Recent Lenovo laptops include what can only be described as malware, malware that intercepts all web traffic whether secured or not. The "VisualDiscovery" adware from a company called Superfish reads all web traffic and injects advertisements into web pages. In doing so it completely breaks HTTPS security.
Ordinarily, when your browser connects to a secure website, your browser inspects a certificate that vouches for the authenticity of the website, and uses an encryption "public key" from that certificate to encrypt information so that no one except the intended website can read your conversation. Your browser trusts the certificate presented by the website, because your browser trusts the Certificate Authority - the organization that issued the certificate.
The Superfish adware comes with its own HTTPS certificate - a certificate issued by, signed by, and controlled by Superfish. Instead of connecting directly to a secure web site, your browser connects to the Superfish adware, which in turn connects to the website.
I don't necessarily fault Lenovo for using advertising to generate some extra revenue. Amazon likewise uses advertising on some Kindle Fire products, and in exchange subsidizes the cost of the Kindle, offering it for a lower price. In Amazon's case though, this is completely transparent, clearly explained, and the purchaser has the option to pay an extra $15 or $20 to remove the ads and the subsidy. Personally I find an ad-supported device to be a little annoying, but I have no problem with a company giving me the choice between ads and a slightly higher price.
The problem with Lenovo's approach - aside from the fact that it was done without any disclosure - is that it completely breaks secure web communication. The Superfish adware decrypts all secure web traffic using the local certificate, so it has unfettered access to your usernames and passwords, bank accounts, email, social media, and anything else you do on the web.
Worse, Superfish appears to use the same certificate on all devices, so not only will a Lenovo PC trust the local Superfish adware - it would trust anyone else pretending to be the adware.
Why is this a bad idea? Public/private key encryption involves some complex math where you can use one number to encrypt your information, but have to use a different number to decrypt it. It's a bit like a mailbox with two keys - one key locks the mailbox, but a completely different key unlocks it. You could share the first key (called a public key because it is shared publicly) with anyone in the world. They could put mail into your mailbox and lock it with the public key, knowing that only with your second (private) key could you open the mailbox.
With legitimate secure websites, the company behind the website carefully protects the private key to their website. No one except the legitimate website has the private key, thus no one except the legitimate website can decrypt your messages.
In the case of the Superfish adware, every computer with this adware has the private key (otherwise the adware couldn't decrypt the web traffic and would thus be useless). This private key was quickly discovered and published, which means that any malicious actor now has the capability of reading and manipulating supposedly-secure web traffic on any PC with the Superfish program.
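A practical check for the situation described above, added here as an example and not part of the original post: connect to a site the way a browser would and look at who issued the certificate the client actually received. A public site whose certificate is issued by a locally installed CA rather than a public one is the signature of an interception proxy. The `INTERCEPTION_ISSUERS` list, the sample certificate dictionaries and `www.example.com` are constructed for illustration.

```python
"""Report which CA issued the certificate a TLS server presents to this machine.

With an interception proxy such as Superfish active, the leaf certificate seen
by the client is issued by the proxy's own CA, not by the public CA that signed
the site's real certificate.  The checks below work on the dict layout returned
by ssl.SSLSocket.getpeercert().
"""
import socket
import ssl

# Issuer names that indicate a locally installed interception CA.  "Superfish" is
# the vendor named in the post; extend this with your own findings (assumption).
INTERCEPTION_ISSUERS = ("Superfish",)

# Constructed samples in getpeercert() layout (not captured from a real device).
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Superfish, Inc."),),
               (("commonName", "Superfish, Inc."),)),
}
SAMPLE_CLEAN = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA Intermediate"),)),
}


def issuer_fields(cert: dict) -> dict:
    """Flatten the nested 'issuer' RDN tuples into a plain {attribute: value} dict."""
    fields = {}
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            fields[key] = value
    return fields


def is_intercepted(cert: dict, suspicious=INTERCEPTION_ISSUERS) -> bool:
    """True if the issuer's organization or common name matches a known interception CA."""
    fields = issuer_fields(cert)
    haystack = " ".join(fields.get(k, "") for k in ("organizationName", "commonName")).lower()
    return any(name.lower() in haystack for name in suspicious)


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Connect using the OS trust store (as a browser does) and return the parsed leaf cert.

    On a machine where the proxy's CA is NOT trusted, the handshake itself fails
    with a verification error, which is equally telling.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Run it against a public site and compare the reported issuer with the one you see from a machine you trust; a local root where a public CA should be is the finding.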
At the moment, I would not do any private web browsing on a Lenovo laptop unless I had installed the operating system from scratch (using original Microsoft media or a Linux distribution from a trusted source, not the "recovery partition" provided by Lenovo). Businesses normally do this. Home users, though, more often use the operating system pre-loaded by the manufacturer.
Coverage on the net:
- Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections [Ars Technica | Dan Goodin]
- Lenovo installs adware on customer laptops and compromises ALL SSL [Marc Rogers blog]
- Extracting the SuperFish certificate [ErrataSec | Robert Graham]
- How Lenovo's Superfish 'Malware' Works And What You Can Do To Kill It [Forbes]
- Lenovo shipping laptops with pre-installed adware that kills HTTPS [CSO Online]
- Lenovo preinstalls man-in-the-middle adware that hijacks HTTPS traffic on new PCs [PC World]
- Lenovo is breaking HTTPS security on its recent laptops [EFF]
- What You Need to Know About Superfish, The Man-in-the-Middle Adware Installed on Lenovo PCs [Tripwire | Graham Cluley]
- Superfish CA test [filippo.io | Caveat: given the author's track record, this site is probably safe, but a malicious certificate checker would be a great way to exploit a broken certificate]