Lenovo, a huge maker of laptops, bundles virus-like software on laptops for the consumer market, cybersecurity experts said on Thursday.
Users reported as early as last June that a browser add-on called Superfish Visual Discovery, installed by Lenovo on consumer laptops, automatically displayed adverts.
Robert Graham, CEO of U.S.-based security research firm Errata Security, said Superfish had been designed to intercept all encrypted connections, and does so in such a poor way that it leaves the system open to hackers or NSA-style spies.
According to Marc Rogers (Errata Security), the software installs a transparent proxy (MitM) service on the computer that intercepts browser connections. However, interception alone still cannot decrypt SSL. Therefore, Superfish installs its own root CA certificate in the Windows system. It then generates certificates on the fly for each attempted SSL connection. Thus, when you have a Lenovo computer, it appears as if Superfish is the root CA of all the websites you visit. This allows Superfish to intercept an encrypted SSL connection, decrypt it, then re-encrypt it again.
The root CA private key is the same on every computer. This means that hackers at your local cafe WiFi hotspot, or the NSA eavesdropping on the Internet, can use that private key to likewise intercept all SSL connections from Superfish users.
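As an added illustration (not from the article or from the researchers it quotes), the sketch below shows how the two properties described above appear in fleet telemetry: one unfamiliar root anchoring the chains for many unrelated sites on a machine, and that same root recurring on other machines. Machine names, sites, fingerprints and the baseline set are constructed placeholders.

```python
from collections import defaultdict

# Constructed baseline: fingerprints of roots expected from the OS root program.
BASELINE_ROOTS = {"fp-public-root-a", "fp-public-root-b"}

# Constructed observations: (machine, HTTPS site visited, fingerprint of the root
# that anchored the presented chain). Placeholders, not real hashes.
OBSERVATIONS = [
    ("laptop-1", "bank.example", "fp-intercept-root"),
    ("laptop-1", "mail.example", "fp-intercept-root"),
    ("laptop-1", "shop.example", "fp-intercept-root"),
    ("laptop-2", "bank.example", "fp-intercept-root"),
    ("laptop-2", "news.example", "fp-intercept-root"),
    ("laptop-2", "wiki.example", "fp-intercept-root"),
    ("desktop-3", "bank.example", "fp-public-root-a"),
    ("desktop-3", "mail.example", "fp-public-root-b"),
    ("desktop-3", "dev.example", "fp-lab-root"),  # single internal site, private CA
]

def interception_roots(observations, baseline, min_sites=3):
    """Per machine, return non-baseline roots anchoring >= min_sites distinct sites."""
    sites = defaultdict(set)  # (machine, root) -> distinct sites seen under that root
    for machine, site, root in observations:
        if root not in baseline:
            sites[(machine, root)].add(site)
    flagged = defaultdict(set)  # machine -> suspicious roots
    for (machine, root), seen in sites.items():
        if len(seen) >= min_sites:
            flagged[machine].add(root)
    return dict(flagged)

def shared_roots(flagged):
    """Return flagged roots found on more than one machine.

    An identical certificate fingerprint means an identical public key, so every
    machine listed trusts the same key pair.
    """
    machines = defaultdict(set)
    for machine, roots in flagged.items():
        for root in roots:
            machines[root].add(machine)
    return {root: sorted(ms) for root, ms in machines.items() if len(ms) > 1}

if __name__ == "__main__":
    flagged = interception_roots(OBSERVATIONS, BASELINE_ROOTS)
    for root, machines in shared_roots(flagged).items():
        print(f"{root}: same root trusted on {', '.join(machines)}")
```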
Lenovo claims it's providing a useful service, helping users do price comparisons. However, they have stopped including the software on new systems.
Lenovo commanded one-fifth of the global PC market in the third quarter of 2014, according to data research firm IDC.