
Lenovo’s Superfish Casts Light on Security Concerns About Pre-Installed Software

Nina Lukina



A controversy brewed on the internet this week when security researchers found that Lenovo had been shipping laptops with a pre-installed app called Superfish, criticized as annoying, intrusive adware by users, and as a major security vulnerability by experts. Lenovo has announced in response that it will stop adding Superfish to its laptops and will provide a tool for its removal to the public.

Discontent with Lenovo’s out-of-the-box laptops and their preinstalled adware had been building on forums for a few months. Laptop owners were finding what were clearly ads lurking among search results in their browsers. More worrying, some were concerned that Superfish was actually revealing users’ browsing history to third parties.

In response, Lenovo issued a statement on February 18:

The technology instantly analyzes images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine.

It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. When using Superfish for the first time, the user is presented the Terms of User and Privacy Policy, and has option not to accept these terms, i.e., Superfish is then disabled.

The uproar about Superfish peaked when security experts found that the app makes it easier for these machines to be hacked. Superfish works by injecting itself into web browser traffic and, more critically, into encrypted (“HTTPS”) traffic via a self-signed certificate. If an attacker were to compromise the self-signed certificate’s keys, she could eavesdrop on other Superfish users on public networks. As the outcry continued, Lenovo announced that it will be doing away with the app altogether.

Although laptops from most manufacturers frequently come with pre-installed programs that users and IT departments don’t want, adding adware seems to have crossed a line. Adware typically makes its way onto computers when free software, applications, or plug-ins are installed, to the annoyance of users everywhere. Factory-installed nefarious programs, however, are something new and, unfortunately, something we may be seeing more often. For this reason, Kraft Kennedy always recommends our clients replace the manufacturer’s installation of Windows with an enterprise version of the Windows operating system. This will ensure that only firm-approved applications and certificates are included in the image.
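The recommendation above implies a check that can be run on any machine: compare its trusted root certificate store with the firm's approved list. The PowerShell script below is an added example, not code from the original article; the baseline file name approved-roots.txt and the function name Get-UnapprovedRoot are assumptions.

```powershell
# Added example, not from the original article.
# Assumption: approved-roots.txt (hypothetical name) holds one certificate
# thumbprint per line, exported from a clean enterprise image with:
#   (Get-ChildItem Cert:\LocalMachine\Root).Thumbprint | Set-Content approved-roots.txt
param(
    [string]$BaselinePath = '.\approved-roots.txt'
)

function Get-UnapprovedRoot {
    param(
        [Parameter(Mandatory)] [string[]]$ApprovedThumbprint,
        [string[]]$Store = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )

    # Normalise the baseline: strip spaces and colons, compare case-insensitively.
    $approved = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($entry in $ApprovedThumbprint) {
        $clean = $entry -replace '[^0-9A-Fa-f]', ''
        if ($clean) { [void]$approved.Add($clean) }
    }

    # Report every trusted root whose thumbprint is missing from the baseline.
    foreach ($path in $Store) {
        Get-ChildItem -Path $path |
            Where-Object { -not $approved.Contains($_.Thumbprint) } |
            Select-Object @{ Name = 'Store'; Expression = { $path } },
                          Thumbprint, Subject, NotBefore, NotAfter,
                          HasPrivateKey   # a root whose key is on the endpoint merits review
    }
}

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    throw "Baseline file not found: $BaselinePath"
}
# Drop blank lines so an empty entry cannot reach the mandatory parameter.
$baseline = @(Get-Content -LiteralPath $BaselinePath | Where-Object { $_.Trim() })
if ($baseline.Count -eq 0) { throw "Baseline file is empty: $BaselinePath" }

$findings = @(Get-UnapprovedRoot -ApprovedThumbprint $baseline)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Warning "$($findings.Count) trusted root(s) are not in the approved baseline."
    exit 1
}
Write-Output 'All trusted roots match the approved baseline.'
```

The non-zero exit code lets the script serve as a compliance check in an imaging or endpoint-management pipeline.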

Programs such as Superfish that come pre-installed and embedded into computers can be attractive targets for hackers, and are sometimes even placed there by the hacking parties themselves, according to a recent New York Times article:

In the past, security experts have warned about “the race to the bare metal” of a machine. As security around software has increased, criminals have looked for ways to infect the actual hardware of the machine. Firmware is about the closest to the bare metal you can get — a coveted position that allows the attacker not only to hide from antivirus products but also to reinfect a machine even if its hard drive is wiped.

Future installations of Superfish seem to have been effectively blocked by public criticism, which may also have the effect of casting light on the presence of such apps hiding in areas of computers that are not easily detected by consumers.