Lenovo's Response to Its Dangerous Adware Is Astonishingly Clueless

Lenovo says that the Superfish adware it preinstalled on laptop computers isn't a security problem. That's not true. And guess what? It breaks Slack too.

If you've bought a Lenovo laptop anytime since August, it may have shipped with a dangerous bit of adware known as Visual Discovery by Superfish. It's the kind of software add-on that computer makers are often paid to include with their hardware. Superfish exists to serve up ads, but it does so in such a maddeningly dangerous way that it creates a real security problem for Lenovo users.

Worse, Lenovo appears completely clueless about the problem. The company issued a statement shortly after security experts raised the issue, saying it stopped shipping the adware last month and customers need not worry about the thing compromising their security. "We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns," Lenovo said.

Robert Graham, the CEO of the internet security firm Errata Security, doesn't mince words in assessing the situation. "This is a bald-face lie," he says of Lenovo's statement. "It's obvious that there is a security problem here." And Graham knows what he's talking about: he runs a security consultancy and has documented very real security problems with Superfish.

The Really Bad Part

The adware works, he says, by monitoring your web traffic while you're shopping and then showing you products similar to the images that appear in your browser. To do this even while you're securely connected to a website whose address begins with https, Graham explains, Superfish intercepts the traffic from that site and makes it searchable by tinkering with the Windows operating system so that it can masquerade as any website on the internet.

And here's the really bad part: The way Superfish does this is so badly designed that a tech-savvy person could take advantage of the changes Superfish makes to your computer and do the same kind of masquerading. This is what's called a man-in-the-middle attack.

For such an attack to work, the victim must first connect to a network the attacker controls. That is not a far-fetched condition: such attacks have been carried out on the Wi-Fi in coffee shops or hotels, for example.

Note to Lenovo

According to Graham, it took him about three hours to crack Superfish's security and determine the password he'd need to make such an attack. It's "komodia," which happens to be the Greek goddess of happiness and amusement, and the name of a company that writes software that intercepts secure web traffic. A spokeswoman for Superfish says that the Lenovo software uses Komodia's technology. "We used it for the Lenovo test project," she says, "but that is the only time we used it."

"I can intercept the encrypted communications of Superfish's victims (people with Lenovo laptops) while hanging out near them at a cafe wifi hotspot," Graham wrote in a blog post detailing how he did this.

Note to Lenovo: This makes Superfish a legitimate security concern. If you're wondering whether you might be affected by it, there are a couple of websites where you can check to see if the malware is installed. One of them is here. Let's hope you don't have it, because it looks like even removing the Superfish software doesn't address the core security problem. PC World has some instructions on what to do if you need to go Superfishing to fix the issue.

But Superfish tells us it stands by Lenovo's assessment. "Superfish is completely transparent in what our software does and at no time were consumers vulnerable -- we stand by this today," a company spokeswoman said. "Lenovo will be releasing a statement later today with all of the specifics that clarify that there has been no wrongdoing on our end."

Superfish was only preinstalled on Lenovo PCs, not other devices, she said. "This was a small scale test to see if consumers would like the feature."

It Breaks Other Programs Too

The Superfish issue had been percolating in online forums for a few months, but really caught everyone's attention yesterday when security experts started analyzing it.

Galen Ward learned about Superfish last month after buying a new Lenovo Flex 2 laptop for a member of his tech team. He's the CEO of the real estate search portal Estately, where they use the popular web-based messaging tool Slack for internal communications. But something was breaking Slack on the Lenovo.

"It would constantly be flickering online, offline, offline, online," he says. They got in touch with Slack's support team, which instantly recognized the problem and asked: "Do you have a recent-model Lenovo? We have trouble with those."

Slack told us it's been seeing this problem with Lenovo laptops since October. The problem is that Slack is designed not to work when there is a man-in-the-middle attack going on, a company spokeswoman told us, adding, "but we were not aware of how Superfish worked and had not designed Slack to specifically defend against Superfish: they just turned out to be incompatible."

Not Too Happy

Ward removed Superfish, but now that he knows about the security issue, he's concerned. Estately is cloud-based. They use Box, GitHub, and Gmail, all of which could be compromised on his employee's laptop due to the security problems introduced by Superfish. Now he must poke around in the Windows computer and revoke a digital certificate associated with Superfish.
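The check described earlier (the websites that tell you whether the malware is installed) and the cleanup Ward has to do here (revoking the Superfish certificate) can both be done locally. The following PowerShell is an added example, not code from the article or from Lenovo, Superfish or Slack; it assumes the offending root certificate's subject contains the word "Superfish" (the article gives no thumbprint, so it matches on the name only) and deletes matches only when run with -Remove.

```powershell
# Added example: audit the Windows trusted-root stores for the Superfish CA
# and optionally remove it. Run as: .\Check-Superfish.ps1 [-Remove]
# Assumption: the certificate's Subject contains "Superfish"; this script
# does not rely on a specific thumbprint.
param([switch]$Remove)

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

# Collect every certificate in either root store whose subject names Superfish.
# A root CA is self-signed, so matching Subject also covers Issuer.
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like '*Superfish*' } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Path       = $_.PSPath
            }
        }
}

if (-not $found) {
    Write-Output 'No Superfish root certificate found in LocalMachine\Root or CurrentUser\Root.'
    return
}

Write-Warning 'Superfish root certificate present: HTTPS traffic on this machine can be intercepted.'
$found | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        # Deleting from LocalMachine\Root needs an elevated (Administrator) session.
        Remove-Item -Path $cert.Path
        Write-Output "Removed $($cert.Thumbprint) from $($cert.Store)"
    }
}
```

Uninstalling Visual Discovery through Programs and Features does not remove this certificate, which is why the check is worth running after the uninstall. Firefox keeps its own certificate store, which this script does not examine.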

He's not happy about it, but he's going to do it himself. "It's really crappy that Lenovo is installing this," he says. "If I had all the time in the world, I'd just take it back to them to make them do it right, but we have a business to run. So we'll do the five-minute fix and keep moving."

UPDATED: 4:20 PM EDT 02/19/15 -- This story was updated to include Superfish's comment on the Komodia software.