As was widely reported this week, Lenovo consumer products may have potentially serious security vulnerabilities due to a piece of factory-installed software. This software, called Superfish, puts sensitive user data at risk by breaking secure HTTPS website connections.
Superfish installs its own root certificate on Windows systems so that it can use a host-resident proxy to actively eavesdrop on HTTPS connections made in the browser. You can think of this as "active eavesdropping": say you are talking to your mother on the phone, but somebody is in the middle, listening to what you say, and then transmitting a different message, in your voice, to your mother, and vice versa. You don't know that you aren't actually having a real conversation. Now, imagine that it's not a phone conversation with your mother, but a search on the web. Superfish intercepts your search terms, for example, and injects ads based on what it sees. But that's just the adware side of what it does. Now imagine that you're not doing a simple search, but you're visiting your bank online. In addition, you are sending passwords or other confidential information – Superfish sees all that in the middle, too. However, because of flaws in the implementation, it is possible for a bad guy on a WiFi network, say, to also see that sensitive information. Because Superfish hides or does not pass on certain information about that HTTPS connection to the browser, there is no way for you to know a bad guy has stolen your sensitive information.
That’s what has raised so much concern about Superfish. The way Superfish intercepts encrypted connections leaves holes that hackers could potentially take advantage of to steal your private data.
Simply uninstalling the program will not remove its root certificate. To remove Superfish and its root certificate, you can back up your data and install a new operating system, or you can simply run the latest version of Microsoft Defender, which has been recently updated specifically to get rid of Superfish.
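The following PowerShell script is an added example, not HP's tooling, that checks a Windows machine for the two symptoms described above: a Superfish root certificate left behind in the root stores, and a live HTTPS connection whose certificate was signed by that local root rather than by a public CA. It assumes the rogue root's Subject or Issuer contains "Superfish" and uses example.com as a stand-in for any HTTPS site.

```powershell
# Added example (not from the HP post): defender-side checks for a
# Superfish-style interception root on Windows.
# Assumption: the rogue root's Subject/Issuer contains "Superfish".

function Find-SuspectRootCert {
    param([string]$Pattern = '*Superfish*')
    # A root-store entry is what lets the local proxy mint certificates
    # that the browser trusts for every HTTPS site visited.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem $store |
            Where-Object { $_.Subject -like $Pattern -or $_.Issuer -like $Pattern } |
            Select-Object PSParentPath, Subject, Thumbprint, NotAfter
    }
}

function Get-HttpsIssuer {
    # Open a TLS connection and report who signed the leaf certificate.
    # On a clean system the issuer is a public CA; with an interception
    # proxy in the middle it is the locally installed root.
    param([string]$HostName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any chain so the issuer can be inspected rather than rejected.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        [pscustomobject]@{
            Host        = $HostName
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            Intercepted = ($cert.Issuer -like '*Superfish*')
        }
    } finally {
        $tcp.Close()
    }
}

# Usage: report any lingering root certificate, then test one connection.
$found = Find-SuspectRootCert
if ($found) { $found | Format-Table -AutoSize }
else { 'No Superfish root certificate found in the root stores.' }
Get-HttpsIssuer -HostName 'example.com' | Format-List
```

An Intercepted value of True, or any hit from Find-SuspectRootCert, means the certificate is still trusted and the removal step above has not been completed.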
HP, like virtually every other major manufacturer of consumer laptops, does preinstall software to enhance the customer experience, but there is a key difference between most preinstalled software and Superfish. Superfish exposes customers to security vulnerabilities, is not easily removable, and hides its code from everyday users. Also unlike most preinstalled software, Superfish alters search results and cripples a Web browser's ability to communicate securely.
At HP, we take digital security very seriously, and have led the way in studying potential threats and developing products and services to guard against them. We do this not only because it is the right thing to do, but also because we know our customers' trust in our brand is the foundation upon which we are built. Our rigorous privacy policies are a key part of our promise to our customers that has made us the world's leading PC company. This incident has only served to reinforce our commitment to building quality personal systems that can help you interact, communicate, and create better than ever before.
Courtesy of Amy Barzdukas, HP.