Lenovo and Superfish Are Giving Us Deja-vu

Ever since Edward Snowden’s revelations about the NSA’s extensive spying program, security has been in the spotlight. Over the past several weeks, the adware known as Superfish has been the hot topic.

In February 2015, Lenovo, the China-based OEM, admitted to pre-loading Superfish adware on some of its consumer PCs during the second half of 2014. Two new lawsuits were filed on February 23, 2015, against Lenovo and adware maker Superfish in federal court in California, accusing the companies of putting consumers at risk of information theft and spying by attackers.

One plaintiff, David Hunter of North Carolina, claims that both Lenovo and Superfish violated the U.S. Electronic Communications Privacy Act, among other laws, and has asked the court to order the firms to hand back any revenue earned from selling consumers’ browsing data and from the advertising the adware injected.

Another plaintiff, Jessica Bennett, stated that her laptop was damaged as a result of Superfish. She further accuses Lenovo and Superfish of making money at the expense of invading her privacy.

Security researcher Marc Rogers wrote that it’s “quite possibly the single worst thing I have seen a manufacturer do to its customer base…I cannot overstate how evil this is.” Superfish is not merely annoying adware: it undermines the trust model that every HTTPS connection on the machine relies on.

Superfish works by installing its own self-signed root certificate into the Windows trusted root store so that it can intercept and re-sign HTTPS traffic to inject ads. The same certificate, and the same private key, shipped on every affected Lenovo machine, and researchers extracted that key within hours of the story breaking. Anyone holding it can mint a certificate for any website that the laptop will accept as genuine, so an attacker on the same Wi-Fi network can silently hijack the browser’s encrypted sessions and collect bank credentials, passwords and anything else typed there. The check a practitioner should make on a Lenovo consumer laptop from that period is to open certmgr.msc and look under Trusted Root Certification Authorities for a certificate issued to “Superfish, Inc.”; note that uninstalling the Superfish application alone does not remove that root certificate, which has to be deleted separately.

For companies the exposure is worse: an affected laptop carried onto a corporate network puts the organisation’s internal credentials and data, not just one employee’s, within reach of the same attack.

Errata Security’s Robert Graham, who extracted the certificate’s private key, said, “I can intercept the encrypted communications of Superfish’s victims (people with Lenovo laptops) while hanging out near them at a café wifi hotspot.”
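The interception described in the two paragraphs above comes down to one fact: a certificate signed by a root the client trusts validates for any hostname, so whoever holds that root’s private key can impersonate any site. The script below is an added example (it is not code from the article, from Lenovo or from Superfish) that reproduces the situation with a throwaway CA generated on the spot, standing in for the “Superfish, Inc.” root: the “victim” client trusts that root and accepts a forged certificate for the made-up hostname bank.example, while a client with an ordinary trust store rejects the same certificate. Everything happens in a temporary directory; no real trust store is modified.

```shell
#!/bin/sh
# Added example, not from the original article: shows why one trusted root
# CA whose private key is shared (and leaked) breaks TLS for every site.
# Assumptions: an OpenSSL CLI is installed; "bank.example" and the CA names
# are made up for the demonstration.
set -e

forge_and_verify() {
  workdir=$(mktemp -d)
  cd "$workdir"

  # 1. The vendor's root CA: self-signed, and the SAME key on every laptop.
  #    On the affected machines this root sat in the Windows trusted store.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo Adware Root/O=Demo Adware Inc" \
    -keyout root.key -out root.pem >/dev/null 2>&1

  # 2. An attacker who has extracted root.key mints a leaf for any site.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=bank.example" -keyout leaf.key -out leaf.csr >/dev/null 2>&1
  printf 'subjectAltName=DNS:bank.example\nextendedKeyUsage=serverAuth\n' > leaf.ext
  openssl x509 -req -in leaf.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1

  # 3. A client that trusts the vendor root (the victim) accepts the forgery.
  if openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1; then
    victim=accepted
  else
    victim=rejected
  fi

  # 4. A client using only the normal system trust store rejects it, because
  #    the throwaway root is not among the CAs it trusts.
  if openssl verify leaf.pem >/dev/null 2>&1; then
    clean=accepted
  else
    clean=rejected
  fi

  cd / && rm -rf "$workdir"
  # Result: "<victim verdict> <clean-client verdict>"
  echo "$victim $clean"
}

forge_and_verify
```

Running it prints `accepted rejected`: the victim’s browser sees a chain that ends at a root it has been told to trust, so no warning is shown, while any machine without that root refuses the connection. The defence is the same in both the demo and the real case: remove the foreign root from the trust store, since a compromised key cannot be “un-leaked”.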

Our deja-vu comes from the Sony BMG DRM rootkit scandal of 2005, in which Sony’s copy-protection software silently installed a rootkit on a user’s Windows PC whenever certain music CDs were played. The rootkit hid its own files from the operating system, and other malware soon used that same cloaking to hide itself. In its zeal to protect revenue, Sony did nothing that actually stopped piracy and compromised the security of millions of users.

Lenovo claims it installed Superfish to “enhance our users’ shopping experience.”