UPDATED 10:17 EST / FEBRUARY 19 2015

Lenovo said to be shipping adware-infected PCs that pose serious security risk

Lenovo is mired in trouble after being caught red-handed shipping laptops pre-installed with ‘adware’ that can potentially steal web traffic via man-in-the-middle attacks. The software on many of its Windows-based devices not only injects advertising into users’ search results, but is also capable of hijacking SSL/TLS connections to websites, thanks to a self-signed root certificate authority installed as trusted on affected PCs.

Mark Hopkins, a Lenovo social media program manager, confirmed in a post on the Lenovo forums last January that the “Superfish Visual Discovery” software was being installed on many of the company’s devices in order to serve up ads.

“Due to some issues (browser pop-up behavior, for example) with the Superfish Visual Discovery browser add-on, we have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues,” wrote Hopkins. “As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues.”

“To be clear, Superfish comes with Lenovo consumer products only, and is a technology that helps users find and discover products visually. The technology instantly analyzes images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine,” he continued.

The revelations have led to numerous complaints from Lenovo customers, who said the software was interfering with other digital certificates, as well as external devices like smart card readers.

One unhappy user posted a screenshot that purportedly shows a fake certificate claiming to be issued by the Bank of America, while another claimed the program had installed itself as a trusted root certificate and that a web connection to their bank was being intercepted.

“A blatant man-in-the-middle attack malware breaking privacy laws. I have requested return of the laptop and refund as I find it unbelievable that … Lenovo would facilitate such applications pre bundled with new laptops,” wrote the user.

Following a deluge of complaints, Lenovo has now removed Superfish from new laptops, but experts believe its presence on numerous devices that have already been sold is a massive security concern.

Robert Graham of Errata Security told Forbes that one of the biggest fears is that hackers could use the encryption methods Superfish deploys to intercept Lenovo users’ traffic. If an attacker is able to extract the private key Superfish uses to sign its certificates, it could be used to sign their own fake certificates and allow them to spy on Lenovo laptop users’ activities, provided they’re on the same network as the attacker.

“It’s the same root CA private-key for every computer. This means that hackers at your local cafe Wi-Fi hotspot, or the NSA eavesdropping on the internet, can use that private-key to likewise intercept all SSL [encrypted] connections from Superfish users,” Graham told Forbes.

While the risk of this happening remains low, if an attacker does pull it off, they could easily help themselves to their target’s data, whether that’s banking login details, emails or something else.

Unfortunately, while Lenovo is no longer shipping compromised PCs, those with older PCs are still at risk. The only way to remove Superfish is to do a clean install of Windows from a non-Lenovo image, or use a completely different operating system, because simply uninstalling Superfish leaves the root certificate authority behind.
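As an added example that is not part of the article: a PowerShell audit of the Windows trusted root stores for the leftover certificate authority, with optional removal. It assumes the certificate’s subject or issuer contains the string “Superfish” (an assumption; confirm the exact subject or thumbprint before relying on the match).

```powershell
# Added example, not from the article: audit the trusted root stores for a leftover
# Superfish root CA and, when run with -Remove, delete it.
# Assumption: the certificate's Subject or Issuer contains "Superfish"; verify the
# exact subject/thumbprint before trusting this match.
param([switch]$Remove)

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                # A trusted root whose private key lives on the machine is the core risk.
                HasKey     = $_.HasPrivateKey
                PSPath     = $_.PSPath
            }
        }
}

if (-not $found) {
    Write-Output 'No Superfish root certificate found in the checked stores.'
    return
}

$found | Format-Table Store, Subject, Thumbprint, NotAfter, HasKey -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        # Removing from LocalMachine\Root requires an elevated session.
        Remove-Item -Path $cert.PSPath -Verbose
    }
}
```

Run it without `-Remove` first to review what matched; the uninstaller for the add-on itself does not clear this store, which is why the article says a clean install is the only complete fix.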

Image credit: geralt via Pixabay.com
