Chinese PC maker Lenovo has found itself in the middle of a public relations disaster, following revelations that it sold a number of notebook computers with pre-installed software that hijacks users' browser sessions to inject customized advertisements and seriously degrades the security of encrypted connections.
Bank of America's website being signed with a Superfish certificate, as noticed by Google security engineer Chris Palmer
The adware, from a visual search firm named Superfish, is a contextual search platform that has been shown to act as a transparent proxy for requests flowing through browsers on Lenovo machines. It analyzes the content of websites, inserting advertisements that it considers relevant.
In order to access HTTPS requests, Superfish also comes loaded with a self-signed root certificate. Pages loaded over HTTPS are signed with this certificate, rather than the actual certificate of the site owner, allowing Superfish to decrypt the contents.
This creates a serious security problem. Anyone with the encryption password for the certificate -- which was easily found by Robert Graham of Errata Security -- can extract the private key and perform a man in the middle attack to intercept the communications of any computer with the certificate installed, or to craft legitimate-seeming fake phishing websites.
In a statement, Lenovo acknowledged that it had installed Superfish on "some consumer notebook products shipped in a short window between September and December." The company promised that the backend services powering the ad injection technology have been disabled, and that it would not include Superfish on any future products.
Unfortunately, that does nothing to alleviate the security concerns caused by allowing the installation of a self-signed root certificate in the first place. Despite the clear implications, Lenovo does not appear worried.
"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns," the company said in the same statement.