Chinese laptop manufacturer Lenovo has warned its customers that their devices could be vulnerable to security attacks by hackers. The computer company confirmed this after reports were circulating online and on social media websites that a specific adware software installed on the devices could allow hackers to carry out surveillance and so-called "man in the middle" attacks on unsuspecting users. However, they have said that this particular security breach will only affect users who purchased Lenovo hardware between September and December last year, although this catchment is much wider than the company initially thought. So what is Superfish and how can it allow the security of your computer to be breached by hackers?
Superfish is an advertising company that develops visual search engine software. Users input images into the search engine and it displays results and adverts from different organisations that are similar or related to that image; it is also able to scan webpages for images remotely to produce related advertisements. The company is no stranger to controversy, as many experts in the computing industry have described their software as adware or malware – names given to software that disrupts computer information, gathers data and uses that for advertising and other purposes without the consent of the user. Indeed, Superfish software has been bundled with other software applications since 2010, and its first major product, WindowShopper, drew a large number of complaints from users who said they didn't even know it had been installed on their computers.
Lenovo began including Superfish as standard in their laptop computers and other hardware products in September 2014, which is when the recent complaints first started to appear online and later in major print media outlets. The United States Department of Homeland Security issued an official statement on 20th February 2015 advising users to uninstall the software and its associated root certificate as it could leave their computer open to surveillance and cyberattacks through processes such as the collection of sensitive data and passwords through web browsers and other software applications. So how does it do it?
Internet privacy experts were worried about situations in which the visual search facility would scan SSL-encrypted pages in order to generate adverts and search results. These encrypted pages are usually those that contain sensitive information like passwords, card or bank details, and personal information, and as such are encrypted to stop their data being collected. When the software scans these pages the images are collected, used and then stored, which means that the company then has access to whatever sensitive information was on the page. Additionally, the software also came with a universal self-signed certificate authority, which means that this private and sensitive information could then be exposed to hackers and cybercriminals, enabling what are called 'man in the middle attacks'. This is where a hacker intercepts data as it is travelling between its start and end points. This universal self-signed certificate authority also had the same private key across all laptops, which meant that one key would be able to decrypt data from every laptop with the software installed. In the event of such an attack, Superfish would also not trigger any warnings or alarms. The CEO of Superfish, Adi Pinhas, said that "it appears [a] third-party add-on introduced a potential vulnerability" and that they "did not know about it" prior to these issues.
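To make the root-certificate problem concrete, here is an added demonstration (not from the original article or from Lenovo/Superfish) that builds a throwaway self-signed root with openssl, issues a certificate for an arbitrary hostname with it, and shows that a trust store containing that root accepts the certificate while a clean store rejects it; it also audits a PEM trust store for the root by subject name. All names and files ("Constructed Test Root", "bank.example") are placeholders generated on the fly, not the real Superfish certificate.

```shell
#!/bin/sh
# Constructed demonstration of the failure mode described above: a self-signed
# root CA trusted by the client, whose private key is identical on every
# machine, lets anyone holding that key issue a certificate for any site that
# the client accepts without warning. Nothing here is the real Superfish CA.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. The shared root: stands in for the CA shipped on every affected laptop.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test Root" \
  -keyout "$WORK/shared-root.key" -out "$WORK/shared-root.pem" 2>/dev/null

# 2. An unrelated, legitimate root so the "clean" trust store is not empty.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated Root" \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null

# 3. A leaf certificate for an arbitrary hostname, signed with the shared key.
openssl req -newkey rsa:2048 -nodes -subj "/CN=bank.example" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/shared-root.pem" \
  -CAkey "$WORK/shared-root.key" -CAcreateserial -days 1 \
  -out "$WORK/leaf.pem" 2>/dev/null
LEAF="$WORK/leaf.pem"

# Two trust stores: one contaminated with the shared root, one clean.
BAD_STORE="$WORK/store-with-shared-root.pem"
CLEAN_STORE="$WORK/store-clean.pem"
cat "$WORK/shared-root.pem" "$WORK/other.pem" > "$BAD_STORE"
cp "$WORK/other.pem" "$CLEAN_STORE"

# chain_trusted STORE LEAF -> prints "trusted" or "rejected".
# This is the question a Badfish-style check page asks the browser: does the
# client accept a certificate that only the shared root vouches for?
chain_trusted() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo trusted; else echo rejected; fi
}

# bundle_has_root STORE PATTERN -> number of CA subjects matching PATTERN,
# a quick audit of a PEM trust store for a known-bad root before removing it.
bundle_has_root() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout \
    | grep -c "^subject=.*$2" || true
}

echo "contaminated store: $(chain_trusted "$BAD_STORE" "$LEAF")"   # trusted
echo "clean store:        $(chain_trusted "$CLEAN_STORE" "$LEAF")" # rejected
echo "shared root present in contaminated store: $(bundle_has_root "$BAD_STORE" "Constructed Test Root")"
```

The same audit applied to a real machine's trust store is the remediation step the Department of Homeland Security advice boils down to: find the root, remove it, and confirm the leaf is rejected afterwards.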
If you are currently using a Lenovo laptop and want to be sure that your connections are not being intercepted by the adware, developer Filippo Valsorda has created a free online tool to easily check the security of your computer. Simply visit https://filippo.io/Badfish/ to check if your laptop is affected by this breach.