Superfish was a super-bad idea Lenovo!

February 20, 2015

By Thursday evening Lenovo’s reputation as a trusted computer maker was dying the death of a thousand cutlines.

Lenovo has been shown up down and sideways to have deliberately installed a security-breaching bit of adware called Superfish on many of its consumer laptops in the last quarter of 2014.

Superfish inserts unwanted advertising into web pages, breaks the security of encrypted web transactions and creates a security hole that malicious hackers can easily exploit just by sitting next to an affected Lenovo laptop in a coffee shop.

Thursday evening Lenovo’s chief technical officer (CTO) Peter Hortensius was willing to admit that the company “messed up” and declared that an application would be released by Friday morning to cleanly and completely remove Superfish and the fake security certificate which makes affected Lenovo computers so vulnerable to digital attacks.

As of Friday afternoon, Lenovo had yet to release the one-step removal tool but they had released much-improved instructions for dealing with the “Superfish vulnerability”, including:

  • determining if your Lenovo laptop has Superfish installed
  • removing the Superfish Application
  • removing the fake root security certificate

NOTE: Lenovo has now released the Superfish Automatic Removal tool.
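The three checks above can be scripted. This is an added example, not Lenovo’s removal tool or its instructions: it looks for the program entry, a running process and the fake root certificate. The process name `VisualDiscovery` and the `Superfish` substring in the certificate subject are assumptions; adjust them if your machine shows different names.

```powershell
# Added example: report Superfish indicators on a Windows machine.
# Run in an elevated PowerShell prompt so the machine-wide stores are readable.

# 1. Installed-program entries (64-bit and 32-bit uninstall hives).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Superfish|VisualDiscovery' } |
    Select-Object DisplayName, Publisher, InstallDate

# 2. Running process (process name is an assumption).
$procs = Get-Process -Name 'VisualDiscovery' -ErrorAction SilentlyContinue

# 3. Trusted root stores: a self-signed CA whose subject names Superfish.
#    A legitimate root never appears here unless someone installed it,
#    so any match is the fake root authority the post describes.
$certs = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -like '*Superfish*' -and $_.Subject -eq $_.Issuer }

# Report what was found.
if ($programs) { 'Installed program:'; $programs | Format-Table -AutoSize }
if ($procs)    { 'Running process:';   $procs | Format-Table Id, ProcessName -AutoSize }
if ($certs)    { 'Fake root certificate:'; $certs | Format-List Subject, Thumbprint, NotAfter }

if (-not ($programs -or $procs -or $certs)) {
    'No Superfish indicators found.'
}

# Remediation (uncomment after confirming the matches above):
# uninstall the program through Programs and Features, then remove the
# certificate from every store it was found in.
# $certs | Remove-Item -Verbose
```

Removing the program alone is not enough: the root certificate stays trusted until it is deleted, which is why the post lists it as a separate step.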

Something fishy going on with search results

Superfish is the name of a company, based in Israel and Palo Alto, California, and the product they make: a visual search engine that can find matches based on a supplied image.

According to an explanation by a Forbes writer, Lenovo was using Superfish to place ads into Google search results that the computer maker wanted users to see.

Actually, I think the only money Lenovo was making was whatever Superfish was paying to have its adware — alternately called Superfish or VisualDiscovery — pre-installed on Lenovo laptops.

How Superfish works

A Google search on an affected Lenovo laptop showing the ads inserted by SuperFish.

The Superfish application watches any searches the user performs, say in Google, and examines the image results. It then transmits those results back to the Superfish servers, where a database of products is maintained — numbering 110 million in 2010, according to Superfish’s Joe Dew.

The database returns a selection of ads offering identical and visually similar products, which are seamlessly inserted into the Google search results.

Ka-Ching! Superfish earns a fee for each product displayed.

How Superfish puts Lenovo computers at risk

To function, the Superfish application needs to intercept any transaction between the browser and websites, including transactions encrypted for security, as with e-commerce or online banking.

Your web browser trusts that it is securely connected to, say, eBay because the website presents a valid security certificate to that effect, duly issued and signed by a trusted certificate authority.

Superfish goes so far as to set up a fake root certificate authority on the computer hard drive in order to control the data in a secure connection.

Pictured below is one of several images tweeted over the last two days. This one clearly shows the Superfish root certificate impersonating Bank of America’s security certificate on a Lenovo computer.

In computer security lingo Superfish is committing a man-in-the-middle attack.

How hackers can easily exploit Superfish

To make matters so much worse, the root certificate authority used by every copy of Superfish pre-installed on every Lenovo laptop uses the exact same private key, and that key is protected by the exact same password.

Yesterday a security professional explained the process of cracking the password — “komodia” — and how he could use it to spy on the encrypted traffic of affected Lenovo laptops just by being near them in a coffee shop.

Komodia is the name of an Israeli company that makes an SSL “redirector” for doing interception and ad injection, just like Superfish is doing. Since yesterday, Komodia’s website has been “offline due to DDOS with the recent media attention”.

How Superfish may just be the beginning

Superfish has been available under various names as browser plugins for Chrome, Firefox, Internet Explorer and Safari since 2009 and is also available in various forms for Windows, Android and iOS.

I’m not getting how the security hole caused by Superfish on Lenovo laptops isn’t a fundamental strategy used by any implementation of Superfish. So I’m expecting to hear about more affected systems in the days to come.

Already we are finding out that the SSL Decoder/Digestor made by Komodia, and used by Superfish, is also used by many other programs.

Otherwise, this is an amazing illustration of how much difference a day or two can make, not to mention how much can turn on a single stupid decision.

If someone had asked me two days ago, whether a Lenovo laptop was a good choice I’d have probably said yes.

After all, since purchasing IBM’s PC business in 2005, the China-based computer company has continued to make a damn fine version of Big Blue’s no-nonsense ThinkPad, and that alone earned them my respect.

However, today and for the foreseeable future, I would say no, no NO to Lenovo!

One Comment
  1. ~xtian

    I feel like bagging the Chinese here.

    But bugger that – what the fuck is being pushed to the iPhone4?

    Who are the Shenzhen people responsible to? Themselves?

    Heaven forfend…
