Lenovo preinstalling malware on consumer notebooks

Chinese hardware manufacturer Lenovo has been accused of preloading malware onto its consumer range of notebooks and two-in-ones. Dubbed Superfish, the software injects advertisements into search results, but also has the ability to intercept encrypted traffic, making computers vulnerable to "man-in-the-middle attacks".

The consequence of this is that communications between the user of a Lenovo laptop and an online banking site, for example, could be easily accessed by a third party. At a basic level, this would allow third parties to intercept information such as usernames and passwords. Security researcher Robert Graham was easily able to break Superfish's encryption, demonstrating how easy it would be for a hacker to spy on a Lenovo user.

Google security engineer Chris Palmer confirmed that Superfish also intercepts HTTPS traffic. When he visited the Bank of America website, he found that the security certificate presented to the browser wasn't signed by VeriSign, but by Superfish. This means that attackers could theoretically create viruses or fake HTTPS websites to grab passwords or credit card details, and vulnerable Lenovo machines would have no way to detect them.
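As an added illustration (not code from the article or from any of the researchers it names), a small Python check that flags the symptom Palmer describes: a site's certificate whose issuer is Superfish rather than the CA the site is expected to chain to. The two certificate dicts are constructed samples in the shape Python's `ssl.getpeercert()` returns; the issuer names and the bank hostname are assumptions, not captured data.

```python
import socket
import ssl

# Constructed sample: what an intercepted session for the bank site might look like,
# with the adware's root signing the leaf instead of the site's real CA.
INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.bankofamerica.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Superfish, Inc."),),
        (("commonName", "Superfish, Inc."),),
    ),
}

# Constructed sample: the same site chaining to the CA the article says signs it.
GENUINE_CERT = {
    "subject": ((("commonName", "www.bankofamerica.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "VeriSign, Inc."),),
        (("commonName", "VeriSign Class 3 Extended Validation SSL CA"),),
    ),
}

def rdn_to_dict(rdn_seq):
    """Flatten getpeercert()'s tuple-of-tuples RDN sequence into a plain dict."""
    out = {}
    for rdn in rdn_seq:
        for attr, value in rdn:
            out[attr] = value
    return out

def interception_verdict(cert, expected_issuer_orgs):
    """Return (suspicious, reason). A locally trusted substitute root such as the
    Superfish CA shows up here as an issuer the site is not expected to use."""
    issuer = rdn_to_dict(cert.get("issuer", ()))
    org = issuer.get("organizationName", "")
    cn = issuer.get("commonName", "")
    if "superfish" in org.lower() or "superfish" in cn.lower():
        return True, f"issuer names Superfish: {org!r}"
    if org not in expected_issuer_orgs:
        return True, f"unexpected issuer organization {org!r}"
    return False, f"issuer {org!r} is expected"

def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live variant (needs network): fetch the leaf cert the machine's own trust
    store accepts. On a box with the Superfish root installed the handshake succeeds
    and the returned issuer is exactly what interception_verdict() is looking for."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Run `interception_verdict(fetch_peer_cert("example.org"), {"expected CA org"})` on a suspect machine to apply the same check to a live connection.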

Developer Filippo Valsorda has built a website that allows users to check whether or not Superfish is installed on their machines; the check should be run in either Internet Explorer or Chrome. He has provided removal instructions for those affected. There are however conflicting reports as to how effective these are, with some suggesting that a complete reinstall of Windows from a non-Lenovo recovery image is required to completely remove the adware.

"From what we know right now, one of the easiest ways to remove Superfish is to reformat your computer," said Adrian Wood, director of Australian information security company Whitehack, "but if you reinstall it with a Lenovo Windows disk, you'll be back to square one. You need a refresh Windows disk."

"I imagine Lenovo will have to release an application to simplify the removal process."

While man-in-the-middle exploits using Superfish currently require the attacker and victim to be on the same wireless network, such as public Wi-Fi, the risk of fake websites targeting Lenovo users is an internet-wide threat. Wood stressed that the Superfish threat is currently active and exploitable.

"[Superfish] is exploitable right now, it's not something that could happen in the future," said Wood.

UPDATE: Microsoft has released an update for Windows Defender that can completely remove Superfish. To ensure the fix works, users should update Windows Defender to the latest version before running a scan.

Lenovo has published a statement explaining that the software was preloaded onto consumer notebooks between September and December in 2014, and that it stopped preloading the software in January. While the statement does not address security concerns around Superfish, a linked product advisory describes it as a high severity threat. Lenovo Australia was not able to confirm whether or not Superfish affected the devices it sold locally.

Superfish may have appeared on the following Lenovo models: 

  • G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
  • U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
  • Y Series: Y430P, Y40-70, Y50-70
  • Z Series: Z40-75, Z50-75, Z40-70, Z50-70
  • S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
  • Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
  • MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
  • YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
  • E Series: E10-30

CyberShack has been unable to confirm whether or not Lenovo devices sold in the Australian market have been affected by Superfish, but recommends users check their machines for the malware. Affected users should avoid sensitive tasks such as online banking and shopping until they confirm Superfish has been removed. 

20/2/15 11:04am: Updated article with comments from Adrian Wood

20/2/15 2:27pm: Updated article with comment from Lenovo Australia

21/2/15 2:27pm: Updated article with additional information about removing Superfish