Lenovo Computers Shipping With SuperFish HTTPS Spyware

Lenovo PCs have been shipping with pre-installed adware called Superfish.  This wonderful program does no less than the following:

1) Injects ads into web pages

2) Installs a self-signed root certificate into the Windows trusted root store; Superfish's local proxy then terminates each HTTPS connection and re-signs the site's certificate with that root, so the browser shows no warning while the traffic is being intercepted

3) Uses the same root certificate, and therefore the same private key, on every Lenovo PC it is installed on

4) Rob Graham of Errata Security extracted the encrypted private key from the Superfish software and cracked its password, which is "komodia". With that key anyone on the same network (an open Wi-Fi hotspot, for example) can Man in the Middle (MitM) HTTPS connections from any PC that trusts the Superfish root

5) The MitM works against Google Chrome too. That is not a failure of certificate pinning: Chrome deliberately does not enforce its pins for certificate chains that end in a root installed locally on the machine (to allow corporate interception proxies), so an OEM-installed root sidesteps pinning by design

Lenovo has stated that Superfish shipped only on computers built between October and December of 2014, on the following models:

G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30

If you are worried that your Lenovo may have Superfish installed, Filippo Valsorda, who built the online Heartbleed test, has also built a test for Superfish.  You can self-check your Lenovo at: https://filippo.io/Badfish/
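The online test only tells you whether the connection it sees was re-signed. A local check is more direct: look for the Superfish root in the Windows certificate stores and, once Superfish itself has been uninstalled, delete it. The script below is an added example for this post, not Lenovo's or Superfish's own removal tool. It assumes the installed root names itself "Superfish" in its subject (adjust $Pattern otherwise) and must be run from an elevated PowerShell, because LocalMachine\Root is read-only for ordinary users.

```powershell
# Find (and optionally remove) a root CA whose subject matches $Pattern.
# Added example for this post, not Lenovo's own tooling.
# Assumptions: the Superfish root's subject contains "Superfish"; run elevated.
param(
    [string]$Pattern = 'Superfish',   # substring to look for in the certificate subject
    [switch]$Remove                   # without -Remove the script only reports
)

$stores = @(
    'Cert:\LocalMachine\Root',        # machine-wide trusted roots (where Superfish installs itself)
    'Cert:\CurrentUser\Root',         # per-user trusted roots
    'Cert:\LocalMachine\CA',          # intermediate stores, in case the CA was also added there
    'Cert:\CurrentUser\CA'
)

$found = @()
foreach ($store in $stores) {
    if (-not (Test-Path $store)) { continue }
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like "*$Pattern*" } |
        ForEach-Object {
            $found += [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
            }
        }
}

if ($found.Count -eq 0) {
    Write-Output "No certificate matching '$Pattern' found in the Windows root/CA stores."
    return
}

# Report what was found; the thumbprint is what you would compare against Lenovo's advisory
$found | Format-Table -AutoSize

if ($Remove) {
    foreach ($item in $found) {
        # The Cert: provider supports Remove-Item on a certificate path
        Remove-Item -Path "$($item.Store)\$($item.Thumbprint)"
        Write-Output "Removed $($item.Thumbprint) from $($item.Store)"
    }
}
```

Run it once without -Remove to see what is there, then again with -Remove. Two caveats: uninstall the Superfish application first, otherwise it can put the certificate back, and check Firefox and Thunderbird separately, because they keep their own trust store that this script does not touch.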

Lenovo's official statement reads as though customers would welcome a third party sitting inside their HTTPS sessions. It does nothing to address the security concerns:

Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping. However, user feedback was not positive, and we responded quickly and decisively:

Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.
Lenovo stopped preloading the software in January.
We will not preload this software in the future.
We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns. But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software. We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first.

To be clear, Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. Users are given a choice whether or not to use the product. The relationship with Superfish is not financially significant; our goal was to enhance the experience for users. We recognize that the software did not meet that goal and have acted quickly and decisively.

We are providing support on our forums for any user with concerns. Our goal is to find technologies that best serve users. In this case, we have responded quickly to negative feedback, and taken decisive actions to ensure that we address these concerns. If users still wish to take further action, detailed information is available at http://forums.lenovo.com.

Post by Protocol 46