Lenovo Says No Security Concerns With Superfish, But Researchers Already Cracked It

Since September last year, Lenovo has been selling notebooks with pre-installed adware that would inject ads into Google searches and other websites, without the users' permission.

Injecting ads is easy on websites that aren't encrypted (some ISPs have been doing exactly that), but much harder on encrypted connections. To inject ads into encrypted connections as well, Lenovo also installed its own root certificate in Windows, trusted by the browsers, which allows the software to decrypt connections, insert its ads, and then re-encrypt them so the connection still appears secure.

For instance, Lenovo's certificate can replace Bank of America's own certificate, in essence breaking your secure connection with Bank of America, merely to insert its own ads on the website.

Lenovo responded and said that there are no security concerns with Superfish:

"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns," said the company in a public statement. "But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software. We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first."

Despite Lenovo's promises, this doesn't solve the problem for people who have already had their connections hijacked and have the Superfish certificate installed in their operating systems and browsers.
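A defender-side check for the leftover certificate, added here as an example and not taken from Lenovo, Tom's Guide or the researchers the article mentions: it lists root certificates in the Windows user and machine stores whose subject or issuer matches a name pattern (the pattern "Superfish" is an assumption based on the article's naming) and also flags any trusted root that carries a private key on the machine, since a root that can be used locally to sign certificates for any site is exactly what enables the interception described above.

```powershell
# Added example: look for an injected root CA in the Windows certificate stores.
# Run in an elevated PowerShell session so the LocalMachine store is readable.
# The name pattern is an assumption taken from the article; adjust as needed.
param(
    [string]$NamePattern = 'Superfish'
)

function Find-SuspiciousRootCerts {
    param([string]$Pattern)

    $stores = 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root'
    $findings = foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
            $nameHit = ($_.Subject -like "*$Pattern*") -or ($_.Issuer -like "*$Pattern*")
            # A trusted root whose private key lives on this machine can sign a
            # certificate for any website the browser will then accept, which is
            # the capability that lets interception software read TLS traffic.
            $keyHit = $_.HasPrivateKey
            if ($nameHit -or $keyHit) {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    NameMatch     = $nameHit
                    HasPrivateKey = $keyHit
                }
            }
        }
    }
    return $findings
}

$results = Find-SuspiciousRootCerts -Pattern $NamePattern
if ($results) {
    $results | Format-Table -AutoSize
    Write-Warning "Review the entries above and remove any root CA you did not knowingly install."
} else {
    Write-Output "No root certificates matched '$NamePattern' and none carry a private key."
}
```

Firefox keeps its own certificate store rather than using the Windows one, so a copy of the certificate there would not show up in this listing and needs to be checked separately in the browser's certificate manager.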

The users who have been infected by Superfish are now vulnerable to attacks from malicious hackers. Security researchers have already shown how to take advantage of the Superfish adware to, for example, spy on Lenovo users' traffic at the local Starbucks. If you log in to Bank of America's website, these malicious hackers could then steal your credentials. This attack would work on any other previously secure site as well.

EFF reported that its SSL Observatory has found 44,000 Lenovo owners who are using the Superfish certificate, and that's just on the Firefox browser alone. Extrapolating from Firefox market share, we can assume that there are at least a few hundred thousand users who are now using insecure connections that can be exploited by attackers.

Given the grave situation here, Lenovo's response doesn't seem appropriate. The company has essentially dismissed any security concerns and hasn't even given its customers the proper instructions to completely clean their devices from this Superfish adware.

Lenovo has promised to disable its own connection to people's laptops (which it uses to insert the ads), but as long as the root certificate remains installed, those laptops will remain compromised and vulnerable to attackers.

If you're one of the people who has bought a Lenovo laptop since September last year, our sister site Tom's Guide has provided a few alternatives to help you get rid of Superfish and its certificate.


  • captaincharisma
    Thankfully it wasn't on my Lenovo G510 laptop, unless my spyware scanner already removed it months ago. It's just like a company always trying to assure people there are no problems, and instead of opting to remove and disable it permanently they keep trying to talk everyone into letting them keep it. This is why I stayed with desktops for so long, because it was easy to build your own and didn't have to worry about a company pre-installing crap like this on
  • bgunner
    Once it was the bloatware issue that the manufacturers were adding. Now we have manufacturers installing things that can compromise personal data. As if the product doesn't cost enough to start with, let's let an attacker take the rest of it so that the company can make a few extra bucks off the public.

    A bad business move right there. This will hurt their view in the public's eye for quite some time from now. Not to mention add supposition to if they will ever try it again.
  • dstarr3
    Reason #3,037 why you should reformat and reinstall on every laptop you buy.