Updated: 2/20/2015 2:53 PM
Lenovo has produced a list of systems that “may have” Superfish installed. They include.
G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30
It appears ThinkPad systems were spared, which is good news for enterprise users concerned about security.
Have you purchased a Lenovo computer lately? Then you may be vulnerable to a “man-in-the-middle” attack that can steal information from websites that appear secured by HTTPS. The attack is possible because of adware installed on the company’s machines at the factory.
The adware, known as Superfish, uses ad injection to place advertisements into websites that are not normally there, or interrupt loading of a site and show an additional ad. Lenovo says this function is now disabled on the server side.
More troubling still, the adware breaks HTTPS connections to achieve its goals. It does this through a self-signed security certificate that can intercept those normally used by websites. The site still appears secure, as normal, but when its certificate is examined it’s shown to belong to Superfish, rather than the site visited.
Security researchers have also discovered the Superfish-signed certification appears to be the same on every Lenovo computer, and is protected by a rather simple security password. Rob Graham, CEO of Errata Security, claims he cracked the password, and found it to be “komodia.”
See the problem? If not, here’s the basic version: malicious hackers can now potentially hijack the Superfish certificate’s credentials, and because the certificate replaces those normally used by sites that secured through HTTPS, doing so effectively lets an attacker masquerade as any HTTPS secured site on a Lenovo PC. Google, your bank, your credit card company; connections to all of these, and more, are vulnerable to man-in-the-middle attacks.
Lenovo, in its official response, states “We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.” Unfortunately, though, the company has not made an effort to specifically refute the vulnerability demonstrated by security researchers. No new Lenovo PCs are shipping with Superfish as of January, but that does not guarantee currently available models lack the issue, as systems sometimes linger in inventory for months.
The statement also says Superfish does not track user behavior or record user information. No security researcher has accused Lenovo of that, but it’s easy to understand why some users might believe that, too, was a possibility.
Obviously, this is a significant issue given Lenovo’s position as one of the world’s largest PC manufacturers. The company also has significant enterprise presence with its ThinkPad line, and those users are often particularly concerned with security. No one knows exactly which systems had Superfish installed besides Lenovo, but there could be millions now in the wild with this critical vulnerability.
The company’s support forums provide a way to uninstall Superfish, but users who’ve tried it so far claim it does not remove the false certification. Let’s hope Lenovo finds a way to help users patch their systems.