TechCentralTechCentral
    Facebook Twitter YouTube LinkedIn
    Facebook Twitter LinkedIn YouTube
    TechCentral TechCentral
    NEWSLETTER
    • News

      New Openview channels coming as platform turns profitable

      27 May 2022

      Wapa’s Paul Colmer on why Icasa should open up 6GHz for Wi-Fi

      27 May 2022

      How Broadcom’s blockbuster VMware deal happened

      27 May 2022

      The cost for South Africa to quit its coal habit: R4-trillion – study

      26 May 2022

      Apple is feeling the smartphone industry chill

      26 May 2022
    • World

      Musk sued by Twitter investors for stock ‘manipulation’

      27 May 2022

      Broadcom agrees to buy VMware for $61-billion

      26 May 2022

      Musk pledges more equity to fund Twitter deal

      26 May 2022

      Sony looks beyond the console to PC and mobile gaming

      26 May 2022

      Andreessen Horowitz raises world’s largest crypto fund

      26 May 2022
    • In-depth

      Bernie Fanaroff – the scientist who put African astronomy on the map

      23 May 2022

      Chip giant ASML places big bets on a tiny future

      20 May 2022

      Elon Musk is becoming like Henry Ford – and that’s not a good thing

      17 May 2022

      Stablecoins wend wobbly way into the unknown

      17 May 2022

      The standard model of particle physics may be broken

      11 May 2022
    • Podcasts

      Spectrum auction opens up big growth opportunities – Ruckus Networks

      26 May 2022

      Everything PC S01E03 – ‘The story of Intel – part 1’

      25 May 2022

      The rewarding and lucrative careers to be had in infosec

      23 May 2022

      Dean Broadley on why product design at Yoco is an evolving art

      18 May 2022

      Everything PC S01E02 – ‘AMD: Ryzen from the dead – part 2’

      17 May 2022
    • Opinion

      A proposed solution to crypto’s stablecoin problem

      19 May 2022

      From spectrum to roads, why fixing SA’s problems is an uphill battle

      19 April 2022

      How AI is being deployed in the fight against cybercriminals

      8 April 2022

      Cash is still king … but not for much longer

      31 March 2022

      Icasa on the role of TV white spaces and dynamic spectrum access

      31 March 2022
    • Company Hubs
      • 1-grid
      • Altron Document Solutions
      • Amplitude
      • Atvance Intellect
      • Axiz
      • BOATech
      • CallMiner
      • Digital Generation
      • E4
      • ESET
      • Euphoria Telecom
      • IBM
      • Kyocera Document Solutions
      • Microsoft
      • Nutanix
      • One Trust
      • Pinnacle
      • Skybox Security
      • SkyWire
      • Tarsus on Demand
      • Videri Digital
      • Zendesk
    • Sections
      • Banking
      • Broadcasting and Media
      • Cloud computing
      • Consumer electronics
      • Cryptocurrencies
      • Education and skills
      • Energy
      • Fintech
      • Information security
      • Internet and connectivity
      • Internet of Things
      • Investment
      • IT services
      • Motoring and transport
      • Public sector
      • Science
      • Social media
      • Talent and leadership
      • Telecoms
    • Advertise
    TechCentralTechCentral
    Home»Opinion»Alistair Fairweather»Superfish blows up in Lenovo’s face

    Superfish blows up in Lenovo’s face

    Alistair Fairweather By Alistair Fairweather23 February 2015
    Facebook Twitter LinkedIn WhatsApp Telegram Email

    Alistair-Fairweather-180-profileOne in five of the personal computers sold worldwide in the last quarter of 2014 may have security holes so serious that even an amateur hacker could easily and silently penetrate its defences. All of the compromised computers were manufactured by Lenovo, whose gross negligence directly resulted in this mess.

    How could this happen? Simple: Lenovo partnered with a shady advertising company called Superfish and installed its software on millions of new PCs before it shipped them to customers. This software sits between your Web browser and the sites you visit and injects its own adverts into search results from sites such as Google and Amazon.

    While this behaviour is irritating and unethical, it’s not necessarily dangerous. Plenty of PC manufacturers ship their machines with custom software, most of it irritating or downright obstructive. This “bloatware” is aimed at making you a loyal customer by offering you additional value, but generally just slows down your computer.

    What makes Superfish different, apart from its unusually invasive approach, is that it intentionally and recklessly compromises the security of any computer on which it is installed. It essentially opens a back door in the defences of a computer, and then leaves it wide open for anyone else who wants to use it.

    This back door is in the most important part of a computer’s defence systems, the authentication certificates. When you visit your bank’s website or your Web-based e-mail account, your computer uses a digital key called a certificate to check whether the site you’re visiting is trusted by the rest of the Web. You know a site is trusted because the little padlock in your browser’s address bar turns green.

