Lenovo Says No Security Concerns With Superfish, But Researchers Already Cracked It

Since September last year, Lenovo has been selling notebooks with pre-installed adware that would inject ads into Google searches and other websites, without the users' permission.

Injecting ads into unencrypted websites is relatively easy, and some ISPs have done it too, but it is much harder with encrypted connections. To inject ads into encrypted connections as well, Lenovo also installed its own root certificate in Windows and its browsers, which lets the company decrypt connections, insert its ads, and then re-encrypt them to preserve the appearance of security.

For instance, Lenovo's certificate can stand in for Bank of America's own certificate, in essence breaking your secure connection with Bank of America merely to insert ads on the site.

Lenovo responded and said that there are no security concerns with Superfish:

"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns," said the company in a public statement. "But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software. We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first."

Despite Lenovo's promises, this doesn't solve the problem for people who have already had their connections hijacked and have the Superfish certificate installed in their operating systems and browsers.

Users whose machines came with Superfish remain vulnerable to attacks from malicious hackers. Security researchers have already shown how the Superfish adware can be abused to, for example, spy on Lenovo users' traffic at the local Starbucks. If you log in to Bank of America's website, such attackers could then steal your credentials. The same attack would work on any other previously secure site.

EFF reported that its SSL Observatory has found 44,000 Lenovo owners who are using the Superfish certificate, and that's just on the Firefox browser alone. Extrapolating from Firefox market share, we can assume that there are at least a few hundred thousand users who are now using insecure connections that can be exploited by attackers.

Given the grave situation here, Lenovo's response doesn't seem appropriate. The company has essentially dismissed any security concerns and hasn't even given its customers proper instructions to completely remove the Superfish adware from their devices.

Lenovo has promised to disable its own connection to people's laptops (which it uses to insert the ads), but as long as the root certificate remains installed, those laptops remain compromised and vulnerable to attackers.

If you're one of the people who has bought a Lenovo laptop since September last year, our sister site Tom's Guide has provided a few alternatives to help you get rid of Superfish and its certificate.
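As an added illustration (not from the article or from Tom's Guide), here is a PowerShell check for the leftover root certificate. It assumes the certificate's Subject field contains the word "Superfish" and that a matching entry may sit in either the machine-wide or the per-user Trusted Root store:

```powershell
# Added example, not from the article: report (and optionally remove) any
# trusted root certificate whose Subject mentions Superfish.
# Assumption: the offending CA's Subject contains "Superfish".
param(
    [switch]$Remove   # run without -Remove to only report
)

$pattern = '*Superfish*'   # assumed match string for the CA

# Both stores are trusted by every browser that uses the Windows store.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object { $_.Subject -like $pattern }
}

if (-not $found) {
    Write-Output 'No certificate matching the pattern was found in the Windows root stores.'
    return
}

foreach ($cert in $found) {
    Write-Output ('FOUND   {0}  Thumbprint={1}  Store={2}' -f $cert.Subject, $cert.Thumbprint, $cert.PSParentPath)
    if ($Remove) {
        # Removing from LocalMachine\Root requires an elevated (Administrator) shell.
        Remove-Item -Path $cert.PSPath
        Write-Output ('REMOVED {0}' -f $cert.Thumbprint)
    }
}
```

Firefox keeps its own certificate store, so check its Certificate Manager separately, and uninstall the Superfish software itself as well; deleting the certificate alone is only half the cleanup.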


Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • captaincharisma
    Thankfully it wasn't on my Lenovo G510 laptop, unless my spyware scanner already removed it months ago. It's just like a company always trying to assure people there are no problems, and instead of opting to remove and disable it permanently they keep trying to talk everyone into letting them keep it. This is why I stayed with desktops for so long, because it was easy to build your own and I didn't have to worry about a company pre-installing crap like this on
  • bgunner
    Once it was the bloatware issue that the manufacturers were adding. Now we have manufacturers installing things that can compromise personal data. As if the product doesn't cost enough to start with, let's let an attacker take the rest of it so that the company can make a few extra bucks off the public.

    A bad business move right there. This will hurt their view in the public's eye for quite some time from now. Not to mention add speculation as to whether they will ever try it again.
  • dstarr3
    Reason #3,037 why you should reformat and reinstall on every laptop you buy.
  • dgingeri
    I despise adware under any circumstances. Any manufacturer that would actually ADD the stuff to their PCs are going to get an "avoid like the plague" recommendation from me. One that actually breaks secure connections in order to put those ads in web sites they have no business dealing with gets a "you're stupid if you even consider it" rating from me.
  • d_kuhn
    Always, always, always wipe the HDD of new consumer machines and reinstall Windows... always. If you don't have a clean Windows disk, then make sure the machine you buy comes with the OEM install disk (their "reinstall" disk just reinstalls the crapware).
  • kenjitamura
    Reason #3,037 why you should reformat and reinstall on every laptop you buy.

    I always do. Bloatware and adware are unacceptable to me and wiping the thing before using it is time well spent.
  • OneFai
    Shame on Lenovo. I installed some Asus software to prioritize the PC's LAN traffic. After installation, all my secure HTTP connections were hijacked. I couldn't even uninstall it. I had to wipe my PC clean. No more Asus software for me.
  • Innocent_Bystander
    Wiping and reinstalling a clean system is absolutely fundamental on any OEM product. Having said that, anyone who rewards this behaviour with a repeat purchase deserves more of the same.
  • Theretoohsprahs
    I work at Best Buy in computer sales, and this makes me sick knowing that I've probably unknowingly sold some people a compromised computer.
  • ethanolson
    This is why I prefer to use HP Zbook workstations. They're made near Pittsburgh in the good ol' USA. No Superfish. Just a vanilla Windows installation.