Superfish blows up in Lenovo's face - TechCentral

Superfish blows up in Lenovo’s face

Alistair-Fairweather-180-profileOne in five of the personal computers sold worldwide in the last quarter of 2014 may have security holes so serious that even an amateur hacker could easily and silently penetrate its defences. All of the compromised computers were manufactured by Lenovo, whose gross negligence directly resulted in this mess.

How could this happen? Simple: Lenovo partnered with a shady advertising company called Superfish and installed its software on millions of new PCs before it shipped them to customers. This software sits between your Web browser and the sites you visit and injects its own adverts into search results from sites such as Google and Amazon.

While this behaviour is irritating and unethical, it’s not necessarily dangerous. Plenty of PC manufacturers ship their machines with custom software, most of it irritating or downright obstructive. This “bloatware” is aimed at making you a loyal customer by offering you additional value, but generally just slows down your computer.

What makes Superfish different, apart from its unusually invasive approach, is that it intentionally and recklessly compromises the security of any computer on which it is installed. It essentially opens a back door in the defences of a computer, and then leaves it wide open for anyone else who wants to use it.

This back door is in the most important part of a computer’s defence systems, the authentication certificates. When you visit your bank’s website or your Web-based e-mail account, your computer uses a digital key called a certificate to check whether the site you’re visiting is trusted by the rest of the Web. You know a site is trusted because the little padlock in your browser’s address bar turns green.

These certificates are vital because they stop hackers from masquerading as trusted organisations. When you get those e-mails allegedly from the South African Revenue Service that claim you have a refund of R15 978 waiting for you, or from “Standerd Bank” (sic) warning you to “change your password now”, hackers are hoping you will click on the link to their fake site and fill in your username and password.

Nowadays even the barely computer literate know to check that the URL of the page they’re visiting is correct. If a site called “var1t8.co.us” is asking you for Gmail password, you’re not likely to to fall for its tricks.

As hacking has become a global plague, more and more websites have started to require certificates for everything they do online. Even Google searches now have that friendly green padlock that reassures you that your browsing experience is safe.

This has made things harder for software like Superfish. It wants to inject adverts into your search results, but the browser will not let it do that because it does not have the correct certificate. Its solution is either complete genius or reckless idiocy, depending on your perspective.

As soon as it is installed, Superfish creates a self-signed certificate in the root of the computer’s security system. In other words, it creates a master key that allows it to pretend to be any website that you visit. This is how it injects adverts into Google search results — it intercepts those results on their way from Google to your computer and manipulates them to suit its needs.

On its own, this behaviour would be bad enough — not just unethical but also a flagrant invasion of privacy. But the back door that Superfish opens can be used by literally anyone who knows it is there. That means any hacker who realises you have a Lenovo computer can sit in between you and your bank’s legitimate website and steal your log in details. They can also reverse the flow and inject viruses and other malicious software into your computer.

And it gets worse: it appears that  Superfish uses exactly the same certificate for every single computer on which it is installed. Normally every certificate requires a different password before it can be used, but Superfish has used the same certificate with the same password on tens of millions of computers.

Lenovo is the biggest PC manufacturer in the world by volume

Lenovo is the biggest PC manufacturer in the world by volume

This is like installing security gates in millions of homes with a single, identical master key for all of them, and then leaving the key out for anyone to find and copy. So hacking a Lenovo computer has gone from a few hours of work to a few seconds of work.

After first denying that the security hole existed, and then trying to downplay its seriousness, Lenovo has finally released a tool that allows its customers to remove Superfish from their computers and close the back door it has opened.

If you bought a Lenovo new laptop between September 2014 and January 2015, you should visit this link immediately and run the uninstall tool. I promise, I’m not a hacker trying to steal your information. Pinky swear.

What’s truly extraordinary is that Lenovo has spent three decades overcoming its reputation as a low-quality Chinese PC manufacturer. Over the last decade, since it acquired IBM’s personal computer business in 2005, it has grown in leaps and bounds and is now the world’s largest PC manufacturer by volume. The revenue it would have earned from the Superfish deal might have totalled a few tens of millions of dollars at most; perhaps 0,1% of its yearly turnover. And for that it has put its entire global brand at risk.

And this at a time when PC sales are in terminal decline. In the last quarter of 2014, the PC industry sold just less than 80m computers worldwide. That’s 10m fewer than the same quarter in 2012. Lenovo is already the one-eyed king in the land of the blind, and now it has thrown acid in its own face.

There is clearly no malice here on Lenovo’s part. The company did not set out to compromise its customers security intentionally. But its behaviour makes it at best a dupe and at worst a greedy accomplice. Either way, Lenovo has a lot of work ahead of it.

3 Comments

  1. Greg Mahlknecht on

    I don’t see many articles mentioning that less that 24hrs after the news broke, MS updated the built-in Windows Defender software to kill Superfish, and the Norton AV that is preinstalled on Lenovo PCs has a specific exception for Superfish. As if we needed another reason to hate that Norton piece of crap 🙂

    Steve Gibson did a bit of digging and found the culprit for the horrible tech – a library used by a number of spyware/adware apps – http://web.archive.org/web/20150220003144/http://www.komodia.com/products/komodias-ssl-decoderdigestor

    While Lenovo has to take ultimate responsibility, and initially handled it badly, they did the right thing eventually.

    >And this at a time when PC sales are in terminal decline

    Puzzling statement – I thought it was common knowledge that PCs are making a fight back right now after their little 3-year wobble; tablets are the one that are having problems. As per the Gartner link, 2007 shipments were 271mil in 2007 for the YEAR not the quarter, unless I’m reading that wrong? In 2014 it was 315mil units for the year – http://www.gartner.com/newsroom/id/2960125

  2. Wow, I might have bought a laptop from them when I was due for a new one, but now I will think twice… This is seriously going to hurt them

© 2009 – 2020 NewsCentral Media