Smartphones and tablets made by certain manufacturers are not seen with good eyes by users due to the insane amount of bloatware, and Lenovo’s recent notebooks are about to share the same fate because of some adware that comes pre-installed.
Supposing that the notebooks come with Microsoft’s OS already installed, it’s not unusual to find some programs already installed, regardless of the brand of the device. However, when the pre-installed pieces of software come in the form of bloatware, adware or malware, the safety of the users can be jeopardised. In Lenovo’s case, the adware in question is called Superfish and it represents a serious security threat, as it can break HTTPS connections.
Superfish Visual Discovery, which according to Lenovo was pre-installed on all laptops that were shipped between October and December 2014, acts in a manner similar to the man-in-the-middle cyber attacks. More precisely, it installs its self-signed security authority that then enables the software to gather data transmitted over secure connections.
The certificate does not have a single goal, meaning that it will trusted for anything over a great number of sites. Assuming that someone gets their mittens on the private key for the certificate installed by Superfish, he (or she, as I’m not going to pretend that all hackers are boys/men) can have access to banking websites, e-mail accounts and every other secure site that includes sensitive information about the user.
Obviously, people who found out about this problem have not taken the problem lightly. The /r/technology subreddit includes several threads discussing this matter, and this one has even made it to the front page.
One way to check if the Superfish adware has affected you is to visit canibesuperphished.com. Seeing this website’s name, I now realize that Lenovo couldn’t have picked a worse name for this software, considering that phishing is a way of obtaining usernames and passwords in pretty much the same way as this adware.
Lenovo is one of the top 5 notebook manufacturers in the world, so the number of affected devices must have been great. Rob Graham, CEO of security firm Errata Security, figured out in just three hours that the password used for cracking the Superfish is “komodia”, and that the certificate can be used even against Google in Chrome. That poses great danger to a great number of users, and Lenovo might have a hard time solving this problem in a satisfying manner.
Be social! Follow Walyou on Facebook and Twitter, and read more related stories about how buying Blackberry could make Samsung devices more secure, or the heartbeat authentication that may unlock smartwatch mobile payments.