Breach Preparedness , Cybersecurity , Data Breach

Lenovo Slammed Over Superfish Adware

Adware Leaves Encrypted Traffic Vulnerable, Experts Warn
Lenovo Slammed Over Superfish Adware

The Yoga 2 laptop may have earned plaudits from reviewers for its convertible design and touch screen. But according to information security experts, it's just one of many different types of consumer-focused and BYOD Windows devices sold by Beijing-based PC manufacturer Lenovo that comes with a non-obvious feature built in: adware from a company called Superfish.

See Also: Security Shouldn't be Boxed: The Cloudified Edge & End of an Era for Hardware Box Providers

Lenovo claims that the "Superfish Visual Discovery" engine is installed by default to give users an automatic price-comparison shopping engine. But numerous experts have slammed Lenovo for quietly adding the installed-by-default adware, especially because it provides would-be hackers with an easy technique for launching encryption-busting man-in-the-middle attacks against any Lenovo system that runs Superfish. So far, however, they've seen no evidence of such attacks.

"The company claims it's providing a useful service, helping users do price comparisons. This is false. It's really adware," says Robert David Graham, head of research firm Errata Security, in a blog post.

"What on earth were Lenovo thinking?" tweets Europol cybersecurity advisor Alan Woodward, who's a visiting professor at the Department of Computing at the University of Surrey. "We'll be using this as an example of MiTM attacks with the students."

Man-in-the-Middle 'Feature'

In a technical teardown of the Superfish software, Graham reports that it "installs a transparent-proxy (MitM) service on the computer, intercepting browser connections," and that it works with Internet Explorer and Google Chrome browsers, which use the default Windows certificates, although not with Firefox, which does not. But the Superfish MiTM service cannot decrypt SSL traffic. Accordingly, the software installs its own root certificate in Windows, and then issues on-the-fly certificates - allowing it to sniff all traffic by decrypting and then encrypting it again - whenever an SSL connection gets attempted.

Superfish, however, installs the same exact root certificate on every PC on which it resides, Graham warns. "This means that hackers at your local cafe WiFi hotspot, or the NSA eavesdropping on the Internet, can use that private key to likewise intercept all SSL connections from Superfish users."

Superfish didn't immediately respond to a request for comment on such warnings.

User Reports: Superfish Bugs

Adding potential insult to injury for buyers of Lenovo hardware, some users also report that the software interferes with their attempts to access the Internet. Others say that when it does work, it's a nuisance, disguising the add-on search results - which it injects via JavaScript - to make them look normal. "It injects itself into your browser session, offering 'deals' similar to pictures you're looking at, and also suggests ads," complains one user on the System Explorer website, which tracks software installed on Windows devices.

"Visual Discovery messed up my WebSocket," another user said in a Jan. 3, 2015, post to the Lenovo support forums. WebSockets are used for handling real-time communication between servers and clients. "After uninstalling VisualDiscovery, WebSockets worked fine. Lenovo needs to get rid of this VisualDiscovery," the user said. "I spent 4 days trying to figure out this. I'm a new Yoga 2 13 owner."

Lenovo Defends Superfish

Based on posts to Lenovo support forums, users began reporting complaints with Superfish in September 2014. But Lenovo continued to defend Superfish, although on Jan. 23, it did say it would suspend installing the software on new machines, pending Superfish resolving some problems that users were reporting, for example, with browser pop-ups. "To be clear, Superfish comes with Lenovo consumer products only and is a technology that helps users find and discover products visually," said Mark Hopkins, a Lenovo Social Media program manager, on a Lenovo support forum. "The technology instantly analyzes images on the Web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine."

Hopkins also claims that when users encounter Superfish for the first time, they are presented with a "terms of service" - and privacy policy - that they have the option to not accept, which will then disable Superfish. But many privacy experts have long contended that users rarely read such terms of service, thus rendering them meaningless.

Visual Search: Business Move

Graham argues that Lenovo adding Snapfish to its Windows machines wasn't an altruistic move, noting that businesses such as Superfish earn a commission on any sale their software generates. "Their business comes from earning money from those ads, and it pays companies - like Lenovo - to bundle the software against a user's will," he says. "They rely upon the fact that unsophisticated users don't know how to get rid of it, and will therefore endure the ads."

If the software is so useful, Graham adds, then why doesn't Lenovo offer it as a stand-alone download from its website, where there's no mention made of it? Likewise, users have reported having difficulty finding or removing the software from their Lenovo PCs, noting that it doesn't get listed in their system's program list or features.

In fact, the software only came to light after users began complaining: "Lenovo why are you adding adware to your y50 [laptop] that hijacks search results on any browser?" one user asked in September 2014. "Is it not enough that customers buy a laptop from you?"

How to Kill Superfish

To eliminate Superfish from PCs, the System Explorer website notes that the related "visualdiscovery.exe" process can be found running - and stopped - in the Windows Task Manager. To remove the software, it says users can navigate to the "LenovoVisualDiscovery" folder - found in Program Files - and "run Uninstall.exe."

But security experts have warned that even after uninstalling Superfish, its root certificate will remain, and that this certificate must also be manually removed using the Windows "Certificate Manager."

On Lenovo support forums, some Windows experts recommend that to be extra safe and avoid all of the bloatware that so many PC manufacturers - not just Lenovo - install by default, users should always wipe new machines and install a "clean" version of Windows.

Lenovo Responds

Lenovo tells Information Security Media Group that in January, it stopped preloading Superfish on all systems and also disabled the server that handles related search queries.

"Superfish was previously included on some consumer notebook products shipped in a short window between September and December [2014] to help customers potentially discover interesting products while shopping," says Lenovo spokeswoman Wendy Fung. "However, user feedback was not positive, and we responded quickly and decisively." She says the company will no longer preload the software on any Lenovo systems.

Lenovo has dismissed related security warnings. "We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns."

But it's not clear how Lenovo, by deactivating its Superfish server, has addressed the root certificate that was installed by the Superfish client software onto Lenovo devices, and about which information security experts have been warning. Lenovo did not immediately respond to a request for comment about whether it has a mechanism to reliably remove Superfish root certificates from all consumer systems that shipped between September and December 2014, and if not, whether it would launch a product recall.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network