Vulnerabilities and hacks are increasingly a fact of life, and they’re especially scary when they show up in mainstream products that lots of people use, like Internet Explorer. (Are you still using IE? If so, we need to have a talk.) But it really hurts when there’s a major vulnerability in something that came pre-installed on PCs for the benefit of manufacturers, not consumers. Like today, for example!
Researchers began realizing early Thursday morning that pre-installed adware on Lenovo’s consumer laptops was not only serving ads to users, but also compromising encrypted Web browsing and making users vulnerable to man-in-the-middle attacks. That’s when a third party is able to see and record data between users and the Web servers they are communicating with.
The program, called Superfish, has been on Lenovo users’ minds since around September (surfaced by Ars Technica), and proof of a potential security problem started trickling out in January. At the time, the company acknowledged that there was something weird with Superfish but referred to problems with “browser pop up behavior for example.”
More recently, researchers and other Lenovo users have been publishing evidence on Twitter and elsewhere showing fake certificates for supposedly secure browsing sessions issued by Superfish instead of a certificate authority like VeriSign. This means that behavior and data from the browsing session wasn’t actually encrypted and could be accessed by Superfish.
And even worse, Superfish seems to use the same private key for the root certificate it puts on every laptop it’s installed on. So if a hacker can obtain that key, he or she can listen in on secure sessions from users who have Superfish running. People noticed in January that Gogo inflight Wi-Fi was pulling some similar tomfoolery, but this situation is crazier because the bad actor is pre-installed on the computer and always lurking—it’s not just a Wi-Fi network people use occasionally.
Lenovo said in January:
Superfish technology … does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. When using Superfish for the first time, the user is presented the Terms of User and Privacy Policy, and has [the] option not to accept these terms, i.e., Superfish is then disabled.
In a statement Thursday the company reiterated these claims. Lenovo also said that the adware shipped on consumer laptops between September and December, but that the company stopped pre-installing it in January because “user feedback was not positive.” Which, yeah, compromised HTTPS browsing is a pretty not-positive situation. Superfish was not immediately available for comment. We’ll update if the company gets back to us.
Lenovo is providing instructions and resources for uninstalling Superfish, though some are skeptical of the company’s approach.
As Dave Fayram, the director of software engineering at Capital One, tweeted, “That sound you heard was every IT department in the world canceling their Lenovo contracts.”
