By Perry Vandell
Revelations that Lenovo PCs shipped between September and December of last year include adware that could leave users open to data theft should be a wake-up call to solutions providers.
The malware, dubbed ‘Superfish,’ after the adware company that paid Lenovo to install the software, could allow attackers to hijack even encrypted connections that display as protected by HTTPS. It does so via a man-in-the-middle exploit, where the malware issues its own HTTPS certificate rather than using the cert from the sites to which users believe they are connected. That allows Superfish – or an attacker who takes advantage of the software – to intercept encrypted traffic while tricking users into believing they’re on a secure connection.
According to Ars Technica, “the private encryption key accompanying the Superfish-signed Transport Layer Security certificate appears to be the same for every Lenovo machine. Attackers may be able to use the key to certify imposter HTTPS websites that masquerade as Bank of America, Google, or any other secure destination on the Internet.” The technology site reports that the encryption key has already been cracked, meaning anyone using a computer with Superfish installed is taking a serious risk.
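The two conditions described above, a locally trusted root certificate whose private key sits on the same machine and is shared across every machine, are what turn an ad injector into an interception platform. The PowerShell audit below is an added example, not code from the article, Lenovo or Superfish; it walks the Windows root certificate stores and flags anything whose name contains a suspect string (the 'Superfish' substring comes from the article; any other names are the operator's own) or, more generally, any trusted root for which the machine also holds a private key, since a legitimate public CA never ships its signing key to end users.

```powershell
# Added example (not from the article): audit the Windows trusted-root stores
# for trust anchors that could enable local TLS interception.
# Assumptions: elevated PowerShell session on a Windows host; the substring
# 'Superfish' is taken from the article, other entries are operator-supplied.

param(
    [string[]]$SuspectNames = @('Superfish')   # subject/issuer substrings to flag
)

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert = $_
        $reasons = @()

        # Check 1: name match against the suspect list.
        foreach ($name in $SuspectNames) {
            if ($cert.Subject -like "*$name*" -or $cert.Issuer -like "*$name*") {
                $reasons += "name matches '$name'"
            }
        }

        # Check 2: a trusted root with its private key present on this machine
        # lets local software mint a certificate for any site, which is the
        # condition the article describes. Public CAs never ship their key.
        if ($cert.HasPrivateKey) {
            $reasons += 'private key present for a trusted root'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No suspect root certificates found.'
}
```

Run it across a fleet through your existing remote-execution tooling and review hits before acting on them; a flagged certificate can be removed with `Remove-Item` on its `Cert:` path once confirmed, but uninstalling the software that installed it matters more, since an interception agent can simply re-add its root on next start. The private-key check is the durable part of this audit: it does not depend on knowing the next vendor's name.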
Lenovo issued a statement saying that Superfish disabled server-side interactions on all Lenovo products shipped since January, and that the adware is no longer preloaded onto its products. Lenovo also gave a partial defense for its decision to include the adware in the first place, saying today that, “We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.” The company cited negative user reaction as the reason for pulling the software. Lenovo further said that Superfish’s inclusion was meant solely to “help customers potentially discover interesting products while shopping,” and that its relationship with Superfish was “not financially significant.”
Andrew Bagrin, CEO of security provider My Digital Shield, considers this to be a real intrusion on privacy.
“As the PC/laptop market has grown and become so competitive recently, the manufacturers probably don’t make significant funds on the sale of laptops themselves,” Bagrin told Channel Partners. “Instead, they are looking to new routes as way to grow financially. Having trial software is bothersome, but still tolerable. Having ads automatically come up without being granted permission from the end user? The line has been crossed. This tactic should be categorized as ...