TechCentralTechCentral
    Facebook Twitter YouTube LinkedIn
    Facebook Twitter LinkedIn YouTube
    TechCentral TechCentral
    NEWSLETTER
    • News

      E.tv: ‘We know we must vacate broadband spectrum bands’

      29 June 2022

      E-commerce is killing shopping malls – but, curiously, not in South Africa

      29 June 2022

      Eskom warns recovery from strike chaos could take weeks

      29 June 2022

      Eskom offers workers 7% increase: sources

      29 June 2022

      Eskom employees returning to work

      29 June 2022
    • World

      Napster plots crypto comeback

      29 June 2022

      Pictures: Chinese spacecraft acquires images of entire planet of Mars

      29 June 2022

      Arm aims for leg-up in smartphone games with new chip tech

      29 June 2022

      Warnings of a final bitcoin ‘washout’

      29 June 2022

      Sony launches into PC gaming hardware

      29 June 2022
    • In-depth

      The great crypto crash: the fallout, and what happens next

      22 June 2022

      Goodbye, Internet Explorer – you really won’t be missed

      19 June 2022

      Oracle’s database dominance threatened by rise of cloud-first rivals

      13 June 2022

      Everything Apple announced at WWDC – in less than 500 words

      7 June 2022

      Sheryl Sandberg’s ad empire leaves a complicated legacy

      2 June 2022
    • Podcasts

      How your organisation can triage its information security risk

      22 June 2022

      Everything PC S01E06 – ‘Apple Silicon’

      15 June 2022

      The youth might just save us

      15 June 2022

      Everything PC S01E05 – ‘Nvidia: The Green Goblin’

      8 June 2022

      Everything PC S01E04 – ‘The story of Intel – part 2’

      1 June 2022
    • Opinion

      Has South Africa’s advertising industry lost its way?

      21 June 2022

      Rob Lith: What Icasa’s spectrum auction means for SA companies

      13 June 2022

      A proposed solution to crypto’s stablecoin problem

      19 May 2022

      From spectrum to roads, why fixing SA’s problems is an uphill battle

      19 April 2022

      How AI is being deployed in the fight against cybercriminals

      8 April 2022
    • Company Hubs
      • 1-grid
      • Altron Document Solutions
      • Amplitude
      • Atvance Intellect
      • Axiz
      • BOATech
      • CallMiner
      • Digital Generation
      • E4
      • ESET
      • Euphoria Telecom
      • IBM
      • Kyocera Document Solutions
      • Microsoft
      • Nutanix
      • One Trust
      • Pinnacle
      • Skybox Security
      • SkyWire
      • Tarsus on Demand
      • Videri Digital
      • Zendesk
    • Sections
      • Banking
      • Broadcasting and Media
      • Cloud computing
      • Consumer electronics
      • Cryptocurrencies
      • Education and skills
      • Energy
      • Fintech
      • Information security
      • Internet and connectivity
      • Internet of Things
      • Investment
      • IT services
      • Motoring and transport
      • Public sector
      • Science
      • Social media
      • Talent and leadership
      • Telecoms
    • Advertise
    TechCentralTechCentral
    Home»Opinion»Alistair Fairweather»Superfish blows up in Lenovo’s face

    Superfish blows up in Lenovo’s face

    Alistair Fairweather By Alistair Fairweather23 February 2015
    Facebook Twitter LinkedIn WhatsApp Telegram Email

    Alistair-Fairweather-180-profileOne in five of the personal computers sold worldwide in the last quarter of 2014 may have security holes so serious that even an amateur hacker could easily and silently penetrate its defences. All of the compromised computers were manufactured by Lenovo, whose gross negligence directly resulted in this mess.

    How could this happen? Simple: Lenovo partnered with a shady advertising company called Superfish and installed its software on millions of new PCs before it shipped them to customers. This software sits between your Web browser and the sites you visit and injects its own adverts into search results from sites such as Google and Amazon.

    While this behaviour is irritating and unethical, it’s not necessarily dangerous. Plenty of PC manufacturers ship their machines with custom software, most of it irritating or downright obstructive. This “bloatware” is aimed at making you a loyal customer by offering you additional value, but generally just slows down your computer.

    What makes Superfish different, apart from its unusually invasive approach, is that it intentionally and recklessly compromises the security of any computer on which it is installed. It essentially opens a back door in the defences of a computer, and then leaves it wide open for anyone else who wants to use it.

    This back door is in the most important part of a computer’s defence systems, the authentication certificates. When you visit your bank’s website or your Web-based e-mail account, your computer uses a digital key called a certificate to check whether the site you’re visiting is trusted by the rest of the Web. You know a site is trusted because the little padlock in your browser’s address bar turns green.

