Lenovo has been accused of deploying a new kind of malicious software that, by hijacking a user's Internet connection, forces them to see ads approved by the company. The malware, known as “Superfish,” renders encryption irrelevant and makes it possible for hackers to easily pose as Google, Bank of America and other institutions that users implicitly trust with their most sensitive information.
Lenovo customers have been complaining about Superfish since last year, claiming that there is no way for them to stop the company from interfering with their Web activity. Superfish broke the HTTPS connection, which protects users when they enter their log-in credentials or financial information on any major website. However, while doing so, Lenovo failed to adequately cover its own tracks and left users vulnerable to victimization from nefarious third parties.
This type of attack, known as a man-in-the-middle attack, undermines the entire idea of HTTPS protection, a fundamental piece of online encryption.
“This means that hackers at your local cafe WiFi hotspot, or the NSA eavesdropping on the Internet, can use that private-key to likewise intercept all SSL [encrypted] connections from Superfish users,” Robert Graham of Errata Security told Forbes, adding that Superfish is “an egregious security failure.”
Mark Hopkin, a Lenovo community administrator, announced late in January that the company would no longer install the malware onto new computers, at least until the company can “build a software that addresses these issues.”
Yet Superfish dates back by at least two years and Lenovo, which is the biggest PC manufacturer in the world, sold 16 million computers in the 4th quarter of 2014 alone.
Google Chrome and Internet Explorer users are most vulnerable, while the Firefox browser appears to be largely unaffected as it has its own list of SSL certificate providers.
However, the good news is that it's not difficult to find out whether you've been affected. To check for Superfish:
1. Open the Windows Control Panel. Search for “certificates.”
2. Follow the Administrative Tools link to the “manage computer certificates” option.
3. Follow the “Trusted Root Certification Authorities” link, then the “Certificates” link.
4. Try to find a certificate that includes mention of “Superfish Inc.” If it's there, you're vulnerable.
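The same check can be scripted from a PowerShell prompt. The following is an added example, not code from the article or from Lenovo; it assumes that the offending certificate can be recognised by the string “Superfish” in its Subject or Issuer field (the article's step 4 looks for “Superfish Inc.”), and it only reads the stores, so it reports but does not change anything:

```powershell
# Added example: look for a Superfish certificate in the Windows trusted root stores.
# Read-only: it lists matching certificates and changes nothing.
# Assumption: the certificate is identifiable by "Superfish" in Subject or Issuer.
$stores  = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$pattern = '*Superfish*'

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like $pattern -or $_.Issuer -like $pattern } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
}

if ($found) {
    Write-Output 'Superfish certificate present in a trusted root store (affected):'
    $found | Format-Table -AutoSize
} else {
    Write-Output 'No Superfish certificate found in the trusted root stores.'
}
```

The script checks both the machine-wide and the current-user root stores, since a root certificate trusted in either one is enough for a browser that relies on the Windows certificate store (Chrome and Internet Explorer, as the article notes) to accept certificates signed by it. Run it from an elevated prompt so the LocalMachine store can be read.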
The bad news for anyone affected by the security flaw is that there is no sure-fire way to delete the certificate. The safest option, according to multiple security experts, is to back up your computer's most sensitive files and reinstall the entire operating system.
The glaring security flaw immediately prompted outrage and mockery from the tech punditry:
What Lenovo/Superfish have done is Wrong. They have violated norms and practices and, to technologists, professional ethics.
— InfoSec Taylor Swift (@SwiftOnSecurity) February 19, 2015
We gave ad networks a central position in the web and mobile/tablet economies, and this is what we get. #superfish
— matt blaze (@mattblaze) February 19, 2015
Without Superfish, how can consumers know for sure they are getting the latest, freshest content?
— Prof. Jeff Jarvis (@ProfJeffJarvis) February 19, 2015