The jaw-dropping saga of Lenovo’s built-in security flaw is a cautionary tale of sponsored bloatware — software packages users don’t want, but which are pre-installed on computers, tablets, and smartphones because manufacturers are paid well to distribute them.
After digesting the Lenovo story, some computer gurus are stepping up their advice for consumers to erase everything that comes pre-installed on their systems – a precaution average users have neither the time nor expertise to undertake, but it’s not entirely unreasonable counsel, given how absurd the bloatware situation has become.
In this case, the pre-installed software was outright malware, a hijacking program called “Superfish” that takes control of the user’s web browsing experience, inserts inline web page advertisements from Superfish’s partners… and, worst of all, was so sloppily written that it created a subtle, difficult-to-detect security vulnerability that hackers could use to ambush Lenovo users with “man-in-the-middle” traps.
Ars Technica explains:
The critical threat is present on Lenovo PCs that have adware from a company called Superfish installed. As unsavory as many people find software that injects ads into Web pages, there’s something much more nefarious about the Superfish package. It installs a self-signed root HTTPS certificate that can intercept encrypted traffic for every website a user visits. When a user visits an HTTPS site, the site certificate is signed and controlled by Superfish and falsely represents itself as the official website certificate.
Even worse, the private encryption key accompanying the Superfish-signed Transport Layer Security certificate appears to be the same for every Lenovo machine. Attackers may be able to use the key to certify imposter HTTPS websites that masquerade as Bank of America, Google, or any other secure destination on the Internet. Under such a scenario, PCs that have the Superfish root certificate installed will fail to flag the sites as forgeries—a failure that completely undermines the reason HTTPS protections exist in the first place.
In an update, Ars Technica reported that a security expert was able to crack the encryption on the bogus Superfish root certificate in three hours flat. What this means is that hackers “could use the certificate to create fake HTTPS websites that wouldn’t be detected by vulnerable Lenovo machines.” In other words, the security messages that normally warn users about suspicious websites masquerading as legitimate sites from major companies would be disabled. Users could be tricked into giving their credentials to phony sites pretending to be, for example, banks, secure shopping sites, or email servers.
Superfish and its security flaw are utterly invisible to all but the most experienced computer users — the only way to find out if this malware code has been pre-installed on your computer is to run software specifically designed to detect it, such as the “Badfish” web site created by one of the same researchers who found the Heartbleed security flaw last year.
Otherwise, the Superfish program stealthily goes about its business of peppering secure websites with ads for companies that paid for the privilege of hijacking your web browser… and corrupting the security certificate system users rely upon for warnings about ambush websites designed to fish for personal information. Also, the problem cannot be resolved by merely locating and uninstalling Superfish – the corrupted root certificate it drops into the operating system must be removed as well.
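The check and cleanup the two paragraphs above describe, as an added example (not code from the article, Lenovo, or Superfish): it lists every self-signed root in the Windows machine and user Root stores whose subject matches the name “Superfish”, and removes it only when asked. It assumes Windows PowerShell run as Administrator; the exact subject string on affected machines is not given in the article, so the wildcard pattern is an assumption.

```powershell
# Added example: find (and optionally remove) a self-signed root certificate
# matching "Superfish" in the Windows trust stores. Not from the original article.
param(
    [switch]$Remove   # without this switch the script only reports what it finds
)

# Assumption: the subject contains "Superfish"; the article does not quote the exact name.
$Pattern = '*Superfish*'
$Stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$Found = foreach ($Store in $Stores) {
    Get-ChildItem -Path $Store |
        # A root CA is self-signed, so Subject and Issuer are identical.
        Where-Object { $_.Subject -like $Pattern -and $_.Subject -eq $_.Issuer } |
        Select-Object @{ Name = 'Store'; Expression = { $Store } },
                      Subject, Thumbprint, NotAfter, PSPath
}

if (-not $Found) {
    Write-Output "No self-signed root matching '$Pattern' found in: $($Stores -join ', ')"
    return
}

Write-Output "Suspicious root certificate(s) present:"
$Found | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize

if ($Remove) {
    foreach ($Cert in $Found) {
        # Removing the root is what actually closes the hole; uninstalling the
        # Superfish program alone leaves this certificate trusted.
        Remove-Item -Path $Cert.PSPath
        Write-Output "Removed $($Cert.Thumbprint) from $($Cert.Store)"
    }
} else {
    Write-Output "Re-run with -Remove to delete the certificate(s) listed above."
}
```

The CurrentUser store is per account, so run the script under each Windows user on the machine; browsers that keep their own certificate store are not covered by this check.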
All of this was discovered because highly knowledgeable users detected the presence of Superfish and began complaining about it on web forums. Lenovo’s response to the crisis has been less than satisfactory to many. (Actually, it would be tough to find anyone aware of the situation who thinks they’ve handled this well.)
An earlier Ars Technica post noted that Lenovo defended the practice of dropping this adware onto unsuspecting users by claiming it was meant to “help customers potentially discover interesting products while shopping.” They insisted their relationship with Superfish was “not financially significant” – in other words, they distributed Superfish because they thought Lenovo customers would enjoy having it on their systems, not because Superfish paid them a bundle of money.
When that didn’t fly, Lenovo representatives claimed they had concluded Superfish didn’t meet their goals, and had acted “quickly and decisively” to purge it from new computers… although it has still been detected on machines recently purchased from big-box electronics retailers. The official word from Lenovo is that it stopped preloading Superfish as of January 2015, so there are probably quite a few machines still infected with it on the shelves, and if company engineers are removing Superfish from unshipped machines in their inventory, they would have to be careful to remove its corrupted root certificate as well. There have not yet been any reported instances of hackers exploiting the Superfish root certificate vulnerability… but of course, now that it’s big news and they know it could be done, the risk is likely to increase. (Critics are complaining that since neither Lenovo nor Superfish seemed to be aware of the security flaw until it was discovered and explained to them by users, their declarations that no one has been harmed by the problem ring hollow.)
Critics wonder how Lenovo engineers could have missed this security vulnerability, which was ultimately sussed out by users. They also wonder why Lenovo (and possibly other manufacturers!) would pre-install malicious software on computers. Technically, Superfish is “adware,” but many would argue its surreptitious behavior is better described as malware – it takes control of certain aspects of the web-browsing experience without the knowledge or consent of users. It’s the kind of thing people pay good money to intercept and burn off their systems with security software.
It’s bad enough that so many machines come pre-loaded with useless or annoying junk that takes up valuable space, with removal eating up the valuable time of consumers, who might not even realize that bloatware can be removed from simple user-friendly devices including tablets and smartphones. Now they have to worry about hidden adware packages that only experienced computer buffs can detect and remove… adware that could also provide a gateway for hacking, phishing, and viral attacks on their data?