Lenovo is so screwed. The world's largest manufacturer of PCs and laptops has been caught pre-installing software that completely subverts users' security to insert adverts into their web browsing -- and leaves them open to attack by anyone else. The company's response has been nothing short of pathetic. The brand is likely to suffer irreparable damage, and deservedly so.

The software, called Visual Discovery and made by a company called Superfish, analyses the web pages that a user visits and inserts advertising for related products. Many web browsing sessions are of course encrypted to preserve users' privacy. Superfish breaks into those sessions by installing its own root certificate in Windows' trusted certificate store and then presenting a forged certificate for whatever site the user visits; the browser accepts it because it chains back to that planted root. And it does so in such a ham-fisted way that an attacker can easily take advantage: the same root certificate, with the same private key, shipped on every affected laptop, so anyone who extracts that key can forge a certificate for any website those machines will trust. As Graham Cluley explains, or as Ars Technica details in its more technical overview, this is what information security practitioners call a "man in the middle" (MITM) attack. Users think they're communicating securely with the intended website, but in reality their traffic is being intercepted, decrypted, monitored and re-encrypted before being passed on to its intended destination.

Lenovo customers first noticed and complained about Superfish's software a few months back. In January the company announced that it had stopped installing it on new computers, and that it had turned off the servers that did the analysis at its end. But even if users uninstall the software, the Superfish root certificate stays in Windows' trusted store, and users remain vulnerable to anyone holding the key. Lenovo's statement was remarkably tone-deaf. A childish we-didn't-do-nuffin:
"To be clear, Superfish technology is purely based on contextual/image and not behavioural. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. Users are given a choice whether or not to use the product. The relationship with Superfish is not financially significant; our goal was to enhance the experience for users. We recognize that the software did not meet that goal and have acted quickly and decisively."
Lenovo denies any security risk. "We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns," the company wrote. But it can't have investigated very hard. The global information security community became aware of Lenovo's activities yesterday, and the reaction has been scathing. Wired called the response "astonishingly clueless":
"Robert Graham, the CEO of [an] internet security firm called Errata Security, doesn't mince words in assessing the situation. 'This is a bald-face lie,' he says of Lenovo's statement. 'It's obvious that there is a security problem here.' Graham took just three hours to crack Superfish's security. 'I can intercept the encrypted communications of Superfish's victims (people with Lenovo laptops) while hanging out near them at a cafe wifi hotspot,' Graham wrote in a blog post detailing how he did this."
It's possible that things haven't completely gone to shit. Yet. Security researcher H D Moore tweeted that he'd scanned the public internet and didn't find any HTTPS servers presenting certificates signed by the Superfish root, which is what an attempt to exploit this would look like from the outside.