Lenovo PCs ship with preinstalled adware and root certificate

We all know that computer manufacturers make much of their revenue from device sales with software and service deals.

They integrate trial programs on user systems and may also cooperate with search engines to make a particular search engine the default on a system and with other companies to place shortcuts to their sites on the desktop.

The tech community calls this crapware and it is a fitting name as most users don't need or want these types of offers on their systems.

That's one of the reasons why programs like Decrapifier and services to remove these offers are popular. Sometimes, manufacturers are offering services to remove these products from systems for a price.

Lenovo confirmed recently that it shipped some (it is currently unclear which models are affected) its consumer devices with Superfish, a known adware. This particular version of Superfish analyzes images that are displayed on the web, looks up matching offers in a database to display these offers to the user.

According to a Lenovo rep on the official company forum, the system is not profiling customers or recording user information.

Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior.  It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted.  Every session is independent. When using Superfish for the first time, the user is presented the Terms of User and Privacy Policy, and has option not to accept these terms, i.e., Superfish is then disabled.

If that was not bad enough, the installation of Superfish on Lenovo devices also installs a root certificate to the Windows certificate store which makes all https connections vulnerable to man in the middle attacks as it can be used to intercept https traffic to any website.

A user connecting to secure websites may notice that the certificate is signed by Superfish regardless of site visited.

The certificate, on top of all that, shares a private key amongst all installations and uninstallation of Superfish won't remove the certificate with it.

Side Tip: Checking the Certificate Manager

If you are running a Lenovo device you may want to check if the certificate is installed on the device and remove it if it is.

1. Tap on the Windows-key to bring up the start menu or start screen.
2. Type certmgr.msc and hit enter. This opens the Certificate Manager.
3. Use the folder structure on the left to navigate to Trusted Root Certification Authorities -> Certificates.
4. Check if Superfish Inc. is listed among the certificates.
5. If it is, right-click the certificate and select Delete from the context menu to remove it.

Update: As Rodsmine mentioned in the comments, you need to use the Microsoft Management Console to check for Superfish.

1. Tap on the Windows-key, type mmc.exe and hit enter.
2. Go to File -> Add/Remove Snap-in
3. Pick Certificates, click Add
4. Pick Computer Account, click Next
5. Pick Local Computer, click Finish
6. Click OK
7. Look under Trusted Root Certification Authorities -> Certificates
8. Find the one issued to Superfish and delete it.

Here are the instructions that Lenovo posted on its support website to remove Superfish.

Closing Words

It is bad enough when PC manufacturers add all kinds of crapware on a PC to make money as these programs tend to slow down the PC quite a bit as many of them come installed on it and may run on system start as well.

It takes time and effort to remove those. What Lenovo did however is a whole new level. Not only did it install Superfish on systems with injects advertisement when users browse the Internet, that freaking thing did install a root certificate on the system as well sharing its private key which makes your system vulnerable to man in the middle attacks.

I don't understand how a company, or its executives, can think for a moment that this is good business practice. Even if Lenovo did not know about the certificate, it should considering that it added the software to its systems and hopefully tested this before it went to production, it is bad enough but with the certificate, it could severely damage the companies reputation for years to come.

Coincidentally, I purchased a Lenovo laptop back in 2014 but replaced its hard drive with a faster one and installed a system from scratch on it so that I never had to experience any adware (or worse) issues while using it.

Update: Lenovo released a statement on Superfish today. The main takeaway from the statement is that the company stopped the preloading of Superfish in January, that it won't preload the software in the future, and that the system has been disabled server-side since January.