Lenovo is mired in trouble after being caught red-handed shipping out laptops pre-installed with ‘adware’ that can potentially steal web traffic via man-in-the-middle attacks. The software in many of its Windows-based devices not only injects advertising into user’s search results, but it’s also capable of hijacking SSL/TLS connections to websites, thanks to the presence of a self-signing certificate authority on affected PCs.

Mark Hopkins, a Lenovo social media program manager, confirmed that the “Superfish Visual Discovery ” software was being installed on many of the company’s devices in order to serve up ads last January in a post on the Lenovo forums.

“Due to some issues (browser pop-up behavior, for example) with the Superfish Visual Discovery browser add-on, we have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues,” wrote Hopkins. “As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues.”

“To be clear, Superfish comes with Lenovo consumer products only, and is a technology that helps users find and discover products visually. The technology instantly analyzes images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine,” he continued.

The revelations have led to numerous complaints from Lenovo customers, who said the software was interfering with other digital certificates, as well as external devices like smart card readers.

One unhappy user posted a screenshot that purportedly shows a fake certificate claiming to be issued by the Bank of America, while another claimed the program was showing itself as a trusted root certificate and claiming a web connection to their bank was intercepted.

“A blatant man-in-the-middle attack malware breaking privacy laws. I have requested return of the laptop and refund as I find it unbelievable that … Lenovo would facilitate such applications pre bundled with new laptops,” wrote the user.

Following a deluge of complaints, Lenovo has now removed Superfish from new laptops, but experts believe its presence on numerous devices that have already been sold is a massive security concern.

Robert Graham of Errata Security told Forbes that one of the biggest fears is that hackers could use the encryption methods Superfish deploys and intercept Lenovo user’s traffic. If an attacker is able to extract the private key Superfish uses to sign its certificate, this could be used to sign their own fake certificates and allow them to spy on Lenovo laptop user’s activities, providing they’re using the same network as the attacker.

“It’s the same root CA private-key for every computer. This means that hackers at your local cafe Wi-Fi hotspot, or the NSA eavesdropping on the internet, can use that private-key to likewise intercept all SSL [encrypted] connections from Superfish users,” Graham told Forbes.

While the risk of this happening remains low, if an attacker does pull it off, they could easily help themselves to their target’s data, whether that’s banking login details, emails or something else.

Unfortunately, while Lenovo is no longer shipping compromised PCs, those with older PCs are still at risk. The only way to remove Superfish is to do a clean install of Windows from a non-Lenovo image, or use a completely different operating system, because simply uninstalling Superfish leaves the root certificate authority behind.

Image credit: geralt via Pixabay.com