Lenovo has been shipping consumer PCs with pre-installed adware from a company called Superfish. The Virtual Discovery software inserts its own ads into some websites based on an analysis of images on the page, a behavior that's shady at best.
But that's not the worst part.
As Ars Technica explains, Virtual Discovery installs a "self-signed root HTTPS certificate that can intercept encrypted traffic for every website a user visits." This certificate reportedly makes systems vulnerable to man-in-the-middle attacks, and there's more:
Even worse, the private encryption key accompanying the Superfish-signed Transport Layer Security certificate appears to be the same for every Lenovo machine. Attackers may be able to use the key to certify imposter HTTPS websites that masquerade as Bank of America, Google, or any other secure destination on the Internet. Under such a scenario, PCs that have the Superfish root certificate installed will fail to flag the sites as forgeries—a failure that completely undermines the reason HTTPS protections exist in the first place.
According to Ars, all browsers are vulnerable once Virtual Discovery is installed. Getting rid of the software doesn't necessarily help, either. At least one user reports on Twitter that the certificate remains after the adware is uninstalled. The certificate has to be deleted manually to cleanse the system fully. Even then, you might want to perform an exorcism—just to be sure.
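Because the root certificate reportedly survives uninstalling the adware, the practical check is to look in the Windows trust stores directly. The following PowerShell script is an added example, not something from the article or from Lenovo; it assumes the certificate's Subject field contains the string "Superfish" (the article does not give the exact subject or thumbprint), and it flags any matching root whose private key is present on the machine, since the article reports the signing key ships with every affected PC.

```powershell
# Added example: find (and optionally remove) trusted root certificates that
# mention Superfish, in both the machine-wide and current-user root stores.
# Assumption: the root's Subject contains "Superfish"; adjust $pattern if needed.
$pattern = 'Superfish'
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

function Find-SuspectRoot {
    param([string]$Pattern, [string[]]$StorePaths)
    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path |
            Where-Object { $_.Subject -match $Pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $path
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    # No end-user PC should hold the signing key of a trusted CA;
                    # a root with its private key present is the condition the
                    # article describes as enabling man-in-the-middle attacks.
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

$found = Find-SuspectRoot -Pattern $pattern -StorePaths $stores
if (-not $found) {
    Write-Output "No trusted root matching '$pattern' found."
    return
}
$found | Format-Table -AutoSize

# Removal must be explicit: uninstalling the adware alone reportedly leaves the
# root in place. The LocalMachine store requires an elevated prompt.
foreach ($cert in $found) {
    Remove-Item -Path "$($cert.Store)\$($cert.Thumbprint)" -Confirm
}
```

Browsers that keep their own trust store rather than using the Windows store have to be checked separately; this script only covers the two Windows root stores.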
This Lenovo forum post from January indicates that the PC maker has "temporarily removed Superfish from [its] consumer systems." This suspension was due to unintended pop-up behavior rather than security concerns, but Lenovo told The Verge this morning that it's "thoroughly investigating" the new allegations.
In any case, infected machines are still selling. Security researcher Chris Palmer was able to buy one yesterday, and there's no telling how many others remain on store shelves and in e-tail stocks. And then there are all the afflicted systems already in the wild. Lenovo's damage control department is going to be working overtime on this one.
Update: Text100 account executive Carly Moore just sent us the following Lenovo statement regarding the Superfish situation.
Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping. However, user feedback was not positive, and we responded quickly and decisively:
1) Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.
2) Lenovo stopped preloading the software in January.
3) We will not preload this software in the future.
We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns. But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software. We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first.
To be clear, Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. Users are given a choice whether or not to use the product. The relationship with Superfish is not financially significant; our goal was to enhance the experience for users. We recognize that the software did not meet that goal and have acted quickly and decisively.
We are providing support on our forums for any user with concerns. Our goal is to find technologies that best serve users. In this case, we have responded quickly to negative feedback, and taken decisive actions to ensure that we address these concerns. If users still wish to take further action, detailed information is available at http://forums.lenovo.com.
Although Lenovo claims it has found no evidence to "substantiate security concerns," the statement doesn't mention secure certificates or potential man-in-the-middle attacks. In fact, it reads more like a defense of Superfish's ad-injecting behavior and the motivations behind installing the software on Lenovo systems.
Update 2: Lenovo CTO Peter Hortensius has called the Superfish situation a "serious mistake" and promised to release a removal utility.