
Lenovo PCs shipped with ‘Superfish,’ adware that opens users to MitM attacks

Computer manufacturer Lenovo has come under fire for shipping adware-laden laptops to consumers. Worse yet, data security experts warn that the pre-installed adware, called Superfish, leaves users vulnerable to man-in-the-middle (MitM) attacks that break HTTPS security.

Late Wednesday night, The Next Web published an article on the news, which was initially pointed out by customers in a Lenovo community forum last September. In January, a Lenovo admin tried to calm user concerns by posting that the Superfish Visual Discovery browser add-on had been “temporarily removed” from consumer systems, and that the company had requested that Superfish push an auto-update for consumers who already received computers installed with the software.

According to technology experts at the Electronic Frontier Foundation (EFF), users should move quickly to rid their systems of the program.

While Superfish is detected as adware by many firms, EFF explained in a Thursday blog post that users have much more to worry about than unwanted advertisements appearing on their screens while they browse the web. Superfish uses a self-signed root certificate to inject ads in secure HTTPS pages, meaning the software could allow an attacker to intercept encrypted SSL connections, and ultimately eavesdrop and steal data during any number of online activities, including checking webmail or signing into online banking applications, EFF said.

In a Thursday interview with SCMagazine.com, Jeremy Gillula, a staff technologist at EFF, further explained the security dilemma introduced by Superfish.

“The issue is that they are installing the Superfish certificate as if it was from a certificate authority,” Gillula said. “Normally the CA would have signed it,” he continued, adding later that “Anyone could pretend to be Superfish,” if they have a copy of the Superfish MitM private key.

On Thursday, Robert Graham, CEO of Errata Security, revealed on his blog that he was able to extract the Superfish certificate via reverse engineering and crack the password encrypting it. In an earlier post published Thursday, Graham provided a breakdown of the security issue.

“SuperFish installs its own root CA certificate in Windows system. It then generates certificates on the fly for each attempted SSL connection. Thus, when you have a Lenovo computer, it appears [that] SuperFish is the root CA of all the websites you visit. This allows SuperFish to intercept an encrypted SSL connection, decrypt it, then re-encrypt it again,” he wrote.

“This means that hackers at your local cafe Wi-Fi hotspot, or the NSA eavesdropping on the Internet, can use that private-key to likewise intercept all SSL connections from SuperFish users,” he added later.

SCMagazine.com reached out to Lenovo, and on Thursday, a spokeswoman for the company directed the outlet to Lenovo's statement on Superfish (also published that day).

The company revealed that Superfish had been included on “some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping. However, user feedback was not positive, and we responded quickly and decisively,” the statement continued.

Lenovo confirmed reports that, as of January, Superfish has not been active on its products. In the announcement, the PC manufacturer also listed all its product models that were potentially packaged with Superfish.

On his blog, Robert Graham noted that uninstalling Superfish still leaves the root certificate behind, so users should also remove the certificate manually from the Windows certificate store.

UPDATE: On Thursday, EFF published a how-to on uninstalling Superfish and removing the cert. Users can, first, do a Superfish CA test to see if they are impacted by the adware.
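As an added example that is not part of this article or of EFF's how-to, the following PowerShell script checks the Windows trusted root stores for a leftover root certificate whose subject or issuer contains "Superfish" (that match pattern is an assumption), lists any hits, and removes them only when run with the -Remove switch. It assumes an elevated prompt for the LocalMachine store.

```powershell
# Added example: detect (and optionally remove) a Superfish root certificate
# left in the Windows trusted root stores after the adware itself is uninstalled.
# Uninstall the Superfish software first, or it may re-install the certificate.
param([switch]$Remove)

# Both the machine-wide and the current user's trusted root stores are checked.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$hits = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        # Matching on the name "Superfish" is an assumption; inspect hits before removal.
        Where-Object { $_.Subject -match 'Superfish' -or $_.Issuer -match 'Superfish' } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
}

if (-not $hits) {
    Write-Output 'No Superfish root certificate found in the trusted root stores.'
    return
}

Write-Output 'Superfish root certificate(s) present:'
$hits | Format-Table -AutoSize

if ($Remove) {
    foreach ($hit in $hits) {
        # Remove-Item on the Cert: provider deletes that certificate from the store.
        Remove-Item -Path (Join-Path $hit.Store $hit.Thumbprint)
        Write-Output "Removed $($hit.Thumbprint) from $($hit.Store)"
    }
} else {
    Write-Output 'Re-run with -Remove to delete the certificate(s) listed above.'
}
```

Run without -Remove first to confirm what would be deleted; a browser such as Firefox keeps its own certificate store and must be cleaned separately.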
