Lenovos Superfish a Supersize Problem

By Perry Vandell

Revelations that Lenovo PCs shipped between September and December of last year include adware that could leave users open to data theft should be a wake-up call to solutions providers.

The malware, dubbed ‘Superfish,’ after the adware company that paid Lenovo to install the software, could allow attackers to hijack even encrypted connections that display as protected by HTTPS. It does so via a man-in-the-middle exploit, where the malware issues its own HTTPS certificate rather than using the cert from the sites to which users believe they are connected. That allows Superfish – or an attacker who takes advantage of the software – to intercept encrypted traffic while tricking users into believing they’re on a secure connection.

According to Ars Technica, “the private encryption key accompanying the Superfish-signed Transport Layer Security certificate appears to be the same for every Lenovo machine. Attackers may be able to use the key to certify imposter HTTPS websites that masquerade as Bank of America, Google, or any other secure destination on the Internet.” The technology site reports that the encryption key has already been cracked, meaning anyone using a computer with Superfish installed is taking a serious risk.

Lenovo issued a statement saying that Superfish disabled server-side interactions on all Lenovo products shipped since January, and that the adware is no longer preloaded onto its products. Lenovo also gave a partial defense for its decision to include the adware in the first place, saying today that, “We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.” The company cited negative user reaction as the reason for pulling the software. Lenovo further said that Superfish’s inclusion was meant solely to “help customers potentially discover interesting products while shopping,” and that its relationship with Superfish was “not financially significant.”

Andrew Bagrin, CEO of security provider My Digital Shield, considers this to be a real intrusion on privacy.

“As the PC/laptop market has grown and become so competitive recently, the manufacturers probably don’t make significant funds on the sale of laptops themselves,” Bagrin told Channel Partners. “Instead, they are looking to new routes as way to grow financially. Having trial software is bothersome, but still tolerable. Having ads automatically come up without being granted permission from the end user? The line has been crossed. This tactic should be categorized as …

… a form of hacking.”

Lenovo is not the first OEM to install questionable software for profit; most consumer-class PCs come with “bloatware” and often disable the handy rest and refresh utility that Microsoft first released in Windows 8, precisely to let consumers restore systems to a clean state. Antivirus suites can’t be depended on to remove adware.

What now?

Near term, Adam Ely, the co-founder of Bluebox Security, recommends IT teams locate and cleanse Superfish from infected systems — hopefully before any damage is done.

“While the overall threat is real and it is already expected that we’ll see malware taking advantage of Superfish installations, teams do have time to get ahead of the greater problem,” Ely told Channel Partners. “IT teams should focus on removing the Superfish software using their system management tools.”

A simple uninstall is not sufficient — this is no time to let users DIY; Superfish reportedly installs even in Safe mode. Look for an eventual patch from Microsoft; for now, pay attention to certificates.

“It has been seen in at least some cases that the root certificate installed by Superfish is not removed upon uninstall, so teams must take measures to remove these certificates, otherwise users will remain at risk,” said Ely.

Longer term, solutions providers that do not wipe all PCs to bare metal and do clean OS installs before distributing systems to customers – or their own staffs – should revaluate that decision. And while Superfish poses the biggest threat to those who buy their PCs direct rather than from channel partners, MSPs should be ready to help small business owners who have purchased them from the retail giants.