In the past week Lenovo has been in the firing line from multiple angles; adware factory installed on their consumer systems, the injection of third party content into browsers, hidden root certificates installed on the systems, followed by the most damaging aspect – flawed technical implementation by the third party – Komodia.
The end result is a system which is remotely exploitable without any notification to the end user. Proven by Filippo Valsorda and then the pervasive nature of the exploit has been exposed in other products using the SDK of Komodia.
Numerous pieces of software are vulnerable due to password and certificate reuse and the full impact of that situation will depend on the market penetration of Komodia and its SDK.
The combination above effectively has the ability to destroy any consumer/business brand loyalty and trust due to the incompetence, and downright foolishness of their decisions. Risking their customer base in such a manner shows a lack of concern around security and in a best case, shoddy business ethics.
Hopefully OEM’s learn from these mistakes and start to clear up their pre-installs, however the tendency for these pieces of software be pre-installed on a system without the users permission leaves them in a precarious position. Especially in the UK where a person can be convicted for:
(a)he causes a computer to perform any function with intent to secure access to any program or data held in any computer or to enable any such access to be secured;
(b)the access he intends to secure, or to enable to be secured, is unauthorised; and
(c)he knows at the time when he causes the computer to perform the function that that is the case.
Points 2 and 3 of the offences is an interesting debate as to what extent they would be liable, however it highlights that law such as the computer misuse act is not causing a large enough impact on the actions and decisions manufacturers make. More so when there is an implied trust between the purchaser of a system and the company selling/manufacturing it.
No person would expect a brand new car to have doors that unlock remotely for anyone who asks, and for these terms to be hidden in a EULA that no sane person would ever read. When the average user spends just seconds reading over a document which can take minutes to hours to comprehend should terms like these be allowed?
Going forward my proposal would be a compartmentalised setup where users select what they want during the install phase:
- EULA – General Terms for use of hardware, specific operating system and core drivers.
- Value add manufacturer applications such as wifi managers, update managers (for example HP System update).
- Third party software (Antivirus, YouCam, PowerDVD and the likes).
- Advertising/adware software which the manufacturer may or may not have been paid for.
This clears up confusion around what a basic system requires, what software is actually needed/performs useful functions, and what software is effectively useless to the end user. With EU law dictating a browser ballot for all computer systems in the EU, can something like the above not be enshrined in law to secure consumers whilst offering the user friendly choice they deserve?
Taking an install approach much like the guys and gals at Ninite use during the setup phase with explicit descriptions could allow end-user customisation with the added benefit of customer satisfaction and ownership of their product and brand.
In a world driven by how connected we are and the move towards easy to use computing systems, the above would fill a voice no manufacturer has claimed or will claim in the near future.