Lenovo PCs ship with adware that puts computers at risk

Superfish software installed on Lenovo computers uses a self-generated root certificate to intercept HTTPS communications

Some Windows laptops made by Lenovo come pre-loaded with an adware program that exposes users to security risks.

The software, Superfish Visual Discovery, is designed to insert product ads into search results on other websites, including Google.

However, since Google and some other search engines use HTTPS (HTTP Secure), the connections between them and users' browsers are encrypted and cannot be manipulated to inject content.

To overcome this, Superfish installs a self-generated root certificate into the Windows certificate store and then acts as a proxy, re-signing all certificates presented by HTTPS sites with its own certificate. Because the Superfish root certificate is placed in the OS certificate store, browsers will trust all fake certificates generated by Superfish for those websites.

This is a classic man-in-the-middle technique of intercepting HTTPS communications that's also used on some corporate networks to enforce data leak prevention policies when employees visit HTTPS-enabled websites.

However, the problem with Superfish's approach is it uses the same root certificate with the same RSA key on all installations, according to Chris Palmer, a Google Chrome security engineer who investigated the issue. In addition, the RSA key is only 1024 bits long, which is considered cryptographically unsafe today because of advances in computing power.

The phasing out of SSL certificates with 1024-bit keys started several years ago, and the process has been accelerated recently. In January 2011, the U.S. National Institute of Standards and Technology said that digital signatures based on 1024-bit RSA keys should be disallowed after 2013.

Regardless of whether the private RSA key that corresponds to the Superfish root certificate can be cracked or not, there is the possibility that it could be recovered from the software itself, although this has not yet been confirmed.

If attackers obtain the RSA private key for the root certificate, they could launch man-in-the-middle traffic interception attacks against any user that has the application installed. This would allow them to impersonate any website by presenting a certificate signed with the Superfish root certificate that's now trusted by systems where the software is installed.

Man-in-the-middle attacks can be launched over insecure wireless networks or by compromising routers, which is not an uncommon occurrence.

"The saddest part about #superfish is it's only like 100 more lines of code to generate a unique fake CA signing cert for each system," said Marsh Ray, a security expert who works for Microsoft, on Twitter.

Another problem pointed out by users on Twitter is that even if Superfish is uninstalled, the root certificate it creates is left behind. This means affected users will have to manually remove it in order to be completely protected.

It's also not clear why Superfish is using the certificate to perform a man-in-the-middle attack on all HTTPS websites, not just search engines. A screen shot posted by security expert Kenn White on Twitter shows a certificate generated by Superfish for www.bankofamerica.com.

Superfish did not immediately respond to a request for comment.

Mozilla is considering ways to block the Superfish certificate in Firefox, even though Firefox does not trust certificates installed in Windows and uses it's own certificate store, unlike Google Chrome and Internet Explorer.

"Lenovo removed Superfish from the preloads of new consumer systems in January 2015," a Lenovo representative said in an emailed statement. "At the same time Superfish disabled existing Lenovo machines in market from activating Superfish."

The software was only preloaded on a select number of consumer PCs, the representative said, without naming those models. The company is "thoroughly investigating all and any new concerns raised regarding Superfish," she said.

It seems that this has been happening for a while. There are reports about Superfish on the Lenovo community forum going back to September 2014.

"Preinstalled software is always a concern because there's often no easy way for a buyer to know what that software is doing -- or if removing it will cause system problems further down the line," said Chris Boyd, a malware intelligence analyst at Malwarebytes, via email.

Boyd advises users to uninstall Superfish, then to type certmgr.msc into the Windows search bar, open the program and remove the Superfish root certificate from there.

"With increasingly security and privacy conscious buyers, laptop and mobile phone manufacturers may well be doing themselves a disservice by seeking outdated advertising based monetization strategies," said Ken Westin, a senior security analyst at Tripwire. "If the findings are true and Lenovo is installing their own self-signed certificates, they have not only betrayed their customers' trust, but also put them at increased risk."

Join the CSO newsletter!

Error: Please check your email address.

Tags online safetysecurityencryptionLenovoSuperfishpkiprivacymozilla

More about GoogleLenovoMalwarebytesMarshMicrosoftMozillaRSATechnologyTripwire

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place