As Lenovo faces mounting criticism for pre-loading adware onto consumer laptops — and then offering an incomplete fix to the security problem — more questions were raised Friday about just who is at fault.
Fingers immediately pointed to the company behind the adware program: Palo Alto-based Superfish. But after it was discovered the Lenovo shipped millions of computers with gaping security flaws, Superfish on Friday continued to maintain its innocence.
The Superfish software does not present a security risk, Co-founder and CEO Adi Pinhas said in an interview with the Mercury News. In no way does Superfish store personal data or share such data with anyone. He called out the media and bloggers for making false and misleading statements about Superfish.
And he pointed the blame for the Lenovo security flaw on a third-party, Komodia, a technology company that handles security certificates for webpages.
In this case, it appears the third-party add-on introduced a potential vulnerability that we did not know about, Pinhas said.
The Komodia website went offline Friday, with a landing page saying it was under attack due to the recent media attention, it said. A spokesman told Forbes that he couldn t comment on the Superfish mess because of contractual reasons.
Superfish has made a name in visual search: take a picture of something, say a dog, plant or pair of shoes, and the Superfish application will dig through the depths of the Internet to find a similar image. The app user can then find out which pet store has the poodle she wants, or which retailer has that pair of black boots.
But as we quickly learned this week, Superfish isn t all about helping the consumer. In addition to the various pet and plant apps, the company also makes software that pummels computer users with pop-ups and intrusive ads on webpages, trying to get them to buy something from a retailer. Between September and December last year, Lenovo s consumer laptops were shipped with this adware program.
Pinhas said the software installation was to provide users with real-time price comparisons as they were shopping online.
But in order to show these Superfish-generated ads, Lenovo has been breaking all encrypted traffic for millions of customers.
Business Insider described how this security flaw works: Secure websites — like a bank, or a form for entering passport details — will have a security certificate, which proves to your browser that the site is who it says it is. These certificates stop rogue sites and hackers impersonating trusted websites and stealing your sensitive details. Superfish also inserts ads into these secure web pages, and it does so by installing a new certificate authority onto users laptops.
Several experts have said Superfish is responsible for producing fake certificates; Superfish says Komodia is responsible. But Superfish also recognized there was a problem a while back, according to Pinhas.
Both Lenovo and Superfish did extensive testing of the solution but this issue wasn t identified before some laptops shipped, he said. Fortunately, our partnership with Lenovo was limited in scale. We were able to address the issue quickly. The software was disabled on the server side in January 2015.
Superfish is was working with Microsoft, Lenovo and Komodia on a fix.
Superfish has been criticized since its inception for invading people s computers and being little more than crapware that was designed to be very difficult to get rid of. Pinhas, who founded the company in Israel in 2006, has connections to the surveillance industrial complex; Slate referred to him as a shady surveillance veteran. Pinhas has a background in digital video recording for the surveillance market, and told the Mercury News recently he is interested in using Superfish technology for facial recognition and installing the technology in every iPhone.
Photo: Superfish CEO and co-founder Adi Pinhas at the Superfish offices in Palo Alto, Calif., on Friday, Dec. 19, 2014. By LiPo Ching/Bay Area News Group.
