Superfish breaks HTTPS

Lenovo in hot water over Superfish adware, but dismisses security worries (updated)

Reports from security consultants, media, and Lenovo users indicate that there’s bloatware pre-installed on recent Lenovo Windows PCs that’s a bit more sinister than a set of superfluous ThinkPad tools. It appears that adware called Superfish had been running on consumer laptops sold by Lenovo between September 2014 and this past January, raising significant security concerns.

In a statement issued on Thursday, Lenovo said although it had disabled Superfish “server side interactions” since January, it could “not find any evidence to substantiate security concerns.” It also promised not to pre-load Superfish in the future, while clarifying that Superfish requires users to approve its terms of use, and that it hasn’t been installed on devices since “December.”

Update: Sometime today, Lenovo changed its statement and quietly removed the line “We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.” The statement was most likely tweaked because there is actually a lot of evidence to back up that Superfish is a security problem. Lenovo also posted a PDF with instructions how to remove Superfish.

The Electronic Frontier Foundation called Superfish “horrifically dangerous” and a “security catastrophe.”

The worst part is, Superfish isn’t even tangentially useful to the consumer. It’s ad-placing software — so far, what it appears to do is to place it own ads against Google search results, which presumably generates income for both Lenovo, and Superfish, which is a privately-held Palo Alto-based company. Lenovo’s statement said that Superfish was included to “to help customers potentially discover interesting products while shopping.”

While ads might be annoying, the real problem with Superfish is the liberties it takes with users machines’ to serve those ads, which resembles a “man-in-the-middle” attack. The adware makes itself an unrestricted root certificate authority in Windows, so it is able to spoof SSL certificates. If you connect to a secure website, such as your bank, from Internet Explorer or Google Chrome on an affected Lenovo laptop, the security certificate will have been signed by Superfish, as opposed to a trusted SSL certificate services provider like VeriSign.

Essentially, this discovery means that HTTPS browsing on an affected Lenovo laptop is insecure. In fact, researchers have already cracked Superfish’s private key — which was the same on all affected laptops — meaning hackers could snoop on encrypted traffic while on the same network, or even install malware under the guise of a trusted program. Simply uninstalling the program doesn’t remove the unrestricted root certificate.

Lenovo is the top PC vendor in the world, according to IDC, and shipped over 16 million PCs in the fourth quarter of last year, part of the time period where Superfish was preinstalled on some devices. Here’s a online test to check whether your device is affected.

2 Responses to “Lenovo in hot water over Superfish adware, but dismisses security worries (updated)”