Lenovo's Pre-Installed Adware Poses Severe Security Risk

Lenovo's pre-installed Superfish ad software leaves affected computers open to man-in-the-middle attacks on secure Web traffic.

Lenovo has been shipping laptops bearing pre-installed adware. But there appears to be much more at stake than just pop-ups.

The software, known as Superfish, adds third-party advertisements to Google results and other sites.

Lenovo forum users first spotted the adware in September of last year.

That's shady enough, says The Next Web, "but it's emerged over the last few hours that the very same software self-installs a highly privileged security certificate that could allow the software — or other malicious attackers — to snoop on secure connections."

Secure Internet communication uses certificates, which websites present to your Web browser as proof they are who they say they are.

Superfish creates its own certificate, which it presents in place of the site's actual certificate so it can add its advertisements into the traffic. It's effectively intercepting secure communications, a tactic known as a man-in-the-middle attack.

"By creating its own SSL certificates, Superfish is able to perform its advertising tasks even on secure connections, injecting ads and reading data from pages that should be private."

Anyone could use these certificates to create fake sites, and a web browser compromised by Superfish won't suspect anything's wrong.

Worse, writes Ars Technica, "the private encryption key accompanying the Superfish-signed Transport Layer Security certificate appears to be the same for every Lenovo machine," meaning anyone who hacks into one could theoretically access them all.
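As an added illustration (not part of the original article or any vendor's tooling): because the same root certificate, and so the same key pair, sits on every affected machine, a fleet audit can look for an unapproved trusted root whose fingerprint repeats across hosts. The host names, subjects, byte strings standing in for DER certificates and the approved baseline below are all constructed.

```python
import hashlib
from collections import defaultdict

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's DER encoding."""
    return hashlib.sha256(der).hexdigest()

def audit_roots(inventory, approved):
    """Return unapproved trusted roots, most widely installed first.

    inventory: {host: [(subject, der_bytes), ...]} from each host's root store.
    approved:  set of fingerprints the organisation expects to be trusted.
    """
    seen = defaultdict(lambda: {"subject": None, "hosts": set()})
    for host, roots in inventory.items():
        for subject, der in roots:
            fp = fingerprint(der)
            if fp not in approved:
                seen[fp]["subject"] = subject
                seen[fp]["hosts"].add(host)
    findings = [
        {"fingerprint": fp, "subject": info["subject"],
         "hosts": sorted(info["hosts"]),
         # Same certificate on several hosts means one shared key pair:
         # extracting the private key once exposes every one of those hosts.
         "shared": len(info["hosts"]) > 1}
        for fp, info in seen.items()
    ]
    return sorted(findings, key=lambda f: (-len(f["hosts"]), f["fingerprint"]))

# Constructed sample data: byte strings stand in for real DER certificates.
PUBLIC_ROOT = b"constructed-public-root"
ADWARE_ROOT = b"constructed-preinstalled-adware-root"
PROXY_ROOT = b"constructed-per-host-proxy-root"
SAMPLE_INVENTORY = {
    "laptop-01": [("Example Public CA", PUBLIC_ROOT), ("Adware Root", ADWARE_ROOT)],
    "laptop-02": [("Example Public CA", PUBLIC_ROOT), ("Adware Root", ADWARE_ROOT)],
    "laptop-03": [("Example Public CA", PUBLIC_ROOT), ("Per-host Proxy Root", PROXY_ROOT)],
}
APPROVED = {fingerprint(PUBLIC_ROOT)}

if __name__ == "__main__":
    for f in audit_roots(SAMPLE_INVENTORY, APPROVED):
        tag = "SHARED KEY" if f["shared"] else "single host"
        print(f'{f["subject"]}: {", ".join(f["hosts"])} [{tag}]')
```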

Security researchers and Internet activists are concerned, to say the least.

As of last month, Lenovo told users it was pushing Superfish to update its software and tone down the aggressive advertisement injection.

At time of writing, the company had not publicly addressed the security issue inherent in Superfish's certificates, though it told the BBC's Rory Cellan-Jones it was "thoroughly investigating all and any new concerns."

This video includes images from Getty Images and Edward Boatman / CC BY 3.0.
