Lenovo is facing a firestorm of criticism over the pre-installed Superfish software it has included on the laptops of millions of customers. The software inserts ads into web pages and severely compromises the security of those affected — and now the computer company’s initial response has been slammed as totally inadequate.
Installed by default on Lenovo laptops, the Superfish technology is meant to “help users find and discover products visually… instantly [analysing] images on the web and [presenting] identical and similar product offers that may have lower prices.” But what it actually ends up doing is serving up unwanted adverts on existing web pages. (This kind of software is often called adware.)
But in order to show ads, Superfish has been intercepting all encrypted (HTTPS) traffic on the laptops of customers who bought them over the two years the software has been preloaded. Secure websites — like a bank, or a form for entering passport details — present a security certificate, which proves to your browser that the site is who it says it is. These certificates stop rogue sites and hackers impersonating trusted websites and stealing your sensitive details. Superfish inserts ads into these secure pages too, and it does so by installing its own certificate authority into the trusted root store on users’ laptops. Because the browser trusts that authority, Superfish can forge a certificate for any site it intercepts and the browser will accept it as valid, padlock and all.
This technique is better known as a hacking method for stealing people’s details, and it has a name: a “man-in-the-middle” attack.
Here’s a tweet showing Superfish software spoofing Bank Of America’s security certificate:
If Superfish were simply using man-in-the-middle techniques to serve up ads, that would be serious cause for alarm on its own. But it is worse than that: security researchers have easily extracted the private key of the Superfish certificate authority, and the same certificate and key are installed on every affected laptop. That means anyone with the key can now impersonate any secure website to the millions of Lenovo customers believed to be affected — on a shared Wi-Fi network, for example — and steal confidential information such as banking passwords, without the browser showing any warning.
“It is hard to overstate how catastrophically bad this design is,” writes Paco Hope, Principal Consultant at software security company Cigital in an email. “It doesn’t merely insert advertisements into web pages. It undermines every secure connection the Windows computer might make… Everything on a Lenovo computer that says it is ‘making a secure connection’ is now lying.”
After we ran our initial story yesterday, Lenovo emailed us a statement. It said the company has stopped preloading the software, and will not do so in future. But it also said it has “thoroughly investigated this technology and do not find any evidence to substantiate security concerns.”
However, that doesn’t seem to be true. Every Lenovo customer affected — a figure believed to be in the millions — is vulnerable to man-in-the-middle attacks directly because of the company’s failure to vet its software partners properly. WIRED’s Robert McMillan called this response “astonishingly clueless.”
Superfish took the same line as Lenovo, telling McMillan that the company is “completely transparent in what our software does and at no time were consumers vulnerable.”
Digital rights advocacy group the Electronic Frontier Foundation (EFF) says that “Lenovo’s false/clueless statements further damage their brand.”
As the Guardian’s Alex Hern pointed out on Twitter, Lenovo has subsequently updated the online version of its statement to remove the claim that there’s no evidence of “security concerns,” without acknowledging the change.
In an interview with the Wall Street Journal, Lenovo’s chief technology officer Peter Hortensius described the security community’s fears as “theoretical concerns,” and said the company has “no insight that anything nefarious has occurred.” But as journalist Glenn Fleishman pointed out, “all attacks are hypothetical until the moment they happen.”
Komodia is another company that is linked to Superfish — the adware makes use of its software. In a sign of how angry some are about Superfish’s actions, Komodia is allegedly experiencing a DDoS attack on its website, taking it offline, Forbes’ Thomas Fox-Brewster reports.
After its early denials, Lenovo has now tweeted an apology to its customers:
If you’ve been affected by Superfish, the EFF has put together a comprehensive guide on how to remove the dangerous adware from your computer. You can check it out here.
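For readers who want to check a machine themselves, the following PowerShell snippet is an added example written for this article; it is not code from Lenovo, Superfish or the EFF guide. It looks in the Windows trusted root certificate stores for the kind of rogue certificate authority described above and removes any match. It assumes the adware’s root certificate carries “Superfish” in its subject name; the exact subject string and thumbprint are not given in the article, so treat the pattern as an assumption and inspect what it finds before deleting anything.

```powershell
# Added example, not from the article or from Lenovo/Superfish/EFF.
# Searches the machine-wide and per-user trusted root stores for a CA whose
# subject (or issuer, for a self-signed root) mentions Superfish, prints what
# it finds, and removes it. Run from an elevated (Administrator) PowerShell
# for the LocalMachine store.
#
# Assumption: the adware's root certificate contains "Superfish" in its Subject.
$pattern = 'Superfish'
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

# Collect matching certificate objects from every store we care about.
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern }
}

if (-not $found) {
    Write-Output "No trusted root certificate matching '$pattern' in: $($stores -join ', ')"
}
else {
    # Show the evidence first: where it lives, who it claims to be, and its thumbprint.
    $found |
        Select-Object PSParentPath, Subject, Thumbprint, NotBefore, NotAfter |
        Format-Table -AutoSize

    foreach ($cert in $found) {
        # PSPath is the full provider path of the certificate inside its store,
        # so Remove-Item deletes exactly this certificate and nothing else.
        Write-Output "Removing $($cert.Subject) [$($cert.Thumbprint)] from $($cert.PSParentPath)"
        Remove-Item -Path $cert.PSPath
    }
}
```

Two caveats: deleting the root certificate only stops forged certificates from being trusted; it does not uninstall the Superfish proxy software itself, which is what the EFF guide walks through. And Firefox keeps its own certificate store, separate from Windows’, so a certificate removed here may still need to be removed from Firefox’s certificate manager.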