Malware, Network Security

Connecticut AG asks Lenovo for details on Superfish incident


Connecticut Attorney General George Jepsen has asked PC maker Lenovo to share more details about its sale of computers pre-installed with adware.

Last month, news of Lenovo's security blunder spread online. While the company publicly apologized for the incident and said it had stopped preloading the adware, called Superfish, on its computers as of January, AG Jepsen said that there are still details the state should be aware of since the personal information of Connecticut consumers was “endangered,” Jepsen said a Monday press release.

In his letter to Lenovo's Executive Vice President Gerry Smith (PDF), the attorney general asked that the company identify the number of Lenovo PCs containing Superfish, which were sold in the U.S., as well as the dates those computers were sold. Jepsen also requested that Lenovo identify all internal communications pertaining to Superfish, along with “all agreements and/or contracts between Lenovo and Superfish pertaining to the software,” the letter, sent last Friday, said.

In total, Jepsen made 12 separate requests for information on the incident. Included in the letter, was an inquiry for the number of Connecticut residents “who registered computers or may have had Superfish software installed,” and a description of the “remedial measures Superfish has taken subsequent to its discovery of a certificate issue pertaining to the Superfish software.”

After news surfaced of the Lenovo-Superfish debacle, security experts with knowledge of the adware emphasized that, in addition to potentially subjecting consumers to unwanted ads, Superfish leaves users vulnerable to man-in-the-middle (MitM) attacks that break HTTPS security.

The incident prompted the Electronic Frontier Foundation (EFF) to publish a how-to on uninstalling Superfish and removing the certificate, as the adware installs its own root CA certificate in Windows systems. EFF noted that the self-signed root certificate allows the software to inject ads in secure HTTPS pages, leaving SSL connections vulnerable to being intercepted by attackers. 

“The use of a single certificate for all of the MitM attacks means that all HTTPS security for at least Internet Explorer, Chrome, and Safari for Windows, on all of these Lenovo laptops, is now broken,” EFF technology experts wrote in a blog post at the time.  “If you access your webmail from such a laptop, any network attacker can read your mail as well or steal your password. If you log into your online banking account, any network attacker can pilfer your credentials. All an attacker needs in order to perform these attacks is a copy of the Superfish MitM private key.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.