How Lenovo's Superfish 'Malware' Works And What You Can Do To Kill It


Lenovo might have made one of the biggest mistakes in its history. By pre-installing software called ‘Superfish’ to push ads onto users’ screens, it has angered the entire privacy community, which has been aghast this morning on Twitter. There are serious security concerns about Lenovo’s move too, as attackers could take Superfish and use it to ensnare unwitting web users.

Here’s what you need to know about Superfish and what you can do to stop it chucking irksome ads on your browser and leaving you open to hackers.

Is Superfish malware?

Lenovo won’t want anyone to call it that, but Superfish has been described as a piece of malware, or an adware pusher, that the Chinese firm pre-installs on consumer laptops. Superfish is also the name of the development company, with bases in Tel Aviv and Palo Alto, behind the tool. It claims it has “developed the most advanced and scalable visual search technology in the world” and was ranked America’s 64th most promising company by Forbes.

From what’s known about it thus far, Lenovo uses Superfish to place adverts that the laptop manufacturer wants users to see into their Google search results. It’s a good way to make money, after all.

Users were already complaining about Superfish in mid-2014, and since then the complaints from consumers have come en masse. A Lenovo administrator finally sought to address their ire with this comment on 23 January: “Superfish comes with Lenovo consumer products only and is a technology that helps users find and discover products visually. The technology instantly analyzes images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine.

“Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. When using Superfish for the first time, the user is presented the Terms of Use and Privacy Policy, and has the option not to accept these terms, i.e., Superfish is then disabled.”

That all sounds very innocent. But privacy advocates are concerned about how this might be used to intercept people’s traffic and be abused for more surreptitious ends. For non-encrypted traffic (i.e. connections running over HTTP rather than HTTPS), Superfish is used to inject JavaScript into web pages.

But there’s a bigger concern: that Lenovo is intercepting encrypted traffic so it can show ads on people’s computers. In the security world, this is known as a man-in-the-middle attack. If Lenovo was doing this, it would have to insert itself into what’s known as the certificate chain. This is a chain of trust, whereby the parties on the route between a user and a particular website present certificates to prove they’re a legitimate party and not a malicious actor, like a criminal or a spy.

With Superfish, it’s been claimed Lenovo is using a self-signed certificate to appear as a trusted party (which it no doubt considers itself to be) along the chain. In theory, it is therefore able to see users’ traffic and alter it in whatever way it sees fit. This method, according to Robert Graham of Errata Security, makes Superfish the root Certificate Authority (CA) - essentially the link that decides what encrypted communications to trust.

“It means Superfish can generate a valid (from the browser's standpoint) encryption certificate for Facebook or Google, or any other site using HTTPS,” noted security analyst Andreas Lindh.

From a privacy perspective, this isn't ideal. Lenovo could easily abuse this trust to spy on its PC owners. But, as far as anyone is aware, it would never do that.
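One way to see the “certificate chain” the article describes is to open an HTTPS connection from the affected machine and list the certificates the client actually accepts for it. The script below is an added example for illustration, not code from the article, from Lenovo or from Superfish: it connects to a site, walks the chain from the site’s certificate up to the root the Windows store trusts, and reports whether that root names Superfish. The hostname is only an illustrative default; matching on the text “Superfish” in the root’s subject is an assumption, since the article does not give the certificate’s fingerprint.

```powershell
# Added example (not from the Forbes article): list the certificate chain
# this machine accepts for an HTTPS site and flag a chain that ends at a
# locally installed Superfish root instead of the site's public CA.
# Assumptions: Windows PowerShell, outbound TCP/443 allowed, and the default
# hostname below, which is only illustrative. The 'Superfish' subject match
# is an assumption; the article gives no thumbprint for the certificate.
param(
    [string]$HostName = 'www.example.com',
    [int]$Port = 443
)

$client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
try {
    # Accept whatever the server presents: the goal is to inspect the chain,
    # not to enforce it, so a validation failure must not abort the handshake.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($HostName)

    # Build the path from the leaf certificate up to a root in the Windows stores,
    # exactly as Chrome and Internet Explorer would.
    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null  = $chain.Build($leaf)

    $i = 0
    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        Write-Output ("[{0}] Subject: {1}" -f $i, $c.Subject)
        Write-Output ("     Issuer:  {0}" -f $c.Issuer)
        Write-Output ("     SHA1:    {0}" -f $c.Thumbprint)
        $i++
    }

    # The last element is the trust anchor. On a clean machine it is the site's
    # public CA; on an intercepted one it is the locally installed root.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($root.Subject -like '*Superfish*') {
        Write-Warning "Chain for $HostName ends at a Superfish root: HTTPS to this site is being intercepted on this machine."
    } else {
        Write-Output "Chain ends at: $($root.Subject)"
    }
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $client.Close()
}
```

Run it as `.\Show-TlsChain.ps1 -HostName www.google.com` (file name assumed). A normal chain ends at a public root CA; a chain whose issuer and root both name Superfish is the man-in-the-middle the article describes, because the site’s real certificate never reaches the browser.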

There’s a serious security concern too

The biggest fear from a security standpoint is that a criminal-minded hacker could use Superfish’s encryption methods and abuse them to intercept other people’s traffic. That's why some have been reminded of Sony's malware installations from the mid-2000s, when it attempted to stop people pirating its software but opened up a backdoor for hackers to abuse customers' PCs.

Anyone who can extract the private key that Superfish supposedly uses to sign its certificate could use it to sign their own certificates to spy on those running Lenovo laptops if they’re on the same network, like those sitting on the same public Wi-Fi in a coffee shop.

“It's the same root CA private-key for every computer. This means that hackers at your local cafe Wi-Fi hotspot, or the NSA eavesdropping on the internet, can use that private-key to likewise intercept all SSL [encrypted] connections from Superfish users,” said Graham. He told Forbes this amounted to “an egregious security failure”. “Its intent is so that Superfish can 'hack' you, and it opens the system up to hacks by others.”

This would take some effort (though not much reverse engineering skill... and Graham has now extracted the key to prove that point) and may have limited application, but if an attacker has the wherewithal and can find a place where Lenovo consumers like to get online, they might have some luck scooping up people’s data, whether that’s banking login details or emails.

Who is affected and what can you do about it?

Lenovo has taken Superfish offline for now as it plans to issue some “fixes”. “Lenovo removed Superfish from the preloads of new consumer systems in January 2015. At the same time Superfish disabled existing Lenovo machines in market from activating Superfish. Superfish was preloaded onto a select number of consumer models only. Lenovo is thoroughly investigating all and any new concerns raised regarding Superfish,” a spokesperson said in an email sent to Forbes. Superfish had not yet responded to a request for comment.

According to the spokesperson, Lenovo only installed Superfish on consumer laptops between September and December last year. Chrome and Internet Explorer are affected, as they use Microsoft's Windows store of trusted certificates. Though Firefox has its own list of certificate providers, the Electronic Frontier Foundation found as many as 44,000 Superfish certificates were run at some point by users of Mozilla's browser.

To find out if you're affected, open Windows' list of trusted certificates: open the Control Panel and search for "certificates", which brings up Administrative Tools and a "Manage computer certificates" option. Click "Trusted Root Certification Authorities" and then "Certificates" to see the list. If you see a certificate with Superfish Inc attached to it, you may be vulnerable.

Even for users who do find it, uninstalling the program does not get rid of the problem, because uninstalling does not remove the certificate. So for anyone concerned that Superfish is still swimming around their computer, the best option might be to back everything up and install a fresh operating system. It might be a good excuse to upgrade to a more secure OS anyway.
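The manual check above, and the point that uninstalling the program leaves the certificate behind, can both be covered from an elevated PowerShell prompt. The script below is an added example, not code from the article, from Lenovo or from Superfish: it searches the machine-wide and per-user Trusted Root stores for a certificate whose subject or issuer names Superfish, reports what it finds, and only removes the certificate when explicitly asked. Matching on the text “Superfish” is an assumption, as the article gives no fingerprint, and the store paths are the standard Windows certificate provider paths.

```powershell
# Added example (not from the Forbes article): find, and optionally remove,
# a trusted root certificate naming Superfish. This is the same check the
# article describes doing by hand in the Control Panel, plus the removal
# step that uninstalling the program does not perform.
# Assumptions: run from an elevated PowerShell on Windows; the 'Superfish'
# subject/issuer match is an assumption since the article gives no thumbprint.
# Without -Remove the script only reports.
param(
    [switch]$Remove
)

# Both stores matter: a root trusted in either one is trusted by Chrome and
# Internet Explorer, which use the Windows store. Firefox keeps its own list
# and is not covered by this check.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' } |
        Select-Object @{Name = 'Store'; Expression = { $store }},
                      Subject, Issuer, Thumbprint, NotAfter, PSPath
}

if (-not $found) {
    Write-Output 'No certificate naming Superfish found in the trusted root stores.'
    return
}

Write-Warning 'A Superfish root certificate is trusted on this machine:'
$found | Format-Table -Property Store, Subject, Thumbprint, NotAfter -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        # PSPath addresses the exact certificate object in the store, so only
        # the matched entries are deleted.
        Remove-Item -Path $cert.PSPath -Verbose
    }
    Write-Output 'Removed. Close and reopen your browsers, then re-run this script to confirm the stores are clean.'
} else {
    Write-Output 'Re-run with -Remove to delete the certificate from the trusted root store.'
}
```

Run it once without arguments to see whether the certificate is present, and again with `-Remove` to delete it. Removing the root certificate is what stops the browser from trusting certificates signed with the shared private key; uninstalling the Visual Discovery program alone, as the article notes, does not.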

Security expert Troy Hunt recommends just that: “I recently bought a new Lenovo machine myself and the first thing I did was to install a clean version of Windows. That’s the only way you’re going to have confidence that it hasn’t come pre-installed with anything nasty (potential monitoring in device firmware aside) and that’s what I’d be suggesting to anyone concerned about this.”

There's also a YouTube video found by The NextWeb that looks to help people stop the "Visual Discovery" software working, though it won't deal with the underlying security issue here.

Superfish also has intriguing links to the surveillance industrial complex and history in the "crapware" space. Read more about it here...

UPDATE: Information added on the timeframe in which Lenovo added Superfish to PCs. It was a four-month window last year, during which Lenovo shipped a total of 16 million PCs, not all of which were consumer laptops.