Lenovo has been caught installing adware onto a number of its laptops that can expose customers' encrypted web traffic to cyber criminals wishing to steal their data.

The software, called Superfish Visual Discovery, came pre-installed on Lenovo machines and can inject third-party ads in Google and other searches carried out in Internet Explorer (IE) and Chrome, while making them look like genuine ad results.
The technique has infuriated many users and caught the attention of Lizard Squad, which hacked the Lenovo website in an apparent revenge attack.
Consumers began complaining about Superfish Visual Discovery, which can also produce pop-ups and cause some websites not to render properly, as long ago as September 2014. However it took until 23 January this year for Lenovo to acknowledge users’ complaints about it being more than simple crapware.
Mark Hopkins, Lenovo’s program manager for social media, posted a statement on the Lenovo forums reassuring customers their online behaviour is not tracked by the adware, and that the technology is “purely contextual/image based and not behavioural”.
Superfish security threat
Nevertheless, serious concerns have been raised about the out-of-the-box nature of this software, both from a privacy and a security point of view.
Firstly, Superfish Visual Discovery was created by a third-party company, called Superfish, which is not part of Lenovo. Therefore, any data collected by the program is being sent back to a third party.
On the security side, some have argued Superfish can be thought of as a “man-in-the-middle” malware, including Facebook engineering director, Mike Shaver.
Lenovo installs a MITM cert and proxy called Superfish, on new laptops, so it can inject ads? Someone tell me that’s not the world I’m in.
— Mike Shaver (@shaver) February 19, 2015
Additionally, Superfish installs its own self-signed root certificate in the Windows trusted root store, so any certificate it issues is accepted by Internet Explorer and Chrome just as one from a public certificate authority would be. The Superfish proxy uses that root to generate a certificate on the fly for every HTTPS site the user visits, which is what lets it read and alter data sent over supposedly secure SSL connections, including online banking sessions.
While there’s no indication Superfish or Lenovo have carried out this kind of snooping, the design itself puts users at risk: because the proxy signs certificates locally, the root certificate’s private key has to be present on every affected machine, and an attacker who extracts it can impersonate any HTTPS site to an affected laptop, for example on a shared Wi-Fi network.
Because Windows trusts the Superfish certificate as a root, security bloggers Decent Security argued it could also be used by cyber criminals to sign malware so that Windows treats it as coming from a trusted publisher, which could let a malicious program slip past protections that rely on code signing.
This scenario is made worse by the fact Superfish uses the same certificate, and therefore the same private key, for all installations, meaning once a malicious actor has extracted the key from one machine, they have the key for all of them.
.@akatakritos @ETFovac @__apf__ #superfish Yours: http://t.co/JhaE5UqOQJ Mine: http://t.co/F2RXfz8blF Same RSA modulus and SPKI. 😐
— Chris Palmer (@fugueish) February 19, 2015
Chris Boyd, a malware intelligence analyst at Malwarebytes, told PC Pro: “Preinstalled software is always a concern because there’s often no easy way for a buyer to know what that software is doing – or if removing it will cause system problems further down the line. While a clean operating system install is preferable, it isn’t always practical – hitting the rollback / factory setting button on a new machine will give you back programs you’ve just tried to remove, and not everybody has a stack of operating system discs to hand.
“In this particular case, anybody affected should uninstall the Superfish software then type certmgr.msc into their Windows search bar – from there, they can find and remove the related root certificate.”
There is also the question of the legality of Lenovo’s pre-installation of Superfish on users’ computers.
Lawyer David Marchese, the English member of international legal network Globalaw, told PC Pro: “From a legal perspective … the questions will be, is someone making use of a consumer’s personal data without their prior consent or other lawful justification? Is the consumer’s personal data being sent out of the EEA without consent and so on.”
Marchese said those upset by Lenovo’s behaviour may be able to bring a civil case against the company as well.
“If a consumer purchases a computer that has inbuilt threats to their security, that would seem to give rise to basic claims under the Sale of Goods Act 1979,” he said.
PC Pro also contacted the Information Commissioner’s Office (ICO), which oversees communications and data regulation and standards in the UK. A spokesperson said: “We are aware of concerns that have been expressed about Lenovo’s handling of consumers’ information and will be making enquiries to establish the full details.”
Superfish: Lenovo’s response
In a statement, Lenovo told PC Pro: “Lenovo removed Superfish from the preloads of new consumer systems in January 2015. At the same time Superfish disabled existing Lenovo machines in market from activating Superfish.”
“Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market,” Lenovo said.
“We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns. But we know that users reacted to the issue with concern, and so we have taken direct action to stop shipping any products with this software,” it added.
Lenovo also told us that Superfish “was preloaded onto a select number of consumer models only”. However, this seems to be contradicted by complaints on the Lenovo forum that the program was causing IE not to recognise .Net smart cards, which are used for security and access management within some businesses.
The company said it’s “thoroughly investigating all and any new concerns raised regarding Superfish”.
Let us know in the comments if you’ve experienced any similar problems, we will also be updating this article as new information becomes available.
How to detect if you have Superfish
Update: Vaughn Highfield: If you have a Lenovo laptop and are unsure if you have to worry about Superfish intercepting your transactions there are a number of ways to see if you’ve got Superfish running under the hood.
One surefire way to know that you’re fine is if you bought your laptop from Microsoft’s Signature range of laptops. These laptops come completely bloatware free, so you know you’re getting a device without Superfish or any other pre-installed – and potentially dangerous – rubbish.
If you didn’t do that, you can head on over to this Superfish CA test, which checks whether your browser trusts the Superfish certificate and will tell you rather plainly if Superfish is in a position to intercept your communications. There’s also a slightly more colourful variant on the LastPass blog, offering up instructions on how to uninstall the program and remove the old certificates.
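The two checks this article describes – the shared-key comparison behind Chris Palmer’s tweet and the “look in certmgr.msc and remove the root certificate” advice in this section – can be done from PowerShell. The script below is an added example written for this page; it is not code from PC Pro, Lenovo, Superfish or either of the linked test sites. It assumes only that the certificate’s Subject contains the string “Superfish” and that the two Windows root stores (LocalMachine and CurrentUser) are the ones to inspect; the script filename used in the usage note is hypothetical.

```powershell
# Added example: not code from PC Pro, Lenovo or Superfish. Searches the Windows root
# certificate stores for a Superfish CA certificate, prints a fingerprint of its public
# key so it can be compared between machines, and deletes it when run with -Remove.
# Assumption: the certificate's Subject contains "Superfish"; the two store paths below
# are the ones checked. Run from an elevated PowerShell to change the LocalMachine store.
param(
    [switch]$Remove
)

$StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

# SHA-256 over the DER-encoded public key. Two certificates with the same RSA modulus
# and exponent give the same value, so this reproduces the "same RSA modulus and SPKI"
# comparison: an identical fingerprint on two laptops means one shared key pair.
function Get-PublicKeyFingerprint {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $hash = $sha.ComputeHash($Cert.PublicKey.EncodedKeyValue.RawData)
    } finally {
        $sha.Dispose()
    }
    return ([System.BitConverter]::ToString($hash) -replace '-', '').ToLowerInvariant()
}

# Return one record per matching certificate across the given root stores.
function Find-SuperfishRoot {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match 'Superfish' } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    KeySha256  = Get-PublicKeyFingerprint -Cert $_
                    NotAfter   = $_.NotAfter
                    Cert       = $_
                }
            }
    }
}

# Delete a found certificate through the .NET store API, which behaves the same for
# the LocalMachine store (needs admin) and the CurrentUser store.
function Remove-RootCertificate {
    param($Entry)
    $location = if ($Entry.Store -like 'Cert:\LocalMachine\*') { 'LocalMachine' } else { 'CurrentUser' }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $location)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        $store.Remove($Entry.Cert)
        Write-Output "Removed $($Entry.Thumbprint) from $($Entry.Store)"
    } finally {
        $store.Close()
    }
}

$found = @(Find-SuperfishRoot -Paths $StorePaths)
if ($found.Count -eq 0) {
    Write-Output 'No certificate with "Superfish" in its subject found in the Windows root stores.'
} else {
    $found | Format-Table Store, Thumbprint, KeySha256, NotAfter -AutoSize
    if ($Remove) {
        foreach ($entry in $found) { Remove-RootCertificate -Entry $entry }
    } else {
        Write-Output 'Uninstall the Superfish software first, then re-run with -Remove to delete the certificate(s).'
    }
}
```

Run it once without arguments (for example as `.\Find-Superfish.ps1`) to see whether a Superfish root is present and to get its key fingerprint; a friend with another affected Lenovo laptop will get the same KeySha256 value, which is the point of the tweet above. Uninstall the Superfish program before running with `-Remove`: if the proxy is still running after its root has been deleted, every HTTPS site will start throwing certificate warnings, because the proxy keeps presenting certificates that nothing trusts any more. Browsers that keep their own trust store rather than using Windows’ (Firefox, for instance) need to be checked separately; this script only covers the Windows stores.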
While you may just think “oh how bad could it be?” it’s worth noting that within an hour or so of Superfish’s discovery, Errata Security published a walkthrough of extracting the root certificate’s private key from the Superfish software, showing just how easy it is for anyone on the same network to intercept an affected laptop’s encrypted traffic and see exactly what you’re doing with your computer.
Scary stuff indeed.