Superfish Lenovo Security Issue Raises Concerns about Trust

Joe Reithmeier February 27, 2015

What Does this Mean For Your Company’s Information Security?

You may have read or heard about the recent Superfish Lenovo security fiasco (for lack of a better word) that has most recently resulted in Lenovo and Superfish being hit with class-action lawsuits charging them with “fraudulent business practices” as well as Lenovo’s website being breached by hacking group Lizard Squad.

In addition to the information security issues, this situation raises larger concerns about consumer trust. Businesses, regardless of industry, need to place trust in the manufacturers from which they purchase the equipment that runs their business.

This is especially true when it comes to information technology, because unless a company is manufacturing its own components to assemble servers, computers, firewalls, etc., it will need to purchase hardware from a manufacturer. Those who placed their trust in Lenovo were let down in a big way by the company recently.

Let’s take a brief look at what happened, and at the lessons businesses can take from it to reduce the likelihood of purchasing IT hardware with similar vulnerabilities.

So what exactly did Lenovo do?

Most computer manufacturers—including many of the major brands—take money from companies to place pre-installed software, often known as “bloatware,” on their computers. Many of these adware programs are designed to “enhance customer experience” by displaying relevant ads on websites based on a user’s search and browsing history. In this most recent case, Superfish Visual Search was the bloatware that was pre-installed and sold with new Lenovo computers.

What was different in this case was how deeply Superfish was installed on the computers. Lenovo allowed Superfish to install a self-signed root CA certificate into the system’s trusted certificate store, alongside software that intercepts all secure (HTTPS) browsing. This left users vulnerable to a “man-in-the-middle attack,” in which their secure communications could be intercepted, provided someone was able to extract the certificate’s private key, which was included with the software.

Sure enough, the private key (which was the same across all Lenovo devices shipped with Superfish) was decrypted by researchers, potentially giving a malicious attacker who is eavesdropping on the same network access to sensitive user information. This could be accomplished on a network such as a public Wi-Fi connection without the user’s knowledge.

What can businesses do to avoid being faced with a similar situation?

First and foremost, if you are currently utilizing a Lenovo computer that may have come with Superfish pre-installed, make sure you remove it ASAP. Lenovo now has a guide with detailed instructions for removal.
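Because the exposure described above comes from a Superfish root certificate sitting in the Windows trusted root store, the first thing to check on a possibly affected machine is whether that certificate (and the application that installs it) is still present. The following PowerShell is an added example, not part of the original article or of Lenovo’s removal guide; it assumes the certificate’s Subject and the application’s DisplayName contain the string “Superfish”.

```powershell
# Added example: detect (and optionally remove) a Superfish root certificate
# from the Windows trusted root stores, then check whether the Superfish
# application is still installed. Assumption: the certificate subject and the
# program's DisplayName contain "Superfish".
$pattern = '*Superfish*'
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like $pattern -or $_.Issuer -like $pattern } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter,
                      @{ n = 'SelfSigned'; e = { $_.Subject -eq $_.Issuer } }
}

if (-not $found) {
    Write-Host 'No Superfish root certificate present in the trusted root stores.'
} else {
    Write-Warning 'Superfish root certificate(s) found; HTTPS traffic on this machine can be intercepted:'
    $found | Format-Table -AutoSize

    # Removal: run elevated for the LocalMachine store, and uninstall the
    # Superfish application first (per Lenovo's guide) or it may re-add the
    # certificate. Drop -WhatIf to actually delete.
    foreach ($cert in $found) {
        Remove-Item -Path (Join-Path $cert.Store $cert.Thumbprint) -WhatIf
    }
}

# Is the Superfish application itself still installed? Look through the
# standard uninstall registry keys (64-bit and 32-bit views).
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $pattern } |
    Select-Object DisplayName, DisplayVersion, UninstallString
```

Run it again after following the removal guide; a clean machine should report no certificate and return no uninstall entry.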

For decreasing the odds of a similar adware or bloatware security issue occurring again, unfortunately for businesses, much of the onus is on the manufacturers. Unless businesses are going to start building their own computers from scratch, they are left with few options for protecting themselves from a vulnerability like the one caused by Superfish.

One option for businesses is to assume that, going forward, any computer they purchase needs to be completely reformatted and its operating system reinstalled. This option is both costly and time-consuming, as it requires additional labor for each machine. Even if a computer is reformatted and its operating system is reinstalled, there is no 100% guarantee that there isn’t something in the physical hardware or the BIOS (basic input/output system) of the computer that will still cause an issue.

A second option is for companies to purchase Microsoft Signature Edition PCs. Microsoft touts these computers as having “no third-party junkware or trialware installed.” This option is usually more costly, as prices for Signature Edition computers tend to be slightly higher. Also, when purchasing a Signature Edition PC, you are placing trust in Microsoft that any software pre-installed by them will not result in security issues. Notice that they say there is no “third-party” junkware or trialware installed. They could, however, be pre-installing some of their own trialware.

On the whole, it is prudent for businesses to spend a little more money on certain computers, whether Microsoft Signature Edition or other enterprise-grade equipment, because manufacturers need to recoup fewer costs on these more expensive items and so are less likely to ship them with pre-installed third-party bloatware.

Should business users do anything differently as a result of the Superfish Snafu?

Since this security issue was a result of pre-installed software, there wasn’t much users could have done to avoid having the vulnerability on their computers. This may be a good time for businesses to reemphasize to their users the security threats that come with using public or unsecured Wi-Fi connections. It is generally best to avoid public Wi-Fi if you can, but if you must use it, do not visit sites such as your online banking or any applications holding sensitive business data. Even though your computer may tell you that you are browsing securely, you may not be.

Additionally, the presence of Superfish and other bloatware, adware or junkware should remind users to decrease their software footprint on their desktops, laptops, tablets and even mobile devices. The more programs and applications you have installed, the larger your footprint is. The larger your footprint, the bigger a target you present to potential attackers.

By eliminating unnecessary applications, you reduce the number of programs you must keep up to date and should help your computer perform better. Of course, care should be taken when removing any applications or modifying your computer’s settings. When in doubt, consult an IT expert.

Are you a Lenovo laptop owner who experienced issues because of Superfish? Have you experienced any other issues with bloatware? We’d like to hear from you in the comments below.

Have any questions about bloatware or your business’s information security in general? Contact us today to speak to an IT expert.
