Lenovo on Thursday came under fire for preinstalling spyware on some of its laptops.
The software, Superfish, uses the same techniques cybercriminals often employ to crack encrypted traffic from computers to the Internet.
“Superfish is purposely designed to bypass the security of HTTPS websites in a manner that would allow malware and attackers to also bypass the security provided by HTTPS,” said Adam Ely, cofounder of Bluebox.
“Users are inherently at risk of being directed to malicious sites that appear valid,” he told TechNewsWorld, “making it much easier for attackers to steal information and further infect computers with malware.”
However, security concerns raised by malware fighters are misplaced, Lenovo insisted.
“We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns,” the company said in a statement provided to TechNewsWorld by spokesperson Brion Tingler.
No Tracking Involved
Superfish was installed on some consumer notebooks from September to December of last year to help customers potentially discover interesting products while shopping, Lenovo explained.
After receiving negative customer feedback, the company in January disabled the software on all Lenovo machines and stopped preloading it on new laptops.
“We will not preload this software in the future,” the company said.
Although it has been reported that Superfish monitors user behavior, Lenovo refuted that claim.
“To be clear,” Lenovo said in its statement, “Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior.”
“It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. Users are given a choice whether or not to use the product,” Lenovo added.
Further, “the relationship with Superfish is not financially significant; our goal was to enhance the experience for users,” the company said. “We recognize that the software did not meet that goal and have acted quickly and decisively.”
Copycatting Bank Robbers
Preloading software that has more to do with marketing than utility is a common practice in the PC world, but what makes Superfish so disturbing to many in the security community is the program’s disregard for SSL security. SSL is used to encrypt communication between computers and websites.
“Superfish allows every bit of communication with your bank, your email provider, or your healthcare provider to be inspected,” said Kevin Bocek, vice president for security strategy and threat intelligence at Venafi.
“It uses the exact same technique that cybercriminals use for bank account takeovers,” he told TechNewsWorld.
When SSL is used to encrypt the data stream between a device and a website, the website presents a digital certificate that the device checks before the encrypted session is set up. Superfish circumvents that process by substituting its own certificates for the legitimate ones.
Communication isn’t the only thing compromised by Superfish, noted Pavel Krcma, CTO of Sticky Password.
“It allows anything to be injected into the data stream from your computer,” he told TechNewsWorld. “It can install a backdoor to your computer.”
SSL Stymies Adware
Superfish can be removed from a computer through Windows uninstall, but that won’t plug all security holes created by the program, Lenovo explained in one of its forums.
“If you uninstall the software, it doesn’t remove the certificate created by it,” Venafi’s Bocek said. “That allows hackers to create malicious websites that will be trusted by those Lenovo computers.”
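Because uninstalling leaves the root certificate behind, the practical check for an administrator is to audit the Windows trusted root stores directly. The following script is an added example, not code from the article or from Lenovo; the "Superfish" name comes from the article, while the optional private-key check is a general heuristic for any locally installed interception root and is an assumption about how such roots are typically deployed, not something the article states.

```powershell
# Added example: look for a lingering TLS-interception root in the Windows root
# stores. Reports matches by default; -Remove deletes them (needs admin rights
# for the LocalMachine store).
function Find-InterceptionRoot {
    [CmdletBinding()]
    param(
        # Substrings matched against Subject and Issuer; "Superfish" is the case
        # discussed in the article.
        [string[]]$NamePattern = @('Superfish'),
        # General heuristic (assumption, not from the article): a trusted root
        # whose private key sits on the endpoint can mint certificates locally.
        [switch]$IncludePrivateKeyRoots,
        # Remove matches instead of only reporting them.
        [switch]$Remove
    )

    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        foreach ($cert in Get-ChildItem -Path $store) {
            $nameHit = $false
            foreach ($p in $NamePattern) {
                if ($cert.Subject -like "*$p*" -or $cert.Issuer -like "*$p*") {
                    $nameHit = $true
                }
            }
            $keyHit = [bool]$IncludePrivateKeyRoots -and $cert.HasPrivateKey
            if (-not ($nameHit -or $keyHit)) { continue }

            $reason = if ($nameHit) { 'name match' } else { 'private key present' }
            [pscustomobject]@{
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey
                Reason        = $reason
            }

            if ($Remove) {
                # The Cert: provider supports Remove-Item on a certificate's path.
                Remove-Item -Path $cert.PSPath -Confirm:$false
            }
        }
    }
}

# Report first; rerun with -Remove once the output has been reviewed.
Find-InterceptionRoot -IncludePrivateKeyRoots | Format-Table -AutoSize
```

A clean machine should return nothing for the name match; any root reported under "private key present" deserves a closer look before it is removed, since some legitimate enterprise proxies are deployed the same way.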
As more and more websites start using SSL, advertisers will be looking at ways around it.
“Adware thrives on being able to monitor a user’s activity when they visit websites,” Bocek explained. “If I can’t look inside that traffic because it’s encrypted, that’s a problem.”
Just how pernicious Superfish is may lie in the eye of the beholder.
“When it comes to Superfish as an adware provider, they are not one of the biggest and most offensive companies out there,” said Pat Belcher, director of security analytics at Invincea.
“They have a slick interface that allows for object-based searching based on photographs,” he told TechNewsWorld, “and while they may collect personal information about you for eventual advertising purposes, there are lots of companies out there that do that and much, much, much worse.”