Lenovo preinstalls man-in-the-middle adware that hijacks HTTPS traffic on new PCs
Major technology companies just can’t help tampering with our web traffic to deliver advertising. Security researchers recently discovered that consumer-grade Lenovo computers ship with software called Superfish Visual Discovery that injects advertising into websites on browsers such as Google Chrome and Internet Explorer.
Even worse, Superfish installs a self-generated root certificate into the Windows certificate store and then resigns all SSL certificates presented by HTTPS sites with its own certificate—the classic definition of a man-in-the-middle attack. It’s a weakness that hackers could potentially use to steal sensitive data like banking credentials or just observe your web surfing activities.
The capability is being used to inject ads on encrypted sites. Even worse, according to Chrome security engineer Chris Palmer, Superfish appears to be using the same root certificate with the same weak RSA key on all affected Lenovo PCs, rather than generating unique encryption for each computer.
Removing the Superfish adware doesn't remove the rogue security certificate, either.
Superfish has been shipping on Lenovo PCs since at least mid-2014. In late January, Lenovo said in a support forum post that it was temporarily removing Superfish from consumer laptops due to unspecified “issues.”
“Lenovo removed Superfish from the preloads of new consumer systems in January 2015,” a Lenovo representative said in an emailed statement. “At the same time Superfish disabled existing Lenovo machines in market from activating Superfish.” The company is “thoroughly investigating all and any new concerns raised regarding Superfish,” she said.
Why this matters: Shipping PCs with pre-installed software, also known as crapware or bloatware, is nothing new for Windows users. But usually this software is a free trial of anti-virus software, a productivity suite, or maybe a game. Lenovo’s adware installation takes the crapware game to a whole other level by creating an unnecessary vulnerability in new PCs.
This is the third recent example of a technology company caught tampering with a users’ browsing habits in the name of advertising dollars. In September, it was discovered that Comcast was injecting ads into user browsers at Xfinity public Wi-Fi hotspots, and Verizon is under fire for its ad-fueled super cookie that tampers with web traffic traversing the carrier’s mobile network. But those were ISPs dumping ads over web traffic—a big difference from this case, where a PC manufacturer is essentially preloading PCs with software that essentially behaves as a man-in-the-middle attack.
Lenovo installs a MITM cert and proxy called Superfish, on new laptops, so it can inject ads? Someone tell me that’s not the world I’m in.— Mike Shaver (@shaver) February 19, 2015
Superfish or Super phish?
The main purpose of Superfish is to analyze images a user is viewing in the browser and then deliver advertising based on the contents of the image. The company also produces its own mobile apps that do something similar. Superfish’s Like That Décor Furniture for Android, for example, lets you snap a photo of a couch or dresser you like. Then the app will show you similar furniture pieces from various retailers to help you find the best price.
The false website security certificates could allow Superfish to decrypt a user’s HTTPS web traffic. It’s unlikely that Superfish is out to get your banking credentials or other logins. The site certificate tampering could, however, open the door for hackers to launch phishing attacks—especially since Superfish appears to be using the same private encryption key on all Lenovo machines.
A hacker could, for example, create a phony banking site relying on the faked Superfish security certificates for authentication. Under this scenario, Lenovo PCs wouldn’t be able to detect they were visiting a forged site.
Despite concerns from critics, Lenovo believes Superfish is safe. "We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns," a company spokesperson said via e-mail.
Without going into details, the Lenovo representative said Superfish was installed on select consumer-grade machines. A report by Myce from January said the adware was found on Lenovo Y50, Z40, Z50, G50, and Yoga 2 Pro laptops. If you’ve recently bought a Lenovo laptop, there’s a good chance your PC has Superfish pre-installed.
“Preinstalled software is always a concern because there’s often no easy way for a buyer to know what that software is doing—or if removing it will cause system problems further down the line,” said Chris Boyd, a malware intelligence analyst at Malwarebytes, via email.
Boyd advises users to uninstall Superfish, then to type certmgr.msc into the Windows search bar, open the program, and remove the Superfish root certificate from there. Apparently many anti-virus programs identify Superfish as malware and will take care of removing it—though not the root certificate—for you.
IDG News Service's Lucian Constantin contributed additional reporting for this article.