Layperson’s Guide to Lenovo & Superfish

You’ve probably heard about Lenovo’s recent security dust-up but you probably have no idea what to make of it. As usual, the mainstream press hasn’t done a very good job of explaining computer security stories. Let’s take a look at what actually happened, its consequences, and what should be done in the future.

What Lenovo & Superfish said they did

Lenovo’s basic goal was to make money by selling ads on their computers. To do this, they took the normal Windows operating system and added software from a company called Superfish that would display additional ads on some websites. The normal ads that you might see on a normal website—say Google search results—are still there. They just added a few more. But, almost every PC manufacturer adds crapware to their computers. What’s the big deal?

What Lenovo & Superfish actually did

An analogy

To explain what actually took place, let’s take a step back and look at an analogy. Imagine a letter carrier needs to make some extra money to help make ends meet. His buddy recently picked up a mail truck at auction.

The letter carrier and his buddy decide to repaint the truck identically to the letter carrier’s work truck. Every day the letter carrier goes to work, gets his truck, and drives to his buddy’s house. His buddy opens every piece of mail, staples, glues, or slips extra ads into it, and reseals it so it looks untouched.

Since this process takes a few hours, the letter carrier takes the fake truck and delivers the previous day’s mail that now includes the extra ads. At the end of the day, he takes the fake truck back to the post office. The next day, he takes the fake truck filled with the new day’s mail from the post office to his buddy’s house, grabs the real truck, and delivers the previous day’s mail.

This is more or less the analog equivalent of what Superfish’s software was doing with its adware. Oh, and the best part? Superfish pretty much did the equivalent of leaving the keys in the mail truck parked at the letter carrier’s buddy’s house so anyone off the street was free to use the truck for their own purposes.

Back to real life

Lenovo and Superfish wanted to insert ads into webpages, and the pages that would generate the most money were search results, because the goal was to target ads at people who were searching to buy things. Inserting ads would be very easy to do on any ordinary HTTP website, since the page travels across the internet in the clear.

The problem with this plan was that Google and other search engines have started using HTTPS on their sites. This technology prevents anyone between the search engine’s servers and the user’s web browser from seeing or changing a webpage as it travels across the internet to the user. This is exactly what banks use to secure their online banking connections.

So, this adware couldn’t just insert ads into Google search results without the browser showing big security warnings to the user. To get around that, the installer added its own root certificate (along with the matching private key) to the list of certificate authorities that Windows trusts. With that trust in place, the adware could sit between the browser and every HTTPS website the user visited, decrypt the traffic, change it, and re-encrypt it. Because the root certificate was trusted by the Windows operating system, the web browser would not throw up the big security warnings.

But, wouldn’t somebody notice the lock icon or the green address bar was missing from their web browser? No: for every HTTPS website the user visited, the adware generated a brand-new certificate for that site on the fly and signed it with the Superfish root. Since Windows trusted that root, the browser accepted the forged certificate and displayed the padlock and green address bar as usual. So, most people would assume that everything was okay.

The only catch was that if a paranoid person went looking at the equivalent of the mail truck’s registration, they would see that it wasn’t issued by the internet equivalent of a government agency. It’s not quite the same thing, but for this discussion they’re close enough (they’re actually called certificate authorities, and you can see one by clicking the padlock in your browser and looking at who issued the certificate).

For example, if you visited https://www.BankOfAmerica.com, you would expect the registration to be issued by a well-known certificate authority. On an affected laptop, the registration would instead be issued by Superfish, Inc.

But they stopped the ads! What’s the big deal?

Yes, you’re absolutely right. Lenovo did stop inserting ads and removed the adware portion of the system from all computers back in January. But remember that little trick to re-“secure” websites? That piece of the system, the Superfish root certificate in the Windows trust store, was left in place. Worse, the private key for that root certificate was shipped inside the software on every affected laptop, protected only by a simple password. The password was cracked in just 3 hours by security professional Robert Graham.

Now that the password (and the private key that it protected) is public, anyone can sign a certificate for any website they like, and every affected Lenovo laptop will trust it. That means a malicious website, or anyone sitting between you and the real website (on a coffee-shop Wi-Fi network, for example), can impersonate your bank, your email provider, or any other HTTPS site. On these laptops, that fake site would still show the lock icon and green address bar.

Lenovo’s response

When Lenovo was confronted with this issue Thursday morning, they initially responded by sticking their head in the sand. Statements released to The Next Web (see update #2) and Ars Technica by Lenovo read in part:

We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.

This was clearly not the case and to Lenovo’s credit, they have since updated their original statement. Late Thursday, Lenovo’s Chief Technical Officer pledged to provide a tool to remove the Superfish software. On Friday, Lenovo made good on that promise by releasing that tool.

What should I do now?

If you have a Lenovo laptop, the easiest way to check if you’ve been affected is to use this web checker. It would also be a good idea to look at Lenovo’s Superfish website to see if your model may have been affected. Keep in mind that uninstalling the Superfish program is not enough on its own: the root certificate has to be removed from the Windows trust store as well, which is what Lenovo’s removal tool does.
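For readers who would rather check the trust store themselves than rely on a web page, here is an added example (not code from the original post, Lenovo, or Superfish) that performs the “look at the registration” check from the previous section directly: it scans the machine-wide and per-user Trusted Root Certification Authorities stores for any certificate whose subject or issuer names Superfish, which is the issuer the post says a victim’s browser would show for https://www.BankOfAmerica.com. The only identifier it assumes is the string “Superfish”; everything else is standard PowerShell certificate-store handling. Run it in PowerShell on the Windows laptop in question.

```powershell
# Added example (not from the original post): look for a Superfish root
# certificate in the Windows trust stores and show what the browser would see.
# The only assumption is that the certificate's subject or issuer contains the
# string "Superfish"; the store paths and cmdlets are standard Windows PowerShell.
# Removing the certificate requires an elevated (Run as administrator) prompt.

function Find-SuperfishRoot {
    param(
        # Stores where a root CA installed by software would land: machine-wide
        # and per-user "Trusted Root Certification Authorities".
        [string[]]$StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match 'Superfish' -or $_.Issuer -match 'Superfish' } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $path
                    Subject       = $_.Subject
                    Issuer        = $_.Issuer
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    # A root certificate is self-signed; once it sits in the Root
                    # store, Windows trusts every certificate it has signed, which
                    # is exactly how the forged bank certificate gets its padlock.
                    SelfSigned    = ($_.Subject -eq $_.Issuer)
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

$found = @(Find-SuperfishRoot)
if ($found.Count -eq 0) {
    Write-Host 'No Superfish root certificate found in the Windows trust stores.'
} else {
    Write-Host "Found $($found.Count) Superfish certificate(s):"
    $found | Format-List

    # Removal: uncomment after confirming the entries above. This only deletes
    # the trust anchor; the adware program itself must be uninstalled separately
    # (Lenovo's removal tool, mentioned above, does both).
    # $found | ForEach-Object {
    #     Remove-Item -Path (Join-Path $_.Store $_.Thumbprint) -ErrorAction Stop
    # }
}
```

Two caveats when using this. First, a clean result only covers programs that use the Windows certificate store; Firefox keeps its own list of trusted roots, so check that separately if you use it. Second, the check matches on the name “Superfish” because that is what the post documents; a different adware product using the same trick would need a different search string, so a more general review is to list every self-signed certificate in `Cert:\LocalMachine\Root` and ask where each one came from.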

If you’re in the market for a new computer, I probably wouldn’t recommend buying a Lenovo computer for at least 6 months. Lenovo doesn’t seem to have intentionally acted maliciously, but since they’ve done something this bad, it makes you wonder what else they might have done. I really think they will sort this out and should be a better company as a result of it in the future.

If you know me, you probably know that I like Apple’s technology. That’s true, but I’m not going to tell everyone to switch to a Mac. If I were in the market for a Windows laptop (I’m not because I’m a relatively poor college student), a Lenovo Yoga series laptop would have been among my top choices. At the moment? Not so much. In a year or two? I’d be willing to consider it.

Additional sources

InfoSec Taylor Swift (@SwiftOnSecurity): “Goodbye Lenovo, and thanks for all the Superfish.” [parody]

Ars Technica: Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections [Updated]

Ars Technica: Lenovo CTO says, “We didn’t do enough,” promises to wipe Superfish off PCs

Ars Technica: How to remove the Superfish malware: What Lenovo doesn’t tell you

Fast Company: The worst thing about Lenovo’s adware isn’t the adware

PCWorld: Lenovo preinstalls man-in-the-middle adware that hijacks HTTPS traffic on new PCs

PCWorld: How to remove the dangerous Superfish adware preinstalled on Lenovo PCs