Software pre-installed by the hardware manufacturer is rarely useful. That’s nothing new. Most system administrators are re-installing notebooks and computers before they’re using them. This is probably the reason that this security nightmare has not been discovered before.
Lenovo is a known brand for its business notebooks. Chris Palmer, a developer working for Google on Chrome, discovered that Lenovo delivers notebooks with the adware “Superfish” pre-installed. Even though that’s bad enough already, the adware also tries to insert advertisements based on images (“Visual Search”) of a couch for example. So if you’re looking for a new couch on the internet, as soon as there is a product picture, it will try to insert an ad for the couch you’re currently looking at. Research shows that it’s being pre-installed since at least September 2014, where a forums post about Superfish appeared.
Now you could think that you’re not affected because most of the shopping sites you’re visiting are already behind a HTTPS connection. That’s why this great piece of software also installs a root certificate in your windows certificate store!
But hey, if that didn’t catch your attention yet: The pre-installed certificate is the exact same on all systems as it seems. And so is obviously the private key, which seems to be part of the Superfish software as well. What it means? Well, you can just issue certificates and computers having the Superfish software installed will recognize them as valid.
Be aware that if you’re going to uninstall Superfish, it doesn’t automatically remove the root certificate they’re installing on your system. You’ll need to do that yourself. (Well, obviously. I mean hey, this certificate is so important, it needs to stay on your system!)
- Lenovo delivers adware pre-installed since at least September 2014
- The adware installs a Root certificate
- Every banking site, shopping site etc. you’re visiting is man-in-the-middled
- The private key is shared amongst all installations
- Uninstalling the Superfish adware does not resolve the issue
- You’ll need to remove the root certificate manually
To be clear, Superfish comes with Lenovo consumer products only and is a technology that helps users find and discover products visually. – Mark Hopkins, Program Manager at Lenovo
Update 1: Wugz posted a statement he received from his account manager this morning.
We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns. – Lenovo statement on Superfish
In advance, Superfishs private key was extracted by Errata Security. The blog post is worth a read and shows how it was extracted.
Got more Information? Please let me know in the comments below. I’m interested. This post will be updated as soon as new information arises.