    These certificates are vital because they stop hackers from masquerading as trusted organisations. When you get those e-mails allegedly from the South African Revenue Service that claim you have a refund of R15 978 waiting for you, or from “Standerd Bank” (sic) warning you to “change your password now”, hackers are hoping you will click on the link to their fake site and fill in your username and password.

    Nowadays even the barely computer literate know to check that the URL of the page they’re visiting is correct. If a site called “var1t8.co.us” is asking you for Gmail password, you’re not likely to to fall for its tricks.

    As hacking has become a global plague, more and more websites have started to require certificates for everything they do online. Even Google searches now have that friendly green padlock that reassures you that your browsing experience is safe.

    This has made things harder for software like Superfish. It wants to inject adverts into your search results, but the browser will not let it do that because it does not have the correct certificate. Its solution is either complete genius or reckless idiocy, depending on your perspective.

    As soon as it is installed, Superfish creates a self-signed certificate in the root of the computer’s security system. In other words, it creates a master key that allows it to pretend to be any website that you visit. This is how it injects adverts into Google search results — it intercepts those results on their way from Google to your computer and manipulates them to suit its needs.

    On its own, this behaviour would be bad enough — not just unethical but also a flagrant invasion of privacy. But the back door that Superfish opens can be used by literally anyone who knows it is there. That means any hacker who realises you have a Lenovo computer can sit in between you and your bank’s legitimate website and steal your log in details. They can also reverse the flow and inject viruses and other malicious software into your computer.

    And it gets worse: it appears that  Superfish uses exactly the same certificate for every single computer on which it is installed. Normally every certificate requires a different password before it can be used, but Superfish has used the same certificate with the same password on tens of millions of computers.

    Lenovo is the biggest PC manufacturer in the world by volume
    Lenovo is the biggest PC manufacturer in the world by volume

    This is like installing security gates in millions of homes with a single, identical master key for all of them, and then leaving the key out for anyone to find and copy. So hacking a Lenovo computer has gone from a few hours of work to a few seconds of work.

    After first denying that the security hole existed, and then trying to downplay its seriousness, Lenovo has finally released a tool that allows its customers to remove Superfish from their computers and close the back door it has opened.

    If you bought a Lenovo new laptop between September 2014 and January 2015, you should visit this link immediately and run the uninstall tool. I promise, I’m not a hacker trying to steal your information. Pinky swear.

    What’s truly extraordinary is that Lenovo has spent three decades overcoming its reputation as a low-quality Chinese PC manufacturer. Over the last decade, since it acquired IBM’s personal computer business in 2005, it has grown in leaps and bounds and is now the world’s largest PC manufacturer by volume. The revenue it would have earned from the Superfish deal might have totalled a few tens of millions of dollars at most; perhaps 0,1% of its yearly turnover. And for that it has put its entire global brand at risk.

    And this at a time when PC sales are in terminal decline. In the last quarter of 2014, the PC industry sold just less than 80m computers worldwide. That’s 10m fewer than the same quarter in 2012. Lenovo is already the one-eyed king in the land of the blind, and now it has thrown acid in its own face.

    There is clearly no malice here on Lenovo’s part. The company did not set out to compromise its customers security intentionally. But its behaviour makes it at best a dupe and at worst a greedy accomplice. Either way, Lenovo has a lot of work ahead of it.

    • Alistair Fairweather is chief technology officer for integrated advertising agency Machine
    • This column was first published in the Mail & Guardian Online, the smart news source
    Alistair Fairweather Lenovo Superfish
    Share. Facebook Twitter LinkedIn WhatsApp Telegram Email
    Previous ArticleANC pleased with gov’t stance on e-tolls
    Next Article Apple to pump billions into green DCs

    Related Posts

    Has South Africa’s advertising industry lost its way?

    21 June 2022

    Rob Lith: What Icasa’s spectrum auction means for SA companies

    13 June 2022

    A proposed solution to crypto’s stablecoin problem

    19 May 2022
    Add A Comment

    Comments are closed.

    Promoted

    Think herding cats is tricky? Try herding a cloud

    29 June 2022

    How your business can help hybrid workers effectively

    28 June 2022

    Hands off our satellite spectrum!

    27 June 2022
    Opinion

    Has South Africa’s advertising industry lost its way?

    21 June 2022

    Rob Lith: What Icasa’s spectrum auction means for SA companies

    13 June 2022

    A proposed solution to crypto’s stablecoin problem

    19 May 2022

    Subscribe to Updates

    Get the best South African technology news and analysis delivered to your e-mail inbox every morning.

    © 2009 - 2022 NewsCentral Media

    Type above and press Enter to search. Press Esc to cancel.