Have you bought a Lenovo laptop or PC in the last two years or so? If so, you need to read this post, as you may have a very unwanted virus dwelling within your computer. In late January, the Chinese computer-maker admitted that it had placed hidden adware on its laptops and PCs. This software, called Superfish, is alleged to have been designed to intercept web traffic using fake, self-signed root certificates to inject advertisements into sessions. It appears that Lenovo laptops manufactured in the last two years have had Superfish pre-installed on them, which means millions are likely affected across the globe, given that the manufacturer shipped 113 million PCs over that period. If the concerns about Superfish are true, Lenovo may not only have betrayed its customers’ trust but also put them at increased risk. It also raises a more disquieting set of questions about the deals that computer manufacturers make with third parties and the amount of software that comes pre-installed on machines. But first, let’s explore the little-known software called “Superfish”.

Lenovo argues that it placed Superfish on its consumer machines in order to insert adverts into Google search results that the laptop manufacturer wants users to see. On January 23rd, a Lenovo spokesperson indicated that: “Superfish comes with Lenovo consumer products only and is a technology that helps users find and discover products visually. The technology instantly analyzes images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine.” But it turns out that Superfish is more than just a benign piece of tracking software. Such adware is widely regarded in the industry as a form of malware because of the way it interacts with a person’s laptop or PC.

Superfish appears to install a man-in-the-middle certificate that allows outside parties to take a peek at secure websites you might be visiting, according to a number of news reports. The problem was shown to be even worse than expected on Lenovo consumer laptops running Windows 8.1 sold between September 2014 and January 2015. Putting what very much looks to be malware on machines is pretty brazen. The Next Web reports that antivirus software companies have labeled Superfish as a virus and recommend removing it. Lenovo user forums have been buzzing about the potential abuses posed by Superfish.

But there’s a bigger concern: that Lenovo is intercepting encrypted traffic so it can show ads on people’s computers. In the security world, this is known as a man-in-the-middle attack. If Lenovo was doing this, it would have to insert itself into what’s known as the certificate chain. This is a chain of trust in which each certificate is vouched for by the one above it, up to a root certificate the computer already trusts, so that a website can prove it is a legitimate party and not a malicious actor, like a criminal or a spy. With Superfish, it’s been claimed Lenovo is using a self-signed certificate to appear as a trusted party (which it no doubt considers itself to be) along the chain. In theory, it is therefore able to see users’ traffic and alter it in whatever way it sees fit. This makes Superfish a root Certificate Authority (CA) – essentially the link that decides which encrypted communications to trust. This is really nasty stuff!

According to ZDNet, on February 19th, things got even worse when a noted security researcher extracted the password that Superfish uses for its CA and published it. He proved, fairly convincingly, that he could intercept the encrypted communications of Superfish’s victims over a shared Wi-Fi connection. This makes any Lenovo laptop user subject to having passwords stolen directly off their computer.

The biggest fear from a security standpoint is that a criminal-minded hacker could take Superfish’s encryption methods and abuse them to intercept other people’s traffic. That’s why some have been reminded of Sony’s malware installations from the mid-2000s, when it attempted to stop people pirating its software but opened up a backdoor for hackers to abuse customers’ PCs. Anyone who can extract the private key that Superfish supposedly uses to sign its certificate could use it to sign their own certificates and spy on those running Lenovo laptops if they’re on the same network, like those sitting on the same public Wi-Fi in a coffee shop. Another fear raised by observers is that the hidden software was also injecting adverts into browsers using techniques more akin to malware.

It isn’t clear how many Lenovo computers have Superfish on them. The company told the BBC in a statement: “Lenovo removed Superfish from the preloads of new consumer systems in January 2015. It has released a list of affected computers. At the same time Superfish disabled existing Lenovo machines in the market from activating Superfish”. However, the company has been very coy about what consumers can do if they feel their computers are infected. Removing this software is not easy. Some bloggers have indicated that the only way to remove it is to reinstall a clean version of Windows. Lenovo claims that Superfish disabled its server-side interactions and therefore has disabled the software; however, the dangerous certificate remains on your computer and you need to get rid of it. ZDNet recommends uninstalling “Virtual Discovery” through the Windows Control Panel uninstall process. You would also need to run the Management Console and remove the Superfish certificate. The process for doing it is outlined here.
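The certificate check and removal step described above, as an added PowerShell example that is not from the original post, from Lenovo or from ZDNet’s instructions: it audits the Windows trusted-root stores for a certificate whose subject or issuer names Superfish, reports whether it is self-signed (the hallmark of a root CA inserted into the chain of trust), and removes it only when run with -Remove. Matching on the name “Superfish” is an assumption, since the post does not give the certificate’s exact subject.

```powershell
# Added example (not from the original post): audit the Windows trusted-root
# certificate stores for the Superfish root CA and optionally remove it.
# Assumption: the certificate's Subject or Issuer contains "Superfish".
param(
    [switch]$Remove   # run without -Remove to audit only
)

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$found  = @()

foreach ($store in $stores) {
    $matches = Get-ChildItem -Path $store | Where-Object {
        $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*'
    }

    foreach ($cert in $matches) {
        # A root CA certificate is self-signed: subject and issuer are identical.
        $selfSigned = ($cert.Subject -eq $cert.Issuer)

        $found += [pscustomobject]@{
            Store      = $store
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            SelfSigned = $selfSigned
            NotAfter   = $cert.NotAfter
        }

        if ($Remove) {
            # Deleting from LocalMachine\Root needs an elevated (Administrator) prompt.
            Remove-Item -Path (Join-Path $store $cert.Thumbprint) -Force
            Write-Host "Removed $($cert.Thumbprint) from $store"
        }
    }
}

if ($found.Count -eq 0) {
    Write-Host 'No Superfish certificate found in the trusted root stores.'
} else {
    $found | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt so the LocalMachine store can be read and written; browsers that keep their own certificate store, such as Firefox, are not covered by this check.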

The last word is from Lenovo itself:  “Lenovo is thoroughly investigating all and any new concerns regarding Superfish.”   That sentence probably says it all; the company hasn’t denied the concerns raised and has, so far, declined to take any action other than to suspend preloading it on computers sold after January 15th.   This offers little comfort to millions of Lenovo owners who are having to decide whether they can trust their computers.  And, given the series of accusations about the Chinese government’s exploitation of software flaws,  Lenovo will have the added burden of proving that Superfish isn’t a gateway for government-sponsored surveillance.

Post note: On February 20th, Lenovo’s CTO admitted that the company had “messed up badly”. He indicated that the company was going to release a “clean up tool” to “make things right”. It has created a Superfish uninstall page on its website for this purpose. It is almost identical to the process recommended by ZDNet (good on ‘ya, guys). Lenovo also claims to be investigating ways to deliver the tool as an automatic patch, possibly through partners such as Microsoft and McAfee, instead of relying on users to download it from its website. And it’s looking at how it might be able to remove the software from the “preload” of the affected laptops, that is, the Windows deployment preloaded with drivers and software that’s stored on the hidden recovery partition and used for factory resets.

Again, we’ll give Lenovo the last word, except these words ring far truer:   “At the end of the day, we messed up badly,” Hortensius is reported to have said. “There is no other way to say it. We’re not trying to hide. We’re trying to do everything we can do to solve the problem for people and subsequently make sure this doesn’t happen again.”