Lenovo’s SuperFish Security Gaffe: Trust No One

The Lenovo SuperFish fiasco is a very big deal: a major computer maker broke fundamental online security and exposed millions of customers to identity theft, all in the name of “improving the customer experience.” Let us briefly review what happened, and then discuss how you can protect yourself, because the way Lenovo did this is a chronic industry problem, and vendors never seem to wise up.

Pre-Loaded Security Risks

Windows and Mac PC vendors love to load up their machines with bundles of add-ons that tech-savvy people refer to by various names such as crapware, adware, junkware, bloatware, or malware. The vendors, of course, refer to them as added-value cool stuff. The added value goes to the vendors, because they get paid to load this crud on their products. Just to keep things simple, and to be less argumentative, let’s call the stuff “trialware.”

Not all trialware is bad. Sometimes you get trial versions of games, creative design programs for making things like cards and calendars, anti-virus, and other useful programs that you might actually want—emphasis on sometimes. More likely it’s a front for nasty stuff such as spyware, adware, and Web browser hijackers. Much of it is not deliberately malicious—merely incompetent—but it bogs down your system, makes it less stable, and opens security holes.

Why SuperFish is So Dangerous

Lenovo, maker of the beloved ThinkPad line of laptops, and good-quality PCs and servers, bundled SuperFish on millions of Lenovo laptops. SuperFish injects its own ads into your Web browser when you’re shopping online. It doesn’t matter where or how you’re searching: Google, Amazon, Yahoo, LL Bean, Macys. SuperFish makes sure that you see what SuperFish wants you to see.

Website encryption certificate and options

Figure 1: Amazon’s encryption certificate and options.

But that’s not the worst part: SuperFish deliberately breaks your online security and exposes you to identity theft. It does this by installing its own root Certificate Authority. Bear with me while I briefly explain why this is so dangerous.

When you log into your bank, shopping sites, or any site where you need security, your online session is encrypted with SSL (secure sockets layer). The major Web browsers, Firefox and Google Chrome, display a little padlock that tells you if your session is safely encrypted, and if the site you’re visiting really is who it says it is. You can click on this little padlock to get more information, and even examine the site’s encryption certificate.

Any company can create its own SSL certificate and install it on the company’s websites, so how do you know it’s not fibbing? By checking whether the site uses commercial third-party certificate authorities such as Thawte, Verisign, Comodo, Globalsign, Startcom, and many more. When you install a Web browser, it comes with a bundle of trusted root Certificate Authorities.

These Certificate Authorities verify that the site’s certificate is legitimate. You can see these with your own eyes; for example on Firefox look in Settings > Advanced > Certificates, and then click the View Certificates button (figure 2).

How to view website Certificate Authorities

Figure 2: How to see the root CAs in your Web browser.

Trust? Don’t Make Me LOL

There isn’t much we can do with these root CAs; we have to trust that everyone in the chain—the commercial certificate authorities, the websites we visit, and the makers of our Web browsers—are all competent and trustworthy. It’s a fragile chain, and SuperFish gave us a lesson in just how fragile. SuperFish installed its own root CA in customer’s Web browsers. Why is this so terrible?

One, it’s not verified by a trusted authority such as Thawte or Verisign. Two, it’s such a weak and incompetent root CA that it allows anyone—and I mean literally anyone—to eavesdrop on your online sessions, hijack them, and steal your credentials. How’s that for improving the customer experience? See the links at the end of the article for detailed references and SuperFish resources).

In a world where people are prosecuted for minor copyright infringements, it’s mind-boggling that an attack of this scale is not considered a criminal offense. What did Lenovo gain from installing SuperFish? About $250,000—that’s a lot of money to me, but consider this: Lenovo reported profits of $253 million in Q3 2014. The company sold out its customers for pocket change.

Protect Against Security Breaches

The best way to protect your small business is to stick with Linux computers. Linux is far less prone to security breaches. No operating system is immune, but Linux’s security record is still the best. Linux is open source, and this is potent protection because there is nowhere to hide all that tricksy stuff. You can install Linux yourself, or you can buy a PC with a Linux OS installed from any one of these top-notch Linux vendors.

But what if you really, truly, and most sincerely want Windows PCs? You have two good options. One is to buy from Microsoft’s Signature Edition line of computers, which are free of trialware.

Another option is to purchase the full retail version of Windows. You can buy this separately or pre-installed. The full retail version is not tied to any hardware, so you have more flexibility and you’re not forced to ask permission to use your own stuff. When you’re computer shopping, avoid the consumer products —shop in the business section. Dell is one of the better Tier 1 vendors for customizations and for giving you what you want.

Finally, think very hard about your online activities. The path of least resistance is often the most dangerous path, because vendors want to lock you into their clouds and product ecosystems. You really don’t need to conduct all of your business online, and you certainly don’t need to trust your data and activities to cloud storage vendors. This is still the Wild Wild West era of the Internet and personal computing, so we must be informed and wary.

SuperFish Resources

$250K: That’s what Lenovo earned to rat you out with SuperFish

Carla Schroder is the author of The Book of Audacity, Linux Cookbook, Linux Networking Cookbook,and hundreds of Linux how-to articles. She’s the former managing editor of Linux Planet and Linux Today.

Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!

Must Read

Get the Free Newsletter!

Subscribe to Daily Tech Insider for top news, trends, and analysis.