Superfish Adware: Should We Send Lenovo To The Naughty Step?

It has been reported that Lenovo laptops have been coming pre-installed with Superfish, software that injects third-party ads onto Google searches and websites without the user’s permission. This has raised clear trust and privacy issues, as well as major security concerns.

As you might imagine, it’s got Lenovo customers worried and outraged in equal measure. So what exactly should we make of this news? Here’s what security specialists have been saying:

Roy Tobin, threat researcher at Webroot

“Some manufacturers give the option of not having these installed, however, you have to know about such software before you can opt out. Whatever the decision around how ethical it is to do this, the increased awareness will at least give consumers the knowledge they need to opt out or uninstall such programs. Hopefully, this story will be a wake-up call for consumers. Whether it’s unwanted adware from the manufacturer or hackers using malicious apps, they need to take precautions to know who is watching them on their own device.”

Simon Crosby, co-founder and CTO, Bromium

“It is high time for PC OEMs to accept that adware and other junk software installed in consumer devices is precisely the opposite of what their customers want, and that delivering a secure, non-intrusive, high-quality product is valued by consumers. The Microsoft Surface Pro 3 is perhaps the antidote to the foolish behaviour of PC vendors. It delivers the best that Microsoft offers, with no hidden scams.”

TK Keanini, CTO, Lancope

“I’m happy to see consumers pushing back and demanding greater security out of the box. Unless the market steps up and asks for more secure systems, vendors will keep doing silly and sometimes irresponsible things.

“I remember purchasing a laptop for my daughter a few years back and the retailer wanted me to pay extra to remove all the adware and ‘extras’ from the unit. This is not right. Pay extra so that I can get rid of all the advertising software and programs that slow my experience down? It is like buying a car and paying extra to remove the ads painted on the side of the vehicle.”

Chris Wysopal, co-founder, CISO and CTO at Veracode

“More and more internet providers, such as Google and Yahoo, are moving to encrypted web sessions as users demand privacy for what they view on the web. These secure connections become opaque to software that wants to intercept and inject content into the user’s session, such as adware. The Lenovo Superfish bundled software seems to be using a technology from Komodia called SSL Digester that installs its own SSL certificate and uses it to perform a Man-In-The-Middle (MITM) attack between the content provider and the user’s browser without alerting the user.

“Security researchers have already extracted and decrypted the certificate used, which enables them to also perform MITM attacks on users with the Lenovo Superfish software installed. Using this certificate and readily available attack tools, attackers could intercept secure banking, email, and ecommerce sessions or inject malware while victims use public WiFi. All Lenovo users should be checking to see if they have this software installed and remove it now. A test site for checking if you are affected is available here.”
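The check Wysopal recommends can be done locally on the affected machine rather than through a test site. The PowerShell script below is an added example written for this article, not code from Lenovo, Superfish or any of the people quoted. It assumes only that the injected root certificate carries the string “Superfish” in its Subject or Issuer field (the certificate the researchers extracted is issued by “Superfish, Inc.”), and that the standard Windows trust stores are where an installed root CA would land. The store paths and the optional -Remove switch are the script’s own design, not anything the article specifies.

```powershell
# Added example: look for a Superfish root certificate in the Windows trust stores
# and, only when asked, remove it. Run from an elevated PowerShell prompt so that
# the LocalMachine stores are readable and writable.
param(
    [switch]$Remove   # assumption: opt-in removal; default is report only
)

# Assumption: a bundled CA would be placed in one of the standard trusted root stores.
$storePaths = @(
    'Cert:\LocalMachine\Root',
    'Cert:\CurrentUser\Root',
    'Cert:\LocalMachine\AuthRoot',
    'Cert:\CurrentUser\AuthRoot'
)

# Collect every certificate whose Subject or Issuer mentions Superfish,
# remembering which store it came from so it can be removed precisely.
$suspects = foreach ($path in $storePaths) {
    Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match 'Superfish' -or $_.Issuer -match 'Superfish' } |
        Select-Object @{ n = 'Store'; e = { $path } },
                      Subject, Issuer, Thumbprint, NotBefore, NotAfter
}

if (-not $suspects) {
    Write-Output 'No trusted root certificate referencing Superfish was found.'
    return
}

Write-Output 'Trusted root certificate(s) referencing Superfish:'
$suspects | Format-List

# A self-signed root that the browser trusts lets its holder forge any HTTPS site;
# the researchers have the private key, so the cert must go, not just the adware.
if ($Remove) {
    foreach ($s in $suspects) {
        $certPath = Join-Path -Path $s.Store -ChildPath $s.Thumbprint
        Remove-Item -Path $certPath -Force
        Write-Output "Removed $certPath"
    }
} else {
    Write-Output 'Re-run with -Remove (after uninstalling the Superfish software itself) to delete these certificates.'
}
```

Two caveats for anyone running this: uninstall the Superfish application before removing the certificate, otherwise a still-running component can simply reinstall it; and Firefox keeps its own certificate database rather than using the Windows stores, so a clean result here says nothing about Firefox’s trust list, which has to be inspected separately in its certificate manager.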

Adam Winn, manager, OPSWAT

“While the intentions may not be malicious, the implementation certainly is. Superfish is more than just adware – it’s a man-in-the-middle attack masquerading as adware. In the age of nearly constant security-related headlines, it’s shocking that Lenovo would preinstall software that breaks the SSL trust chain in such a fundamental way. This is reminiscent of the Sony BMG rootkit from 2005, but more disturbing because it goes to the heart of privacy concerns and the fundamental trust that consumers place in SSL-protected websites.

“Lenovo has a dedicated following of IT professionals, as evidenced by the ubiquity of Thinkpads in enterprise, so there’s no doubt that this incident will come with a heavy hit to Lenovo’s bottom line. No IT administrator will tolerate a MITM attack on company owned or even BYOD assets.”

Ken Westin, senior security analyst at Tripwire

“It will be interesting to see what effect this has on Lenovo’s sales and brand reputation. With increasingly security- and privacy-conscious buyers, laptop and mobile phone manufacturers may well be doing themselves a disservice by seeking outdated advertising-based monetization strategies. If the findings are true and Lenovo is installing their own self-signed certificates, they have not only betrayed their customers’ trust, but also put them at increased risk.”


Duncan Macrae

Duncan MacRae is former editor and now a contributor to TechWeekEurope. He previously edited Computer Business Review's print/digital magazines and CBR Online, as well as Arabian Computer News in the UAE.
