Security researchers are taking Lenovo to task for authorising the installation of a browser add-on to its consumer PC line that is akin to adware and could be used to eavesdrop on victim communications.
A Lenovo spokesperson told CRN USA its investigation found no security issues with the add-on, but the company stopped installing the program in January.
The Superfish Visual Discovery add-on injects advertising into websites and is enabled in Google Chrome and Internet Explorer. Lenovo received complaints about the add-on and its ability to gain unfettered access to Lenovo systems.
Superfish installs a root certificate into Windows, enabling it to display advertising on SSL-protected websites. But researchers said the tactic acts as a man-in-the-middle attack and could be used to view encrypted communications, including bank account details, account credentials and webmail messages.
"I can intercept the encrypted communications of SuperFish's victims [people with Lenovo laptops] while hanging out near them at a cafe Wi-Fi hotspot," said Robert Graham, a noted security researcher and CEO of Atlanta-based consultancy Errata Security. "It's designed to intercept all encrypted connections -- things I shouldn't be able to see. It does this in a poor way that leaves the system open to hackers or NSA-style spies."
Superfish installs a proxy to monitor all communications and a root certificate to decrypt encrypted communications.
In a blog post explaining how he cracked Superfish's encryption, Graham said Superfish intercepts SSL traffic using technology from Komodia, an Israel-based company. Komodia created a tool that can decrypt SSL traffic and modify or inject code into the browser to display ads without any warning messages to the user. Komodia also markets its technology as a way for parents to monitor their children's browsing activity.
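A check a defender would run on a machine that may carry this software, added here as an example and not code from the article, from Lenovo or from Superfish: it audits both Windows trusted-root stores for certificates naming Superfish (the watchlist is an assumption you can extend) and for any root whose private key sits on the machine, which is what lets a local proxy mint certificates for arbitrary sites.

```powershell
# Added example (not from the article): audit the Windows trusted-root stores
# for interception-style CAs such as the Superfish root described above.
# Assumption: $Watchlist holds substrings to look for in certificate names.
$Watchlist = @('Superfish')

$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$Findings = foreach ($Store in $Stores) {
    Get-ChildItem -Path $Store | ForEach-Object {
        $cert = $_
        $reasons = @()

        # 1. Name match against the watchlist (subject or issuer).
        foreach ($name in $Watchlist) {
            if ($cert.Subject -like "*$name*" -or $cert.Issuer -like "*$name*") {
                $reasons += "name matches '$name'"
            }
        }

        # 2. A trusted root whose private key is present on this machine is the
        #    hallmark of local TLS interception: a real CA never ships its key.
        #    An enterprise test CA can also trigger this, so confirm before acting.
        if ($cert.HasPrivateKey) {
            $reasons += 'private key present on this machine'
        }

        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                Store      = $Store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

if ($Findings) {
    $Findings | Format-Table -AutoSize
    # To remove a flagged root once you have confirmed it is not a legitimate CA:
    #   Get-ChildItem Cert:\LocalMachine\Root\<THUMBPRINT> | Remove-Item
} else {
    'No suspicious root certificates found.'
}
```

Run it from an elevated prompt so the LocalMachine store is readable; removing a root also requires elevation.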
Solution providers said they have seen similar complaints in the past with "bloatware" installed on consumer systems. One Lenovo partner said his firm works with consumers to customise new laptops, often removing unwanted programs such as Superfish. In addition to monitoring user activity, the software can collect personal information and upload it to Superfish servers, inject advertising and crack secure connections, said Marc Rogers, a security researcher at secure hosting provider CloudFlare, who analysed the browser add-on functionality.
"When malware is installed with the access a manufacturer has, it buries itself deep inside the system often with a level of access that often takes it beyond the reach of antivirus or other countermeasures," Rogers wrote. "This is why it is all the more disappointing -- and shocking -- to find a manufacturer doing this to its customers voluntarily."
In an email message, a Lenovo spokesperson told CRN USA that the adware was installed on consumer notebook products shipped between September and December. The aim was "to help customers potentially discover interesting products while shopping," said Brion Tingler, Lenovo’s corporate communications lead. "User feedback was not positive, and we responded quickly and decisively," Tingler said.
Superfish has disabled the server-side interactions for all Lenovo products since January, which disables the add-on. Lenovo also stopped preloading the software in January, and Tingler added that the computer maker would not preload it in the future.
Lenovo is downplaying the security threat posed by the program. Tingler said Superfish does not profile or monitor user behaviour, and that users are not tracked or targeted.
"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns. But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software," he said. "We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first."