Thursday 19 February 2015

Lenovo's Superfish is Adware at Best and Malware at Worst

Since the middle of 2014, Lenovo have been pre-installing a piece of software commonly known as 'Superfish' onto its new laptops and PCs. In recent days the "Cyber Security" press has questioned the validity of Superfish, saying that it invades personal privacy, and that it exposes Lenovo users to data theft, they do have a point. Although Lenovo aren't the first to covertly push the privacy boundary for commercial gain, and they won't be the last either.

Adware at Best
Superfish operates fairly covertly in the background of the operating system, as you search online the software returns related advertisements back onto the desktop. These advertisements are chosen by Lenovo, and provide revenue to Lenovo when clicked upon. This is in affect adware, namely a user unwanted and unnecessary piece of software running on the operating system, it appears to be of no benefit or aid to the user, its main purpose is to provide an income for Lenovo. If we needed any additional help with our online searches, I am sure Google would have thought of it first and have provided it. Therefore I can only conclude, Superfish has to join the long list of adware software, which includes every browser search toolbar under the sun, as they simply aren't necessary, if anything they slow your web browser and searches down, for what? to make money for a non-welcome third party. Yes, adware is unwelcome on any system.

Malware at Worst
Superfish goes beyond being just adware, and has a more serious privacy and security concern, the software opens up users to the possibility ofprivacy snooping directly by Lenovo and by malicious third parties.  When you access a encrypted (https) website through a web browser, the browser sets up an end-to-end encrypted communication channel directly to the website, protecting all traffic sent to and from. This encrypted communication is vital security requirement to protect online banking, e-commerce, social media, and even web searches from being spied upon and stolen by third parties. Superfish installs a self-sign root certificate on the operating system, this allows Lenovo to intercept web traffic between the web browser and with any https protected website. The reason behind this is to allow the Lenovo advertising system to read and analyse the data, as sent by the user over the encrypted channel, so appropriate advertisements of interest can be placed onto the desktop. In wake of the Snowden relations, the internet has rapidly adopted encrypted website connectivity, even search engines like Google now provide https encryption connectivity by default to protect their user's privacy, this is why Lenovo need to use this dodgy method to break the Google website encryption to access their customer's search data, a goldmine of commercial exploitation for Lenovo.

The Superfish method of breaking https is nothing new, and has been used by malicious actors for years, it is commonly known as a "man in the middle" (MITM) attack. 

The Superfish method, as with any MITM attack, most users are oblivious that their secure https web connection has been compromised, and their private data is being snooped upon by a third party. With Superfish, we need to trust Lenovo, a Chinese company, will be completely ethical with this power, and not use Superfish to snoop people's private information. Given Lenovo's keen interest in directing advertisements for profit at its customers, the abuse of this power has to be a concern. But it gets worse, Superfish opens up the possibility of malicious actors taking advantage, by creating malware that exploits the Superfish software, cyber criminals may be able to use the Superfish root level certificates to MITM attack any website accessed through the Lenovo host system by the user.

Current Situation with Superfish
After receiving user complaints Lenovo announced it had "temporarily removed Superfish from consumer systems". 

Due to some issues (browser pop up behavior for example), with the Superfish Visual Discovery browser add-on, we have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues. As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues. - Lenovo Forum AdminThere have been a few other statements made by Lenovo since the negative publicity, saying they will remove Superfish from new machines and disabling it from others. However Lenovo are being far too coy for my liking. Therefore I suggest Lenovo users check for the presence of Superfish, and if it is there, remove it themselves.

How to Detect and Remove Superfish
Not all new Lenovo Laptops and PCs had Superfish pre-installed, so first determine if you have Superfish installed, there are several methods, here are three...

  • This website will test for the presence of Superfish https://filippo.io/Badfish/
  • If you notice while searching a "Visual Search Results" section and "powered by Visual Discovery", it is certain you have Superfish running.
  • Press the "Windows Key" & "R" to open the Run tool, then enter certmgr.msc and run to launch Window's Certificate Manager. Then click the "Trusted Root Certificate Authorities", next click "Certificates". if you see a certificate which says "Superfish, inc".

Example of the Superfish Certificate

There are several methods to stop and to remove Superfish, but the sure fire way to make sure your Lenovo system safe is to delete the Superfish Trusted root certificate..
  • Press the "Windows Key & R" for the Run tool, enter certmgr.msc and run to launch the Certificate Manager, then select "Trusted root certificate authorities", next click "Certificates", find the Superfish entry, right click it and select "Delete".  Also make sure to check under each user account on the system. I recommend using a registry cleaner to make sure all instants of Superfish Certificate are gone. Finally to ensure it has gone, visit the test website https://filippo.io/Badfish/