Lenovo laptops preloaded with Superfish adware can spy on secure banking and email communications

Lenovo's range of consumer laptops come pre-installed with a piece of adware that also allows it to monitor secure communications such as banking and email.

Laptops typically come pre-loaded with a range of software known as bloatware, which is already installed on your system when you buy it.

One such piece of software is SuperFish Visual Discovery, a browser add-on which promises to help "users find and discover products visually." The problem is that as well as doing this, the piece of adware is serving up third-party ads on Google searches and websites without the user's permission.

However this is not the worst thing the piece of software does.

Access secure communications

Superfish can also intercept source communications thanks to the installation of a self-signing certificate authority.

This means that the Superfish software is essentially carrying out what is known as a man-in-the-middle attack allowing it to intercept secure communication which is protected by SSL and TLS protocols.

SSL certificates are small files your used by many websites such as banks, email providers and retailers like Amazon to protect your communications with them by proving you are who you claim to be.

One security expert has already shown that the self-installed Superfish certificate authority can create SSL certificates seemingly issued to Bank of America:

This means that Superfish can potentially spy on your banking transactions, emails or social media updates, monitoring your communications without your knowledge.

The issue first came to light in November 2014 on Lenovo's own product forums, but it has gained traction in recent weeks when Lenovo product manager Mark Hopkins addressed the issue of the rogue third-party ads saying the company has stopped installing Superfish on new laptops:

"We have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues. As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues."

Monitoring behaviour

In a statement to IBTimes UK, the Chinese company said:

"Lenovo removed Superfish from the preloads of new consumer systems in January 2015. At the same time Superfish disabled existing Lenovo machines in market from activating Superfish. Superfish was preloaded onto a select number of consumer models only. Lenovo is thoroughly investigating all and any new concerns raised regarding Superfish."

Hopkins defended the inclusion of the software saying it provides users searching for products with more options and potentially lower prices. He added that Superfish "does not profile nor monitor user behaviour. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent."

Super fish is bundled with the company's consumer range of laptops only - such as its Yoga range - but not the company's hugely popular enterprise-focused laptops such as the ThinkPad range.

Lenovo says that users are presented with a terms of use and privacy policy when they first use the product and have the option to disable Superfish. However, some users have reported that even when this is done, it does not remove the root certificate.

Ken Westin, senior security analyst at Tripwire, said:

"It will be interesting to see what affect this has on Lenovo's sales and brand reputation. With increasingly security and privacy conscious buyers, laptop and mobile phone manufacturers may well be doing themselves a disservice by seeking outdated advertising based monetization strategies. If the findings are true and Lenovo is installing their own self-signed certificates, they have not only betrayed their customers' trust, but also put them at increased risk."