Wednesday, March 30, 2011

Bad security juju

It looks like Samsung ships laptops where they've pre-installed keyboard loggers:
While setting up a new Samsung computer laptop with model number R525 in early February 2011, I came across an issue that mirrored what Sony BMG did six years ago. After the initial setup of the laptop, I installed licensed commercial security software and then ran a full system scan before installing any other software. The scan found two instances of a commercial keylogger called StarLogger installed on the brand new laptop. Files associated with the keylogger were found in a c:\windows\SL directory.

According to a StarLogger description, StarLogger records every keystroke made on your computer in every window, even in password-protected boxes.
This is double-plus ungood, from a security perspective. The fact that a vendor would record your passwords without your knowledge or consent is a huge breach of trust. So far, the Samsung PR flacks are ducking the issue.

My recommendation is that anyone considering buying one of these reconsider.

Update 31 March 2011 11:17: An anonymous commenter says this is a false alarm. El Reg adds some detail:
Samsung has issued a brief denial, in which it said the researcher has identified an innocuous directory as the keylogger in error. Its statement says that the researcher's security program "mistook a folder created by Microsoft Live Application for a key logging software, during a virus scan."
If this is an antivirus false-positive event, I wonder if Samsung could sue for damage to reputation.

Keads said...

I hate to say it, but I recommend building your stuff from scratch. It used to be cheaper, but not any more. Fresh components from different manufacturers and a clean install of an OS of your choice will work wonders.

wolfwalker said...

Um, you want to try to build a laptop from off-the-shelf components?

I hope Samsung gets a bloody nose for this, PR wise. No, a whole bloody face. They deserve it. How friggin' stupid can you get, betraying your own customers' trust this way?

Keads said...

Whoops! Sorry wolfwalker you are absolutely correct!

I stand corrected! Since I deal with desktops my view was skewed.

Midwest Chick said...

Definitely crosses Samsung off my list of computers to buy. But if they are doing it, I wouldn't put it past any of the other companies to be doing it too.

wolfwalker said...

Keads: I should add that WRT desktops I agree, to a large extent. Building my own PCs is a very satisfying activity. The only problem is the occasional hardware/software inconsistencies one encounters. But I think that's made up for by the certainty that I know what's in that box, and what's on that hard drive, because I'm the one as put it there.

But laptops are a different animal. I'd as soon try to build my own laptop as build my own car or dSLR.

Keads said...

@wolfwalker- I concur!

Anonymous said...

Samsung has no interest whatsoever in what you do, so the question is: who told them to do this, and why, and can we trace where the data is being sent?
Has some paranoid government agency insisted all laptops in the USA have this installed, all in the name of puppies, kittens and, of course, the children?

Anonymous said...

Or, on reflection, Samsung will not make the laptops themselves or install the software, so either the third-party (probably Chinese) manufacturer did it on instruction from their government. Samsung will license an OEM version of the Microsoft OS and other products to install; all it takes is something to be added without their knowledge.
I used to work for a company way back in the day that made that software under license for shipment with PCs. It would be easy to change the master copy with a modified one. Just some thoughts; or Samsung really is so dumb that they have now broken lots of federal laws, if any data has been taken without permission.

Anonymous said...

False alarm: not a keystroke logger at all.

TOTWTYTR said...

The danger of the Internet (one of them) is that a story can fly around it instantly and have undeserved credibility.

Turns out it was bad security software.

Lawyers will be forthcoming.