Thursday, Creepy Thursday (firstlook.org)

Jeremy Scahill and Josh Begley, writing for the Intercept:

The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ. The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world’s cellular communications, including both voice and data.

The company targeted by the intelligence agencies, Gemalto, is a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards. Among its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. The company operates in 85 countries and has more than 40 manufacturing facilities. One of its three global headquarters is in Austin, Texas and it has a large factory in Pennsylvania.

“Well, that’s the government,” you begin, “can’t trust ’em.” Surely, then, a private corporation will fare better?

Allow Ars Technica’s Dan Goodin to pour cold water all over that theory:

Lenovo is selling computers that come preinstalled with adware that hijacks encrypted Web sessions and may make users vulnerable to HTTPS man-in-the-middle attacks that are trivial for attackers to carry out, security researchers said.

The critical threat is present on Lenovo PCs that have adware from a company called Superfish installed. As unsavory as many people find software that injects ads into Web pages, there’s something much more nefarious about the Superfish package. It installs a self-signed root HTTPS certificate that can intercept encrypted traffic for every website a user visits. When a user visits an HTTPS site, the site certificate is signed and controlled by Superfish and falsely represents itself as the official website certificate.

Even worse, the private encryption key accompanying the Superfish-signed Transport Layer Security certificate appears to be the same for every Lenovo machine.
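The practical takeaway from the Superfish story is that any root certificate an unknown party holds the private key for must not stay in the trust store. The following PowerShell check is an added example, not code from the article, Ars Technica or Lenovo; it walks the Windows root stores and reports any certificate whose subject or issuer names Superfish (the `*Superfish*` match pattern is an assumption based on the vendor name in the quote). Run it from an elevated prompt so the LocalMachine store is readable.

```powershell
# Added example: enumerate the Windows trusted root stores and flag any
# certificate whose subject or issuer mentions Superfish. The match pattern is
# an assumption; the page only gives the vendor name.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$suspect = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotBefore, NotAfter
}

if ($suspect) {
    Write-Warning "Trusted root certificate(s) matching 'Superfish' found:"
    $suspect | Format-Table -AutoSize
    # Removal step: uncomment once the thumbprint has been confirmed. Deleting
    # the root entry is what stops the OS (and IE/Chrome) from accepting
    # certificates signed with the shared Superfish key.
    # $suspect | ForEach-Object { Remove-Item -Path ("{0}\{1}" -f $_.Store, $_.Thumbprint) }
} else {
    Write-Host "No trusted root certificate matching 'Superfish' found."
}
```

Firefox keeps its own certificate store, so this check covers only what Windows itself trusts; inspect the Firefox Authorities list separately.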

“Phew, at least I don’t have a Lenovo PC,” you sigh.

Yeah, but do you have OnStar? Or a Kinect? Or an LG TV? Or a bunch of other products?

Earlier this month, Samsung was the target of a privacy dust-up due to a disturbing sentence in the privacy policy for its smart TVs: “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party.”

[…]

But Samsung’s televisions are far from the only seeing-and-listening devices coming into our lives. If we’re going to freak out about a Samsung TV that listens in on our living rooms, we should also be panicking about a number of other emergent gadgets that capture voice and visual data in many of the same ways.

At this point, you’re forgiven if you’re preparing to crawl into the fetal position under your desk. Happy Thursday, everyone.