Everyone knows how easy it is to accidentally get some sort of malware onto your computer, especially if you browse “sketchy”-looking sites without a firewall. But until now, malware has been something that gets onto your computer after you buy it. Nobody would expect a brand new laptop to be delivered with malware pre-installed. Yet this is exactly what happened with Superfish, which affected millions of users worldwide.
It all started in Sept. 2014, when Lenovo began bundling software from a company named Superfish with its laptops. Superfish had actually been a headache for many users for much longer than that, but the version in question started shipping then. Marketed as a “visual search” app that enhances the browsing experience, in reality Superfish is just adware, if not borderline malware. Its sole purpose is to inject ads into your browser. Hardly something anyone would consider useful software, but it nevertheless shipped by default on Lenovo laptops.
This is certainly not unique to Lenovo, though. For years now, computer and phone manufacturers have been taking money from various nefarious companies in order to have their questionable software installed by default when the hardware ships. In some cases (I’m looking at you, McAfee) it is incredibly difficult for the end user to uninstall said software. And although what Superfish did was certainly not beneficial to anyone buying a Lenovo laptop, that is not nearly as big a deal as how Superfish did it.
In order to inject ads into your browsing, Superfish installs its own fake SSL certificate on your computer, which your browser then trusts. Certificates are the method by which browsers determine that they are connected to the actual website they asked for, and whether or not that connection is secure.
By issuing its own certificate, Superfish can make your browser think it is connected to a real website, when in fact it is connected to Superfish, which allows Superfish to place ads in the current webpage. To recap so far: Lenovo installed Superfish on its computers before selling them, then Superfish registered a fake certificate, which allows it to place ads on whatever website it wants. It gets worse, though.
In a stroke of pure genius, Superfish uses the exact same certificate for every computer it’s on, and the private key for this certificate has been published online. Through this, Superfish has gone from a slight annoyance to a full blown security threat. Since the key is public, anyone, not just Superfish, can use it to convince your browser that it’s connected to a real, secured website when it’s not.
So for instance, you could believe that you are sending your password to a bank, and the little lock would appear in your browser, indicating your connection is secure. In reality though, anyone with the key (which is everyone) could be listening, and take your username and password. Even worse, your computer has no way of telling whether or not it’s been compromised. And uninstalling Superfish doesn’t fix the problem! You have to manually go into the certificate list used by your browser, and remove the evil Superfish certificate.
So why should you care? Well, if you own a Lenovo laptop, use one of the many tools that have popped up online to figure out whether your computer is affected, and if so, go through the steps to remove the infection.
If you don’t use a Lenovo laptop, you should still care about what Lenovo and Superfish did.
In a world more and more dominated by digital transactions, keeping your passwords and information safe is more important than ever. Bank robbers’ weapon of choice has moved from guns to keyboards as our world moves online.
So you should care when a major computer manufacturer compromises the security of its user base without their knowledge by trying to make an extra buck bundling adware with its computers.