Tearing Down Lenovo’s Superfish Statement

Mattias Geniar, February 19, 2015

The last 48 hours have been interesting, given Lenovo has been caught installing Man-in-the-Middle root certificates on newly purchased laptops via spyware known as Superfish.

It’s even more interesting now that the private key to that root certificate has been compromised. The password “komodia” tracks back to a known/commercial SSL hijacker.

It’s a sign of the bad state IT security is in nowadays. Network switches and routers are intercepted on their way to ISPs to install backdoors, hard disk drives have NSA spyware in their firmware from the factories and now consumer laptops have spyware and man-in-the-middle certificates on them.

If we can’t even trust the hardware we use, how are we ever going to be able to trust the software?

But what disturbs me the most in this Lenovo scandal is their latest news announcement on Superfish.

Superfish was previously included on some consumer notebook products shipped in a short window between September and December …

This short window means the entire Q4 of 2014. So let’s take the numbers published for Q4 2013 from Lenovo. The numbers may be 2 years old, but Lenovo isn’t selling any less. So if Q4 2013 resulted in “$4.8 billion in sales (accounting for 51 percent of the Company’s overall sales)”, how many laptops do you think those are?

An average selling price of $750 (just a wild guess, it’s probably less) would result in a little over 5.630.000 laptops sold.

Diminishing the Superfish impact by saying “included on some consumer notebooks” is a smack in the face.

Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.

Oh good. The threat is over.

Except it isn’t. The CA certificate is still present on those laptops. The spyware itself is still installed on those machines. Guess what, Lenovo: if you can disable it server-side, it can be enabled again server-side as well. You’ve temporarily disabled part of the problem while ignoring the bigger picture and providing a false sense of security.
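Since disabling the software server-side leaves the root certificate in the trust store, the check an owner actually needs is against the certificate store itself. The following PowerShell is an added example, not code from the original post; it assumes the injected root carries “Superfish” in its subject name, and since the post publishes no thumbprint, the one it prints must be reviewed before anything is removed.

```powershell
# Added check (not code from the original post): enumerate the Windows root
# certificate stores and flag any CA whose subject or issuer mentions Superfish,
# so an owner can see whether the MITM root described above is still trusted
# even though the software was "disabled server-side".
# Assumption: the injected root carries "Superfish" in its subject name; the
# post publishes no thumbprint, so review the printed one before acting on it.
$pattern = 'Superfish'
$stores  = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$suspect = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern }
}

if (-not $suspect) {
    Write-Output "No root CA matching '$pattern' in: $($stores -join ', ')"
    return
}

# Show what was found: which store, who it claims to be, and the thumbprint.
$suspect |
    Select-Object @{n='Store';e={$_.PSParentPath -replace '^.*::',''}},
                  Subject, Thumbprint, NotBefore, NotAfter |
    Format-Table -AutoSize

# Removal is the mitigation once the listing is confirmed; -WhatIf previews it.
# Drop -WhatIf to actually delete the entry (LocalMachine needs an elevated shell).
$suspect | ForEach-Object { Remove-Item -Path $_.PSPath -WhatIf }
```

Removing the root only stops the machine trusting certificates signed with the exposed key; the interception software itself still has to be uninstalled separately.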

Users are given a choice whether or not to use the product.

How is that even remotely true, if it’s pre-installed on laptops without asking the user first?

The relationship with Superfish is not financially significant; our goal was to enhance the experience for users. We recognize that the software did not meet that goal and have acted quickly and decisively.

The primary goal of Superfish was to show ads and inject them into various places. This is most likely the true reason for inserting their own CA certificate: to still inject ads on SSL/TLS-enabled sites.

If the primary goal of an application is to show ads, it’s a financial choice. While it may not be financially significant to Lenovo, the choice to embed Superfish was made based on dollars. How much could this make us each month? What would Superfish pay Lenovo? How much money can they gain from this deal?

The only reason the relationship with Superfish existed in the first place, was a financial reason. Nothing else, Lenovo.

In this case, we have responded quickly to negative feedback, and taken decisive actions to ensure that we address these concerns.

This is where Lenovo missed the point entirely. There should never have been a reaction in the first place. They’re selling laptops to consumers. That gives them 2 distinct priorities: the laptops should A) work and B) not contain any spyware. I’d love to see B) take priority over A), but for Lenovo A) will come first.

How did Superfish make it through internal reviews at Lenovo? How can any technical engineer feel OK allowing and approving this to be pre-installed on consumer laptops?

The private key for the Superfish certificate is exposed. Out of those 5.630.000 laptops sold, I’d venture a guess that 5.600.000 owners have no clue this happened and will continue to live their lives with a pre-compromised computer. Just making online payments as if nothing happened.

Good work Lenovo. Way to destroy our faith in IT security just a little more.
