Own a Lenovo Laptop? It May Be Compromised.
If you own a Lenovo ThinkPad, then your online activities may be compromised.
Security blogger Marc Rogers has discovered that, up until January 2015, Lenovo had been pre-installing a piece of software called Superfish on its computers. Superfish is adware: it monitors user activity when browsing the web and pops up adverts based upon that activity on various web pages.
Rogers reports that Superfish exhibits the following behaviors:
- Hijacks legitimate connections.
- Monitors user activity.
- Collects personal information and uploads it to its servers.
- Injects advertising in legitimate pages.
- Displays popups with advertising software.
- Uses man-in-the-middle attack techniques to crack open secure connections.
- Presents users with its own fake certificate instead of the legitimate site’s certificate.
While this sort of behaviour is not unknown in the computer industry (manufacturers bundle computers with bloatware as standard procedure these days), blatantly installing adware is a little eyebrow-raising. But what's worse here is the way that Superfish works: it performs a man-in-the-middle attack.
A man-in-the-middle attack is when a (usually) malicious program intercepts the traffic between the web server and the user's web browser. It then does something with that traffic data. It could be that it sends user names and passwords back to the hacker, who then uses them to log in to your bank account and take your money. In this case, Superfish doesn't do anything so nefarious; it just inserts adverts (which is bad enough).
However, the good folks at the Internet all got together and came up with HTTPS, which makes sure that the traffic between your browser and the web server is securely encrypted. It does this by using a protocol called Secure Sockets Layer or SSL. This makes the man-in-the-middle attack much, much harder for an attacker and has been adopted by banks and financial institutions to protect your access to your online accounts. In fact, Google is now strongly encouraging webmasters to use HTTPS for all websites, even ones that don't handle identity information.
Unfortunately, Superfish circumvents HTTPS by installing a weak security certificate onto the computer. This then fools the web browser into thinking that it is visiting a secure, legitimate website. The big problem here is not that Superfish or Lenovo are using this to compromise your computer; it's that the certificate they're using is weak and can be cracked very easily using any off-the-shelf computer hardware. In fact, this has already happened.
Not only that, the certificate isn't unique to each PC. The same certificate is installed on each and every install of Superfish, meaning that once cracked on one PC, it's cracked on all PCs, and all a hacker needs to do to get into your secure accounts is to hijack the Superfish software.
It's bad news all around.
What Can I Do?
It appears that Lenovo is responding to the backlash and has provided removal instructions for Superfish. These instructions tell how to determine if both the application and the insecure certificate are on your computer system, and provide steps for removal.
One thing to note is that some folks have reported that they followed these and other removal instructions and haven't been successful in getting rid of Superfish.
It's important to note that Superfish hasn't been developed by Lenovo. It's a third-party application, and many of these types of apps try to make themselves incredibly difficult to remove. If you're finding it difficult to remove this adware, it may be more effective to back up your important files and do a fresh install of your operating system. However, you'll need a new Windows OS disk. The installation disk originally provided by Lenovo will have Superfish on it, and you'll be back to square one.
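One way to check whether a root certificate naming Superfish is still trusted by Windows, for example after following removal instructions. This is an added example, not part of the original article or of Lenovo's instructions; it assumes the certificate carries "Superfish" in its subject or issuer, and Find-SuspectRootCertificate is a hypothetical helper name.

```powershell
# Added example: look for a Superfish root certificate in the Windows trust stores.
# Assumption: the certificate names "Superfish" in its subject or issuer.
function Find-SuspectRootCertificate {
    [CmdletBinding()]
    param(
        # Keyword to look for; "Superfish" is the product name from the article.
        [string]$Keyword = 'Superfish',
        # Trusted-root stores for the whole machine and for the current user.
        [string[]]$StorePath = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    $pattern = [regex]::Escape($Keyword)
    foreach ($path in $StorePath) {
        if (-not (Test-Path -Path $path)) { continue }
        foreach ($cert in Get-ChildItem -Path $path) {
            # -notmatch is case-insensitive; skip certificates that do not name the keyword.
            if ($cert.Subject -notmatch $pattern -and $cert.Issuer -notmatch $pattern) { continue }
            # RSA public key if the certificate has one; $null for other key types.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            [pscustomobject]@{
                Store      = $path
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                # A root that signs itself was not issued by another authority.
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
                RsaKeyBits = if ($rsa) { $rsa.KeySize } else { $null }
            }
        }
    }
}

$hits = @(Find-SuspectRootCertificate)
if ($hits.Count -eq 0) {
    Write-Output 'No root certificate naming Superfish was found in the checked stores.'
} else {
    $hits | Format-List
    Write-Warning 'A matching root certificate is still trusted; follow the removal steps for the certificate as well as the application.'
}
```

Because the same certificate is installed on every machine, the thumbprint reported on one affected PC will match the one on any other.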