    These certificates are vital because they stop hackers from masquerading as trusted organisations. When you get those e-mails allegedly from the South African Revenue Service that claim you have a refund of R15 978 waiting for you, or from “Standerd Bank” (sic) warning you to “change your password now”, hackers are hoping you will click on the link to their fake site and fill in your username and password.

    Nowadays even the barely computer literate know to check that the URL of the page they’re visiting is correct. If a site called “var1t8.co.us” is asking you for Gmail password, you’re not likely to to fall for its tricks.

    As hacking has become a global plague, more and more websites have started to require certificates for everything they do online. Even Google searches now have that friendly green padlock that reassures you that your browsing experience is safe.

    This has made things harder for software like Superfish. It wants to inject adverts into your search results, but the browser will not let it do that because it does not have the correct certificate. Its solution is either complete genius or reckless idiocy, depending on your perspective.

    As soon as it is installed, Superfish creates a self-signed certificate in the root of the computer’s security system. In other words, it creates a master key that allows it to pretend to be any website that you visit. This is how it injects adverts into Google search results — it intercepts those results on their way from Google to your computer and manipulates them to suit its needs.

    On its own, this behaviour would be bad enough — not just unethical but also a flagrant invasion of privacy. But the back door that Superfish opens can be used by literally anyone who knows it is there. That means any hacker who realises you have a Lenovo computer can sit in between you and your bank’s legitimate website and steal your log in details. They can also reverse the flow and inject viruses and other malicious software into your computer.

    And it gets worse: it appears that  Superfish uses exactly the same certificate for every single computer on which it is installed. Normally every certificate requires a different password before it can be used, but Superfish has used the same certificate with the same password on tens of millions of computers.

    Lenovo is the biggest PC manufacturer in the world by volume
    Lenovo is the biggest PC manufacturer in the world by volume

    This is like installing security gates in millions of homes with a single, identical master key for all of them, and then leaving the key out for anyone to find and copy. So hacking a Lenovo computer has gone from a few hours of work to a few seconds of work.

    After first denying that the security hole existed, and then trying to downplay its seriousness, Lenovo has finally released a tool that allows its customers to remove Superfish from their computers and close the back door it has opened.

    If you bought a Lenovo new laptop between September 2014 and January 2015, you should visit this link immediately and run the uninstall tool. I promise, I’m not a hacker trying to steal your information. Pinky swear.

    What’s truly extraordinary is that Lenovo has spent three decades overcoming its reputation as a low-quality Chinese PC manufacturer. Over the last decade, since it acquired IBM’s personal computer business in 2005, it has grown in leaps and bounds and is now the world’s largest PC manufacturer by volume. The revenue it would have earned from the Superfish deal might have totalled a few tens of millions of dollars at most; perhaps 0,1% of its yearly turnover. And for that it has put its entire global brand at risk.

    And this at a time when PC sales are in terminal decline. In the last quarter of 2014, the PC industry sold just less than 80m computers worldwide. That’s 10m fewer than the same quarter in 2012. Lenovo is already the one-eyed king in the land of the blind, and now it has thrown acid in its own face.

    There is clearly no malice here on Lenovo’s part. The company did not set out to compromise its customers security intentionally. But its behaviour makes it at best a dupe and at worst a greedy accomplice. Either way, Lenovo has a lot of work ahead of it.

    • Alistair Fairweather is chief technology officer for integrated advertising agency Machine
    • This column was first published in the Mail & Guardian Online, the smart news source
    Alistair Fairweather Lenovo Superfish
    Share. Facebook Twitter LinkedIn WhatsApp Telegram Email
    Previous ArticleANC pleased with gov’t stance on e-tolls
    Next Article Apple to pump billions into green DCs

    Related Posts

    A proposed solution to crypto’s stablecoin problem

    19 May 2022

    From spectrum to roads, why fixing SA’s problems is an uphill battle

    19 April 2022

    How AI is being deployed in the fight against cybercriminals

    8 April 2022
    Add A Comment

    Comments are closed.

    Promoted

    Financial advisers: manage your commission and analyse revenue effortlessly

    27 May 2022

    BT, MTN Business form strategic alliance in Africa

    26 May 2022

    Think like a start-up: how to build a competitive digital enterprise

    26 May 2022
    Opinion

    A proposed solution to crypto’s stablecoin problem

    19 May 2022

    From spectrum to roads, why fixing SA’s problems is an uphill battle

    19 April 2022

    How AI is being deployed in the fight against cybercriminals

    8 April 2022

    Subscribe to Updates

    Get the best South African technology news and analysis delivered to your e-mail inbox every morning.

    © 2009 - 2022 NewsCentral Media

    Type above and press Enter to search. Press Esc to cancel.