Story

Laptop biz CTO says there's no security risk – which is why it's labelled it 'severe' +Comment Chinese PC maker Lenovo has published instructions on how to scrub away the Superfish adware it installed on its new laptops – but still bizarrely insists it has done nothing wrong and that there's nothing to worry about.…

Uninstalling the software doesn't undo the damage it does to your system.

For the many of us that have purchased a laptop, we are somewhat used to the amount of bloatware that comes pre-installed. Most of this relates to the company specific software, or free trials for office applications or anti-virus software. I would imagine that the more technologically savvy users uninstall some of this bloat for themselves and their family and friends, but it does give an opportunity for the manufacturer to install what they want before the device gets shipped.Here at AnandTech we receive laptops on a regular basis for review, and where we can we tend to ask for retail units so we can analyze the hardware without fear of getting a ‘review-focused’ sample. The same thing goes for motherboards, SSDs, and graphics cards, which also come with their own software but the user has to specifically install everything. With a laptop, smartphone, tablet, workstation, or notebook, it all comes pre-prepared for the user to plug and play. The demand to remove the bloatware has led to smartphones and tablets being offered with pure stock versions but also carrier customized ones, and some users get the choice of both.A topic that has been in the news today, and whose symptoms date back a little further, has been with Lenovo laptops and notebooks. This software is called SuperFish and comes as a browser add-on, which Lenovo calls a ‘Visual Discover’ program that detects when a website has advertising and replaces it with targeted images based on what the user is looking at in order to make informed choices at potentially lower prices. This comes with a variety of issues.First, it replaces the advertisement(s) on the website, which offers the website a form of income (such as AnandTech and other advertiser driven models). The new advertisement redirects the link to a server that may benefit Lenovo, distorting the ad views for that particular website and shifting income back to the laptop manufacturer.Second, SuperFish is actively scanning the websites that people look at, resulting in privacy issues. Lenovo has stated that this software analyzes images in an algorithmic pattern (presumably similar to Google Goggles) rather than tracking the behavior of the user, but without access to the code most users will still not trust the software. After consistent issues regarding security and tracking in the media recently, especially with certain ‘Smart TVs’, it is understandable how users are concerned over devices that do not respect their privacy.Third, the best explanation for SuperFish comes down as adware. Malware and adware have been a common threat of the century when it comes to web browsing, where software places unwanted advertisements in the eye-line of the user to generate revenue. If we take that definition then SuperFish falls under that category, no matter how it is dressed up.The fourth issue (and arguably most severe issue) revolves around security. This is twofold – the SuperFish software will intercept any HTTPS encrypted webpage that has advertisements when it replaces them with its own, creating a mix of secure and insecure content. This allows other software to come in and potentially inject its own attack, stealing sensitive information. The second issue with security is that SuperFish issues its own SSL certificates for a large number of common sites, with severely reduced security than what is often required, such as with banks with the example that is circling the internet:This essentially amounts to a fake root certificate, necessary for SuperFish to intercept HTTPS connections to do its image analysis, but in the process giving SuperFish access any information passed via HTTPS. Any and all alarm bells should be ringing in everyone’s ears at this point, as this means the SuperFish software has the means to see bank information, personal information, and any other sensitive information. These certificates are accepted because Lenovo has pre-installed the PC with details to accept SuperFish certificates, essentially creating a 'self-signing authority'.But most damaging of all is the potential for these certificates to be used by malicious third parties. As it turns out, the security of these certificates would seem to be using SHA-1, which is insecure and can be overcome with the right software and ordinary computing hardware. The 1024-bit RSA key has also been cracked, with the private key being bundled with the software in order to execute on-the-fly digital certificate signing. Consequently researchers have already cracked the key and password with relatively little effort, exacerbating the scale of the situation. Easily repeatable by hackers, this would allow a hacker to come in and use the same password/key combination to sign their own fake SSL certificates against the SuperFish root certificate, in essence allowing anyone with network contol to execute a man-in-the-middle attack on any Lenovo system with the SuperFish root certificate installed.The reason this situation has come to the forefront today is due to a tweet on Wednesday by the co-director of the Open Crypto Audit Project and a single forum post by a Lenovo employee, describing how SuperFish works:Despite whatever good intentions Lenovo had behind the software, the implementation as well as the execution leave a lot to be desired, especially in a climate where security and privacy are key factors with their main user demographic. I doubt that any such software would ever been considered in this digital age as viable, unless it was forced upon a user at a work machine to only ever be used for that purpose. But for home users, this post waves a black flag followed by a red one – the race is being stopped and you are being disqualified.There are two elements to this story from Lenovo. Perhaps understandably, the forum post mentions that SuperFish is currently disabled on Lenovo’s end. However, the software is still present on the user machines and most importantly the weak root certificate is still installed.The next is an official response from Lenovo on SuperFish, which you can read here. A brief summary is included here:

Company backs away from earlier claim there was no merit to security concerns.

It wasn't about the money!

Here's how to zap the ad-injecting crapware Lenovo is attempting to defuse controversy over its pre-installed Superfish crapware – which appears to have run man-in-the-middle attacks against consumers in order to sling ads – by saying it has discontinued use of the visual-recognition technology on new laptops and promising to review outstanding concerns.…