The Great Superfishing Expedition of 2015

In a move that will probably end up in the top ten technology blunders of the year, Lenovo decided, starting in September 2014, to pre-install Superfish VisualDiscovery software on some of their PCs. (Fortunately for most of the readers of this blog, it appears that it was primarily the consumer products that were affected, not the business products.) The “visual search” concept behind Superfish is interesting – the intent is that a user could hover over a picture in their browser, and Superfish would pop up links to shopping sites that sell the item in the picture. I could see where that would be some pretty cool functionality…if the user wanted that functionality, if the user intentionally installed the software, and if the user could easily turn the functionality on and off as desired. But that’s not what happened – and here’s why it’s a big problem.

In order to perform this function when a user has an SSL-encrypted connection to a Web site, Superfish has to insert itself into the middle of that encrypted connection. It terminates the site's encrypted session itself, decrypts the page so it can read and modify it, and then opens a second encrypted session to the browser using a certificate it mints on the fly in that site's name. Security geeks have a term for this: it's called a "man-in-the-middle attack," and it's not something you want to willingly allow on your PC. For the browser to accept those on-the-fly certificates without complaint, Superfish installs its own self-signed root certificate in the PC's trusted root store. That gives Superfish the same level of trust as, say, the VeriSign trusted root certificate that Microsoft bakes into your Operating System so you can safely interact with all the Web sites out there that have VeriSign certificates on them, for example your banking institution, as most financial institutions I've seen use VeriSign certificates on their Web banking sites. The padlock in the browser still shows up, but the certificate behind it was issued by Superfish, not by your bank's certificate authority. (Are you frightened yet?)

But that's not all. Superfish installs the same root certificate, with the same private key, on every PC that it gets installed on. And it turns out that it's not technically difficult to recover that private key (the key used to sign certificates) from the Superfish software. That means that an attacker who has the key can generate an SSL certificate for any Web site, and it will be trusted by every system that has the Superfish software installed: the browser sees a certificate chain ending in a root it trusts and shows the padlock as usual. In other words, anyone who can get between you and your bank, on a coffee-shop Wi-Fi network for example, or who can lure you to a Web site that impersonates your bank or a favorite shopping site, can present a certificate in that site's name and you would get no security warning from your browser. You try to authenticate, and now the bad guys have your user credentials. (How about now?)
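To make that concrete, here is an added example (not code from the blog, from Lenovo or from Superfish) that walks through the forgery described above using nothing but Go's standard library. It builds a stand-in interception root called "Example Interception Root" (a made-up name; the real Superfish root is not reproduced here), issues a certificate for the placeholder hostname www.bank.example with the root's private key, and then asks the same question a browser asks: does this certificate chain to a root in my trust store? The answer is yes on a PC that has the root installed and no on a clean one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MakeRoot builds a self-signed CA certificate and returns it with its private
// key. It stands in for the Superfish root: one certificate shared by every
// affected PC, whose private key could be pulled out of the software.
// "Example Interception Root" is a made-up name for this example.
func MakeRoot() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Interception Root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ForgeLeaf does what anyone holding the root's private key can do: mint a
// server certificate for any hostname, signed by that root.
func ForgeLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // browsers match the hostname against the SAN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Trusted is the browser's check: does leaf chain to a root in the given trust
// store, and is it valid for host?
func Trusted(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// Demo forges a certificate for host and checks it against two trust stores:
// one containing the interception root (an affected PC) and one that does not
// (a clean PC, modelled as an empty pool so system roots stay out of the picture).
func Demo(host string) (affectedPC, cleanPC bool, err error) {
	root, rootKey, err := MakeRoot()
	if err != nil {
		return false, false, err
	}
	leaf, err := ForgeLeaf(root, rootKey, host)
	if err != nil {
		return false, false, err
	}
	withRoot := x509.NewCertPool()
	withRoot.AddCert(root)
	withoutRoot := x509.NewCertPool()
	return Trusted(leaf, withRoot, host), Trusted(leaf, withoutRoot, host), nil
}

func main() {
	affected, clean, err := Demo("www.bank.example") // placeholder hostname
	if err != nil {
		panic(err)
	}
	fmt.Printf("forged certificate accepted on affected PC: %v\n", affected)
	fmt.Printf("forged certificate accepted on clean PC:    %v\n", clean)
}
```

Nothing in the forged certificate is "wrong" from the browser's point of view: the hostname matches, the dates are valid, and the signature checks out against a root the PC was told to trust. That is why no warning appears, and why the only real fix is to get the root out of the trust store.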

Hopefully, you're at least frightened enough to check whether your system was one of the ones that Lenovo shipped with Superfish pre-installed. You can find that list at http://news.lenovo.com/article_display.cfm?article_id=1929. Again, it appears that the majority of the Lenovo systems on the list were consumer models, not business models. You can also look for the certificate directly on the PC: open certmgr.msc, expand Trusted Root Certification Authorities and then Certificates, and look for an entry issued to "Superfish, Inc." If you are one of the unlucky ones, you can find an uninstall tool at http://support.lenovo.com/us/en/product_security/superfish_uninstall [Note: This link appears to no longer be active.]

You should also note that security experts are divided as to whether simply running uninstall tools and deleting the root certificate are sufficient. Uninstalling removes the software that does the interception, and deleting the root certificate removes the trust that makes forged certificates work, but browsers that keep their own certificate store (Firefox, for example) have to be checked and cleaned separately, and it is hard to be sure nothing else was left behind. For that reason, some have recommended a new, clean installation of Windows as the safest thing to do. Unfortunately, this may require you to purchase a new copy of Windows if you don't have one lying around, as just re-installing from whatever recovery media may have come with your new PC will probably also re-install Superfish. Whichever route you take, check the trusted root store again afterwards to confirm the Superfish certificate is really gone.

Meanwhile, Lenovo has stopped pre-installing Superfish, and is doing its best to control the damage to its brand. We wish them the best of luck with that – from what we’ve seen, they make some great products…and at least one really bad decision…
