If you own a new Lenovo computer, your Web surfing sessions might not be private and your personal information is at risk. This unsettling problem comes courtesy of a partnership between Lenovo, the world’s largest seller of PCs, and their corporate partner, Superfish (which also may be linked to another SSL snooping company, Komodia). Whatever their intentions, the group created a security threat and brand-damaging nightmare when they included Superfish bloatware on Lenovo machines sold at the end of 2014.
According to a statement by Lenovo, the pre-installed software was merely intended to “help customers potentially discover interesting products while shopping.” In reality, the software was designed to inject additional results and ads into the pages a user viewed, on top of whatever results the search engine itself returned.
Lenovo customers as well as numerous companies have expressed outrage at this invasive practice. But beyond the annoyance to users and the frustration to websites that had their valuable search results unfairly modified, the real crisis with the Superfish bloatware is the security threat it poses to innocent victims.
The design and functionality of Lenovo and Superfish’s bloatware are the heart of the problem. It installs the companies’ own root certificate authority (CA) certificate into the trusted root store of the Windows operating system, so every browser and application that relies on that store trusts whatever that CA signs. Worse, the companies shipped the identical signing certificate and private key on every Lenovo machine containing Superfish.
Anyone with a copy of that private key can create a seemingly trustworthy server certificate for any website -- a bank, a corporate web app, a healthcare provider, whatever -- and an affected machine will accept it without a single warning. This is an awesome power. Bad actors with sufficient network access could easily capture private web communications to gain access to a person’s bank information, medical history, and anything else that's supposed to be protected through web encryption.
In essence, Lenovo has included within its machines a way for a criminal to insert a man-in-the-middle (MITM) proxy into a user’s network and have full access to encrypted data: passwords, transactions, banking information, and more.
Lenovo’s attempt to fix the situation for customers included instructions on how to remove the Superfish bloatware from their computers. However, recent reports indicate that following its advice uninstalls the application but does not remove the CA certificate from the trusted root store on the Windows operating system. Even if someone diligently follows Lenovo’s advice, they’re still vulnerable! The Lenovo CTO has performed a pseudo mea culpa and says his team will release a tool allowing users to easily remove it.
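A defender-side check for exactly this gap, added here as an example and not Lenovo’s or Superfish’s own tooling: it audits both Windows trusted root stores for the leftover CA and deletes it only when asked. It assumes the offending certificate’s subject contains the string “Superfish” (PowerShell 3.0 or later; removing from the machine store needs an elevated session).

```powershell
# Added example: find the Superfish root CA in the Windows trusted root
# stores and optionally remove it. Assumption: the CA certificate's subject
# contains "Superfish"; adjust -SubjectPattern if the store shows otherwise.
param(
    [switch]$Remove,
    [string]$SubjectPattern = 'Superfish'
)

# A CA can be trusted machine-wide or only for the current user; check both.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $SubjectPattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Path       = $_.PSPath
            }
        }
}

if (-not $found) {
    Write-Host "No trusted root certificate matching '$SubjectPattern' found."
    return
}

# Report what is still trusted even after the application uninstall.
$found | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize

if ($Remove) {
    # Deleting from LocalMachine\Root requires an elevated (Administrator) session.
    foreach ($cert in $found) {
        Remove-Item -Path $cert.Path -Verbose
    }
    Write-Host "Removed $($found.Count) certificate(s). Restart browsers so they reload the store."
}
else {
    Write-Host "Run again with -Remove (as Administrator) to delete the certificate(s)."
}
```

Browsers with their own trust store (Firefox, for example) must be checked separately; this script covers only the Windows certificate stores.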
But you don’t need to create an SSL MITM in order to inject advertisements. Perhaps there is something more going on. Superfish and Komodia’s roots trace back to foreign government intelligence organizations. Lenovo, a Chinese company, runs massive campaigns for US government employees to purchase its products at reduced rates.
Snooping the web traffic of government employees seems like something pretty valuable to someone with nefarious intent, much more valuable than some incremental advertising revenue.
Beware! If history teaches us anything, it's that Lenovo will not be the last company to try something like this. The solution is to stay informed. Whether it was Jefferson or Paine who said it, the words still ring true: “Eternal vigilance is the price of liberty.”