February 19, 2015 1:25 pm

Lenovo under fire for pre-installing ‘malicious’ adware on laptops

Security experts say Superfish is designed to intercept encrypted connections, leaving Lenovo customers extremely vulnerable.

PHILIPPE LOPEZ/AFP/Getty Images
A A

TORONTO – Lenovo, the world’s largest PC maker, is facing fierce scrutiny for pre-installing adware on consumer laptops that experts say leaves users vulnerable to hacking and security threats.

The software, called Superfish, is designed to provide users with a “visual search” experience by showing users third-party ads in Google search results. This type of software is often called adware thanks to its ability to automatically display ads.

Story continues below

But security experts say Superfish leaves Lenovo customers extremely vulnerable.

What is SuperFish and what are the risks?

“This particular adware does some nasty things to intercept consumer traffic, it intercepts all your Secure Socket Layer (SSL) traffic [an encryption technology marked by the small, closed padlock and “https:” on Web browsers to show that traffic is secure], it could intercept password logins and private emails,” Robert Graham, CEO of U.S.-based security research firm Errata Security, told Global News.

According to security experts, Superfish intercepts encrypted connections leaving them open – theoretically allowing hackers to hijack the connection in a man-in-the-middle style attack.

Experts allege the adware hijacks secure connections to monitor them, collect personal data and provides users with fake security certificates when connecting to legitimate sites.

“Superfish replaces legitimate site certificates with its own in order to compromise the connections so it can install its adverts. This means that anyone affected by this adware cannot trust any secure connections they make,” wrote cybersecurity expert Marc Rogers on his blog.

“Because Superfish uses the same certificate for every site it would be easy for another hostile actor to leverage this and further compromise the user’s connections.”

Who is affected and what can users do about it?

According to a statement from Lenovo issued Thursday, Superfish was pre-installed on some consumer laptops shipped in a “short window” between October and December 2014.

However, users on a Lenovo customer forum thread first mentioned the seeing the software in June.

Other reports suggest Lenovo has been pre-installing the adware on models manufactured over the last two years.

Lenovo said Superfish was completely disabled on all products in January.

The company added it will no longer pre-load the software on future devices.

READ MORE: Lenovo Canada cancels customer orders after online pricing error

“We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.  But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software,” read the statement posted to the company’s website.

“To be clear, Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior.  It does not record user information. It does not know who the user is.”

Those with affected computers would have received a notification presenting the Terms of Use and Privacy Policy the first time Superfish was activated. Users would have had the option to decline the terms – in turn, disabling the software.

Graham – who installed the adware on his on his own computer to test it – said while the software does allow users to read the privacy policy prior to their first use, the terms aren’t clear.

The researcher added that Lenovo is not being transparent about the malicious capabilities of the adware.

Meanwhile, users are taking to social media and Lenovo’s website to express their outrage over the adware.

“This is utterly disgusting, a high profile company like yourself just compromised all of our personal data, who’s gonna pay for the credit monitoring, who’s gonna insure this is dealt with,” wrote one customer on a Lenovo forum.

Many were quick to point out that Lenovo’s instructions to remove the adware do not include the steps to remove the security certificates – a key step in securing your computer. Some also allege Lenovo is not being honest about the number of affected machines.

“The statement you have posted is full of crap, and does not instruct for removal of the root certificate.  Lenovo didn’t stop preloading this software in January; my machine was manufactured first week of February and still contained it.  The certificate has been cracked and you have a giant security hole in hundreds of your machines,” wrote another user. 

How to remove SuperFish

Affected users will have to take two steps to remove the software from their computers.

First, to remove the software go to Control Panel, click “Uninstall Program” and select “Visual Discovery” and click on uninstall.

Then you will have to remove the Superfish security certificate. To do this, go back into Control Panel and search for “Certificates.” Your computer will direct you to “Administrative Tools.”

Under “Manage Computer Certificates,” click on the “Trusted Root Certification Authorities” folder and then “Certificates.” Find the one named “Superfish Inc.” and right-click to delete it.

© 2015 Shaw Media

Report an error

Comments

Want to discuss? Please read our Commenting Policy first.