US government advises Lenovo to remove “Superfish” from laptops

21 Feb 2015

The US government yesterday advised Lenovo customers to remove "Superfish," a program pre-installed on some Lenovo laptops, saying it made users vulnerable to cyberattacks, Reuters reported.

According to an alert by the Department of Homeland Security, the program made users vulnerable to a type of cyber attack known as SSL spoofing, which allowed remote attackers to read encrypted web traffic, redirect traffic from official websites to spoofs, and perform other attacks.

According to the agency, systems that came with the software already installed would continue to be vulnerable until corrective action was taken.

According to a statement by Adi Pinhas, chief executive of Palo Alto, California-based Superfish, his company's software helped users achieve more relevant search results on the basis of images of products viewed by users.

He added that the vulnerability was "inadvertently" introduced by Israel-based Komodia, which built the application described in the government notification.

In a statement yesterday, Lenovo apologised for "causing these concerns among our users" and said that it was "exploring every action we can" to address the issues around Superfish, including offering tools to remove the software and certificate (See: Lenovo Group apologises to customers over Superfish software).

"We ordered Superfish pre-loads to stop and had server connections shut down in January based on user complaints about the experience. However, we did not know about this potential security vulnerability until yesterday (Thursday)," the Lenovo statement said.

Meanwhile, PC World reported that the same poorly designed and flawed traffic interception mechanism used by Superfish appeared to be in use in other software programs as well.

Superfish deployed a man-in-the-middle proxy component to interfere with encrypted HTTPS connections, undermining the trust between users and websites. It did this by installing its own root certificate in Windows and using that certificate to re-sign the SSL certificates presented by legitimate websites.

Security researchers have pointed out two major issues with the implementation: first, the software used the same root certificate on every system, and second, the private key corresponding to that certificate was embedded in the program and was easy to extract.

With that key now public, attackers could launch man-in-the-middle attacks against users who had Superfish installed, for example over public Wi-Fi networks or through compromised routers.
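A defender-side check for the root certificate described above, added here as an example; it is not part of the original report or of Lenovo's removal tool. It assumes Windows PowerShell with the standard Cert: drive, and matches on the vendor name only, since that is the one indicator the article gives.

```powershell
# Added example (not from the article): audit both Windows trusted-root stores
# for an interception root such as Superfish's, and for the general red flag of
# a trusted root whose private key is present on the endpoint.
$stores    = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$watchlist = @('Superfish')   # subject substrings to flag; taken from the article

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert = $_
        # Name match against the watchlist (assumption: subject carries the vendor name)
        $nameHit = @($watchlist | Where-Object { $cert.Subject -like "*$_*" }).Count -gt 0
        # A legitimate public root never ships its private key to endpoints
        $keyHit  = $cert.HasPrivateKey

        if ($nameHit -or $keyHit) {
            [pscustomobject]@{
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                NameMatch     = $nameHit
                HasPrivateKey = $keyHit
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    # Removal is a separate, deliberate step once a finding is confirmed, e.g.:
    #   Remove-Item -Path "Cert:\LocalMachine\Root\<Thumbprint>"
    # Removing the certificate alone does not remove the interception software itself.
} else {
    Write-Output "No watchlisted or private-key-bearing root certificates found."
}
```

A root that matches only on HasPrivateKey is not necessarily Superfish; treat it as a lead to investigate, not a verdict.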

It does not stop there: it turned out that Superfish relied on a third-party component for the HTTPS interception functionality, an SDK (software development kit) called SSL Decoder/Digestor made by an Israeli company called Komodia.

Researchers uncovered that the same SDK was integrated into other software programs, including parental control software from Komodia itself and from other companies.