In what’s being called a “violation” of users’ rights by experts, Chinese computer manufacturer Lenovo has been caught installing money-making adware that hijacks user’s Internet sessions and potentially allows both hackers and advertisers to intercept everything you do online—including your passwords and a variety of other sensitive data.
The adware, known as Superfish, intercepts private data for advertising purposes. It comes as a standard pre-installed program on Lenovo’s computers.
At the core of concerns surrounding Lenovo’s actions, which were recently brought to light by security researcher Chris Palmer, is that Superfish installs itself as what’s known as an unrestricted root certificate authority, which can intercept and imitate encrypted traffic for every website a user visits, from banking to email to Facebook.
In other words, hackers may be able to use Superfish to imitate anything from a user’s bank to an update from Microsoft. The adware infects every browser on a machine, and Google Chrome specifically provides no warning that Superfish is activated.
Experts warn that the key on the Superfish certificate is the same on every Lenovo computer, making it trivially easy for hackers to attack and exploit any Lenovo users who want to make a secure connection on the Internet.
Superfish, Inc. was recently called one of the fastest growing companies in America. Its adware automatically searches the Web based on the websites you visit in an effort to find products similar to those you look at to find cheaper prices.
Lenovo told BBC that it removed Superfish preloads from new systems in Jan. 2015 and disabled activation of the product. That proclamation came after initial user complaints began in 2014. Some users have shown that Superfish was active well into Jan. 2015, though it’s not clear exactly what date Lenovo claims the program was disabled.
Lenovo has told media outlets that it is currently conducting an investigation into concerns around Superfish.
Information security experts online have been raising the alarm and attempting to spread awareness of the issue for the past day:
Not only that, the way they've done it is sloppy and designed to deceive users. There is NOTHING about their approach that isn't disturbing.— SwiftOnSecurity (@SwiftOnSecurity) February 19, 2015
"Superfish" is malware pre-installed by Lenovo that shows ads, sends your browsing to an ad company and intercepts encrypted bank websites.— SwiftOnSecurity (@SwiftOnSecurity) February 19, 2015
If this story is right—and it seems to be—Lenovo has committed an *extremely* grave and stupid assault on its users https://t.co/df6f58xztA— Parker Higgins (@xor) February 19, 2015
OMG THEIR LOGO IS A GIANT STARING EYE pic.twitter.com/K7mdedKcXL— sarah jeong (@sarahjeong) February 19, 2015
Let me get this right: I can extract the private key from my Lenovo laptop, and use it to MitM all other laptops at the local cafe hotspot?— Robᵉʳᵗ Graham 𝕏 (@ErrataRob) February 19, 2015
Lenovo was paid money to install malware by a company that couldn't pay a developer who knew what they were doing.— SwiftOnSecurity (@SwiftOnSecurity) February 19, 2015
It's hard to put in words the moral views of a culture.— SwiftOnSecurity (@SwiftOnSecurity) February 19, 2015
To the culture of computer professionals in IT and security, this is shocking.
H/T Marc Rogers | Illustration via Max Fleishman