Lenovo is in the storm one again, security experts discovered that the company is shipping laptops with Superfish malware , a malware that allows to steal web traffic using man-in-the-middle attacks. SuperFish is considered by many antivirus companies as a potentially unwanted program, adware, or a trojan.
The “Superfish” malware was installed on laptops sold until late last month, it was able to steal web traffic using fake, self-signed, root certificates to inject advertisements into sessions. Lenovo has removed Superfish the malicious software after numerous users reported the embarrassing discovery on its forums by claiming to be victims of attacks.
“A blatant man-in-the-middle attack malware breaking privacy laws. I have requested return of the laptop and refund as I find it unbelievable that … Lenovo would facilitate such applications pre bundled with new laptops,” the user wrote on the Lenovo forums.
“I just bought a Lenovo G50 Notebook. And as you might guess it’s also “infected” with PUP (a SuperFish Software (that’s the one which displays ads on webpages)). So, now i try to clean up a brand new device. Sounds a bit absurd. What do you think?” said another user.
In the following image posted by one of the Lenovo users is visible a certificate masquerading as being issued by Bank of America.
Another victim posted a purported screenshot of the program showing it as a trusted root certificate and claiming a web connection to their bank was intercepted.
“One screenshot taken by an unhappy user shows a certificate masquerading as being issued by Bank of America. Another user posted a purported screenshot of the program showing it as a trusted root certificate and claiming a web connection to their bank was intercepted.” states The Register.
The Forum administrator Mark Hopkins explained that the new laptops will no longer be sold with Superfish. Lenovo has also asked the company behind the program to provide a software update to address these issues.
“Due to some issues (browser pop up behavior for example), with the Superfish Visual Discovery browser add-on, we have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues,” Hopkins said.
“As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues.” “The technology instantly analyses images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine.”
I don’t want to play with Hopkins’s statements, but it is evident that Lenovo has “temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues”. What does it mean?
Why not eliminate the malware definitively?
Facebook engineering director Mike Shaver raised the alarm about the ad/bloatware on Twitter, and found SuperFish certificates posted by different users had shared the same RSA key.
Lenovo installs a MITM cert and proxy called Superfish, on new laptops, so it can inject ads? Someone tell me that’s not the world I’m in.
— Mike Shaver (@shaver) 19 Febbraio 2015
Unfortunately Factory pre-installed malware is not a new issue, it is already happened in the past, in some cases due to the poisoning of the supply chain, but in this case it seems to be that Lenovo was aware of the absurd practice. Have you bought a Lenovo computer recently? Check your system asap.
UPDATE FROM CSOONLINE
A Lenovo spokesperson responded to questions earlier this morning. The company says that Superfish hasn’t been installed on laptops since January, and that all server side interactions have been disabled since then as well. The full statement is below.
Superfish was previously included on some consumer notebook products shipped in a short window between October and December to help customers potentially discover interesting products while shopping. However, user feedback was not positive, and we responded quickly and decisively:
1) Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.
2) Lenovo stopped pre-loading the software in January.
3) We will not pre-load this software in the future.
We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns. But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software. We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first…
The statement goes on to repeat what was said originally on the support forums, adding that the relationship with Superfish Inc. is not financially significant Lenovo; “our goal was to enhance the experience for users. We recognize that the software did not meet that goal and have acted quickly and decisively,” the statement concluded.
(Security Affairs – Lenovo, Factory pre-installed malware)
Update September 28th, 2015
Statistical data collection by Lenovo has been the subject of press reports and social media discussion. Similar to other companies in the PC, smartphone and tablet industries and as disclosed in the End User License Agreement, Lenovo products collect non-personally identifiable statistical usage data that is not tracked to any single customer or device. This data helps Lenovo improve both existing and future products.
In preparation for Windows 10, all programs preloaded on Lenovo PCs were reviewed by Lenovo and independent 3rd parties from privacy and technical perspectives and are listed in the “programs directory” in Windows, under “settings”. Customers who do not want to participate, can remove the program by going into the “Control Panel”, opening “Add / Remove Programs”, clicking on the program and selecting “uninstall”.”