
Thursday, February 19, 2015

Bad Move Lenovo

Shortcut: If you just want to see if this is something you have to worry about for your computer, skip down to the heading "So here is what to do to see if your device is vulnerable" near the bottom.

If you own a Lenovo brand laptop, you might have a problem.  If you are thinking of buying one, stop and read this first!

Recently Lenovo decided to pre-install a program called Superfish on their laptops. In a nutshell, it acts as the guard dog that tells you whether a website's secure certificate (the thing that puts the "https://" in the address bar) is legit.

Normally that check is done by a trusted authority, usually the company that issued the security certificate, but Superfish intercepts the normal protocol and does the vouching itself.

So the question is why would Lenovo and Superfish go through the effort and expense to do this?  The answer is good old-fashioned greed.

Lenovo wants to "enhance" your search results with brands that happen to pay them advertising dollars.  It works like this:
  1. You go to your search engine and search for an item.
  2. Your search engine returns the results to your browser (giving preference to their own paid advertisers).
  3. Superfish intercepts the page and throws in its own ads (which will probably not get caught by your ad blocking software).
  4. The edited page is sent to your browser (by the way, it makes no difference what browser you use).
This is irritating, but why is it anything more than that?  Let's jump back to the secure certificates.  When you go to a (reputable) search engine, it uses encryption (https://) to protect your connection and prevent anyone from tampering with it.  If Superfish hadn't taken over as the certificate watchdog, you would get a warning in the padlock section of your browser telling you that the data was altered after it was sent to you.  Superfish prevents that warning from ever appearing.

Alright, so this is irritating and I don't know if my search results are legit, but is there more?  Sadly yes.  It appears that the developers of Superfish were a bit sloppy and left their program open to being hacked and abused, so what this really means is:

If you have Superfish running on your computer, it is possible for ANY "encrypted" website to be listened in on or altered without your knowledge!

Think online banking, stock trading, healthcare.  Not pretty.


So here is what to do to see if your device is vulnerable:

1. Go to this website: https://filippo.io/Badfish/

It will tell you if your computer has Superfish installed.  If you do, it will help you with instructions on how to remove it, hopefully without having to reinstall Windows.

2. Send a message to Lenovo that you don't appreciate their actions.  You can use their website, the hashtag #Lenovo (they're listening) or better yet, with your wallet the next time you buy a computer.
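If you would rather check from the command line, here is an added example (my own script, not something from the Badfish site or from Lenovo) that looks for the Superfish certificate in Windows' trusted root stores and then connects to a real HTTPS site to see whose certificate the browser would actually be shown. It assumes a Windows machine with PowerShell 3 or later, that the injected root certificate carries the name "Superfish" in its subject, and it uses www.example.com as a stand-in for any public site.

```powershell
# Added example: two checks for the kind of HTTPS interception described above.
# Assumes Windows with PowerShell 3+, and that the injected root names "Superfish".

# Check 1: is a Superfish root certificate installed as a trusted root?
# Any other root you don't recognise in this list deserves the same scrutiny.
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$suspect = Get-ChildItem $stores | Where-Object { $_.Subject -like '*Superfish*' }
if ($suspect) {
    "Suspicious trusted root certificate(s) found:"
    $suspect | Select-Object Subject, Thumbprint, NotAfter | Format-List
} else {
    "No Superfish root certificate found in the trusted root stores."
}

# Check 2: connect to a public site and inspect the certificate chain we are given.
# A public site's chain should end at a well-known public CA. If it ends at a root
# that exists only on this machine, something local is rewriting your TLS traffic.
function Get-TlsChainRoot {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever certificate is presented: we want to inspect it, not trust it.
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Build the chain the same way Windows would, then look at its last link.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        [void]$chain.Build($leaf)
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        [pscustomobject]@{
            Host        = $HostName
            LeafIssuer  = $leaf.Issuer
            ChainRoot   = $root.Subject
            Intercepted = ($leaf.Issuer -like '*Superfish*') -or ($root.Subject -like '*Superfish*')
        }
    } finally {
        $client.Close()
    }
}

# www.example.com is just a stand-in; any public HTTPS site works for this check.
Get-TlsChainRoot -HostName 'www.example.com' | Format-List
```

If "Intercepted" comes back True, or the chain root is anything other than a public certificate authority you recognise, follow the removal instructions from the Badfish page rather than just deleting the program, since the trusted root certificate is the part that does the damage.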



Additional resources:
http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
http://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-need-to-know/



I hope that this was helpful.  Be safe out there, the internet is a wild place!

Alex

