Lenovo shipping laptops with pre-installed adware that kills HTTPS

Software conducts Man-in-the-Middle attack to display ads; Lenovo says users had to opt-in before this could happen

Lenovo is in hot water after it was revealed on Wednesday that the company is shipping consumer laptops with Superfish (Adware) pre-installed. Security experts are alarmed, as the software performs Man-in-the-Middle attacks that compromise all SSL connections.

It's a fact of life; PC manufacturers are paid to install software at the factory, and in many cases this is where their profit margin comes from. However, pre-installed software is mostly an annoyance for consumers. Yet, when this pre-installed software places their security at risk, it becomes a serious problem.

Lenovo, in comments posted to a company support forum, said they have partnered with a company called Superfish Inc. to deliver software "that helps users find and discover products visually."

This is done by injecting ads on the sites displayed by Internet Explorer and Chrome; Firefox doesn't seem to be impacted in this instance, but complaints that date back to last summer surrounding Superfish do include Mozilla's browser. Others are more recent, including one posted Thursday morning on Twitter, which says Superfish installs WindowShopper on Firefox.

Researchers have discovered that not only does Superfish inject ads; it also breaks SSL by installing a self-signed root certificate that can intercept encrypted traffic for any secured website a user visits.

This Man-in-the-Middle attack is what drives the visual ad displays across all websites, no matter what their encryption status may be.

"Superfish technology is purely based on contextual/image and not behavioral. It does not profile, nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked, nor re-targeted. Every session is independent. When using Superfish for the first time, the user is presented the Terms of User and Privacy Policy, and has option not to accept these terms, i.e., Superfish is then disabled," commented Mark Hopkins, Program Manager for Lenovo Social Media Services.

Most experts have taken exception to Lenovo's pre-installed business deal, and the fact that consumers had to first opt-in to the Man-in-the-Middle attack doesn't change the flawed security involved.

Even if the user removes the Superfish software, the certificate remains trusted and installed on the system. As for the opt-in requirement, most users agree to everything when configuring a new system, assuming they even notice the Superfish TOS to begin with.

The Superfish certificate is the same for each laptop it's installed on, and this certificate is used for each SSL connection. A criminal would have little difficulty in using this setup to further compromise a person's connections – and the Superfish certificate's trust level on the system would only help. Moreover, Superfish uses a SHA1 certificate with a 1024-bit RSA key.
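
Because the root certificate stays trusted after the software is uninstalled, the trust store itself has to be checked. The read-only PowerShell audit below is an added example, not code from the article, Lenovo or Superfish; it flags trusted roots that match the traits reported above (the Superfish name, a SHA-1 signature, a short RSA key). The name pattern and the 2048-bit threshold are assumptions.

```powershell
# Added example: audit the Windows trusted-root stores for the traits the
# article attributes to the Superfish root. Read-only; it changes nothing.
$namePattern = 'Superfish'   # assumption: the name appears in Subject or Issuer
$minRsaBits  = 2048          # assumption: RSA roots below this size are flagged

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store) {
        $reasons = @()

        if ($cert.Subject -match $namePattern -or $cert.Issuer -match $namePattern) {
            $reasons += 'name matches'
        }
        # FriendlyName is a string such as "sha1RSA" or "sha256RSA"
        if ($cert.SignatureAlgorithm.FriendlyName -match 'sha1') {
            $reasons += 'SHA-1 signature'
        }
        # GetRSAPublicKey returns $null for non-RSA (for example ECDSA) certificates
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        if ($rsa -and $rsa.KeySize -lt $minRsaBits) {
            $reasons += "RSA $($rsa.KeySize)-bit key"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Reasons    = $reasons -join '; '
            }
        }
    }
}

# Name matches sort first; the remaining rows are for manual review
$findings |
    Sort-Object { $_.Reasons -notmatch 'name matches' }, Subject |
    Format-Table -AutoSize -Wrap
```

A SHA-1 signature alone also matches several long-standing public roots, so treat those rows as context; a name match or an undersized RSA key is what calls for removing the certificate from the store.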

"We trust our hardware manufacturers to build products that are secure. In this current climate of rising cybercrime, if you can't trust your hardware manufacturer you are in a very difficult position," wrote security researcher Marc Rogers.

"When bad guys are able to get into the supply chain and install malware it is devastating. Often users find themselves with equipment that is compromised and are unable to do anything about it. When malware is installed with the access a manufacturer has it buries itself deep inside the system often with a level of access that often takes it beyond the reach of antivirus or other countermeasures. This is why it is all the more disappointing – and shocking – to find a manufacturer doing this to its customers voluntarily."

Salted Hash has reached out to Lenovo for comment, and will update once they respond.

Update:

A Lenovo spokesperson responded to questions earlier this morning. The company says that Superfish hasn't been installed on laptops since January, and that all server side interactions have been disabled since then as well. The full statement is below.

Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping. However, user feedback was not positive, and we responded quickly and decisively:

1) Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.

2) Lenovo stopped pre-loading the software in January.

3) We will not pre-load this software in the future.

We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns. But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software. We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first...

The statement goes on to repeat what was said originally on the support forums, adding that the relationship with Superfish Inc. is not financially significant to Lenovo; "our goal was to enhance the experience for users. We recognize that the software did not meet that goal and have acted quickly and decisively," the statement concluded.
