Superfish might sound like a delicious new sea meat served battered alongside chips and tartar sauce, but it’s actually landed the Chinese electronics giant Lenovo in hot water.
First, a bit of background – Superfish is the name of a piece of software Lenovo has been pre-installing on a select few models of its consumer laptops in recent months. The software is designed to analyse images for things the user might be researching on the internet and to suggest alternatives or cheaper offers, where available, in ad form.
Think of it as a reverse image search and a price comparison tool combined into one piece of software. On the surface it sounds innocent enough, but by design it more closely resembles malware.
There are a few points in the Superfish story that don’t reflect well on Lenovo, not least the fact that many customers who bought the affected laptops weren’t aware of what Superfish was, or that it was even installed on their machines in the first place. Lenovo’s official line states that Superfish was designed “to help customers potentially discover interesting products while shopping.”
Forbes has a more robust explanation of why Superfish potentially opens up dangerous security holes for the user; in essence, it has the ability to sign its own certificates, the mechanism websites, including your bank’s, use to prove that the machine you are talking to is the real deal and doesn’t intend to skim information from you as you browse the internet.
Whilst this could potentially point the finger at Lenovo with claims of invading its users’ privacy, the way Superfish operates also increases the risk of malicious parties or hackers deciphering the authentication key it uses for signing these certificates, opening up a ‘back door’ for nasty people to steal your data.
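Because the risk described above hinges on a self-signed root certificate sitting in the machine’s trust store, the practical first check is to look for it there. The following PowerShell script is an added example, not code from the article or from Lenovo; it assumes the suspect root certificate’s subject or issuer contains the string “Superfish” (an assumption, since the exact certificate details are not given here) and lists any match in the machine and user root stores. Removal is shown with `-WhatIf` so it only reports what it would delete; run it from an elevated prompt to read the LocalMachine store.

```powershell
# Added example: find and report Superfish-style root certificates in the Windows trust stores.
# Assumption: the subject or issuer of the suspect root contains "Superfish".
$pattern = 'Superfish'
$stores  = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

function Find-SuspectRoot {
    param([string]$Store, [string]$Pattern)
    Get-ChildItem -Path $Store |
        Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
        ForEach-Object {
            [PSCustomObject]@{
                Store         = $Store
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # A root carrying its own private key is exactly what lets
                # software on this machine mint certificates for any site.
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

$found = foreach ($store in $stores) { Find-SuspectRoot -Store $store -Pattern $pattern }

if (-not $found) {
    Write-Output "No root certificate matching '$pattern' found in $($stores -join ', ')."
} else {
    $found | Format-Table -AutoSize

    # Report what removal would do without actually deleting anything.
    # Drop -WhatIf once the matches have been reviewed.
    foreach ($cert in $found) {
        Remove-Item -Path (Join-Path $cert.Store $cert.Thumbprint) -WhatIf
    }
}
```

Deleting the root certificate closes the trust hole but does not uninstall the software that installed it, which is why the article’s advice to rebuild from a clean Windows image still stands; also note that browsers with their own certificate store are not covered by this check.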
It’s raised eyebrows amongst security firms and analysts, and chances are the bloatware that makes its way onto future consumer laptops, whoever their manufacturers may be, will fall under much closer scrutiny by educated users. In the wake of the Superfish debacle, Lenovo has disabled the service server-side and released instructions to disable it, but this doesn’t completely solve the problem.
In truth, the only way to truly eliminate the risks Superfish exposes its users to is to install a clean build of Windows, one not touched by Lenovo’s software, semi-malicious or otherwise.