Lenovo's Pre-Installed Adware Poses Severe Security Risk

Lenovo's pre-installed Superfish ad software leaves affected computers open to man-in-the-middle attacks on secure Web traffic.

Lenovo's Pre-Installed Adware Poses Severe Security Risk
Getty Images / Joe Raedle
SMS

Lenovo has been shipping laptops bearing pre-installed adware. But there appears to be much more at stake than just pop-ups.

The software, known as Superfish, adds third-party advertisements to Google results and other sites.

Lenovo forum users first spotted the adware in September of last year.

That's shady enough, says The Next Web, "but it's emerged over the last few hours that the very same software self-installs a highly privileged security certificate that could allow the software — or other malicious attackers — to snoop on secure connections."

Secure Internet communication uses certificates, which websites present to your Web browser as proof they are who they say they are.

Superfish creates its own certificate, which overwrites the site's actual certificate and lets it add its advertisements into the traffic. It's effectively intercepting secure communications, a tactic known as a man-in-the-middle attack.

"By creating its own SSL certificates, Superfish is able to perform its advertising tasks even on secure connections, injecting ads and reading data from pages that should be private."

Anyone could use these certificates to create fake sites with them, and a web browser compromised by Superfish won’t suspect anything’s wrong.

Worse, writes Ars Technica, "the private encryption key accompanying the Superfish-signed Transport Layer Security certificate appears to be the same for every Lenovo machine," meaning anyone who hacks into one could theoretically access them all.

Security researchers and Internet activists are concerned, to say the least.

As of last month, Lenovo told users it was pushing Superfish to update its software and tone down the aggressive advertisement injection.

At time of writing, the company had not publicly addressed the security issue inherent in Superfish's certificates, though it told the BBC's Rory Cellan-Jones it was "thoroughly investigating all and any new concerns."

This video includes images from Getty Images and Edward Boatman / CC BY 3.0.