How Superfish’s Security-Compromising Adware Came to Inhabit Lenovo’s PCs
By NICOLE PERLROTH
MARCH 1, 2015
SAN FRANCISCO — Until its advertising software was discovered deep inside Lenovo personal computers two weeks ago, a little company called Superfish had maintained a surprisingly low profile for an outfit once named America’s fastest-growing software start-up.
In 2013, Superfish revenues had increased more than 26,000 percent over the previous three years to $35.3 million. It had advertising deals with some of the biggest names in e-commerce — Amazon, eBay and Alibaba among them.
But as the start-up, based in Palo Alto, Calif., searched for new income sources last year, it landed a deal with Lenovo, the world’s largest PC maker, to put its software — often called adware — on several Lenovo consumer PCs.
That deal has proved disastrous. Not only has it called into question the business practices of both Lenovo and Superfish, it has shined an unflattering light on makers of this sort of advertising technology.
Superfish’s software, a security researcher revealed, was logging every online movement of the people using those Lenovo machines and hijacking the security system that is supposed to protect online communications and commerce. The Department of Homeland Security even warned Lenovo PC users to remove the software because of the risk it presented.
Superfish’s technology, security experts now say, is a particularly aggressive example of the targeted advertising technology that tracks consumers’ online movements without their knowledge.
What made its adware particularly bad, experts say, is that it fooled Lenovo customers into thinking that private sessions with their email service, or bank — secured with encryption that is often represented by the tiny padlock that appears in their web browser — were private, when Superfish, and potentially hackers, could see everything.
“The padlock is a means of telling you that who you are talking to is who you think you are talking to. Superfish made that mechanism ineffective,” said Jonathan Mayer, a lawyer and computer science graduate student at Stanford University who specializes in digital privacy.
Superfish was co-founded by Adi Pinhas and Michael Chertok, two veterans of the video surveillance industry. Their first start-up, Vigilant Technology, worked with casinos, prisons and governments and used algorithms to scan video footage from surveillance cameras in search of suspicious activity.
In 2006, the two began exploring the possibility of applying similar computerized methods to visual searches. They called their new start-up Link-It. Much in the same way that Google is a search engine for text, Siri for voice, and music discovery apps like Shazam help people match songs they hear on the radio to an artist and song title, Superfish aimed to be a “visual search” engine for images.
With 12 Ph.D.s on staff and 10 patents for visual search technology, the company’s software crawls the web, using mathematical models to catalog, analyze and match images of plants, dogs or furniture to the exact flower, dog breed or home goods retailer. At one point, they worked with Samsung on a proof-of-concept visual search engine on Samsung cellphones, but a formal partnership was never consummated.
In 2009, the co-founders said, they renamed the company Superfish.
Five years later, Superfish had accumulated partnerships with more than 100,000 retailers that paid the company through “affiliate” programs, in which retailers gave Superfish a cut of each sale its software encouraged. As Superfish tracks products that appeal to people on the web, its technology serves ads of similar or identical products from its retail partners.
Last year, Superfish began experimenting with new sources of revenue. It released a series of free “LikeThat” mobile apps at the iTunes and Android store, such as LikeThat Décor, an app that allows design aficionados or interior designers to snap shots of furniture so that Superfish can locate the same, or similar, products online.
The start-up’s executives say they approached Lenovo, based in China, early last year about the possibility of loading their VisualDiscovery software onto its PCs at the factory.
The pitch, Lenovo’s executives recall, was that Superfish could “improve our consumer experience” by serving its customers more relevant ads.
“The motivation was to enhance the experience,” Peter Hortensius, Lenovo’s chief technology officer said in an interview last week. If a consumer was hovering his mouse over a vase, Mr. Hortensius said, Superfish technology would register his interest in the vase and could show a similar vase, or the same vase at a cheaper price, from a different retailer.
“That was the idea at least,” Mr. Hortensius recalled.
Neither Lenovo nor Superfish will discuss the financial terms of the deal.
Industry experts say that when software is preloaded onto a machine, the hardware maker is usually paid a fee per machine. In the case of adware, they suspect Lenovo was also paid a cut of any Superfish ad revenue generated on their PCs. Lenovo executives will only say that its revenues from the deal were “financially insignificant.”
After Lenovo began putting Superfish software onto its consumer PCs last September, consumers were soon complaining in online forums that their web experiences were buggy.
Peter Horne, who has worked in the financial services technology industry for 25 years, noticed that the adware was buried so deep in the machine’s operating system that antivirus scanners couldn’t find it.
In an interview, Mr. Hortensius said Lenovo’s customers were given the chance to opt out of Superfish when they started their machines, but customers do not recall any opt-in language. Even after Mr. Horne wiped his new Lenovo PC and rebuilt it, his PC was still calling back to Superfish’s servers.
Worse still, Superfish’s technology was hijacking the third-party certificate authorities that are used to guarantee the security of encrypted connections between users’ browsers and websites like Bank of America and Google. To circumvent web protections, Superfish served up its own certificate with the help of an Israeli company, Komodia, which specializes in intercepting encrypted communications, so it could insert ads.
By doing so, Superfish left Lenovo users vulnerable to hackers. “Websites, such as banking and email, can be spoofed without a warning,” a Homeland Security alert read.
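The mechanism the two paragraphs above describe, a locally installed certificate that lets software on the PC stand in for any website, leaves a trace a defender can look for: an extra trusted root in the Windows certificate stores, typically one that also carries its private key on the machine, since the software needs that key to mint certificates for the sites it rewrites. The script below is an added example for auditing a Windows PC for that condition; it is not code from the article, from Lenovo or from Superfish. The stores it reads and the certificate properties it uses are standard PowerShell and .NET; `Get-SuspiciousRoot` and the `$KnownGoodSubjects` allowlist are names chosen here, and the allowlist entry is a placeholder to be replaced with subjects taken from a clean reference build.

```powershell
# Added example (not from the article): audit the Windows trusted root
# stores for signs of locally installed HTTPS-intercepting software.
# Two signals are reported for each root certificate:
#   1. it is self-signed AND a private key for it exists on this machine
#      (a root a vendor ships for interception needs that key locally), and
#   2. its subject is not on an allowlist the administrator maintains.
function Get-SuspiciousRoot {
    param(
        # Both stores matter: per-user installs can add roots under CurrentUser.
        [string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'),
        # Placeholder allowlist; populate from a clean reference image.
        [string[]]$KnownGoodSubjects = @('CN=PLACEHOLDER-KNOWN-GOOD-ROOT')
    )
    foreach ($store in $Stores) {
        foreach ($cert in (Get-ChildItem -Path $store)) {
            $reasons = @()
            $selfSigned = ($cert.Subject -eq $cert.Issuer)
            if ($selfSigned -and $cert.HasPrivateKey) {
                $reasons += 'private key present for a trusted root'
            }
            if ($KnownGoodSubjects.Count -gt 0 -and
                $KnownGoodSubjects -notcontains $cert.Subject) {
                $reasons += 'subject not on allowlist'
            }
            if ($reasons.Count -gt 0) {
                # One record per suspicious root; thumbprint lets you cross-check
                # against a known-clean machine or a vendor advisory.
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Reason     = ($reasons -join '; ')
                }
            }
        }
    }
}

# Run from an elevated session so LocalMachine\Root is fully readable.
Get-SuspiciousRoot | Format-Table -AutoSize
```

Until the allowlist is filled in from a trusted image, every root will be flagged on the second signal, so on a first pass read the first signal on its own: a trusted root with a private key on an end-user PC is rarely legitimate outside of an enterprise's own inspection proxy, and any such finding is worth comparing, by thumbprint, against a machine built without the preloaded software.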
In an email, Mr. Pinhas said Superfish was not aware of any security issues with its Lenovo adware until the news broke two weeks ago. He said the Lenovo partnership was the only time Superfish adware had been preloaded into hardware and that it was the first time the company had worked with Komodia, which helped it circumvent web encryption to insert its ads.
Mr. Pinhas also maintains that Superfish does not log any personal information on its servers. Citing pending lawsuits, Mr. Pinhas said he could not say more.
Lenovo is now facing its own lawsuits — one accuses Lenovo and Superfish of trespassing on personal property and violating wiretap laws — and even angry hackers. For several hours last Wednesday, hackers defaced Lenovo’s website, replacing its contents with images of bored teenagers.
Two days later, Lenovo announced a pledge for “cleaner, safer PCs” and said it would eliminate unnecessary adware from its PCs and clearly post what all preloaded software does.
“We are not confused as to the depth that this has caused people not to trust us,” Mr. Hortensius said. “We will do our best to make this right. In the process of that, I think we will come out stronger.”
He added, “But we have a long way to go to make this right.”
Lenovo’s Superfish Screwup Highlights Biggest Problem In Software
By not properly vetting the Superfish adware, Lenovo became the most recent unwitting example of broken links in the software supply chain.
By Seth Rosenblatt
February 27, 2015 12:48 PM PST
When will a buck-stops-here culture finally reach the software industry?
Not soon enough, if Lenovo’s Superfish software scandal is any indication.
From September to January, Lenovo shipped more than two dozen laptop models with Superfish software that inserted its own ads in Web search results. (It’s widely estimated that means millions of computers, though the company hasn’t gone into detail.) More than that, Superfish exposed the laptops and their Internet traffic to hackers in a way security experts have described as egregious and easily exploitable.
Lenovo’s chief technology executive claimed the company was just trying to improve the user experience. “Our teams did not understand the significant security problem that [Superfish] presented,” Peter Hortensius said Tuesday. “We’re desperate to understand why we missed that.” The company on Friday issued a statement pledging to reform its ways.
Superfish, too, pleaded ignorance. Founder and CEO Adi Pinhas blamed a small Israeli startup called Komodia. It’s Komodia’s software that allowed Superfish to decode Internet traffic and insert ads. Komodia did not respond to a request for comment, but in a 2009 blog, CEO Barak Weichselbaum detailed working on a security program designed to hijack secure Internet traffic.
Lenovo’s Superfish debacle highlights a growing problem in the software world: As more software components are outsourced, consumers are placed at greater risk than ever before. Software used by billions of consumers and businesses almost always relies on components made by development companies far removed from the final product, each trusting the other to do their due diligence. Few are, however, and that’s putting you at risk, experts say.
Imagine that software is a jigsaw puzzle, with everyone from at-home hobbyists to multinational conglomerates supplying pieces they trust to be well-made, said Herb Lin, a senior researcher for cyber policy at Stanford University’s Hoover Institute. The problem is they are “too trusting” of their partners, he said.
“Testing is known to not be sufficient,” said Lin. “The usual way of vetting software is that I give you a specification and you give me back a program,” he said. “I then test it to see if it meets those particular specs. But it’s only a part of a program, and it hasn’t been tested with all [the other] components.” The smaller software component may even work perfectly until it’s built into a larger program or app, at which point the flaw gets introduced.
Third-party software havoc
Holes made by third-party software that are ripe for exploitation by hackers go far beyond Lenovo. Security researchers last year discovered major vulnerabilities in two widely used open-source software tools, dubbing the flaws Heartbleed and Shellshock. Although they were accidentally introduced, they had survived for decades because companies trusted that the small teams of volunteers developing the software had thoroughly checked the software.
[Image caption: Superfish code hides in hard-to-reach places on a Lenovo PC, making it difficult to remove. Screenshot by Robert Graham/Errata Security]
There’s also the intentional security hole the National Security Agency is accused of inserting into a tool made by the RSA Corporation that scrambles user data to protect it. It’s highly unlikely companies would have paid RSA to protect their data had they known, and RSA denies that it knew about it.
To be sure, Lenovo’s Hortensius said his company has taken steps to ensure few users can still run into Superfish. But it was only after security experts began howling about Superfish’s behavior that some security programs — from Microsoft, Symantec and McAfee — detected and removed the software.
A matter of trust
To keep its position atop the global PC market, Lenovo has vowed to stop including unnecessary additional programs in its PCs.
“The events of last week reinforce the principle that customer experience, security and privacy must be our top priorities,” Lenovo said in its statement Friday. “With this in mind, we will significantly reduce preloaded applications. Our goal is clear: to become the leader in providing cleaner, safer PCs.”
Whether that’s enough to regain consumer trust is another issue, and one that every company suffering a supply chain screwup must overcome. “For all these vulnerabilities we’re seeing, somewhere in the pipeline the trust got broken,” said Robert Olson, a professor at the State University of New York at Fredonia who specializes in information security and ethics.
Smaller companies, especially new startups, may not have the resources or the corporate culture to ensure that they’re properly checking how their partners have built their software. “Superfish’s policies may not be your policies,” said Justin Troutman, a security and privacy researcher and book author. “If you don’t look into the code, you’re blindly accepting risks.”
In theory, trust is also an issue between software makers. The burden of proving a program is safe must be borne by each subsequent vendor: Alex must convince Brenda who must convince Christy that their software is safe. “It’s a social negotiation, not a technical issue,” Lin said. But, he added, the cost of making sure there aren’t security flaws in software makes the program significantly more expensive to produce. “The cost per line of avionics software [for controlling aircraft], stuff that really has to work right, is 10 to 100 times more than ordinary code,” he said.
What’s the solution? Not necessarily regulation
Whatever the process at Lenovo was that broke down or didn’t exist and let Superfish through, there’s no doubt the goal of the software was to infiltrate a user’s Web traffic and change what that person sees. That’s a problem for Dan Kaminsky, the security researcher who discovered malicious software from Sony BMG infected more than half a million computers in 2005. “Imagine a supermarket inserting their own sweetener into Diet Coke,” he said. “That’s not normal. That’s weird, the kind of thing you should be sued for.”
More regulation would seem to be the obvious answer to solving the problem, and it’s not unheard of in the security software world. The PCI Security Council, a standards body for governing how software handles financial data, has a certification process to make sure credit card numbers and transactions are handled with the proper precautions, said Avivah Litan, a security analyst with Gartner. “They look at the code, the quality assurance it goes through, who’s managing the [security] keys. It’s probably a good idea to extend it to other tech sectors,” she said, but noted there are risks associated with doing so.
“In financial services, there have been so many breaches caused by third parties that regulators have put rules in, but it’s really slowed down innovation and procurement,” Litan said.
Even if broad regulations demanding higher standards for software security are devised, they may not be effective, for two reasons: many free-to-use, open-source components offer a lot of features to developers at no cost, and software security rarely works with a one-size-fits-all approach. “It’s difficult to define what ‘secure’ means broadly across all software,” said Jason Schmitt, who runs Hewlett-Packard’s Fortify division, which focuses on software security. “What you have to define is the process of making it secure.”
Bloatware is here to stay
Preloaded software isn’t going to go away, no matter how loudly consumers and security experts howl. In addition to padding their bottom lines by bundling Windows with third-party software such as Adobe Reader, McAfee’s antivirus software and the Bing Toolbar, manufacturers are convinced the software benefits consumers. Lenovo’s Hortensius pointed to a system update tool his company adds to each new machine that updates drivers, small pieces of software that tell hardware components like printers how to interact with the computer. “We try to improve the user experience with every piece of software we load,” Hortensius said.
Sometimes, supply chain mistakes can cost an executive his or her job. Andrew Lack, the Sony BMG CEO at the time of the company’s malware-on-disc problem, lost his job over the incident. Lenovo hasn’t signaled yet if there will be an executive shuffle for the Superfish incident, but there’s already been one lawsuit filed by a Lenovo laptop owner.
“This signals to participants in the supply chain that if they intentionally put in software that makes machines vulnerable, they’re going to be taken to task for it,” Kaminsky said.
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.