Lenovo, the world’s largest PC manufacturer, has been caught installing software on its computers that undermines the security of users’ web connections in order to more effectively serve ads. Researchers have found that the adware makes users vulnerable to attacks that impersonate sites with sensitive information such as banks and email providers.
This has caused an uproar among computer security experts, many of whom see it as a serious breach of user trust. The software on your computer is supposed to protect your privacy, yet Lenovo installed software that not only shows users ads they probably didn't want, but also makes their communications less secure in the process.
Lenovo says the company is looking into the matter and “do not find any evidence to substantiate security concerns.” However, it’s disabling the software in response to public outcry. Superfish, the company that makes the controversial software, says that “Superfish is completely transparent in what our software does and at no time were consumers vulnerable.” The company’s CEO insists that “there has been no wrong doing on our end.”
Others disagree. For example, the Electronic Frontier Foundation, a public interest group, says that “Lenovo’s decision to ship this software was catastrophically irresponsible and an utter abuse of the trust their customers placed in them.”
What does the Superfish software do?
Lenovo says the software was designed to “help customers potentially discover interesting products while shopping.” Superfish is an image search company. The idea behind the software is that when your web browser loads an image, Superfish identifies the image, figures out if it depicts a product, and then lists websites where you can get a better deal on that product.
Lenovo claims that "users are given a choice whether or not to use the product" when they first start up their computers. However, it seems unlikely that users understood what they were agreeing to when they first booted up their newly-purchased PC.
Superfish does one other thing that most adware does not. The company wanted to display ads on every website a user visits, but some websites, such as banks, email providers, and social media sites, use an encryption technology called SSL (short for Secure Sockets Layer; its modern successor is called TLS, but the old name has stuck) to protect users' privacy. Because SSL scrambles communications between a website and a user's web browser, Superfish couldn't read these pages, let alone inject ads into them.
So Superfish mounted what security researchers call a man-in-the-middle attack: it intercepted SSL connections on the user's own computer and impersonated the sites the user was trying to reach. It decrypted the traffic, injected its ads, and re-encrypted the traffic before passing it on, so that both the browser and the real website saw what looked like a normal encrypted connection.
Why is that a security risk?
The SSL technology is specifically designed to prevent this kind of man-in-the-middle attack. After all, if anyone could impersonate your bank’s website, then that little padlock you see in your address bar, indicating a secure connection, would be meaningless. So ordinarily, the browser should have recognized the subterfuge and warned the user that the connection wasn’t secure.
Browsers do this with SSL certificates, digital files that act as a kind of virtual ID card. Certificates are signed by trusted third parties called certificate authorities, and they allow a browser to verify that it is really communicating with, say, bankofamerica.com rather than a Brazilian hacker impersonating Bank of America.
Superfish added its own certificate authority to the list of authorities that Lenovo computers trust, so the browser would accept any certificate that Superfish signed. When a Lenovo user tried to visit bankofamerica.com, the software on her laptop would generate, on the fly, a certificate for bankofamerica.com signed by that authority, and the browser, seeing a certificate from an authority it trusted, would show the padlock as usual.
Not only was this deceptive, it also opened Lenovo devices up to attacks from third parties. The private key for Superfish's certificate authority was the same on every affected machine, so anyone who extracted it from one laptop (researchers demonstrated that this was possible) could sign their own certificates for any website, and those certificates would be trusted by every Lenovo computer afflicted with the Superfish software. Our hypothetical Brazilian hacker could create a fake bankofamerica.com site that many Lenovo laptops would accept without a warning.
I have a Lenovo computer! How can I tell if I’m affected?
You can check the list of model numbers at the bottom of Lenovo’s official press statement. If you purchased one of these computers in the last nine months, it may have Superfish software on it.
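To make the mechanism described above concrete, here is an added example in Go (written for this article, not Superfish's or Lenovo's code) that does in miniature what the interception software did: it creates a root certificate authority, mints a certificate for bankofamerica.com on the fly, and runs the check a browser performs, showing that the certificate is rejected when the rogue authority is not trusted and accepted once it is, and that anyone holding the same authority key can do the same for gmail.com or any other site. The authority name "Superfish, Inc.", the 24-hour validity window and the findRogueRoots scan are assumptions of this example; the scan is the check a practitioner would run over a machine's trusted root store (on Windows, the "Trusted Root Certification Authorities" store) to answer the "am I affected?" question more reliably than a model-number list can.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// randomSerial returns a fresh 64-bit certificate serial number.
func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
}

// newCA builds a self-signed root certificate authority. In the real incident
// the equivalent root (and its private key) shipped on every affected laptop.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{Organization: []string{name}, CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // assumed validity window
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// forgeLeaf mints a server certificate for host signed by the CA: the
// per-connection step an intercepting proxy performs for each site visited.
func forgeLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// browserAccepts does what a browser does on connect: chain the presented
// certificate to a trusted root and check that it is valid for the host.
func browserAccepts(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// findRogueRoots returns the subjects of trusted roots whose name contains
// needle (case-insensitive). Run over a machine's root store, this is how to
// tell whether an interception authority has been installed.
func findRogueRoots(roots []*x509.Certificate, needle string) []string {
	var hits []string
	for _, c := range roots {
		if strings.Contains(strings.ToLower(c.Subject.String()), strings.ToLower(needle)) {
			hits = append(hits, c.Subject.String())
		}
	}
	return hits
}

func main() {
	ca, caKey, err := newCA("Superfish, Inc.") // assumed name for the shipped root
	if err != nil {
		panic(err)
	}
	leaf, _ := forgeLeaf(ca, caKey, "bankofamerica.com")
	clean := x509.NewCertPool() // a trust store without the rogue root
	fmt.Println("without rogue root:", browserAccepts(leaf, clean, "bankofamerica.com"))
	tainted := x509.NewCertPool() // a trust store with the rogue root installed
	tainted.AddCert(ca)
	fmt.Println("with rogue root:", browserAccepts(leaf, tainted, "bankofamerica.com"))
	// Anyone holding the same CA key can forge any other site just as easily.
	other, _ := forgeLeaf(ca, caKey, "gmail.com")
	fmt.Println("attacker's gmail.com cert:", browserAccepts(other, tainted, "gmail.com"))
	fmt.Println("suspicious roots:", findRogueRoots([]*x509.Certificate{ca}, "superfish"))
}
```

The first check fails with an "unknown authority" error, which is exactly the warning a browser would show on an unaffected machine; the remaining checks pass, which is the padlock an affected Lenovo user saw. Note that the hostname check still applies: a forged gmail.com certificate is not accepted for bankofamerica.com, so an attacker must mint one certificate per impersonated site, which is trivial once the key is in hand.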
How has Lenovo responded?
Lenovo acknowledges that “user feedback was not positive,” and the company took action to disable the software back in January. However, reports surfaced this week suggesting that it was still hijacking some Lenovo customers’ SSL connections. (I’ve asked Lenovo to clarify and will update if they do.)
In an interview with the Wall Street Journal, Lenovo’s CTO described the attacks security researchers have identified as “theoretical concerns.” “We have no insight that anything nefarious has occurred,” he said.
The company says it has stopped preloading Superfish software on its computers and has promised not to install the software in the future. The company is also preparing to remotely remove copies of the software from computers it has already sold.
Why are computer security experts upset about this?
So far, there’s no concrete evidence that anyone exploited Superfish vulnerabilities to harm users, though that doesn’t mean it won’t happen. But this kind of attack can lead to serious problems.
When one piece of software deliberately opens a backdoor to a secure technology like SSL, it creates the possibility that other attackers could sneak in through that back door. An attacker who can sit between the laptop and the internet, for instance on the same public Wi-Fi network, could use this vulnerability to impersonate gmail.com and read people's emails, and a foreign intelligence agency with broader network access could do the same at scale. Hackers could impersonate e-commerce sites and steal people's credit card numbers or other private information.
More fundamentally, we place a lot of trust in the companies that sell us electronic devices. We expect that they’ll install software that acts in our interest. Critics say Lenovo’s decision to pre-install Superfish reveals an alarming lack of concern for the interests of their own customers.