A major misstep in the way Lenovo builds its computers underscores the risks of pre-installing software on digital products.
Superfish, a software program that enables the injection of ads into web pages, is making Lenovo computers vulnerable to malicious attacks and eavesdroppers.
Computer makers are in the habit of pre-configuring their products with certain software programs, ostensibly to help users operate the machine from the first start-up. The practice shows how invasive these manufacturers can get, and Lenovo is one of them.
Now the nosy manufacturing practice has backfired: new security research found that Superfish hijacks the certificates of web pages in order to circumvent the security process, and in doing so has opened the gates for hackers to exploit it.
To give some context on what happens when you browse, here is an illustration. Connecting to a website securely requires two stages, encryption and authentication. Encrypting the communication prevents third-party prying eyes, hackers in particular, from monitoring your connection. The authentication phase confirms the identity of the website you are visiting, so that when you are viewing, say, TechWalls, there is a guarantee that the page you are looking at is what it claims to be. This is done through a certificate issued by a trusted third-party security provider, a certificate authority.
Remove these protections and you are exposed to hijackers. That is exactly what Superfish has done. The program takes over the standard authentication process and vouches for a website’s identity itself, without performing the actual security check that a robust authentication provider would have carried out.
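To make the authentication step concrete, here is an added example, written for this article and not taken from it or from Lenovo or Superfish, in Go using only the standard library. It constructs a stand-in public CA, a stand-in interception root (named "Constructed Interception Root" as a placeholder, not the real Superfish root), and a genuine and a forged certificate for example.com. It then runs the chain check a browser performs against a clean trust store and against one into which the interception root has been inserted, and finishes with the simple audit a defender would run on an affected machine: listing any root in the store that is not on an allowlist of expected CAs. Every certificate and name in it is constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Scenario collects the outcomes of the three verification attempts plus the audit.
type Scenario struct {
	GenuineOnCleanStore  bool     // genuine site cert, only the real CA trusted
	ForgedOnCleanStore   bool     // forged site cert, only the real CA trusted
	ForgedOnTaintedStore bool     // forged site cert, interception root also trusted
	UnexpectedRoots      []string // roots in the tainted store not on the allowlist
}

// mint creates a constructed certificate. With parent == nil it returns a
// self-signed root (stand-in for a public CA or an injected interception root);
// otherwise a server certificate for name, signed by parent.
func mint(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed root that may sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	} else { // server certificate bound to the host name
		tmpl.DNSNames = []string{name}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// chainsToStore is the authentication step a browser performs: the site cert
// must chain to a root in the trust store and match the requested host name.
func chainsToStore(site *x509.Certificate, host string, store []*x509.Certificate) bool {
	roots := x509.NewCertPool()
	for _, c := range store {
		roots.AddCert(c)
	}
	_, err := site.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// unexpectedRoots is a simple audit: report every root whose subject is not
// on the allowlist of CA names the machine is expected to trust.
func unexpectedRoots(store []*x509.Certificate, allow map[string]bool) []string {
	var out []string
	for _, c := range store {
		if !allow[c.Subject.CommonName] {
			out = append(out, c.Subject.CommonName)
		}
	}
	return out
}

// RunScenario plays out the situation described in the article with constructed certs.
func RunScenario() (Scenario, error) {
	const host = "example.com"
	realCA, realKey, err := mint("Constructed Public CA", nil, nil)
	if err != nil {
		return Scenario{}, err
	}
	// Placeholder for an injected interception root; not the real Superfish certificate.
	rogueCA, rogueKey, err := mint("Constructed Interception Root", nil, nil)
	if err != nil {
		return Scenario{}, err
	}
	genuine, _, err := mint(host, realCA, realKey)
	if err != nil {
		return Scenario{}, err
	}
	forged, _, err := mint(host, rogueCA, rogueKey) // anyone holding the rogue key can do this
	if err != nil {
		return Scenario{}, err
	}
	clean := []*x509.Certificate{realCA}
	tainted := []*x509.Certificate{realCA, rogueCA} // what pre-installing the root does to the store
	return Scenario{
		GenuineOnCleanStore:  chainsToStore(genuine, host, clean),
		ForgedOnCleanStore:   chainsToStore(forged, host, clean),
		ForgedOnTaintedStore: chainsToStore(forged, host, tainted),
		UnexpectedRoots:      unexpectedRoots(tainted, map[string]bool{"Constructed Public CA": true}),
	}, nil
}

func main() {
	s, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", s)
}
```

The forged certificate is rejected as long as the trust store is clean; the moment the interception root sits in the store, the same forged certificate passes the browser's check, which is the situation the article describes. The allowlist audit is the part worth keeping: on a real machine the store would be read from the operating system rather than built in memory, and the allowlist would be the vendor's published list of roots.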
Presumably, what Lenovo had in mind when it pre-installed Superfish on its laptops was to allow ads in web pages secured with the HTTPS protocol.
For some computer experts, manipulating Superfish is easy. In fact, there is already a known way around the program, such that anybody who knows it can compromise the software for their own malicious activities. This is good news for phishing campaigners, who can now deceive users into their tricky business.
As of January 2015, Lenovo has halted the pre-installation of the Superfish software on its laptops, at least at the production level, so new Lenovo computers should be safe. However, units shipped from October to December 2014 are affected, so you should use the official removal tool right now.
The flaw reveals a lack of serious security auditing on Lenovo’s part, and that does not bode well for its millions of customers.