Reports from multiple outlets have brought to light a post by a Lenovo customer from January 21 of this year showing that Lenovo has been preloading Superfish spyware onto its Windows laptops. Most troubling is the evidence of Superfish being caught in the act of compromising the security of connections between customers and their personal banking providers.
This is a serious development, potentially far more so than the Sony rootkit debacle of several years ago, mostly because the activity described may be criminal. Executives and staff at Lenovo are going to have a lot more explaining to do, and in light of the angry reaction from customers this is one scandal that isn’t likely to “just go away”. It wouldn’t surprise me if Lenovo’s contracts with the U.S. government, particularly the military, inherited from IBM, could (or rather should) now be at risk. Enterprise IT organizations are going to have to give them another look as well. At the very least, Lenovo’s President of U.S. operations may want to consider amending a year or more’s worth of Sarbannes-Oxley certifications.
The article in The Register, Lenovo shipped lappies with man-in-the-middle ad/mal/bloatware: ‘Superfish causes almighty stink, and Microsoft-owned Ars Technica, Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections, recount the damning details first published by a customer almost a month ago on Lenovo’s own forum.
In essence Superfish kept tags on users logged in to Lenovo’s laptops and injected advertising material into web sessions through man-in-the-middle attacks that included using its own trusted certificates (installed by Lenovo into the common Windows truststore used by Internet Explorer and Chrome — but not Firefox) to stealthily get between them and secure sites like Bank of America’s for personal banking. Both the Register and Ars articles include the graphic evidence showing these certificates and the software in action, irrefutably reproducing the results noted by users in Lenovo’s own customer forums starting as far back as September, 2014 (see discussion threads here and here). The addition of the Superfish certificates to the Windows truststore is probably the most egregious act by Lenovo in all this, as it seriously (possibly catastrophically) undermines the security of the machine itself.
Lenovo’s response has been to advise customers that: (a) Superfish’s server-side operations with respect to their product have ceased; (b) They stopped preloading it in January; (c) They would not be preloading it in the future; and (d) To provide instructions to customers on how to remove the software. Lenovo also unequivocally denied that the software posed a threat to system security.
In my opinion (A) the only effective fix to a Superfish-infected Windows machine is a complete wipe (delete, repartition and reformat) of the hard drive and a fresh install of the operating system from Microsoft branded media (definitely NOT a restore from a Lenovo or any other kind of backup image); and (B) Lenovo is either lying or clueless when they state Superfish hasn’t compromised the security of every machine it has been installed on. Further, nearly every report on this scandal has included the information that customer’s began complaining to Lenovo about Superfish as early as June of 2014, at least 4 months before Lenovo claims they began preloading the software.
Really too little, too late, in my mind, and something that a boatload of three-letter agencies should now investigate. Hey, National Security Agency in the U.S. Department of Defense, I’m talking to you! Maybe you could earn your keep as defender of U.S. “cyber” interests by actually dealing with a bad actor for a change (rather than treating your own citizens as the enemy).
For those who own Lenovo product still configured with its preloaded software, now might be a good time to consider repartitioning, reformatting and reinstalling your operating system from the original publisher (e.g. Microsoft for Windows, Lenovo’s laptops should ship with the necessary MS product key tag — usually located under the removable battery). All of us might also look for any Superfish certificate or certificate authority in your browser, operating system and other SSL-enabled applications and remove if found.
Thomas Fox-Brewster of Forbes wrote a post that begins with the words, “Lenovo might have made one of the biggest mistakes in its history.” Uh-oh, now the markets know! There’s a follow up by Fox-Brewster that provides background Superfish and its technology, characterizing the company’s CEO as having once been a member of the “surveillance industrial complex”. Sort of like former NSA chief Keith Alexander, who now makes million(s) a month providing security tips to big corporations. Hope none of them let him anywhere near their networks with a thumb drive!
Security researcher Robert Graham has demonstrated how easy it is to compromise the unsurprisingly insecure Superfish trusted cert itself, which means that it can now be leveraged by a third-party attacker. This is the same, predictable, result we’ve seen from fundamental system security exploits like those mounted by military intelligence agencies such as the NSA. It’s what I’m now calling the “vandal burglar” effect (the burglar who breaks into your home and then leave the door open, allowing other bad actors and the elements to invade).
Lenovo now says Superfish was shipped on their laptops from September to December, 2014. Of course, an end date of December, 2014 contradicts the earlier assertion by Lenovo that they stopped preloading the software in January, 2015.