WASHINGTON, February 25, 2015 – For at least a decade and probably more, purchasers of PCs loaded with the Microsoft Windows OS have complained about the in-your-face commercial software and adware that’s unhelpfully pre-loaded on their computers, generally by the manufacturers of these by now largely generic machines.
The object: fees and/or considerations from the software or adware purveyors that serve to increase the computer vendor’s profit on each machine that’s sold.
Popularly termed “bloatware,” the bulk of this stuff consists of product sales pitches and pre-loaded “trial versions” of products you likely don’t even want. The typical solution is to waste hours upon hours of your precious time going through the complicated process of completely deleting this bloatware from your machine.
This past weekend, however, the excrement hit the fan. A number of online computer geek magazines reported that part of the bloatware installed by Lenovo—the Chinese company that’s the world’s biggest PC manufacturer—on each of its new machines was a sketchy piece of adware known as Superfish.
According to articles in The Verge and elsewhere, the Superfish adware on your new Lenovo machine will leave your computer exposed and vulnerable to so-called “man-in-the-middle” attacks: attacks through which computer hackers can steal your data as you send it to supposedly secure servers, as in, perhaps, your bank account.
Writes David Auerbach in Slate,
“When Lenovo preinstalled Superfish adware on its laptops, it betrayed its customers and sold out their security. It did it for no good reason, and it may not even have known what it was doing. I’m not sure which is scarier. The various news reports of this catastrophe don’t quite convey the sheer horror and disbelief with which any technically minded person is now reacting to Lenovo’s screw-up. Security researcher Marc Rogers wrote that it’s “quite possibly the single worst thing I have seen a manufacturer do to its customer base. … I cannot overstate how evil this is.” He’s right. The Lenovo Superfish security hole is really, really bad.”
In high dudgeon, Auerbach heartily agrees, calling Superfish “the most virulent, evil adware you could find.”
Even the currently-about-to-be-defunded Department of Homeland Security (DHS) has weighed in on the magnitude of the security hole created by Superfish, according to an Open Port report.
“SuperFish has even caught the attention of the US Department of Homeland Security, which has deemed the software, officially ‘makes PCs vulnerable to attack…’ SuperFish is the product of Komodia.com, a software development company.”
Perhaps unsurprisingly, Open Port notes:
“The company’s website has since been the victim of Distributed Denial of Service (DDOS) attacks, likely a response by the Internet community to the much more public proclamations within the last week concerning its software.”
We checked, and Komodia.com is up and running as we write this Wednesday morning. But any direct mention of Superfish is conspicuously absent. Various websites have noted that this company has had a history of selling shady software, but we can’t reliably verify the stories at this point.
Superfish is/was allegedly designed to give computer users what were described as “better” ads. We’ve been around long enough to suspect this is code for a product that tracks every movement of a PC user while browsing the Internet, the better to mine big chunks of your personal data with the objective of shoving ads in your face for products that you, presumably, will be eager to buy. It’s sort of like advertising jiu-jitsu, as it employs your own actions against you.
This kind of targeted data mining and advertising has become ubiquitous, even being deployed on cable TV where most viewers seem blissfully unaware of it.
But here’s the big problem with Superfish. It runs even on secure sites. Why? Simple, and this is the evil part: it installs what’s called a “single self-signed root certificate” into the trusted certificate store of your infected Lenovo (or other) machine. That makes your computer vulnerable, and it also enables Superfish, when your browser connects to an encrypted site, to replace that site’s certificate with its own version, which your machine now accepts as genuine.
The Verge elaborates, noting that by installing “a single self-signed root certificate…across all of Lenovo’s affected machines, Superfish intentionally pokes a gigantic hole into your browser security and allows anyone on your Wi-Fi network to hijack your browser silently and collect your bank credentials, passwords, and anything else you might conceivably type there.”
Lifehacker picks up the story.
“Usually when you visit an encrypted site—say, Bank of America’s—your web browser uses a certificate to confirm that you are in fact visiting the real Bank of America site. That certificate is signed by whichever certificate company the website owner contracted with; in Bank of America’s case, it’s Verisign. On a computer with Superfish installed, however, the certificate from the Bank of America site comes back signed not by Verisign but by Superfish. And your computer has been brainwashed to treat the certificate as legitimate, thereby routing your encrypted data not through the proper and secure certificate, but through Superfish’s.
“To make matters worse, the encryption key is the same for all Superfish certificates, so all a hacker needs to do to gain access to tons and tons of secure data is find a single key—which, according to Errata Security’s Robert David Graham, is pretty easy.”
Lenovo apparently knew about the problem around the turn of the new year, but may have actually known about it sooner. As far as we can confirm, Superfish-affected Lenovo computers were sold approximately during the fourth quarter of 2014, i.e., between October 1 and December 31, 2014.
Lenovo claims to have stopped loading Superfish on its new machines in January, but the company doesn’t say precisely when. However, Lenovo has posted a list of those machines that were affected, which is at least a start.
Given the sales path of new machines, however, we’d suspect any new machine sold from September 1, 2014 until (perhaps) this weekend, and perhaps beyond, as affected machines move unevenly through sales channels.
Additionally, since those self-signed certificates can propagate elsewhere, it’s probably not a bad idea to check your own PC, whoever the manufacturer, just to make sure you haven’t picked something up.
Lenovo has belatedly been trying to address the issue, claiming the company had no idea that installing Superfish would create a blatant security hole in each of its new machines. That’s perhaps believable, but it’s also lame: it indicates Lenovo was going for every last buck of profit rather than shipping a machine loaded with software that put the company’s users first, not executive bonuses.
The New York Times’ online tech section put key questions concerning this tech and PR debacle to Lenovo’s top tech guru:
In an interview on Tuesday, Peter Hortensius, Lenovo’s chief technology officer, tried to explain to the Times “how this could have happened and what the company planned to do next.” By way of background, Hortensius stated:
“The original motivation for this [software install] was that the product team was being asked, ‘Can we do something to improve our consumer experience?’ Someone had the idea to improve their shopping experience in a novel way — not to own their experience, but just, if the consumer is looking at a desk, can we suggest an alternative product that looks like that desk? The motivation was to enhance the experience. Obviously, in retrospect, if we had known what that meant in terms of how it was implemented, we would have never done it.”
Given the magnitude of Lenovo’s blunder from both a technical and a marketing point of view, the Times asked the Big Question: “Why would anyone trust a Lenovo product ever again, knowing that this program was buried so deep in your operating system, and nobody remembers having opted in to this?”
“All we can say is we made a mistake and we apologize. That’s not nearly enough. So our plan is to release, by the end of this week, the beginning of our plan to rebuild that trust.
“Our first action was to remove this thing, to eradicate it. This week we begin the plan to make sure this never happens again. We’ll release that plan by the end of the week.”
Looks like beleaguered Lenovo users will have to wait a little longer for the ultimate solution, whatever that may be.
Meanwhile, in our next post, we’ll share some things you can do right now to discover whether your Lenovo or other computer is affected by this issue and, if so, how to remove this garbageware albatross from your own computer.