A Lenovo forum user noted last fall that adware advertisements were being inserted into search results, and narrowed the source down to adware from visual search company Superfish, which had been installed one month before he purchased his laptop.
“Bloatware is one thing… but adware that scans what [you’re] searching for and then changes the search so that you buy through their company affiliate is very different,” the user wrote.
On January 23, 2015, a forum admin posted the following: “Due to some issues (browser pop up behavior for example), with the Superfish Visual Discovery browser add-on, we have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues. As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues.”
In a blog post, the same admin offered removal instructions for the Superfish application and stated, “We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.”
Still, Surrey University professor Alan Woodward told BBC News that Superfish is unusually dangerous because it has the authority to issue its own certificates, enabling a man-in-the-middle attack. “If someone went to, say, the Bank of America [website], then Superfish would issue its own certificate pretending to be the Bank of America and intercept whatever you are sending back and forth,” he said.
Errata Security researcher Robert Graham explained in a blog post that Superfish installs its own root CA certificate in the Windows system. “It then generates certificates on the fly for each attempted SSL connection,” he wrote. “Thus, when you have a Lenovo computer, it appears as Superfish is the root CA of all the websites you visit. This allows Superfish to intercept an encrypted SSL connection, decrypt it, then re-encrypt it again.”
Even worse, security researcher Marc Rogers noted in a blog post that the private key bundled with the software uses a simple dictionary word as its password.
“Armed with the private key and its password, you can now sign websites and even software in a way that any affected Lenovo user will trust,” Rogers wrote. “What’s worse is you can do it under any fake name that you like. Want to sign a virus so that it looks like legitimate Microsoft software? Go ahead, this will let you do exactly that. Want to set up a fake banking site and pretend to be HSBC? Yup, you can do that too.”
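Because Graham and Rogers both trace the problem to a self-signed root certificate planted in the Windows trust store, the practical check on a machine is to look for that root. The PowerShell audit below is an added example, not code from this article or from Lenovo or Superfish, and it assumes the certificate's subject contains the company name "Superfish" (the article names the company, not the certificate's exact subject or thumbprint); it also flags any other self-signed root that Windows did not itself distribute, for review.

```powershell
# Added example: audit the Windows root stores for a locally installed Superfish root CA
# and list other trusted roots that were added outside the Microsoft-managed AuthRoot store.
# Run in an elevated PowerShell session on the machine being checked.

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

# Roots that Windows distributes through Windows Update live in AuthRoot; a self-signed
# certificate in Root that is neither there nor a Microsoft root was added locally
# (by software, a user or an administrator) and deserves a look.
$knownRoots = Get-ChildItem -Path 'Cert:\LocalMachine\AuthRoot' |
    Select-Object -ExpandProperty Thumbprint

foreach ($storePath in $stores) {
    Get-ChildItem -Path $storePath | ForEach-Object {
        $cert = $_
        $isSelfSigned = ($cert.Subject -eq $cert.Issuer)
        # Assumption: the subject name carries the vendor name; the article gives no thumbprint.
        $isSuperfish  = ($cert.Subject -match 'Superfish')
        $isLocalOnly  = ($knownRoots -notcontains $cert.Thumbprint) -and
                        ($cert.Subject -notmatch 'Microsoft')

        if ($isSuperfish -or ($isSelfSigned -and $isLocalOnly)) {
            if ($isSuperfish) { $verdict = 'Superfish root: remove' }
            else              { $verdict = 'locally added root: review before trusting' }

            [pscustomobject]@{
                Store      = $storePath
                Subject    = $cert.Subject
                NotBefore  = $cert.NotBefore
                Thumbprint = $cert.Thumbprint
                Verdict    = $verdict
            }

            # Remediation: delete the Superfish root from the store it was found in.
            # Uncomment once the report above has been reviewed.
            # if ($isSuperfish) { Remove-Item -Path (Join-Path $storePath $cert.Thumbprint) }
        }
    }
}
```

Removing the certificate alone does not remove the Superfish application; uninstall the software as well, or the root may be reinstalled.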
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, told eSecurity Planet that Lenovo’s actions are an unfortunate example of good guys doing what the bad guys do. “In this case, they’re breaking everything that’s been built over 20 years to create trust and privacy on the Internet, by inserting a CA into systems that can impersonate any trusted site,” he said. “This is exactly what bad guys do with Trojans and other malicious software to trick users to access fake sites to surveil/monitor private communications.”
“Online trust is near the breaking point,” Bocek added. “Bad guys (and seemingly good guys) are misusing the trust established by keys and certificates. Businesses need to be ready to defend against bad guys (and now even the good guys) that try and misuse keys and certificates.”