Oh no, Lenovo. Users are reporting on the company's forums that its computers are coming installed with adware straight out of the box—adware that can spy on your secure transactions.
According to a number of Lenovo users, the software called Superfish is installed on factory-fresh laptops. The adware injects third-party ads into Google searches and onto websites without the user's permission—on Chrome and Internet Explorer, at least. That, alone, is bad but not awful. But other users have pointed out that the adware also installs its own self-signed certificate authority into the system's trust store—creating spurious SSL certificates for any site you visit—allowing it to monitor secure connections.
Security expert Kenn White has posted images on Twitter showing that, as an example, the software provides a certificate issued to Bank of America, but issued by Superfish—whereas usually that would be done by a trusted body like VeriSign. Given Superfish's whole purpose is to check and forward browsing data to ad companies, allowing it to access secure content in this way is clearly a Bad Thing. But it gets worse. It seems Superfish uses the same private key for its root certificate on every machine it's installed on, explains The Verge. If someone could crack that key, it would be possible to create certificates that any Superfish-fueled Lenovo computer—probably, at this point, most of them—would trust, allowing malicious code to wriggle in unannounced.
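The check Kenn White did by eye, looking at who actually signed the certificate a bank presents, can be scripted. The following is an added example, not code from the article, Lenovo or Superfish: `issuer_check()` works on the dictionary format Python's `ssl.getpeercert()` returns and flags any issuer whose name mentions a local interceptor such as Superfish; `fetch_peer_cert()` pulls that dictionary from a live site. The two sample certificates are constructed for illustration (the "Superfish, Inc." issuer name and the Bank of America hostname are assumed, modelled on the screenshot the article describes).

```python
"""Added example: detect a TLS certificate signed by a local interceptor.

On a machine with the Superfish root installed, the handshake to a bank
succeeds normally, but the leaf certificate's issuer is Superfish rather
than a public CA.  That is the condition issuer_check() reports.
"""
import socket
import ssl

# Issuer names that should never sign a certificate for a public website.
# "Superfish" comes from the article; extend this list for your own environment.
LOCAL_INTERCEPTORS = ("Superfish",)


def _name_to_dict(rdn_sequence):
    """Flatten the tuple-of-tuples Name format used by ssl.getpeercert()."""
    return {key: value for rdn in rdn_sequence for key, value in rdn}


def issuer_check(cert, interceptors=LOCAL_INTERCEPTORS):
    """Return (is_suspicious, subject_cn, issuer_cn) for a getpeercert() dict.

    Suspicious means the issuer's organizationName or commonName mentions one
    of the interceptor names, i.e. a local proxy signed the certificate.
    """
    subject = _name_to_dict(cert.get("subject", ()))
    issuer = _name_to_dict(cert.get("issuer", ()))
    issuer_text = " ".join(
        issuer.get(field, "") for field in ("organizationName", "commonName")
    )
    suspicious = any(name.lower() in issuer_text.lower() for name in interceptors)
    return suspicious, subject.get("commonName", ""), issuer.get("commonName", "")


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate a host presents, validated against the
    system trust store.  If the Superfish root is trusted, validation passes
    and the returned dict carries the Superfish issuer."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples (not captured data) in getpeercert() format.
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "www.bankofamerica.com"),),),
    "issuer": (
        (("organizationName", "Superfish, Inc."),),
        (("commonName", "Superfish, Inc."),),
    ),
}
SAMPLE_NORMAL = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("organizationName", "Example Public CA"),),
        (("commonName", "Example Public CA G2"),),
    ),
}

if __name__ == "__main__":
    import sys

    # Pass a hostname to inspect a live site; with no argument, use the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    cert = fetch_peer_cert(target) if target else SAMPLE_INTERCEPTED
    flagged, subject_cn, issuer_cn = issuer_check(cert)
    print(f"{subject_cn} issued by {issuer_cn}: {'SUSPICIOUS' if flagged else 'ok'}")
```

Run it with a bank's hostname from the affected laptop and from a clean machine and compare the issuer line; a name match against a local interceptor is the signal, but the more general defender's rule is that a leaf for a public site whose issuer is not a public CA needs an explanation.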
Appearing in forums in January, a Lenovo community administrator called Mark Hopkins wrote that Lenovo has "temporarily removed Superfish from our consumer systems" but defended its presence, explaining that it "helps users find and discover products visually" and "instantly analyzes images on the web and presents identical and similar product offers that may have lower prices." Now that a rather serious security hole has been identified, it might think differently.
We're reaching out to Lenovo to find out its current stance on Superfish. [TNW, The Verge]
Update: Good news and bad news. The bad news is that the cryptographic key protecting the problematic Superfish certificate has been cracked by Rob Graham of Errata Security. That means that any Lenovo PCs that ever had Superfish installed can now actively be attacked. If you have a Lenovo PC, you should go here to check and see if you've got the Superfish problem. Right now.
The good news is that Lenovo has released a statement about this whole Superfish mess, highlighting three main things:
- Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.
- Lenovo stopped preloading the software in January.
- We will not preload this software in the future.
Definitely good news, but it doesn't fix the problem for people who already have (or have had) Superfish on their PCs; the bad root certificate—that is to say the weak point where attacks can come in—will still be there either way. Not good! So if you get a Yes on this Superfish checker, the best solution is to back up all your stuff, and do a fresh install of Windows, or go in and delete the certificate from your registry manually.
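Since the risk lives in the trust store rather than in the Superfish program, the check that matters is whether the root certificate is still trusted. The following added example (not the article's checker and not Lenovo's or Superfish's code) scans the Windows trusted-root store through Python's `ssl.enum_certificates()`, which exists only on Windows, and reports any certificate whose commonName mentions Superfish. The `common_names()` helper is a targeted DER scan for the commonName attribute rather than a full X.509 parser, and the sample store entries are constructed fragments for illustration (the "Superfish, Inc." name is assumed).

```python
"""Added example: look for a Superfish-named certificate in the Windows
trusted-root store.  Store access is Windows only; the DER helper and the
constructed sample below work anywhere."""
import ssl

CN_OID = b"\x06\x03\x55\x04\x03"  # DER encoding of OID 2.5.4.3 (commonName)
STRING_TAGS = {0x0C, 0x13, 0x14, 0x16}  # UTF8String, PrintableString, T61String, IA5String


def _read_length(buf, pos):
    """Decode a DER length field at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:  # short form: one byte
        return first, pos + 1
    n = first & 0x7F  # long form: next n bytes hold the length
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def common_names(der):
    """Return every commonName string in a DER certificate (subject and issuer).

    Targeted TLV scan: find the commonName OID and decode the string value
    that immediately follows it.  Good enough for a name check, not a parser.
    """
    names = []
    pos = der.find(CN_OID)
    while pos != -1:
        tag_pos = pos + len(CN_OID)
        if tag_pos < len(der) and der[tag_pos] in STRING_TAGS:
            length, start = _read_length(der, tag_pos + 1)
            names.append(der[start:start + length].decode("utf-8", "replace"))
        pos = der.find(CN_OID, pos + 1)
    return names


def find_certs(certs, needle="Superfish"):
    """certs: iterable of (der_bytes, encoding, trust) tuples as returned by
    ssl.enum_certificates().  Returns the CN list of each matching certificate."""
    hits = []
    for der, encoding, _trust in certs:
        if encoding != "x509_asn":  # skip PKCS#7 blobs
            continue
        cns = common_names(der)
        if any(needle.lower() in cn.lower() for cn in cns):
            hits.append(cns)
    return hits


def scan_windows_root_store(needle="Superfish"):
    """Windows only: scan the machine's ROOT store for a matching certificate."""
    if not hasattr(ssl, "enum_certificates"):
        raise RuntimeError("ssl.enum_certificates() is only available on Windows")
    return find_certs(ssl.enum_certificates("ROOT"), needle)


def _constructed_cn_fragment(cn):
    """Build a DER AttributeTypeAndValue for a commonName (constructed test data;
    a real certificate nests this inside the subject and issuer Name structures)."""
    value = cn.encode("utf-8")
    atv = CN_OID + bytes([0x0C, len(value)]) + value  # OID + UTF8String
    return b"\x30" + bytes([len(atv)]) + atv  # wrap in SEQUENCE


# Constructed stand-in for the store listing: (der, encoding, trust-purpose OIDs).
SAMPLE_STORE = [
    (_constructed_cn_fragment("Superfish, Inc."), "x509_asn", {"1.3.6.1.5.5.7.3.1"}),
    (_constructed_cn_fragment("Example Root CA"), "x509_asn", {"1.3.6.1.5.5.7.3.1"}),
]

if __name__ == "__main__":
    for cns in scan_windows_root_store():
        print("Trusted root found:", ", ".join(cns))
```

A hit means the root is still trusted whether or not the Superfish program is running, which is the article's point; remove it through the Windows certificate manager (or the fresh install the article recommends) and re-run the scan to confirm it is gone. The same `find_certs()` works on any list of DER blobs, so it can be pointed at the user store or at certificates exported from a browser as well.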
What's worse is that Lenovo is saying the following about the whole thing:
We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns. But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software.
Which sooooorta flies directly in the face of...all the evidence out there. Even if Superfish isn't functioning anymore and isn't getting put on any new PCs, the ones it's already fucked up are vulnerable and there's no way to dance around how horrible that is.