Lenovo has come under fire this week for pre-installing a piece of adware on some of its consumer devices that inserts third-party ads into users’ web browsing sessions and may open those computers up to attack.
The software, called Superfish, was pre-installed on some Lenovo consumer laptops during a period from September to December 2014. If users choose to turn it on the first time they start up their computer, it watches a user’s browsing and serves contextually-relevant ads. It also installs its own self-signed root certificate into the Windows trusted certificate store, which lets the software intercept even a user’s encrypted HTTPS sessions: it sits between the browser and the site, presents a certificate it issued itself for whatever site is requested, and the browser accepts it without warning because the root is trusted.
In a statement emailed to GeekWire, Lenovo spokesperson Wendy Fung said that the software didn’t “profile or monitor user behavior,” or record users’ information. Lenovo has since disabled the server-side interaction with Superfish, rendering the ad serving part of the software moot.
That doesn’t solve the security hole Superfish created, according to security researchers. Chris Palmer, a Google engineer who works on Chrome’s security, purchased a new Lenovo Yoga at Best Buy after allegations surfaced about Superfish’s capabilities. When he went to Bank of America’s website, his browser was handed a Superfish-signed certificate rather than the bank’s real one signed by VeriSign to secure the connection. Errata Security’s Rob Graham was able to crack the password protecting the certificate’s private key in three hours. Because the same root certificate and the same private key ship on every affected machine, anyone who recovers that key can forge a valid-looking certificate for any website and intercept HTTPS traffic from any computer that still trusts the Superfish root, for example on a shared Wi-Fi network, and the browser will show no warning.
Lenovo, for its part, is unconcerned about Superfish’s security implications.
“We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns,” Fung said. (Update: Lenovo has since removed the sentence about security concerns from its statement online.) “But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software. We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first.”
Fung did not respond to further questions about Superfish’s security problems.
People who want to see if they’re affected by Superfish can use this website set up by Filippo Valsorda. Lenovo has a guide available for users interested in uninstalling Superfish on its support forums, but be warned: it doesn’t remove the root certificate, and as long as that root remains trusted the machine stays exposed to interception even after the adware itself is gone. (Update: Lenovo has updated removal instructions that include the certificate here.)
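For readers who would rather check the machine directly than rely on a website, the following PowerShell script is an added example (it is not from the article, from Lenovo or from Superfish) that looks for the Superfish root in both Windows trusted root stores, removes it on request, and performs the same check Chris Palmer did by reporting who issued the certificate a live HTTPS connection actually presents. It assumes the certificate’s subject contains “Superfish” (the shipped root was issued to “Superfish, Inc.”); matching on the published thumbprint instead would be stricter. The store scan runs offline; the TLS probe needs network access. Removal from the LocalMachine store requires an elevated prompt, and Firefox keeps its own trust store, which this script does not touch.

```powershell
# Added example, not code from the article, Lenovo or Superfish.
# Assumption: the Superfish root's subject contains "Superfish"; a stricter
# check would match the thumbprint published in Lenovo's removal guidance.
$SubjectPattern = '*Superfish*'

function Find-SuperfishRootCert {
    # Scan the machine-wide and the per-user trusted root stores.
    # Either location is enough for a browser that uses the Windows store
    # (Internet Explorer, Chrome) to trust certificates the proxy forges.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like $SubjectPattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

function Remove-SuperfishRootCert {
    # Delete every match found above. Supports -WhatIf for a dry run;
    # the LocalMachine store needs an elevated (Administrator) session.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $found = @(Find-SuperfishRootCert)
    if ($found.Count -eq 0) {
        Write-Host 'No Superfish root certificate found in the Windows stores.'
        return
    }
    foreach ($c in $found) {
        $path = Join-Path -Path $c.Store -ChildPath $c.Thumbprint
        if ($PSCmdlet.ShouldProcess($path, 'Remove trusted root certificate')) {
            # -DeleteKey also discards the private key if one is stored locally.
            Remove-Item -Path $path -DeleteKey -ErrorAction Stop
            Write-Host "Removed $path"
        }
    }
}

function Get-TlsIssuer {
    # Open a TLS connection and report who issued the certificate the client
    # actually sees. On an intercepted machine the issuer is Superfish rather
    # than the site's real CA, regardless of which site you connect to.
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any certificate so the handshake completes and we can inspect it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
            [pscustomobject]@{
                Host        = $HostName
                Subject     = $cert.Subject
                Issuer      = $cert.Issuer
                Intercepted = ($cert.Issuer -like $SubjectPattern)
            }
        } finally {
            $ssl.Dispose()
        }
    } finally {
        $client.Dispose()
    }
}

# Usage:
Find-SuperfishRootCert | Format-Table -AutoSize
Get-TlsIssuer -HostName 'www.bankofamerica.com' | Format-List
# Remove-SuperfishRootCert -WhatIf    # dry run; drop -WhatIf to delete
```

A clean machine shows no rows from the store scan and an `Issuer` naming a public CA; an affected machine shows a row in at least one store and `Intercepted` set to `True` for any HTTPS host, because the interception happens locally before traffic leaves the laptop.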
Update: Lenovo has provided a list of computer models that may have Superfish pre-installed:
Superfish may have appeared on these models:
G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30
People who are affected should follow Lenovo’s new removal instructions here.
Update 2: Lenovo has issued a new statement on the Superfish fiasco:
At Lenovo, we make every effort to provide a great user experience for our customers. We know that millions of people rely on our devices every day, and it is our responsibility to deliver quality, reliability, innovation and security to each and every customer. In our effort to enhance our user experience, we pre-installed a piece of third-party software, Superfish (based in Palo Alto, CA), on some of our consumer notebooks.
We thought the product would enhance the shopping experience, as intended by Superfish. It did not meet our expectations or those of our customers. In reality, we had customer complaints about the software. We acted swiftly and decisively once these concerns began to be raised. We apologize for causing any concern to any users for any reason – and we are always trying to learn from experience and improve what we do and how we do it.
We stopped the preloads beginning in January. We shut down the server connections that enable the software (also in January), and we are providing online resources to help users remove this software. Finally, we are working directly with Superfish and with other industry partners to ensure we address any possible security issues now and in the future. Detailed information on these activities and tools for software removal are available here:
To be clear: Lenovo never installed this software on any ThinkPad notebooks, nor any Lenovo desktops or smartphones. This software has never been installed on any enterprise product — servers or storage — and these products are in no way impacted. And, Superfish is no longer being installed on any Lenovo device. In addition, we are going to spend the next few weeks digging in on this issue, learning what we can do better. We will talk with partners, industry experts and our users. We will get their feedback. By the end of this month, we will announce a plan to help lead Lenovo and our industry forward with deeper knowledge, more understanding and even greater focus on issues surrounding adware, pre-installs and security. We are eager to be held accountable for our products, your experience and the results of this new effort.
Update 3: Lenovo has released another statement about the issue.
As we said yesterday, Lenovo is exploring every action we can to help our users address the concerns around Superfish. So today we are taking two additional actions:
1) In addition to the manual removal instructions currently available online, we have released an automated tool to help users remove the software and certificate. That tool is here: http://support.lenovo.com/us/en/product_security/superfish_uninstall
2) We are working with McAfee and Microsoft to have the Superfish software and certificate quarantined or removed using their industry-leading tools and technologies. These actions have already started and will automatically fix the vulnerability even for users who are not currently aware of the problem.
We ordered Superfish preloads to stop and had server connections shut down in January based on user complaints about the experience. However, we did not know about this potential security vulnerability until yesterday. Now we are focused on fixing it.
Since that time we have moved as swiftly and decisively as we can based on what we now know. While this issue in no way impacts our ThinkPads; any tablets, desktops or smartphones; or any enterprise server or storage device, we recognize that all Lenovo customers need to be informed. We apologize for causing these concerns among our users for any reason – and we are learning from experience and improving what we do and how we do it. We will continue to take steps to make removal of the software and underlying vulnerable certificates in question easy for customers so they can continue to use our products with the confidence that they expect and deserve.