A vulnerability has been discovered in a piece of software that ships pre-loaded onto Lenovo computers that could grant hackers access to a user's secure browser data, allowing third parties to potentially collect passwords, bank details, and other sensitive information.
Superfish, an adware program that Lenovo admitted in January it included as standard on its consumer PCs, reportedly acts as a "man-in-the-middle" so it can access private data for advertising purposes. The adware makes itself an unrestricted root certificate authority, installing a proxy capable of producing spurious SSL certificates whenever a secure connection is requested. SSL certificates are small files, used by banks, social networks, retailers such as Amazon, and many others to prove to incoming connections that the site is legitimate. By creating its own SSL certificates, Superfish is able to perform its advertising tasks even on secure connections, injecting ads and reading data from pages that should be private.
According to a statement by Lenovo, the partnership was discontinued in January, but many earlier computers may still have the software installed. Lenovo dismissed the outcry in the same statement, saying, "we have thoroughly investigated this technology and do not find any evidence to substantiate security concerns."
Security expert Kenn White showed Superfish's proxy certificates in action in a Twitter post today. White's photo shows a certificate issued to Bank of America, but issued by Superfish, rather than by a trusted root certificate authority such as VeriSign. The nature of Superfish, a program capable of checking web traffic and sending that data onwards for advertising purposes, means that hackers could potentially access information transmitted across supposedly secure connections — online stores and banking sites, for example, that have https:// in their URLs, and display a lock in users' browsers.
It's troubling that Superfish and Lenovo are using such proxies to see secure data for advertising purposes, but third parties may also be able to get their hands on private information. It appears as though Superfish has used the same private key for its spurious root certificate on every machine. As Eric Rand, researcher at Brown Hat Security, explained to The Verge, if someone was able to crack the key, nefarious individuals could create certificates that all Lenovo machines inherently trust, or write malicious software that all Lenovo machines see as trusted programs. In fact, a number of security researchers have already cracked the password, and Errata Security's Robert Graham has published it for open use.
It looks like the Superfish service might store the SSL key upside down, just so that it's extra hard to reverse pic.twitter.com/rj1KzJVwVl— Karl (@supersat) February 19, 2015
Superfish itself was recently ranked fourth on a list of the fastest growing companies in the United States. The program it produces analyzes the images you see during your browsing sessions and scours more than 70,000 stores to find similar products that might have lower prices. The company calls itself a "pioneer in visual search technology," but Lenovo users have railed against its inclusion as standard.
Lenovo has responded to The Verge, saying it is "thoroughly investigating all and any new concerns raised regarding Superfish." The company also confirmed that Superfish disabled activation on existing machines last month and that it had been removed from new machines. In January, the company said the technology was innocuous, but the company's defense of the adware failed to take into account the glaring security hole the world's largest PC manufacturer has apparently built into thousands of its PCs.
2/19 4:44AM ET: Article updated with Lenovo response.
2/19: 9:45am ET: Article updated to include news that the Superfish password had been cracked.