Lenovo has faced furious criticism after it admitted installing software on its laptops which inserted ads into webpages — and in the process opened its users up to huge security problems.
The adware, known as Superfish, was designed to help users find cheaper products when shopping, according to Lenovo.
It was installed on machines sold between September 2014 and January 2015, though apparently not ThinkPad laptops, desktops, or smartphones.
At first it appeared to be merely an unwanted annoyance, but it has now emerged that anyone with the password for the security certificate through which it routed internet traffic could easily attack the affected computer.
This is a big problem, since that password was stored in the Superfish adware's active memory, so retrieving it is beyond trivial.
The results are extremely troubling, allowing hackers to browse affected laptops more or less at their leisure via a public WiFi network, and the internet has reacted accordingly, even taking down the website of the technology's creator via a DDoS attack.
Fortunately, there are ways to remove Superfish that don't include setting fire to your Lenovo machine (even though you might feel like doing just that).
First, test if you’re affected here. Then, if you need to:
1) Uninstall the software - instructions here.
3) Reinstall your operating system.
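One way to confirm that the trust anchor is actually gone after step 1, as an added PowerShell check that is not from the article or from Lenovo (matching the certificate subject on "Superfish" is an assumption; the article gives no thumbprint):

```powershell
# Added example (not the article's or Lenovo's code): look for a trusted root
# certificate naming Superfish in the machine and user root stores.
function Find-SuperfishRootCert {
    param([string]$Pattern = 'Superfish')   # assumed subject/issuer pattern
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

$hits = @(Find-SuperfishRootCert)
if ($hits.Count -eq 0) {
    'No Superfish root certificate found in the Windows trust stores.'
} else {
    $hits | Format-Table -AutoSize
    # The certificate can remain in the store after the program is uninstalled.
    # To delete each hit, run the following from an elevated prompt:
    #   $hits | ForEach-Object { Remove-Item -Path "$($_.Store)\$($_.Thumbprint)" }
}
```

Firefox keeps its own certificate store separate from Windows, so check it through its certificate manager as well.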
Lenovo has issued the following statement:
"We thought the product would enhance the shopping experience, as intended by Superfish. It did not meet our expectations or those of our customers. In reality, we had customer complaints about the software. We acted swiftly and decisively once these concerns began to be raised. We apologize for causing any concern to any users for any reason – and we are always trying to learn from experience and improve what we do and how we do it. Superfish technology does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. Users are given a choice whether or not to use the product."
Security experts offered a withering response. Adam Winn, manager, OPSWAT, said:
"While the intentions may not be malicious, the implementation certainly is. Superfish is more than just adware -- it's a man-in-the-middle attack masquerading as adware. In the age of nearly constant security-related headlines, it's shocking that Lenovo would preinstall software that breaks the SSL trust chain in such a fundamental way. This is reminiscent of the Sony BMG rootkit from 2005, but more disturbing because it goes to the heart of privacy concerns and the fundamental trust that consumers place in SSL-protected websites.
Lenovo has a dedicated following of IT professionals, as evidenced by the ubiquity of ThinkPads in enterprise, so there's no doubt that this incident will come with a heavy hit to Lenovo's bottom line. No IT administrator will tolerate a MITM attack on company owned or even BYOD assets."