Superfish Vulnerability – Free Gift from Lenovo
This week saw some staggering news, which even now, a couple of days later, I still find hard to believe. It’s something you might expect to happen in North Korea or China, but not here!
The hardware manufacturer Lenovo, who sell millions of laptops and PCs all over the world, has been installing an adware program called Superfish on all their new machines. That’s right, no longer do you have to worry about getting malware installed from visiting dodgy porn or torrent sites, just buy a Lenovo laptop and they’ll pre-install it for you.
So let’s just state that again –
A computer manufacturer called Lenovo is pre-installing adware on new computers.
It’s so incredible that I think it’s worth repeating. It doesn’t matter that it has a cute cartoony name like Superfish, this is an incredible abuse of trust powered simply by greed.
The adware inserts adverts into your browsing which make Lenovo money every time you click on them. You know adware, the stuff we all hate and go to great lengths to avoid installing.
Lenovo tried to justify themselves by pretending that these ‘MONEY MAKING ADVERTS’ were actually for the customer’s benefit – describing Superfish as advanced technology which helps customers find different products at lower prices using image analysing techniques. I’m sure everyone capable of operating a laptop is able to see through that pathetic justification.
Unfortunately it gets worse: not only is Superfish happily inserting damn annoying adverts into your browsing, but the method it uses actually makes your computer even more vulnerable.
Superfish installs a self-signed root certificate into your computer’s trusted certificate store, giving it the ability to intercept all your HTTPS encrypted traffic.
It’s called a Man in the Middle attack and it’s something I have demonstrated on this blog previously. Basically they’re intercepting even your secure traffic so that they can insert their money making adverts. They’re apparently using the same default certificate on every single machine, which effectively compromises security on each of them: because every affected laptop trusts the same root, anyone who recovers that certificate’s private key from one machine can impersonate any HTTPS site to all of the others, and the browser will show the padlock as normal. Each affected Lenovo machine basically has a pre-installed vulnerability waiting to be used by anyone who wants to intercept your traffic.
It’s truly incredible and it’s been allegedly going on since mid-2014 so who knows how many millions of machines are riddled with this program.
Here’s a tool from the security company LastPass which checks if you are at risk – Superfish Checker.
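If you’d rather check the machine itself than rely on a browser test, the following PowerShell script (an added example, not part of the original post or of the LastPass tool) scans both Windows root certificate stores for the two things a Superfish-style root gives away: a subject name matching the vendor (the `Superfish` pattern is an assumption; adjust it for your own case) and a self-signed root that also has a private key stored on the machine, which is exactly what a local HTTPS-intercepting proxy needs in order to mint certificates for every site you visit.

```powershell
# Added example: look for an HTTPS-interception root in the Windows trust stores.
# Assumption: the interception root's Subject contains the word below.
$SuspectSubjectPattern = 'Superfish'

# Both the machine-wide and the per-user root stores can be abused.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert       = $_
        $selfSigned = ($cert.Subject -eq $cert.Issuer)          # root CAs sign themselves
        $nameMatch  = ($cert.Subject -match $SuspectSubjectPattern)
        $hasKey     = $cert.HasPrivateKey                        # a genuine public root never ships its key

        # Report a name match, or any self-signed root whose private key lives on this box.
        if ($nameMatch -or ($selfSigned -and $hasKey)) {
            [pscustomobject]@{
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                SelfSigned    = $selfSigned
                HasPrivateKey = $hasKey
                NameMatch     = $nameMatch
            }
        }
    }
}

if ($findings) {
    Write-Warning 'Possible HTTPS-interception root certificate(s) found:'
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No Superfish-style root certificate found in the root stores.'
}
```

A hit with `HasPrivateKey` set deserves investigation rather than blind deletion: a corporate CA or some security products install interception roots on purpose, so confirm who put it there before removing it.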
Hopefully Lenovo suffer a huge commercial loss due to this incredibly greedy and sneaky act – I for one will never consider buying anything from this company ever again.