Skip to main content

Lenovo Says No Security Concerns With Superfish, But Researchers Already Cracked It

Since September last year, Lenovo has been selling notebooks with pre-installed adware that would inject ads into Google searches and other websites, without the users' permission.

This is more easily done with websites that aren't encrypted, and is in fact something some ISPs have been doing as well, but it's more difficult to do with encrypted connections. In order to do this with encrypted connections ads, Lenovo also installed its own root certificate in Windows browsers, which allows the company to decrypt connections, insert its ads, and then encrypt them back to preserve the appearance of security.

For instance, Lenovo's certificate can replace Bank of America's own certificate, in essence breaking your secure connection with Bank of America, merely to insert its own ads on the website.

Lenovo responded and said that there are no security concerns with Superfish:

“We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns," said the company in a public statement. "But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software. We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first."

Despite Lenovo's promises, this doesn't solve the problem for people who have already had their connections hijacked and have the Superfish certificate installed in their operating systems and browsers.

The users who have been infected by Superfish have now remained vulnerable to attacks from malicious hackers. Security researchers have already shown how to take advantage of the Superfish adware to, for example, spy on Lenovo users' traffic at the local Starbucks. If you login to Bank of America's website, these malicious hackers could then steal your credentials. This attack would work on any other previously secure site, as well.

EFF reported that its SSL Observatory has found 44,000 Lenovo owners who are using the Superfish certificate, and that's just on the Firefox browser alone. Extrapolating from Firefox market share, we can assume that there are at least a few hundred thousand users who are now using insecure connections that can be exploited by attackers.

Given the grave situation here, Lenovo's response doesn't seem appropriate. The company has essentially dismissed any security concerns and hasn't even given its customers the proper instructions to completely clean their devices from this Superfish adware.

Lenovo has promised to disable its own connection to peoples' laptops (which they use to insert the ads), but as long as the root certificate remains installed, those laptops will continue to remain compromised and vulnerable to attackers.

If you're one of the people who has bought a Lenovo laptop since September last year, our sister site Tom's Guide has provided a few alternatives to help you get rid of Superfish and its certificate.

Follow us @tomshardware, on Facebook and on Google+.

Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.