Lenovo Drops Superfish Adware
PC Manufacturer Does About-Face, Issues Mea Culpa
Lenovo, the world's largest PC manufacturer, says it will cease adding Superfish adware to its devices and help customers delete the software from their computers as quickly as possible. That represents a sharp about-face by Beijing-based Lenovo, which until Feb. 19 was defending the add-on software as a feature (see Lenovo Slammed Over Superfish Adware).
Lenovo faced mounting criticism from information security researchers over its attempt to downplay its decision to pre-install the Superfish Visual Discovery adware in its Windows builds. Critics also targeted remarks from Lenovo officials, who had continued to assert that any risk posed by the software - which installed the same root certificate on all devices - is only "theoretical."
Now, however, Lenovo has shifted gears, issuing a "Superfish vulnerability" security warning, which notes that it included Superfish Visual Discovery "on some consumer notebook products shipped between September 2014 and February 2015," and that it poses a "man-in-the-middle attack" risk for any system on which it has been installed. Lenovo rates the severity of the potential security threat as "high," and notes that while the software itself can be easily removed from any device, "the current uninstaller does not remove the Superfish root certificate." Lenovo says that after poor user feedback regarding Superfish, it had deactivated the related server in January, meaning that no more Superfish-powered results were being injected into users' search queries.
Lenovo also issued the following mea culpa via Twitter: "We're sorry. We messed up. We're owning it. And we're making sure it never happens again." It also released detailed instructions for removing the adware, as well as determining if the risky Superfish digital certificate is installed, and how to remove it. The company also published a full list of all machines on which Superfish was installed.
"We're sorry. We messed up. We're owning it. And we're making sure it never happens again. Fully uninstall Superfish: http://t.co/mSSUwp5EQE" - Lenovo United States (@lenovoUS), February 20, 2015
"Affected users will need to first manually remove the Superfish application and subsequently to revoke and remove the Superfish root certificate," warns Rik Ferguson, vice president of security research for security software vendor Trend Micro, and a cybersecurity adviser to Europol, in a blog post that characterizes the Superfish software not as adware, but spyware.
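Because the Superfish uninstaller leaves the root certificate behind, the practical check on an affected Windows machine is to inspect the trusted root and intermediate CA stores directly. The script below is an added example, not Lenovo's published removal instructions or any Superfish tooling; it assumes the Superfish root certificate carries the string "Superfish" in its Subject field, and it must be run from an elevated PowerShell prompt. It reports every match, and with -WhatIf it only previews the removal.

```powershell
# Added example (not Lenovo's or Superfish's own tooling): locate, and
# optionally remove, a root or intermediate certificate whose Subject matches
# a pattern, across the machine-wide and current-user certificate stores.
# Assumption: the Superfish root has "Superfish" in its Subject field.
# Run elevated; pass -WhatIf to preview without deleting anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SubjectPattern = '*Superfish*'
)

# Stores to inspect: trusted roots and intermediate CAs for machine and user.
$stores = @(
    'Cert:\LocalMachine\Root',
    'Cert:\LocalMachine\CA',
    'Cert:\CurrentUser\Root',
    'Cert:\CurrentUser\CA'
)

# Collect every certificate whose Subject matches the pattern.
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like $SubjectPattern }
}

if (-not $found) {
    Write-Output "No certificate matching '$SubjectPattern' found in the inspected stores."
    return
}

foreach ($cert in $found) {
    # Report enough detail to confirm each match before it is deleted.
    Write-Output ("Found: Subject={0} Thumbprint={1} Store={2} NotAfter={3}" -f
        $cert.Subject, $cert.Thumbprint, $cert.PSParentPath, $cert.NotAfter)

    # ShouldProcess honours -WhatIf and -Confirm; Remove-Item deletes from the store.
    if ($PSCmdlet.ShouldProcess($cert.Thumbprint, 'Remove certificate')) {
        Remove-Item -Path $cert.PSPath
    }
}
```

Run the script first with -WhatIf and compare the reported thumbprint against the value in Lenovo's advisory before removing anything. The Windows stores are not the whole story: Firefox keeps its own certificate database, so a certificate added there has to be removed through the browser's certificate manager, and the Superfish application itself still has to be uninstalled separately, as Ferguson notes above.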
In response to a request for comment on the matter, Adi Pinhas, CEO of Palo Alto, Calif.-based Superfish, tells Information Security Media Group: "Superfish has not been active on Lenovo laptops since December. It is important to note: Superfish is completely transparent in what our software does, and at no time were consumers vulnerable - we stand by this today."
Researchers Demonstrate Risks
Security researchers say the risk posed by Superfish is that it installs the same root certificate onto every Windows machine on which it resides, which it then uses to sniff - by decrypting and then re-encrypting - all SSL-encrypted traffic. As a result, would-be attackers who possess a copy of this certificate could launch a man-in-the-middle attack. "If this software or any of its control infrastructure is compromised, an attacker would have complete and unrestricted access to affected customers' banking sites, personal data and private messages," CloudFlare principal security researcher Marc Rogers warns.
Robert David Graham, who heads information security research firm Errata Security, says this problem is not academic, because he - and other researchers - have cracked the Superfish digital certificate. "The consequence is that I can intercept the encrypted communications of SuperFish's victims - people with Lenovo laptops - while hanging out near them at a cafe WiFi hotspot."
While the digital certificate installed by Superfish was encrypted, Graham says that by using a dictionary-based attack, he was able to crack the password - "komodia" - in just 10 seconds.
Komodia: Warnings Sounded
A Komodia spokesman declined to comment about whether Superfish is one of its customers. But since that potential connection came to light, Komodia has been on the receiving end of distributed denial-of-service attacks, with its website resolving to the following error message: "Site is offline due to DDOS with the recent media attention."
CloudFlare's Rogers says the exact same certificate - with the same password - appears to also be used in a range of products, including the "Keep My Family Secure" parental control software and the Kurupira Webfilter. "This means that those dodgy certificates aren't limited to Lenovo laptops sold over a specific date range," Rogers warns. "It means that anyone who has come into contact with a Komodia product, or who has had some sort of Parental Control software installed on their computer, should probably check to see if they are affected."
Lenovo spokeswoman Wendy Fung confirmed that Lenovo received financial compensation for bundling Superfish software onto PCs. But she declined to detail the specifics of that arrangement, telling Information Security Media Group that "the relationship with Superfish is not financially significant."
Lenovo has promised to avoid pre-installing adware moving forward, with chief technology officer Peter Hortensius telling The Wall Street Journal that "we didn't do enough" due diligence before bundling Superfish. But he has continued to downplay the real-world risk posed by the tool as being security researchers' "theoretical concerns."
Hortensius says Lenovo is now preparing a tool "that removes all traces of the app from people's laptops," including the digital certificate that it installs. "Once the app-wiping software is finished ... we'll issue a press release with information on how to get it," he says.
But Lenovo declined to comment on queries about whether it would offer a product recall. Instead, it appears that eliminating the software from affected PCs will require users to first know that there's a problem, and then find and run the related update. Given the number of people who never manually update their PCs - not least for a piece of software they may never know was installed in the first place, never mind what it does - that means the risky Superfish root certificate may persist indefinitely on numerous systems.
Demand: Bare-Metal PCs
If there's one upside to the Superfish spyware saga, it's the potential for consumer outrage to make PC manufacturers rethink their "bloatware"-bundling ways. "Longer term, I believe manufacturers should be obliged to offer the option of buying all PCs as a bare-metal option, i.e. with no operating system pre-installed," Trend Micro's Ferguson says. "Not only would this reduce cost to the user, it would also increase freedom of choice of operating system and hand full control back to the owner of the device."
In the Android smartphone and tablet ecosystem, for example, Google does this via its Nexus devices. All other major OEMs, however, "skin" their devices and install a customized version of Android.
But Lenovo has dismissed that possibility. "In general, we get pretty good feedback from users on what software we pre-install on computers," Lenovo CTO Hortensius tells The Wall Street Journal. "What we're going to do in the next few weeks is dig deeper, and work with users, industry experts and others to see how we can improve what we do around software that comes installed on consumers' computers. The outcome could be a clearer description of what software is on a user's machine, and why it's there."