Lenovo Slammed Over Superfish Adware
Adware Leaves Encrypted Traffic Vulnerable, Experts Warn
The Yoga 2 laptop may have earned plaudits from reviewers for its convertible design and touch screen. But according to information security experts, it's just one of many different types of consumer-focused and BYOD Windows devices sold by Beijing-based PC manufacturer Lenovo that comes with a non-obvious feature built in: adware from a company called Superfish.
Lenovo claims that the "Superfish Visual Discovery" engine is installed by default to give users an automatic price-comparison shopping engine. But numerous experts have slammed Lenovo for quietly adding the installed-by-default adware, especially because it provides would-be hackers with an easy technique for launching encryption-busting man-in-the-middle attacks against any Lenovo system that runs Superfish. So far, however, they've seen no evidence of such attacks.
"The company claims it's providing a useful service, helping users do price comparisons. This is false. It's really adware," says Robert David Graham, head of research firm Errata Security, in a blog post.
"What on earth were Lenovo thinking?" tweets Europol cybersecurity advisor Alan Woodward, who's a visiting professor at the Department of Computing at the University of Surrey. "We'll be using this as an example of MiTM attacks with the students."
In a technical teardown of the Superfish software, Graham reports that it "installs a transparent-proxy (MitM) service on the computer, intercepting browser connections," and that it works with Internet Explorer and Google Chrome browsers, which use the default Windows certificate store, although not with Firefox, which maintains its own. But a transparent proxy cannot, on its own, decrypt SSL traffic that the browser has encrypted for the real site. Accordingly, the software installs its own root certificate in Windows and then, whenever an SSL connection is attempted, issues an on-the-fly certificate for that site - allowing it to sniff all traffic by decrypting it and then re-encrypting it before passing it on.
Superfish, however, installs the same exact root certificate on every PC on which it resides, Graham warns. "This means that hackers at your local cafe WiFi hotspot, or the NSA eavesdropping on the Internet, can use that private key to likewise intercept all SSL connections from Superfish users."
Superfish didn't immediately respond to a request for comment on such warnings.
User Reports: Superfish Bugs
"Visual Discovery messed up my WebSocket," another user said in a Jan. 3, 2015, post to the Lenovo support forums. WebSockets are used for handling real-time communication between servers and clients. "After uninstalling VisualDiscovery, WebSockets worked fine. Lenovo needs to get rid of this VisualDiscovery," the user said. "I spent 4 days trying to figure out this. I'm a new Yoga 2 13 owner."
Lenovo Defends Superfish
Based on posts to Lenovo support forums, users began reporting complaints with Superfish in September 2014. But Lenovo continued to defend Superfish, although on Jan. 23, it did say it would suspend installing the software on new machines, pending Superfish resolving some problems that users were reporting, for example, with browser pop-ups. "To be clear, Superfish comes with Lenovo consumer products only and is a technology that helps users find and discover products visually," said Mark Hopkins, a Lenovo Social Media program manager, on a Lenovo support forum. "The technology instantly analyzes images on the Web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine."
Visual Search: Business Move
Graham argues that Lenovo adding Superfish to its Windows machines wasn't an altruistic move, noting that businesses such as Superfish earn a commission on any sale their software generates. "Their business comes from earning money from those ads, and it pays companies - like Lenovo - to bundle the software against a user's will," he says. "They rely upon the fact that unsophisticated users don't know how to get rid of it, and will therefore endure the ads."
If the software is so useful, Graham adds, then why doesn't Lenovo offer it as a stand-alone download from its website, where there's no mention made of it? Likewise, users have reported having difficulty finding or removing the software from their Lenovo PCs, noting that it doesn't get listed in their system's program list or features.
In fact, the software only came to light after users began complaining: "Lenovo why are you adding adware to your y50 [laptop] that hijacks search results on any browser?" one user asked in September 2014. "Is it not enough that customers buy a laptop from you?"
How to Kill Superfish
To eliminate Superfish from PCs, the System Explorer website notes that the related "visualdiscovery.exe" process can be found running - and stopped - in the Windows Task Manager. To remove the software, it says users can navigate to the "LenovoVisualDiscovery" folder - found in Program Files - and "run Uninstall.exe."
But security experts have warned that even after uninstalling Superfish, its root certificate will remain, and that this certificate must also be manually removed using the Windows "Certificate Manager."
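The removal steps above (stop the process, run the uninstaller, then clean the certificate store by hand) can be audited from an elevated PowerShell prompt. The script below is an added example, not from the article, Lenovo or System Explorer; it assumes the Superfish root certificate's Subject field contains the string "Superfish" and reports findings by default, deleting the certificate only when run with -Remove.

```powershell
# Added example: audit a Windows PC for the Superfish components named in the
# article and, optionally, remove the root certificate the uninstaller leaves behind.
# Assumption: the certificate's Subject contains "Superfish"; adjust the pattern if
# the entry in Certificate Manager on your system reads differently.
param([switch]$Remove)

$findings = @()

# 1. The visualdiscovery.exe process that Task Manager would show
$proc = Get-Process -Name 'visualdiscovery' -ErrorAction SilentlyContinue
if ($proc) {
    $findings += "Process visualdiscovery.exe running (PID $($proc.Id -join ','))"
}

# 2. The LenovoVisualDiscovery folder under Program Files (32- and 64-bit locations)
$dirs = @("$env:ProgramFiles\LenovoVisualDiscovery",
          "${env:ProgramFiles(x86)}\LenovoVisualDiscovery")
foreach ($d in $dirs) {
    if (Test-Path $d) { $findings += "Install folder present: $d (run Uninstall.exe there)" }
}

# 3. The root certificate, which survives uninstallation. Check both the
#    machine-wide and the per-user Trusted Root stores.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$certs = foreach ($s in $stores) {
    Get-ChildItem -Path $s -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like '*Superfish*' }
}
foreach ($c in $certs) {
    $findings += "Trusted root cert: $($c.Subject) thumbprint $($c.Thumbprint) in $($c.PSParentPath)"
    if ($Remove) {
        # Equivalent to deleting the entry in Certificate Manager (certmgr.msc)
        Remove-Item -Path $c.PSPath -Force
        $findings += "  -> removed"
    }
}

if ($findings.Count -eq 0) { 'No Superfish indicators found.' } else { $findings }
```

Removing from Cert:\LocalMachine\Root requires an administrator prompt; a match in the store after Uninstall.exe has run is exactly the leftover the experts describe.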
On Lenovo support forums, some Windows experts recommend that to be extra safe and avoid all of the bloatware that so many PC manufacturers - not just Lenovo - install by default, users should always wipe new machines and install a "clean" version of Windows.
Lenovo tells Information Security Media Group that in January, it stopped preloading Superfish on all systems and also disabled the server that handles related search queries.
"Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping," says Lenovo spokeswoman Wendy Fung. "However, user feedback was not positive, and we responded quickly and decisively." She says the company will no longer preload the software on any Lenovo systems.
Lenovo has dismissed related security warnings. "We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns."
But it's not clear how Lenovo, by deactivating its Superfish server, has addressed the root certificate that was installed by the Superfish client software onto Lenovo devices, and about which information security experts have been warning. Lenovo did not immediately respond to a request for comment about whether it has a mechanism to reliably remove Superfish root certificates from all consumer systems that shipped between September and December 2014, and if not, whether it would launch a product recall.