Lenovo is in hot water today after a significant security hole was unearthed, potentially affecting its entire consumer PC range.
Superfish, an adware program that ships with all consumer PCs from Lenovo, installs its own root certificate and uses it to intercept browser traffic (a man-in-the-middle) in order to inject ads. If that certificate were compromised, the same mechanism could grant third parties access to a user’s browser data.
We contacted Lenovo for comment but did not hear back from the company at the time of writing.
Writing on a customer forum in January, company representative Mark Hopkins confirmed customers’ suspicions that Lenovo pre-loads software from the ‘visual search’ company, as The Next Web reported. He further explained that the software had been “temporarily removed” due to “some issues,” which apparently included unexplained pop-ups. Superfish had been told to push an update to existing devices in the market, he added.
Pre-installs are unpopular with consumers, who understandably want their devices to be clean running out of the box, but in reality some hardware companies do broker such arrangements for financial benefit. Beyond the inconvenience of Superfish popping up in browsers and the need to uninstall it, the software appears to pose a serious security threat because it uses a self-signed root certificate that could allow it to collect data from within a user’s web browser.
Furthermore, it is possible that third parties could obtain the private key for the Superfish root certificate and take advantage of it for nefarious activities, as pointed out on Hacker News.
Sites that handle personal data, such as online banking, are one obvious area of concern, and a spoofed bankofamerica.com certificate, per this tweet — just one of the many on the subject — shows what is possible:
To make matters worse, it appears that deleting the Superfish software doesn’t remove the certificate (and threat) from a Lenovo machine.
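Because uninstalling the adware can leave the root certificate behind, the practical check is to inspect the Windows trusted-root stores directly. The following PowerShell script is an added example for that purpose; it is not code from Lenovo, Superfish or any of the sources the article cites. It assumes the interception root is identifiable by the issuer name “Superfish, Inc.” (a subject-name match), and the thumbprint entry is an obvious placeholder to be replaced with a value from a published advisory rather than a real thumbprint.

```powershell
# Added example: audit the Windows trusted-root stores for a Superfish-style
# interception root that may survive uninstalling the adware itself.
# Run from an elevated PowerShell session; review the report before using -Remove.
param(
    [switch]$Remove
)

# Assumption: the root certificate carries "Superfish" in its subject name.
# The thumbprint below is a placeholder, not a real value; fill it from an advisory.
$SuspectSubjectPattern = '*Superfish*'
$KnownBadThumbprints   = @('<THUMBPRINT-FROM-VENDOR-ADVISORY>')

# Machine-wide and per-user root stores; AuthRoot holds Microsoft-distributed roots.
$storesToCheck = @(
    'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
    'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\AuthRoot'
)

$findings = foreach ($storePath in $storesToCheck) {
    if (-not (Test-Path $storePath)) { continue }
    Get-ChildItem -Path $storePath | Where-Object {
        ($_.Subject -like $SuspectSubjectPattern) -or
        ($KnownBadThumbprints -contains $_.Thumbprint)
    } | ForEach-Object {
        [pscustomobject]@{
            Store      = $storePath
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            SelfSigned = ($_.Subject -eq $_.Issuer)  # self-signed root, as the article describes
            NotAfter   = $_.NotAfter
        }
    }
}

if (-not $findings) {
    Write-Output 'No Superfish-like root certificate found in the checked stores.'
    return
}

# Report every match, including which store it lives in.
$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # The certificate provider exposes each cert as an item keyed by thumbprint.
        $certPath = Join-Path -Path $f.Store -ChildPath $f.Thumbprint
        Remove-Item -Path $certPath -Confirm
        Write-Output "Removed $($f.Thumbprint) from $($f.Store)"
    }
}
```

Run it once without arguments to get the report, then with `-Remove` to delete the matches after confirming each one. Note that this only covers the Windows certificate stores; a browser that maintains its own trust store (Firefox does) must be checked separately.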
Hopkins made claims about how the Superfish integration works and doesn’t work:
Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent.
However, the fact that user data and security are at stake is rightly raising alarm among Lenovo customers and security experts.
On a related note, British spy agencies are reported to have banned the use of Lenovo devices in their organizations on account of vulnerabilities that could allow devices to be hacked.