Lenovo finds itself at the center of a security storm today over concerns related to the so-called Superfish adware that was included on some of the company’s PCs.
The concern is that Superfish bypasses SSL/TLS (Secure Sockets Layer/Transport Layer Security) best practices and could potentially enable man-in-the-middle (MiTM) attacks. For its part, Lenovo denies consumers were ever at risk and says Superfish was intended only to help consumers discover new products.
In a statement, Lenovo admitted that Superfish was on some of its consumer notebooks that shipped between October and December. Lenovo added that since January it has also disabled Superfish’s server-side interactions and has pledged not to preload Superfish on its hardware in the future.
“We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns,” Lenovo stated.
Concerns over the Superfish security implications bubbled up on Lenovo’s support forums in January. Among the serious concerns voiced is a post that alleges that Superfish uses a self-signed root certificate. The potential risk is that, with such a root certificate in place, Superfish could have intercepted what would have otherwise been secure communications.
Lenovo stated that Superfish doesn’t monitor user behavior nor does it record user information. “It does not know who the user is,” Lenovo stated. “Users are not tracked nor re-targeted.”
Though Lenovo has denied any malicious capabilities associated with Superfish, security researchers contacted by eWEEK were quick to point out the risks.
The Superfish program is injecting advertisements on Google searches, and since those searches are over HTTPS, the only way to do that is with an SSL MiTM, said Esteban Pellegrino, senior security researcher from Zimperium Mobile Security Labs.
“Basically, on a computer, there is a repository of CA [Certificate Authority] certificates that the browser uses as validation of Websites,” Pellegrino told eWEEK. “In order to avoid warnings from the browser, Superfish is likely issuing a certificate for every secure Web page that the user enters and installing the certificate on that repository.”
If Superfish is able to sniff users’ searches and inject information in a secure connection, there is nothing that prevents it from seeing a user’s confidential information, such as passwords and credit cards, Pellegrino said. The way Lenovo deployed Superfish is no different from malware that tries to sniff all of a user’s credentials, he added.
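Because the interception described above depends on an extra root certificate sitting in the machine's trusted repository, one way to spot it is to compare that repository against a known-good baseline by thumbprint rather than by name. The following is an added example, not code from Lenovo, Superfish or the researchers quoted here; the CSV column names, the sample rows, the thumbprints and the baseline are all constructed for illustration.

```python
import csv
import io

# Constructed sample: an export of the trusted-root stores, one row per root.
# Every thumbprint and subject below is a placeholder, not a real certificate.
SAMPLE_STORE_CSV = """store,thumbprint,subject,issuer
LocalMachine\\Root,AA 11 22 33 44 55 66 77 88 99 00 AA BB CC DD EE FF 00 11 22,CN=Example Public Root CA,CN=Example Public Root CA
LocalMachine\\Root,bb11223344556677889900aabbccddeeff001122,CN=Example Adware Root,CN=Example Adware Root
CurrentUser\\Root,CC11223344556677889900AABBCCDDEEFF001122,CN=Corp Inspection CA,CN=Corp Inspection CA
"""

# Constructed baseline: roots expected on this machine (OS vendor root program
# plus anything the organisation has approved), in whatever format was recorded.
BASELINE = [
    "aa:11:22:33:44:55:66:77:88:99:00:aa:bb:cc:dd:ee:ff:00:11:22",
    "CC11223344556677889900AABBCCDDEEFF001122",
]


def normalize(thumbprint):
    """Tools print thumbprints with spaces, colons or mixed case; keep hex only."""
    return "".join(ch for ch in thumbprint if ch.isalnum()).upper()


def audit_roots(store_csv, baseline):
    """Return every trusted root in the export that is absent from the baseline."""
    allowed = {normalize(t) for t in baseline}
    findings = []
    for row in csv.DictReader(io.StringIO(store_csv)):
        thumbprint = normalize(row["thumbprint"])
        if thumbprint in allowed:
            continue
        findings.append({
            "store": row["store"],
            "thumbprint": thumbprint,
            "subject": row["subject"],
            # A root that signs itself and is not in the baseline was added locally.
            "self_signed": row["subject"] == row["issuer"],
        })
    return findings


if __name__ == "__main__":
    for finding in audit_roots(SAMPLE_STORE_CSV, BASELINE):
        print(finding)
```

Matching on thumbprints matters because a subject name can be chosen freely by whoever generates the certificate, while the thumbprint is a hash of the certificate itself.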
Kevin Bocek, vice president of security strategy and threat intelligence at cyber-security specialist Venafi, agreed that it’s not a surprise to see the use of digital certificates to gain trusted status to perform completely transparent and successful man-in-the-middle attacks. Online banking thieves and other criminals use this tactic, and it’s very effective, he explained. “SSL/TLS is meant to protect the privacy and security of customers,” Bocek told eWEEK. “This is the opposite interest of adware.”
Ian Trump, security lead at IT service management specialist LogicNow, voiced similar sentiments about the Lenovo Superfish revelations. “It does not surprise me at all, the amount of crap-ware that comes preinstalled on a SOHO [small office, home office] or home system is ridiculous,” Trump told eWEEK. “I spend a great deal of time with close friends and family members advising them to uninstall most of it.”