U.S.-based security researchers Errata Security reported on Thursday that China’s Lenovo was pre-installing malicious adware on laptops that makes the devices vulnerable to hackers. A Reuters article notes that users have been complaining since last summer that a program called Superfish found on Lenovo laptops was actually adware (software that automatically displays custom advertisements).
After taking over IBM’s PC division some years ago and Motorola more recently, Lenovo has become the dominant player in the global PC market. According to research firm IDC, Lenovo controlled just over 20% of the global PC market as of year-end 2014.
Superfish makes devices vulnerable to “man in the middle” attacks
Robert Graham, CEO of Errata Security notes that Superfish is essentially malicious software that hijacks encrypted connections and makes it easy for hackers to also take over these connections and spy. This is typically known as a man-in-the-middle attack.
Graham pointed out that Lenovo installed Superfish on retail consumer computers running Microsoft Windows. “This hurts Lenovo’s reputation,” Graham said in an interview Thursday. “It demonstrates the deep flaw that the company neither knows nor cares what it bundles on their laptops.”
Of note, the adware functions as an unrestricted root certificate authority, and installs a proxy that produces spurious SSL certificates whenever a secure connection is requested. Creating its own SSL certificates allows Superfish to operate even on secure connections, so it can place ads and read data from pages intended to be private.
Response from Lenovo
After the complaints started getting voluminous, an administrator on Lenovo’s web forum announced on January 23 that Superfish has been temporarily removed from consumer computers.
Lenovo responded to The Verge on Thursday, noting that the company is “thoroughly investigating all and any new concerns raised regarding Superfish.” The firm also went on record confirming that Superfish had been “disabled” on existing machines in January and it is no longer being installed on new machines.
The PC titan had said the technology was innocuous just last month, but the firm’s initial defense of the adware didn’t mention the huge security flaw, and Lenovo has clearly decided it’s better to cut their losses and move forward before the PR bloodbath gets worse.
Lenovo negligent any way you look at it
Graham and a number of other cybersecurity experts have come out saying Lenovo was negligent in installing Superfish. They also note it’s possible that your device will still be vulnerable after Superfish is gone because the program opens up encryptions by taking over connections and declaring them as trusted and secure, even when they are not.
“The way the Superfish functionality appears to work means that they must be intercepting traffic in order to insert the ads,” commented Eric Rand of Brown Hat Security. “This amounts to a wiretap.”
More on Superfish
In an interesting aside, Superfish was recently ranked fourth on the Inc. 500 list of the fastest growing companies in the United States (the number one software company). The Superfish app analyzes the images you are viewing in a browsing session and then searches over 70,000 stores to find similar products at the lowest possible price. The software firm markets itself as a “pioneer in visual search technology,” but cybersecurity experts say Superfish is really no more than a Trojan Horse for hackers.
UPDATE: FIND STATEMENT FROM LENOVO BELOW:
Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping. However, user feedback was not positive, and we responded quickly and decisively:
1) Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.
2) Lenovo stopped preloading the software in January.
3) We will not preload this software in the future.
We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns. But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software. We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first.
To be clear, Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. Users are given a choice whether or not to use the product. The relationship with Superfish is not financially significant; our goal was to enhance the experience for users. We recognize that the software did not meet that goal and have acted quickly and decisively.
We are providing support on our forums for any user with concerns. Our goal is to find technologies that best serve users. In this case, we have responded quickly to negative feedback, and taken decisive actions to ensure that we address these concerns. If users still wish to take further action, detail information is available at http://forums.lenovo.com.