IT Vulnerability | B-Cognizance

Superfish Visual Discovery: Lenovo's preloaded bloatware

Lenovo, the Chinese PC manufacturer, has recently come under media scrutiny for preinstalling the ad-serving software Superfish on its consumer laptops. Lenovo is the world's largest vendor of personal computers, and the Superfish Visual Discovery vulnerability immediately damaged the company's reputation in the global market.

What is Superfish?

Superfish is third-party software that came preloaded on Lenovo consumer laptops. It injected its own advertisements into the pages a user visited, including search results, so that users saw different advertisements than they normally would. To do this on HTTPS sites as well, Superfish installed its own root certificate into the Windows trusted certificate store and used it to intercept and re-sign encrypted connections, acting as a man-in-the-middle proxy. That gave the software, and anyone able to use its certificate, access to the contents of supposedly secure sessions such as online banking passwords or credit card details, and because the certificate lived in the system store it affected every browser that relied on it, no matter which browser was being used.

The threat:

Initially introduced as a 'shopping aid' that adds image-based product results to the pages a user browses, Superfish Visual Discovery was being reported for causing problems with browser rendering and random pop-ups as early as September 2014. The real severity of the problem, the trusted root certificate and its shared private key, only became public in February 2015, when security researchers published their analysis. Within days the black hat hacking group Lizard Squad redirected Lenovo's website in a revenge attack, which kept the issue in front of the entire world.

Superfish Visual Discovery was not created by Lenovo but by the third party, Superfish, and the data it collected could be sent back to that third party. There is no indication that either Lenovo or Superfish intended to expose users, but there is no denying that the design did so: the software's root certificate was trusted by the system, and its private key shipped with every installation. Worse, Superfish used the same private key for all installations, so anyone who extracted the key from one affected laptop could sign certificates for any website, and every other affected laptop would accept them. An attacker on the same network, for example public Wi-Fi, could then read and alter the victim's encrypted traffic and gain access to their personal data.

In January 2015, Lenovo stopped preloading Superfish on its consumer systems and, at the same time, had the server connections that activate Superfish shut down. Neither step removed the root certificate from laptops that already had it, so those machines remained exposed until the certificate was deleted.

How to detect and remove Superfish?

Laptops sold as part of Microsoft's Signature Edition range ship without third-party bloatware and do not come pre-installed with Superfish. Other users can simply head to the Superfish detection webpage, and the test site will tell them whether the Superfish certificate is trusted on their system. The LastPass website has an illustrated step-by-step guide on how to detect and deal with Superfish. Microsoft, too, updated Windows Defender to detect and remove Superfish together with its root certificate, so all the user needs to do is install the latest security updates. Whichever route is taken, uninstalling the application alone is not enough: the root certificate must be removed as well, and a browser that keeps its own certificate store, such as Firefox, needs to be checked separately.
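As an added example (not code from the article, from Lenovo or from Superfish), the following PowerShell performs the same check locally on a Windows machine, looking in the trusted root stores and the installed-programs list, and can delete the certificate when run with administrator rights. It assumes, as was the case on affected laptops, that the certificate's subject and issuer contain "Superfish, Inc."; the function name Find-SuperfishCertificate and its -Remove switch are this example's own.

```powershell
# Added example, not part of the original article.
# Assumption: the Superfish root certificate's Subject/Issuer contains "Superfish".
# Removing from Cert:\LocalMachine\Root requires an elevated PowerShell session.

function Find-SuperfishCertificate {
    [CmdletBinding()]
    param(
        # Delete any matching root certificate instead of only reporting it
        [switch]$Remove
    )

    # Superfish placed its root in the machine store; the user store is checked too
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    $found = @()

    foreach ($store in $stores) {
        $hits = Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' }

        foreach ($cert in $hits) {
            $found += [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
            }
            if ($Remove) {
                # The Cert: provider addresses a certificate by its thumbprint
                Remove-Item -Path "$store\$($cert.Thumbprint)" -ErrorAction Stop
                Write-Verbose "Removed $($cert.Thumbprint) from $store"
            }
        }
    }

    # The application itself shows up under the usual uninstall registry keys
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $apps = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Superfish*' } |
        Select-Object DisplayName, DisplayVersion, UninstallString)

    # A machine is only clean when neither the certificate nor the program is present
    [pscustomobject]@{
        Certificates = $found
        Applications = $apps
        Clean        = ($found.Count -eq 0 -and $apps.Count -eq 0)
    }
}

# Report only:
Find-SuperfishCertificate | Format-List

# Delete the certificate (run as administrator), then uninstall the program
# using the UninstallString reported above:
# Find-SuperfishCertificate -Remove -Verbose
```

Run the report first and keep the thumbprint it prints; after removal and after uninstalling the program, run it again and confirm Clean is True. Firefox maintains its own certificate store, so it is not covered by this check and must be inspected through its own certificate manager.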

The future?

Moving ahead, Lenovo should be concerned about the long-term implications of this incident. It needs to rebuild customer trust and be more transparent about its policies on security and privacy. Consumers need to be able to trust their products, especially a device such as a laptop that stores their critical personal and financial data. In a digital era, a lack of such trust can and will damage the brand of any well-reputed company, even one such as Lenovo.


Siddharth Narayan
MBA-IT 4th Semester,
IIIT Allahabad