Home computing manufacturer Lenovo has been accused of installing adware on its laptops.
Named “Superfish”, the company has suggested users uninstall if they do not find it useful, while security experts have condemned the move, suggesting it is man-in-the-middle software.
According to reports, Superfish stole all manner of web traffic using fake, self-signed, root certificates to inject advertisements into sessions, and also monitored user activity, used man-in-the-middle attack techniques to crack secure connections, collected personal information and uploaded it to its servers, and displayed pop-ups with advertising software.
The adware not only could allow an attacker to compromise the certificate, but is an application that will hijack all of your secure webconnections (SSL/TLS) by using self-signed root certificate authority, making it look legitimate to the browser.
That latter comment came from the Lenovo forum, which claims that Superfish can “collect all data unencrypted”. Named VisualDiscovery and created by developer Superfish, it is described on its website as the true promise of visual search which “image-to-image search technology analyses images from every angle and perspective”. However at the time of writing, the website was blocked by IT Security Guru’s anti-virus.
In a comment on the same forum, a Lenovo administrator named Mark Hopkins said that Superfish has been “temporarily removed” from consumer systems until such time as Superfish is able to provide a software build that addresses these issues.
“As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues,” he said. “To be clear, Superfish comes with Lenovo consumer products only and is a technology that helps users find and discover products visually. The technology instantly analyses images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine.
The Superfish Visual Discovery engine analyzes an image 100 per cent algorithmically, providing similar and near identical images in real time without the need for text tags or human intervention. When a user is interested in a product, Superfish will search instantly among more than 70,000 stores to find similar items and compare prices so the user can make the best decision on product and price.”
Security researcher Marc Rogers said in his blog: “We trust our hardware manufacturers to build products that are secure. In this current climate of rising cyber crime, if you can’t trust your hardware manufacturer you are in a very difficult position.
“That manufacturer has a huge role to play in keeping you safe – from releasing patches to update software when vulnerabilities are found to behaving in a responsible manner with the data the collect and the privileged access they have to your hardware.
“This is unbelievably ignorant and reckless of them. It’s quite possibly the single worst thing I have seen a manufacturer do to its customer base. At this point I would consider every single one of these affected laptops to be potentially compromised and would reinstall them from scratch.”