The arrival of the Lunar New Year, also known as Chinese New Year, is a festive and joyous occasion, but not for the new owners of Chinese computer manufacturer Lenovo’s laptops. Those who purchased Lenovo PCs from October 2014-February 2015 are being greeted with a gift from Lenovo: the preload of the Superfish adware application, which, according to noted security researcher Marc Rogers, effectively compromises ALL SSL (HTTPS) connections between the browsers on the computer and a destination URL.
What’s Lenovo up to?
Lenovo advises that only a few models of consumer laptops were affected (see list below). Lenovo acknowledges that it pre-installed the Superfish software, which it had hoped would “enhance our user experience?” Its statement makes no reference to the fact that the Superfish software undermines the security of all interaction from the device which occurs via a browser. So do we take Lenovo at its word, or should we subscribe to the theory (paranoia) that this is a Chinese government-influenced activity undertaken by Lenovo? An activity which would serve to provide unambiguous data direct from Lenovo computer users, adding ever more pieces to the mosaic of data being analyzed and exploited using big data algorithms in support of Chinese intelligence goals and objectives?
A bit of Congressional prescience?
In May 2006, some 17 months after IBM sold its PC division to Lenovo, the US Congress queried the US Department of State concerning some 16,000 Lenovo computers purchased by the Department of State, of which 900 were destined for installation on State Department classified networks. After consulting with government security experts, the State Department recommended that these computers be utilized for unclassified systems only. At the time, the congressional hoopla and subsequent ban on Lenovos within the intelligence community were largely construed as knee-jerk and xenophobic. Indeed, in a May 2006 InfoWorld piece, the research director from the SANS Institute seemed to have been spot-on with his advice: “Instead of focusing on where computers are made, the U.S. government should work on better security for its systems after they are purchased. If you know you have a threat from a source, you can focus resources on testing. We need to do a much better job of looking for hidden back doors in systems.”
What should you do?
If you are using a Lenovo device in a classified environment, you may wish to unplug it and have the IT security team review the device for Superfish, especially if it is one of the models identified below. Should you eschew use of any Lenovo device now and in the future? How much do you trust Lenovo? Lenovo’s Chief Technology Officer, Peter Hortensius, said in a Wall Street Journal interview that the company did not wish to get into an argument with security researchers, but went on to note how the experts are dealing with only “theoretical concerns.” There was nothing theoretical about the pre-loading of the Superfish application on the Lenovo PC and the subsequent connecting to Lenovo servers.
Happy New Year, the year of the Goat, from Lenovo.
To check if your laptop has Superfish installed: CHECK FOR SUPERFISH
Instructions on how to remove Superfish: REMOVE SUPERFISH
Models of Lenovo PCs which Lenovo has identified as having the Superfish software installed:
G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30