Lenovo and Superfish put your security and privacy at risk


NEWS

If you own a new Lenovo computer, your Web browsing sessions might not be private and your personal information is at risk. This unsettling problem comes courtesy of a partnership between Lenovo, the world’s largest seller of PCs, and its corporate partner Superfish (which may also be linked to Komodia, another company whose software intercepts SSL traffic). Whatever their intentions, the group created a security threat and a brand-damaging nightmare when they included Superfish bloatware on Lenovo machines sold at the end of 2014.

According to a statement by Lenovo, the pre-installed software was merely intended to “help customers potentially discover interesting products while shopping.” In reality, the software was designed to inject its own results and ads into the pages users viewed, on top of whatever results a search engine offered.

Lenovo customers as well as numerous companies have expressed outrage at this invasive practice. But beyond the annoyance to users and the frustration to websites that had their valuable search results unfairly modified, the real crisis with the Superfish bloatware is the security threat it poses to innocent victims.

The design and functionality of the Superfish software are the heart of the problem. It adds Superfish’s own root certificate authority (CA) to the trusted root store of the Windows operating system, so the browser accepts any certificate chained to that root without a warning. Worse, the identical signing certificate and private key were installed on every Lenovo machine containing Superfish. The key has to be on the machine, because the local proxy uses it to mint a fresh certificate for every HTTPS site the user visits, and anything on the machine can be extracted.

Anyone with a copy of that private key can create a seemingly trustworthy server certificate for any website -- a bank, a corporate web app, a healthcare provider, whatever -- and an affected browser will show the normal padlock. This is an awesome power. Bad actors with sufficient network access (a shared Wi-Fi network or a compromised router is enough) could easily capture private web communications to gain access to a person’s bank information, medical history, and anything else that's supposed to be protected by web encryption.

In essence, Lenovo has shipped within its machines a ready-made way for a criminal to insert a man-in-the-middle (MITM) proxy into a user’s network and gain full access to encrypted data: passwords, transactions, banking information, and more.
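The mechanism described above, as an added demonstration that is not code from this article, from Lenovo or from Superfish: a stand-in root CA is generated locally (not the real Superfish key), its private key is used to forge a certificate for an arbitrary hostname, and the forged certificate is checked the way a browser would, first against a trust store that still contains the shipped root and then against one from which it has been removed. The hostnames, file names and CA names are made up for the example; it needs only the OpenSSL command-line tool.

```shell
#!/bin/sh
# Added demonstration, not from the article or from Lenovo/Superfish.
# Generates a stand-in root CA (NOT the real Superfish key) and shows why a
# root-CA private key shared across machines is fatal: whoever holds it can
# mint a certificate for any hostname that a client trusting that root accepts.
# Hostnames and file names below are made up.
set -eu

WORK=$(mktemp -d)

# Step 1: the vendor's root CA. On a Superfish machine both files sat on disk,
# identical on every unit, so treat root.key as already in attacker hands.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Shipped Root CA (stand-in)" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
}

# An unrelated root standing in for the roots that remain in the trust store
# after the shipped one has been deleted.
make_other_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Some Legitimate Root (stand-in)" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
}

# Step 2: with root.key, forge a leaf certificate for any hostname we like.
forge_cert() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" \
    > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 30 -sha256 \
    -extfile "$WORK/$host.ext" -out "$WORK/$host.pem" 2>/dev/null
}

# Step 3: what a browser does. Succeeds (exit 0) only if the leaf chains to a
# root in the given trust store and carries the expected hostname.
verify_against() {
  host="$1"; trust_store="$2"
  openssl verify -CAfile "$trust_store" -verify_hostname "$host" \
    "$WORK/$host.pem" 2>/dev/null | grep -q ': OK$'
}

main() {
  make_root_ca
  make_other_root
  forge_cert bank.example
  if verify_against bank.example "$WORK/root.pem"; then
    echo "shipped root still trusted: forged bank.example certificate ACCEPTED"
  fi
  if ! verify_against bank.example "$WORK/other.pem"; then
    echo "shipped root removed: forged bank.example certificate REJECTED"
  fi
}
main
```

The only thing that changes between the accepted and the rejected case is whether the shipped root is in the trust store; the forged certificate itself is identical. That is why deleting the Superfish program without deleting its root certificate leaves a machine just as exposed.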

Lenovo’s attempt to fix the situation for customers included instructions on how to remove the Superfish bloatware from their computers. However, recent reports indicate that following their advice does not remove the CA certificate from the trusted root store of the Windows operating system; a certificate issued to Superfish, Inc. can still be found under Trusted Root Certification Authorities. Even if someone diligently follows Lenovo’s advice, they’re still vulnerable! The Lenovo CTO has performed a pseudo mea culpa and says his team will release a tool allowing users to easily remove it.

If you can’t wait (and you shouldn’t), find a detailed description on how to remove it here or Lenovo’s instructions here.

We live in an age where companies willingly allow others to gain access to our private information, all in exchange for a few pieces of silver -- or worse. Inserting adware hacks into our browsing activity is not new. Free Wi-Fi providers have been caught injecting their own JavaScript into web pages for years.

But you don’t need to create an SSL MITM in order to inject advertisements. Perhaps there is something more going on. Superfish and Komodia’s roots trace back to foreign government intelligence organizations. Lenovo, a Chinese company, runs massive campaigns for US government employees to purchase its products at reduced rates.

Snooping the web traffic of government employees seems like something pretty valuable to someone with nefarious intent, much more valuable than some incremental advertising revenue.

Beware! If history teaches us anything, it's that Lenovo will not be the last company to try something like this. The solution is to stay informed. Whether it was Jefferson or Paine who said it, the words still ring true: “Eternal vigilance is the price of liberty.”


Scott Petry - Scott is Co-Founder and CEO of Authentic8. Prior to Authentic8, Scott founded Postini and served in a variety of C-level roles until its acquisition by Google in 2007.

Topics: News