Lenovo, SuperFish and Security
by Ian Cutress on February 19, 2015 6:55 PM EST
For the many of us that have purchased a laptop, we are somewhat used to the amount of bloatware that comes pre-installed. Most of this relates to company-specific software, or free trials for office applications or anti-virus software. I would imagine that the more technologically savvy users uninstall some of this bloat for themselves and their family and friends, but it does give an opportunity for the manufacturer to install what they want before the device gets shipped.
Here at AnandTech we receive laptops on a regular basis for review, and where we can we tend to ask for retail units so we can analyze the hardware without fear of getting a ‘review-focused’ sample. The same thing goes for motherboards, SSDs, and graphics cards, which also come with their own software but the user has to specifically install everything. With a laptop, smartphone, tablet, workstation, or notebook, it all comes pre-prepared for the user to plug and play. The demand to remove the bloatware has led to smartphones and tablets being offered with pure stock versions but also carrier customized ones, and some users get the choice of both.
A topic that has been in the news today, and whose symptoms date back a little further, concerns Lenovo laptops and notebooks. The software in question is called SuperFish and comes as a browser add-on, which Lenovo calls a ‘Visual Discover’ program: it detects when a website has advertising and replaces it with targeted images based on what the user is looking at, so that the user can make informed choices at potentially lower prices. This comes with a variety of issues.
First, it replaces the advertisement(s) on the website, which offers the website a form of income (such as AnandTech and other advertiser driven models). The new advertisement redirects the link to a server that may benefit Lenovo, distorting the ad views for that particular website and shifting income back to the laptop manufacturer.
Second, SuperFish is actively scanning the websites that people look at, resulting in privacy issues. Lenovo has stated that this software analyzes images in an algorithmic pattern (presumably similar to Google Goggles) rather than tracking the behavior of the user, but without access to the code most users will still not trust the software. After consistent issues regarding security and tracking in the media recently, especially with certain ‘Smart TVs’, it is understandable how users are concerned over devices that do not respect their privacy.
Third, the best explanation for SuperFish is that it is adware. Malware and adware have been a common threat of this century when it comes to web browsing, where software places unwanted advertisements in the eye-line of the user to generate revenue. If we take that definition then SuperFish falls under that category, no matter how it is dressed up.
The fourth issue (and arguably the most severe) revolves around security. This is twofold – the SuperFish software intercepts any HTTPS-encrypted webpage that has advertisements when it replaces them with its own, creating a mix of secure and insecure content. This allows other software to come in and potentially inject its own attack, stealing sensitive information. The second security issue is that SuperFish issues its own SSL certificates for a large number of common sites, with far weaker security than is normally required, for example by banks, as in the example that is circulating the internet:
This essentially amounts to a fake root certificate, necessary for SuperFish to intercept HTTPS connections to do its image analysis, but in the process giving SuperFish access to any information passed via HTTPS. Any and all alarm bells should be ringing in everyone’s ears at this point, as this means the SuperFish software has the means to see bank information, personal information, and any other sensitive information. These certificates are accepted because Lenovo has pre-installed the SuperFish root certificate on the PC as a trusted authority, essentially creating a 'self-signing authority'.
But most damaging of all is the potential for these certificates to be used by malicious third parties. As it turns out, these certificates appear to be signed using SHA-1, which is insecure and can be overcome with the right software and ordinary computing hardware. The 1024-bit RSA key has also been cracked: the private key is bundled with the software in order to sign certificates on the fly, and researchers have already recovered the key and its password with relatively little effort, exacerbating the scale of the situation. As this is easily repeatable, it would allow an attacker to use the same password/key combination to sign their own fake SSL certificates against the SuperFish root certificate, in essence allowing anyone with network control to execute a man-in-the-middle attack on any Lenovo system with the SuperFish root certificate installed.
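As an added example (not code from the article, from Lenovo, or from the detector linked below), here is a PowerShell function that looks for such a root certificate in the Windows certificate stores and reports the weak properties described above, optionally removing the trust anchor. The store paths and the `Superfish` name match are assumptions; the script is written for Windows PowerShell 5.1.

```powershell
# Added example, not Lenovo's or the article's code. Scan the Windows
# certificate stores for a CA whose Subject or Issuer matches $NamePattern
# and report what the article calls out: SHA-1 signature, 1024-bit RSA key,
# self-signed root. Assumes Windows PowerShell 5.1; removing from the
# LocalMachine stores requires an elevated prompt.
function Find-SuspectRootCA {
    [CmdletBinding()]
    param(
        # 'Superfish' is the vendor name from the article; matching on it
        # is an assumption, not a documented indicator.
        [string]$NamePattern = 'Superfish',
        [string[]]$StorePath = @('Cert:\LocalMachine\Root',
                                 'Cert:\CurrentUser\Root',
                                 'Cert:\LocalMachine\CA',
                                 'Cert:\CurrentUser\CA'),
        [switch]$Remove
    )
    foreach ($path in $StorePath) {
        if (-not (Test-Path $path)) { continue }
        Get-ChildItem -Path $path | Where-Object {
            $_.Subject -match $NamePattern -or $_.Issuer -match $NamePattern
        } | ForEach-Object {
            $cert = $_
            # RSA key size via .NET; 0 if the provider will not expose it
            $keySize = 0
            try { $keySize = $cert.PublicKey.Key.KeySize } catch { }
            $sigAlg = $cert.SignatureAlgorithm.FriendlyName
            $weak = @()
            if ($sigAlg -match 'sha1') { $weak += 'SHA-1 signature' }
            if ($keySize -gt 0 -and $keySize -lt 2048) { $weak += "$keySize-bit key" }
            if ($cert.Subject -eq $cert.Issuer) { $weak += 'self-signed root' }
            [pscustomobject]@{
                Store      = $path
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                Signature  = $sigAlg
                KeySize    = $keySize
                NotAfter   = $cert.NotAfter
                Weaknesses = ($weak -join '; ')
            }
            if ($Remove) {
                # Deleting the root is what defeats the MITM: without the
                # trust anchor, leaves signed with the leaked key are rejected.
                Remove-Item -LiteralPath $cert.PSPath -Verbose
            }
        }
    }
}

# Report only; add -Remove (from an elevated prompt) to delete what it finds.
Find-SuspectRootCA | Format-Table -AutoSize
```

This only covers the Windows stores; Firefox keeps its own certificate database, which is why the removal instructions linked below also cover individual browsers.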
The reason this situation has come to the forefront today is due to a tweet on Wednesday by the co-director of the Open Crypto Audit Project and a single forum post by a Lenovo employee, describing how SuperFish works:
Despite whatever good intentions Lenovo had behind the software, the implementation as well as the execution leave a lot to be desired, especially in a climate where security and privacy are key factors with their main user demographic. I doubt that any such software would ever be considered viable in this digital age, unless it was forced upon a user at a work machine to only ever be used for that purpose. But for home users, this post waves a black flag followed by a red one – the race is being stopped and you are being disqualified.
There are two elements to this story from Lenovo. Perhaps understandably, the forum post mentions that SuperFish is currently disabled on Lenovo’s end. However, the software is still present on the user machines and most importantly the weak root certificate is still installed.
The next is an official response from Lenovo on SuperFish, which you can read here. A brief summary is included here:
- SuperFish was previously included in some consumer notebooks shipped between September and December 2014.
- User Feedback was not positive.
- SuperFish has been disabled server-side since January.
- Lenovo stopped preloading the software in January.
- Lenovo will not preload this software in the future.
- Lenovo is providing support on its forums for any user with concerns. If users still wish to take further action, detailed information is available here.
As noted, the response from the community about SuperFish has been negative. Marc Rogers writes a particularly scathing post about the situation, and mainstream media such as the BBC is actively picking up on the issue. Over 30 models are affected by this software, all of which are noted in the official Lenovo response, and details are provided on how to remove the software. If you think you are affected, @FiloSottile is hosting a SuperFish detector at https://filippo.io/Badfish/. There are also extra instructions to remove malicious certificates from a system at the bottom of the page here.
Lenovo has stated that new units are no longer preloaded with SuperFish. However, there are most likely units still in the supply chain from before January that have the software. Lenovo is issuing an update to SuperFish to disable itself if the user accepts the user agreement on first use.
The end result is that this comes at the expense of Lenovo’s reputation. As a brand that has made it into most of the largest markets around the world, there’s an element of trust that takes years to build and a single action to erode. I suspect there will be some calls for investigations or forms of compensation, and at this point it is difficult to estimate if any legal action will be sought or anything illegal can be proven due to compromised systems. Lenovo at this time is treading carefully, only providing an official statement on the issue despite the initial furor caused over a single forum post that has now been viewed over 100,000 times.
I’m sitting at my work desk with a Core-M based Yoga 3 Pro and fortunately it is not one of the models affected. Loading up a detection website confirms this. Normally on AnandTech our testing is directed mostly at the hardware, the performance and the design choices made, but rarely the politics. It is a difficult subject for a website like AnandTech to tackle, and given the amount of information around, it is important to stick to the facts here. There has already been a backlash over social media about SuperFish, and Lenovo has acted quickly. Some users will be expecting an apology, rather than the attempted justification, and we will have to see how this situation develops. I can imagine Lenovo not stating anything except through official channels for a while. They will be presenting and have a booth at Mobile World Congress in March, so we may (or may not) see any development then.
Sources: Lenovo, Marc Rogers, Errata Security, @FiloSottile
Update 2/20: It is now being reported that Windows Defender is taking a grim view of SuperFish and knocking it out of the frying pan and into the fire. Anyone for baked cod? Defender will now remove SuperFish as well as the installed certificate authority and the certificates still on the system. @FiloSottile has screenshots showing Defender in action:
Update 2/23: Lenovo has now launched its own tool for removing SuperFish and all certificates for major browsers. Also available is the source code for the software, and manual instructions for users who do not wish to install the tool. It can all be found here.
42 Comments
MonkeyPaw - Thursday, February 19, 2015 - link
So maybe this should have been called SuperPhish?
Mondozai - Friday, February 20, 2015 - link
Even if Lenovo backtracks, the question that will linger is: why did you even do this in the first place? The only reason they are backtracking is because they got caught. If they haven't gotten caught doing this by consumers, they wouldn't have backtracked. It makes you wonder what their next step will be.
Trust has been destroyed and it will take years to rebuild. I got myself an Apple rMBP 13" last year. I'm guessing it'll last me at least 3 years. If I was ever going to go back to Windows, it'd probably be Dell at this stage.
Antronman - Tuesday, February 24, 2015 - link
The real question is: If today's consumers are so tech-savvy, how is Apple selling any Macbooks and iMacs?
Dell has always been the way to go. Reliable construction, decent customer service (there's no such thing as good customer service in the tech world), and fairly cheap prices compared to other OEMs.
Michael Bay - Thursday, February 26, 2015 - link
Apple does not sell devices per se, Apple sells feeling of belonging, and does so really damn good.
Historically, professionals in video editing chose Apple mainly out of inertia, but that time has passed.
WorldWithoutMadness - Thursday, February 19, 2015 - link
Lenovo. For those who do (love to get robbed).
Maybe OEM should just sell stock OS instead of their useless bloatware, most of the time they don't know what they're making anyways.
willis936 - Friday, February 20, 2015 - link
"Hey boss man you can make a million dollars by putting shitware on this laptop and only lose $300,000 in sales from upset customers." What do you think boss man will do?
WaltFrench - Thursday, February 19, 2015 - link
@Ian wrote, “Despite whatever good intentions Lenovo had behind the software…”
Let's be REALLY clear here: the purpose of Superfish adware was to supersede the ads that finance many indie websites, including this site, it'd seem. Lenovo was undercutting the financial viability of sites that depend on either impressions (seems some ads were replaced?) and/or clicks (which would be lessened by having ads in front of, blocking existing ads).
The result is to harm the finances of sites that Lenovo users find most useful.
The privacy angle is pretty serious, too: when Superfish tells ITS ad servers to bring up an ad for guns, drug paraphernalia, security systems or … heck, home pregnancy tests, your profile is going back to the Lenovo partner. Given how sloppy the security angle is (an easily-cracked certificate password, opening all users to MITM attacks using the same certificate number as on EVERY Lenovo machine), there's no reason to think your personal details aren't getting abused, exposed to criminals or snoops.
And of course, the utterly unthinking indifference to user security that was evident.
The only good intention Lenovo had was to make a few bucks by cutting corners on its users' productivity, privacy and security. Dunno how they thought that would work out, so it was just low-grade money-grubbing that'll make any careful person look gimlet-eyed at every other product from them.
eanazag - Thursday, February 19, 2015 - link
There's a reason why they did not target any of their business computer lines. It is because it is totally shady. There is no justification for this software to be installed except to take advantage of users who don't know any better. This is simply theft of advertising money. There is a responsibility for a company to know what is being added to their products. It is easy to wipe and install Windows from an MS derived disc, and is how I always have treated PCs I have bought. I simply can't trust their non-PC mobile devices, because it is generally not as simple.
This is a Chinese company selling machines with security exploits and even naming appropriately like malware.
I'd expect the EU to jump all over this because they do what's best for their citizens even if they really do it to make the most of every opportunity rob companies of the earnings and deposit into coffers.
I wholly expect the US government to ignore it totally because our politicians just take the money direct into their pockets to turn the other way.
Just means we need more vigilance. It was inevitable that a company would take advantage of how numb people are to usage agreements. No one reads them and basically clears the company of liability for users who don't read what they agree to.
adamrussell - Thursday, February 19, 2015 - link
http://arstechnica.com/security/2015/02/how-to-rem...
How to remove.
Well written and easy enough.
Not that I had it, but I went through the procedure just in case.
TheLight - Thursday, February 19, 2015 - link
I wrote a quick powershell script to help search for the superfish certificate across a windows domain. Hope it helps people track this down quickly.
http://www.theendofthetunnel.org/2015/02/19/search...