Your Lenovo PC Has Adware That Lenovo Put There Itself
Irrespective of a manufacturer’s market standing, even a slight risk to its users’ data and security can come down heavily on the company. Superfish, a pre-installed adware program, has put Lenovo in exactly that situation today. Things went from bad to worse because of the inherent security flaws in the program: researchers revealed the key Superfish uses to create SSL certificates on all Lenovo machines.
Basically, the intent behind Superfish was to monitor a user’s browsing patterns, including private data, and share them with various agencies for advertising and financial gain, with the user seeing unwanted adverts while browsing as a result.
As unwelcome and frustrating as this is for an ordinary user, the masked maliciousness of Superfish does not end there.
By installing itself as an unrestricted root certificate authority, it mints fake SSL certificates on demand whenever a secure connection is requested. So when a user visits a website over a secure connection, the site certificate is actually signed and controlled by Superfish, which falsely presents it as the website’s own certificate. As a result Superfish can intercept all the private traffic and use it to push ads even into these secure websites.
To make things worse, the private key for the Superfish-signed Transport Layer Security certificate is the same on all Lenovo machines. So attackers can easily create certificates for fraudulent sites masquerading as trusted institutions such as banks and e-commerce websites, and the oblivious user becomes even more vulnerable because he or she is never warned about the forged websites.
The most recent update puts all Lenovo consumers at greater risk: the password that encrypted the Superfish certificate’s private key has now been cracked by Rob Graham, CEO of security firm Errata, bringing to light another vulnerability in an already insecure environment.
Calling it ‘trivial to extract’, Graham is reported to have said that it took him just 3 hours to identify the password as “komodia” (without the quotes). This exposes every Lenovo user with Superfish installed on their machine to man-in-the-middle attacks that go undetected: with this key, even an amateur attacker can read all of a user’s encrypted activity during an apparently secure session.
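Because the forged certificates chain to a single root that the article says is present on every affected machine, a defender can check an exported trust store for it. The script below is an added example, not code from the article or from Lenovo; it assumes the root store has already been exported to a PEM bundle, that openssl is on PATH, and that a subject containing "Superfish" is the string to match (the article gives no fingerprint, so compare the SHA-1 it prints against the vendor advisory rather than trusting the name alone).

```shell
#!/bin/sh
# Added example, not from the article or Lenovo: audit an exported PEM bundle of
# trusted root certificates and flag any whose subject mentions Superfish.
# Assumptions: the trust store has been exported as PEM, openssl is available,
# and "Superfish" in the subject is the string to look for.
set -eu

# find_superfish_roots BUNDLE.pem
# Prints "<sha1 fingerprint> <subject>" for every matching certificate, one per
# line, and prints nothing when the bundle is clean.
find_superfish_roots() {
    bundle="$1"
    dir=$(mktemp -d)
    # split the bundle into one file per certificate
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n > 0 { print > (d "/cert" n ".pem") }' "$bundle"
    for c in "$dir"/cert*.pem; do
        [ -f "$c" ] || continue
        subj=$(openssl x509 -in "$c" -noout -subject)
        case "$subj" in
            *[Ss]uperfish*)
                fp=$(openssl x509 -in "$c" -noout -fingerprint -sha1 | cut -d= -f2)
                printf '%s %s\n' "$fp" "$subj" ;;
        esac
    done
    rm -rf "$dir"
}

# make_self_signed "/CN=name" OUT.pem : constructed test data only; generates a
# throwaway self-signed certificate so the audit can be exercised offline.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null -days 1 \
        -subj "$1" -out "$2" 2>/dev/null
}

# Constructed sample: one clean root and one "Superfish" root in a single bundle.
demo_bundle() {
    d=$(mktemp -d)
    make_self_signed "/CN=Example Good Root" "$d/good.pem"
    make_self_signed "/CN=Superfish, Inc." "$d/bad.pem"
    cat "$d/good.pem" "$d/bad.pem" > "$d/bundle.pem"
    printf '%s\n' "$d/bundle.pem"
}

# Stand-alone run: ./audit.sh --demo   (or pass a real bundle to find_superfish_roots)
if [ "${1:-}" = "--demo" ]; then
    find_superfish_roots "$(demo_bundle)"
fi
```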
Lenovo did acknowledge that Superfish was pre-installed on laptops shipped between October and December 2014, but went on to say that the Lenovo-Superfish partnership was discontinued this January with no plans to renew the contract. Its denial of the risks to users’ security, however, has shocked many: “we have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.”
Although Lenovo termed the technology behind Superfish ‘innocuous’ only last month, it has now become obvious that the company either was in complete denial about the level of threat it posed or could not foresee how it would damage its reputation in the coming months.