One in five of the personal computers sold worldwide in the last quarter of 2014 may have security holes so serious that even an amateur hacker could easily and silently penetrate its defences. All of the compromised computers were manufactured by Lenovo, whose gross negligence directly resulted in this mess.
How could this happen? Simple: Lenovo partnered with a shady advertising company called Superfish and installed its software on millions of new PCs before it shipped them to customers. This software sits between your Web browser and the sites you visit and injects its own adverts into search results from sites such as Google and Amazon.
While this behaviour is irritating and unethical, it’s not necessarily dangerous. Plenty of PC manufacturers ship their machines with custom software, most of it irritating or downright obstructive. This “bloatware” is aimed at making you a loyal customer by offering you additional value, but generally just slows down your computer.
What makes Superfish different, apart from its unusually invasive approach, is that it intentionally and recklessly compromises the security of any computer on which it is installed. It essentially opens a back door in the defences of a computer, and then leaves it wide open for anyone else who wants to use it.
This back door is in the most important part of a computer’s defence systems, the authentication certificates. When you visit your bank’s website or your Web-based e-mail account, your computer uses a digital key called a certificate to check whether the site you’re visiting is trusted by the rest of the Web. You know a site is trusted because the little padlock in your browser’s address bar turns green.
These certificates are vital because they stop hackers from masquerading as trusted organisations. When you get those e-mails allegedly from the South African Revenue Service that claim you have a refund of R15 978 waiting for you, or from “Standerd Bank” (sic) warning you to “change your password now”, hackers are hoping you will click on the link to their fake site and fill in your username and password.
Nowadays even the barely computer literate know to check that the URL of the page they’re visiting is correct. If a site called “var1t8.co.us” is asking you for Gmail password, you’re not likely to to fall for its tricks.
As hacking has become a global plague, more and more websites have started to require certificates for everything they do online. Even Google searches now have that friendly green padlock that reassures you that your browsing experience is safe.
This has made things harder for software like Superfish. It wants to inject adverts into your search results, but the browser will not let it do that because it does not have the correct certificate. Its solution is either complete genius or reckless idiocy, depending on your perspective.
As soon as it is installed, Superfish creates a self-signed certificate in the root of the computer’s security system. In other words, it creates a master key that allows it to pretend to be any website that you visit. This is how it injects adverts into Google search results — it intercepts those results on their way from Google to your computer and manipulates them to suit its needs.
On its own, this behaviour would be bad enough — not just unethical but also a flagrant invasion of privacy. But the back door that Superfish opens can be used by literally anyone who knows it is there. That means any hacker who realises you have a Lenovo computer can sit in between you and your bank’s legitimate website and steal your log in details. They can also reverse the flow and inject viruses and other malicious software into your computer.
And it gets worse: it appears that Superfish uses exactly the same certificate for every single computer on which it is installed. Normally every certificate requires a different password before it can be used, but Superfish has used the same certificate with the same password on tens of millions of computers.
This is like installing security gates in millions of homes with a single, identical master key for all of them, and then leaving the key out for anyone to find and copy. So hacking a Lenovo computer has gone from a few hours of work to a few seconds of work.
After first denying that the security hole existed, and then trying to downplay its seriousness, Lenovo has finally released a tool that allows its customers to remove Superfish from their computers and close the back door it has opened.
If you bought a Lenovo new laptop between September 2014 and January 2015, you should visit this link immediately and run the uninstall tool. I promise, I’m not a hacker trying to steal your information. Pinky swear.
What’s truly extraordinary is that Lenovo has spent three decades overcoming its reputation as a low-quality Chinese PC manufacturer. Over the last decade, since it acquired IBM’s personal computer business in 2005, it has grown in leaps and bounds and is now the world’s largest PC manufacturer by volume. The revenue it would have earned from the Superfish deal might have totalled a few tens of millions of dollars at most; perhaps 0,1% of its yearly turnover. And for that it has put its entire global brand at risk.
And this at a time when PC sales are in terminal decline. In the last quarter of 2014, the PC industry sold just less than 80m computers worldwide. That’s 10m fewer than the same quarter in 2012. Lenovo is already the one-eyed king in the land of the blind, and now it has thrown acid in its own face.
There is clearly no malice here on Lenovo’s part. The company did not set out to compromise its customers security intentionally. But its behaviour makes it at best a dupe and at worst a greedy accomplice. Either way, Lenovo has a lot of work ahead of it.
- Alistair Fairweather is chief technology officer for integrated advertising agency Machine
- This column was first published in the Mail & Guardian Online, the smart news source