Reports in the last week stated that the computer manufacturer Lenovo had preloaded software onto various lines of computers which critically compromised cybersecurity. The software in question is a product called Superfish Visual Discovery, a program generally designed to replace advertisements seen while browsing the Internet with ads provided by Superfish. However, the method of implementation opens up a universe of potential problems.
What Does Superfish Do?
Superfish is designed to replace Internet advertisements with advertisements provided by their sponsors. In order to do this, Superfish installs its own signed root certificate to the operating system. Furthermore, the Superfish certificate key being used is the same across all the affected systems.
What Does This Mean?
Secure browsing is based on a system of certificates. When you look up any website starting with https://, you are loading a secure website whose identity is verified using a certificate, usually validated by a third party. Normally, sites claiming to be secure that are not will trigger warnings from your browser. Superfish installs its own certificate and functions as a Man in the Middle, injecting its own content into the ostensibly secure connection between your computer and the secure website.
Because the certificate key used by Superfish is the same across all affected systems, it is easy to exploit that certificate to attack systems with the software installed. Reports indicate that people have been able to decrypt all data sent by HTTPS, including passwords, using this exploit.
Which Computers Are Affected?
Lenovo has published information containing a list of affected computers. The affected computers are laptops not in the ThinkPad series manufactured between September 2014 and February 2015. ThinkPad laptops, desktops, and smartphones are unaffected. Enterprise systems (e.g., servers and storage) are also safe.
Even if your organization has computers on the list of affected products, your organization may be safe. Generally, your IT department should be installing a clean version of Windows or an organizational system image on any new computer before it is brought into your network ecosystem. If your IT department does not do this, or your organization allows personal computers to perform work functions, you may be at risk.
Another potential issue is remote access. If anyone with remote access was using an affected computer, the user’s logon information potentially could have been compromised.
How Do We Remove Superfish from Affected Systems?
The easiest and most secure way to ensure the removal of any issues is to install a clean copy of Windows on the affected computer. This should not be the backup copy provided by Lenovo, as that copy will still have Superfish. However, reinstalling Windows will cause you to lose any data on the computer. If you need to keep the data on the computer or otherwise cannot back up the data, a good guide on how to uninstall Superfish without reinstalling Windows can be found at ExtremeTech.
What Else Should We Do?
If your organization does not install a clean version of Windows or an organizational system image on new computers, you should put into place a procedure ensuring that all new computers get a fresh install of Windows or a fresh system image prior to introducing them to the network.
Because your employees may potentially have used an affected computer for remote access, you should identify any employees who have used Lenovo computers for remote access in the past six months. Those users should have their credentials changed as a precautionary measure.