Lenovo has just made a huge blunder by pre-installing dodgy ad software on its laptops, with the rather nasty side effect that you could be open to attacks by hackers. Called Superfish, the nasty software was first noticed mid-2014, although Lenovo has said that it stopped shipping it at the start of this year and only installed it on consumer laptops. Even so, that’s a lot of computers that are potentially at risk from this software.
What is Superfish?
Superfish is ‘Visual Discovery’ software, which is a posh way of saying that it hijacks your web connection and stuffs pages full of related pop-up ads. It does this by setting itself up as a proxy so that all of your web traffic runs through the software. By doing this, the software can sit in the middle of your connection, monitor what you’re looking at and then download and inject its own JavaScript into web pages to display ads.
Injecting JavaScript into web pages is a bad idea and can make websites unreliable, as well as breaking layouts. In fact, many Lenovo customers complained about pop-ups and other behavioural problems with it. It’s obvious from a cursory glance that this kind of behaviour is dubious at best, although most people would quite rightly think that it’s completely outrageous. Unfortunately, that’s not even the worst thing about Superfish.
Superfish could make secure connections insecure
A lot of web connections are now encrypted: go to Google and you’ll see the encryption icon is on, and the web address starts 'https'. This is designed to protect people and secure what they’re doing online. It also means that a person’s web traffic is complete nonsense to anyone that intercepts it. This principle should mean that Superfish wouldn’t work all of the time, as it wouldn’t be able to make sense of the encrypted traffic and inject its JavaScript.
Instead, Superfish has a rather nasty trick up its sleeve, which bypasses the protection that you normally get in a browser. To explain, we need to give a quick overview of how secure SSL connections work, using public key cryptography.
With this kind of encryption, there’s a public key and a private key. Anything encrypted with the public key can only be decoded with the private key and vice versa. Importantly, you can’t use the public key to decode a message encrypted with the public key.
Using this system, a website holds its private key and doesn’t share it, but it does send out its public key to your browser. Your browser uses the public key to encrypt messages, safe in the knowledge that only the website with its private key can decrypt them.
So far, so good, but this leaves one problem: if someone hijacked your connection and sent you to a fake website, say, pretending to be your bank, the fake bank could issue a fake public key and your browser wouldn’t know the difference. To protect against this, you get Certificate Authorities (CA), which store all of the public keys and their owners. CAs are known by everyone and trusted by all, and everyone has the CAs’ public keys.
When you’re issued a public key from a website, you also get a verification signature. Your browser uses a CA’s public key to send the verification signature and waits for a response. As only the CA can decode your message, and only the real website can create the proper verification signature, your browser knows that the result can be trusted. Security keys are all handled in your browser through the installation of security certificates.
To get round this, Superfish installs itself as a CA on your computer, adding a new security certificate to Windows. When your computer then tries to make an SSL connection, the software steps in, issues you with a public key and then authenticates that it’s valid.
This lets the software decrypt your communications (it’s giving out the public keys, and its own private key can decrypt the traffic), and pull out the information it needs, while injecting its ads, before re-encrypting everything. As the CA system is all based on trust, your web browser doesn’t think that there’s anything wrong and lets the process go on.
Superfish can decode your private communications
Obviously, the big worry here is that Superfish performs what's known as a man-in-the-middle attack: it sits in the middle of your communications, decodes your private information, and then encrypts it again. This means that Superfish and the server it talks to could see exactly what you’re up to. Lenovo has been quick to dismiss claims that any of this goes on, saying in a statement, “To be clear, Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent.”
We’ll bet that that statement doesn’t make you feel better about the situation. We’re sorry, but you’re going to feel worse in a minute, when we explain just how bad this is.
Superfish’s CA could leave you open to hackers
Superfish has used the same CA private key on every single computer that its software is installed on. This means that hackers can potentially use this private key to decrypt every secure bit of traffic from Lenovo laptops. Robert Graham, writing on the Errata Security blog, managed to pull the certificate out of the software and break the protecting password (it’s ‘komodia’ if you’re interested).
As Graham explains, “The consequence is that I can intercept the encrypted communications of SuperFish's victims (people with Lenovo laptops) while hanging out near them at a cafe wifi hotspot.”
How can Superfish so easily bypass your computer’s security?
Lenovo states, “Users are given a choice whether or not to use the product.” In other words, there’s a pop-up box that asks if you want to use the software and let it make the necessary changes to your computer. It’s a get-out used by many a company, as effectively you’re saying, “Yes, let Superfish access my computer and make the changes it wants.”
Perhaps there should be better warning messages from browsers and Windows about this kind of behaviour, but that’s really a discussion for another day.
How can I tell if I’m infected with Superfish?
The easiest way is to go to the Superfish CA test site, written by Filippo Valsorda. This will tell you if you’re most likely safe or not, and is a quick way to make the check. Superfish infects all major Windows browsers, including Chrome, Internet Explorer and Firefox, so it doesn’t matter which browser you use to test.
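The test site checks this from the server side; the PowerShell below, an added example that is not from the article or from Superfish’s own code, does the equivalent check from the affected machine against any HTTPS site you name. It assumes the interception applies to every TLS connection from the PC, as the article describes for the browsers, so a certificate signed by Superfish rather than a public CA is the tell-tale sign.

```powershell
# Added example (not from the article): ask a site for its certificate and report
# who signed it. Without interception the issuer is a public CA; with a local
# interception proxy such as Superfish active, the leaf is signed by its root instead.
# Assumption: the proxy intercepts all TLS from the machine, not just the browsers.
function Get-TlsIssuer {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream())
        # Default validation on purpose: on an affected PC the fake certificate passes,
        # which is exactly the failure the article describes.
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host       = $HostName
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            # The sign from the article: the chain ends at Superfish, not at a public CA.
            Suspicious = ($cert.Issuer -like '*Superfish*')
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

# Check a few sites you know use HTTPS. The same non-public issuer on all of them
# is the interception pattern the article describes.
'www.google.com', 'www.microsoft.com' | ForEach-Object { Get-TlsIssuer -HostName $_ } | Format-Table -AutoSize
```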
How do you remove Superfish?
First, you should uninstall the software from your computer. Go to the Control Panel and select Programs and features, and then select Uninstall. In the dialog box that appears, look for VisualDiscovery and then uninstall it. You should also install decent anti-virus software and run a scan – read our guide to the best security software 2015 to find something suitable.
Uninstalling the software can leave the dodgy certificate behind, which still leaves you open to trouble. To remove this press Windows-R to bring up the Run command, type certmgr.msc and hit Enter. This loads the Certificate Manager for your PC. You need to navigate to Trusted root certificate authorities using the left-hand panel, look for the Superfish entry in the main panel, right-click it and select Delete. Image below is via Chris Palmer.
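The certmgr.msc steps above can be scripted so that the check and the removal are repeatable. This is an added example, not code from the article, Lenovo or Superfish; it assumes the certificate subject contains the word Superfish, which is the entry the article tells you to look for.

```powershell
# Added example (not from the article): script the certmgr.msc clean-up.
# Looks in both the machine-wide and the per-user Trusted Root stores for any
# certificate whose subject mentions Superfish and removes it after confirmation.
# Run from an elevated prompt; removing from LocalMachine\Root needs admin rights.
function Find-SuperfishRoot {
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like '*Superfish*' } |
            Select-Object @{n='Store';e={$store}}, Subject, Thumbprint, NotAfter, PSPath
    }
}

$hits = @(Find-SuperfishRoot)
if ($hits.Count -eq 0) {
    Write-Output 'No Superfish root certificate found; the trust store is clean.'
} else {
    $hits | Format-Table Store, Subject, Thumbprint -AutoSize
    foreach ($hit in $hits) {
        # Same effect as right-click > Delete in certmgr.msc; -Confirm prompts before each removal.
        Remove-Item -Path $hit.PSPath -Confirm
    }
    # Re-run the audit so the result is verified rather than assumed.
    if (@(Find-SuperfishRoot).Count -eq 0) { Write-Output 'Superfish root certificate removed.' }
}
```

Uninstalling VisualDiscovery first, as the article says, matters: the proxy software can otherwise put the certificate back.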
What is Lenovo doing about this?
Lenovo has said that it has stopped installing the software and that it has shut down the server-side component of the software. Lenovo told us that: “1) Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market. 2) Lenovo stopped preloading the software in January. 3) We will not preload this software in the future.”