Lenovo Says It Disabled 'Superfish' Adware, But This Tool Is Still Detecting It

If you see a green “YES,” you may have a serious problem.
Image: Flickr/Donnie Nunley

When news broke that Lenovo installed third-party software to serve ads from a company called Superfish on many of its laptops, the cybersecurity world had a meltdown, and for good reason: the Superfish package leaves users completely vulnerable to having their communications intercepted, even on sites with encrypted connections.

According to a statement released by Lenovo today, the Superfish software has been disabled since January, and the company will no longer ship machines with the software pre-loaded. In a post on Lenovo's forums on January 23rd, Lenovo representatives stated they were awaiting a software fix from Superfish.


However, security researchers are still finding evidence of Superfish on some users' computers.

Security researchers from CloudFlare built a site called Badfish that Lenovo owners can use to easily test whether their machines are affected or not. Visit Badfish here. If your browser asks you to trust the site's certificate, you're all good. If you see a green "YES" instead, it means Superfish is intercepting the connection.

According to Badfish's creator, Cloudflare security researcher Filippo Valsorda, the site caught a stunning number of Superfish infections just today. "In the last 30 minutes, 269 out of 3380 (8%) test visitors resulted positive for Superfish," he tweeted today. According to a report by the Electronic Frontier Foundation, also released today, their Decentralized SSL Observatory has detected 44,000 Superfish certificates.

The software from Superfish is an adware package that injects ads into the web pages users visit by breaking secure HTTPS connections, the protocol for transferring encrypted data between computers and websites. Superfish installs its own certificate on the user's laptop and intercepts connections so that it can present a certificate of its own in place of the site's real one. The certificate is an important part of the "handshake" between the machine and the website that ensures both parties are who they say they are before an encrypted session can begin.

Superfish masquerading as a Bank of America HTTPS certificate. Photo via marcrogers.org.

This essentially means the user's communications are open to interception on every site they visit. Even worse, the encryption key used for Superfish's certificate is the same on every machine, and it was just cracked by Errata Security CEO Rob Graham, meaning any hacker can launch attacks on users without them knowing.
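Because the interception only works while the Superfish certificate sits in a trusted root store, a local check on the laptop itself is a useful complement to the Badfish site. The script below is an added example, not code from the article or from CloudFlare; it assumes the certificate's subject contains the string "Superfish" and searches the machine and current-user root stores for it.

```powershell
# Added example: look for a Superfish root CA in the Windows certificate stores.
# Assumption: the rogue root's subject contains "Superfish"; adjust $Pattern
# if the name on your machine differs.
$Pattern = '*Superfish*'

# Root stores the OS and browsers consult; a CA in either one is trusted.
$Stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$Findings = foreach ($Store in $Stores) {
    Get-ChildItem -Path $Store |
        Where-Object { $_.Subject -like $Pattern -or $_.Issuer -like $Pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $Store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                # Subject equal to Issuer means self-signed, i.e. a root CA.
                IsRoot     = ($_.Subject -eq $_.Issuer)
            }
        }
}

if (-not $Findings) {
    Write-Output 'No Superfish certificate found in the trusted root stores.'
} else {
    Write-Output 'A trusted root store contains a Superfish certificate:'
    $Findings | Format-Table -AutoSize
    # Remediation is to remove the root; the LocalMachine store needs an
    # elevated PowerShell. Uncomment the next line to remove what was found:
    # $Findings | ForEach-Object { Remove-Item -Path (Join-Path $_.Store $_.Thumbprint) }
}
```

Even after Lenovo's "disable" step, a root certificate left behind in the store keeps the machine exposed, which is exactly what this check reports.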

In other words, if you have Superfish on your Lenovo laptop, you're a dead duck in still water for hackers hunting for vulnerable users. "If this software or any of its control infrastructure is compromised, an attacker would have complete and unrestricted access to affected customers' banking sites, personal data and private messages," Marc Rogers, CloudFlare researcher and head of security for DEFCON hacker conference, wrote in a blog post.

If you own a Lenovo laptop, it might not be a bad idea to check Badfish to see if your machine has dangerous adware installed before an attacker gains access to your information.