Lenovo Caught Preinstalling Adware on Laptops
PC maker Lenovo has come under fire for reportedly bundling its laptops with security-compromising adware. According to Lenovo users and security researchers, the preinstalled software, known as Superfish, injects third-party ads into Google search results and other websites without the user knowing.
To inject ads, Superfish performs a man-in-the-middle attack: it installs a self-generated root certificate into the Windows certificate store and then re-signs every SSL certificate it proxies with that root. Worse still, Superfish installs the exact same root certificate, backed by the same weak RSA key, on every affected Lenovo PC instead of generating a unique certificate for each device.
Users have reported Superfish being preloaded on Lenovo laptops since mid-2014, though the news only recently received media attention. Since then, security researchers like Kenn White have analyzed the adware and seen just how problematic it is.
Superfish issues its own proxy certificates for websites and hijacks HTTPS traffic to inject ads. Furthermore, since the same private key backs the root certificate on every affected machine, cracking that one key would allow an attacker to create a malicious certificate that all affected Lenovo machines would trust. In fact, researchers have already cracked the private key. With a rogue certificate, an attacker could easily masquerade as a secure site like Bank of America, and the Lenovo machine would have no way to detect the forgery.
Lenovo has responded to its criticism in the style of a classic non-apology. According to Lenovo, Superfish was installed on some computers to “help customers potentially discover interesting products while shopping.” However, since user feedback was “not positive,” Lenovo ended the partnership with Superfish in January. Interestingly, Lenovo claims,
We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns,
despite the overwhelming evidence to the contrary presented above.
Lenovo stated that Superfish was installed on laptops shipped between October and December 2014. If you own an infected Lenovo laptop, simply uninstalling Superfish doesn’t actually remove the troublesome certificate; that has to be removed manually. Most (if not all) PC manufacturers bundle bloatware with new computers, something Windows users have grown accustomed to. However, preloading security-compromising adware is an entirely different story. The best way to avoid OEM crapware altogether is to do a clean reinstall of Windows when you first buy your PC, build your own PC, or buy a Mac.
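Because uninstalling the program leaves the root certificate behind, the practical check is to look for it in the Windows trusted-root stores directly. The following PowerShell script is an added example, not code from the article or from Lenovo; it assumes PowerShell 3.0 or later, an elevated prompt for the LocalMachine store, and that the offending root's subject name contains the string "Superfish" (the adware's name as given above).

```powershell
# Added example (not from the article): find, and optionally remove, a
# Superfish root certificate from the Windows trusted-root stores.
# Assumes PowerShell 3.0+ and an elevated prompt for the LocalMachine store.
param(
    [switch]$Remove
)

# The article says the shared root lands in the Windows certificate store;
# both the machine-wide and per-user trusted-root stores are checked here.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        # Assumption: the subject of the injected root names "Superfish".
        Where-Object { $_.Subject -match 'Superfish' } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Path       = $_.PSPath
            }
        }
}

if (-not $found) {
    Write-Output 'No Superfish root certificate found in the trusted-root stores.'
    return
}

# Report what was found so the thumbprint can be recorded before removal.
$found | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        # Deleting the root is what actually revokes trust; uninstalling the
        # Superfish program alone leaves the certificate in place.
        Remove-Item -Path $cert.Path -Verbose
    }
} else {
    Write-Output 'Re-run with -Remove to delete the certificate(s) listed above.'
}
```

Run it once without -Remove to see what is installed, then with -Remove from an elevated prompt; browsers that keep their own certificate store are not covered by this check.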