1. Home >
  2. Extreme

Lenovo PCs ship with adware that destroys system security, breaks HTTPS

Lenovo's consumer laptops are loaded with adware that fundamentally compromises system security and transmits encrypted information to a third-party vendor. Lenovo's response thus far is to pretend the problem doesn't exist and that consumers knowingly chose to buy hardware with non-functioning browser safeguards.
By Joel Hruska
Lenovo Ideapad

Lenovo is selling PCs equipped with a pre-installed adware package that destroys the security of HTTPS and creates a perfect man-in-the-middle (MTM) scenario against the host PC. The software in question is called Superfish Visual Discovery, and its basic function -- it injects advertising into browser sessions -- is bad enough. Superfish's five-alarm functionality is that it installs its own signed root certificates to a user's operating system. What this means, in essence, is that Superfish substitutes its own signed certificate for the certificate that's supposed to be provided by the actual website.

Here's how the system is supposed to work. When you connect to your bank's website using HTTPS, the bank sends its certificate information back to the browser. The bank's certificate must be issued by a valid Certificate Authority. If it isn't, your browser is supposed to warn you that the data you're about transmit may be insecure and that it can't verify the authenticity of the certificate itself.

ssl-info-ssl-certificateA properly signed certificate

What Lenovo and Superfish have done(Opens in a new window) is configure shipping systems with a certificate signed by Superfish rather than a Certificate Authority like Verisign or Symantec. Worse, the certificate key that Lenovo is distributing with its PCs appears to be identical across all systems.

boa-superfish-lenovoSuperFish's certification Here's what this means in aggregate:
  • Superfish can decrypt all data that you send via HTTPS connections.
  • It uses the same root key for every Lenovo system, which means every Lenovo system with this key installed connecting over WiFi at a public hotspot can theoretically be snooped.
  • It injects Javascript into web pages to perform its functions, which can cause its own compatibility problems.
Toss in the fact that you can't download Superfish's software (the company's website only lists products available in the App Store or Google Play) and it's obvious that the intent was to turn a quick buck to fund the development of other products with zero mind paid to user security or data access.

Lenovo's no-win scenario

Lenovo apparently doesn't ship Superfish on its business systems, only on consumer products, but no complete product list has been released thus far. There's no good answer for how this product ended up deployed on Lenovo computers. Consider the options:
  • Lenovo knew that the product fatally compromised browser security by creating a MTM attack but didn't care.
  • Lenovo didn't know the product compromises browser security because it didn't bother to analyze the software it sells to customers.
  • Lenovo only installed Superfish on consumer systems because it knew the product was an unacceptable corporate security risk (but didn't care what happened to consumer data).

Lenovo's response to all of this is to claim that users consented to the software because they accepted the license agreement when they first booted up their systems (I'd be surprised if the front page of that agreement included the phrase "Nothing you transmit on your PC using HTTPS will be encrypted or secure, ever." Uninstalling Superfish does not fix the problem(Opens in a new window), users will need to remove the root certificate manually. Instructions on how to do so are available here(Opens in a new window). Superfish is now distributing an "update" that literally keeps the entire original function of the software (including the MTM attack possibilities) but includes a string(Opens in a new window) to disable certain functions if a Lenovo user is detected.

In other words, Lenovo's "apology" for this behavior is to push for a patch that solves nothing but papers over the issue. The horse, however, is apparently out of the barn(Opens in a new window) -- the private key for Superfish has already been decrypted. What is it, you ask? Komodia.What's komodia? A TCP/IP redirector(Opens in a new window) and "a brand new technology that allows you to access data that was encrypted using SSL and perform on-the-fly SSL decryption."

Anybody smell a rat yet?

Tagged In

Lenovo Man In The Middle Superfish Security PCS

More from Extreme

Atlas yellow ring
Boston Dynamics Dumps Hydraulics, Unveils All-Electric Atlas Robot
By Ryan Whitwam
The Milky Way as captured by NASA's Spitzer Space Telescope.
What Is Dark Matter?
By Adrianna Nine, Graham Templeton
SK Hynix Platinum P41
How Do SSDs Work? The Inner Details, Explained
By Joel Hruska, ExtremeTech Staff
A graphic showing a brain and sci-fi-style computer circuits
What Is Artificial Intelligence? From Generative AI to Hardware, What You Need to Know
By Jessica Hall
Starship and Super Heavy on the launchpad
SpaceX Starship, Explained: What You Need to Know About Elon Musk's Biggest Project of Them All
By Ryan Whitwam
Subscribe Today to get the latest ExtremeTech news delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of use(Opens in a new window) and Privacy Policy. You may unsubscribe from the newsletter at any time.
Thanks for Signing Up