenovo’s apparent willingness to agree to such an arrangement outraged many security researchers.  “This is preying on the group of people least able to handle this effectively,” said Rand. “The average consumer can’t remediate these issues and that’s what they count on.”

“Even if you start with the premise that this is a legitimate business model, which it isn’t, it puts users at risk in way that is incomprehensible to me,” said Kenn White, a security technologist.

Lenovo realized the error of its ways and says it stopped putting Superfish on people’s computers in December. “The relationship with Superfish is not financially significant; our goal was to enhance the experience for users,” said Lenovo in a statement. “We recognize that the software did not meet that goal and have acted quickly and decisively.”

Lenovo is offering an illustrated guide for people who have Superfish on their computers to remove it. (You can check to see if it’s on your Lenovo device here.) But we now have to hope that everyone who has a Lenovo actually hears about this controversy, and feels technologically confident enough to fix their system. The company’s CTO also says he plans to also release software that will scrub Superfish from user’s machines.

The second story to break today came from The Intercept, which reports that intelligence agencies stole encryption keys from Gemalto, the largest manufacturer of SIM cards. With those encryption keys, the NSA and GCHQ (the NSA’s British equivalent) can secretly listen in on phone communications without having to go to the trouble of getting access from phone carriers. “Leading privacy advocates and security experts say that the theft of encryption keys from major wireless network providers is tantamount to a thief obtaining the master ring of a building superintendent who holds the keys to every apartment,” wrote Jeremy Scahill and Josh Begley.

Gemalto’s encryption keys were compromised thanks to malware that the British intelligence agency GCHQ was able to put on their computers, according to the Intercept.

We rely on manufacturers providing us with products that are fundamentally secure. When that security is subverted, either by state hackers or by the companies who sell us our devices, it means that consumers have to go to extra lengths to protect themselves. In the case of Lenovo, it means auditing your computer for security flaws and then rectifying them—not an easy task for the average user. With phones, it means using encrypted phone and messaging apps that make up for the phone’s built-in encryption being compromised—also not a walk in the park.

In both cases, it highlights how much harder we have to work these days to make sure our information stays private and secure.