Stealthy Cybersecurity Threats: A Conversation With The Superfish Class Action Lawyers

What is "Superfish," and why should you be worried about it? Technology columnist Jeff Bennion explains.

Most of us know when we are being reckless with our cybersecurity. We all know to not click on the Nigerian Prince e-mail, and we know that if we just had lunch with someone, the e-mail from them about how they are stranded in Spain and had their money and passport stolen and they need an urgent Western Union is likely not from them. We ignore e-mails that have us go to www.bankofamerica.dj to enter in our banking information to confirm suspicious transactions. We generally trust that if we stay out of dangerous corners of the internet, we will be safer. That is why the Lenovo Superfish threat is such a dangerous problem.

Lenovo is the biggest manufacturer of PCs in the world. Like most other manufacturers, Lenovo computers come with bloatware – the software that companies pay to have pre-installed on each new computer. Earlier this year, consumers started noticing that something was wrong with their Lenovo laptops, namely, there was some bloatware called “Superfish” that they could not delete. This led consumers to look more closely at the Superfish software and found that it creates security risks.

Lenovo issued an apology and provided instructions on how to remove Superfish. According to Lenovo’s own support site, the Superfish software they installed on the computers is a “high” severity threat.

The first class action lawsuit was filed a few weeks ago in the Southern District of California by the Law Offices of Alexander M. Schack, Spreter Legal Services, and the Adler Law Group, for various criminal and civil causes of action, including federal wiretapping violations.

I spoke with the attorneys, and they explained to me why the Superfish threat is so dangerous:

The software is a form of visual discovery that functions as a type of malware or adware. The software conducts what is referred to in the industry as a man-in-the-middle attack by installing a self-signed root certificate that intercepts otherwise encrypted connections and websites. Root certificates are used by, among other things, browsers to validate certain types of encrypted communications between a user’s computer and third-party websites. Security researchers believe this practice allowed the Defendants to inject advertising onto internet websites, collect data, monitor activity, gather personal information, and hijack secure connections of consumers, and makes it easier for attackers to access a user’s confidential information.

The software installs a self-signed root certificate that intercepts traffic from otherwise encrypted connections (i.e., those using HTTPS, the common protocol used to access a secure web server). Normally, when a consumer visits an encrypted website through an HTTPS connection, a digital certificate is provided from one of a few trusted Certificate Authorities, which verifies the identity and authenticity of the company, organization or person responsible for the website. For Lenovo computers infected with the preloaded software, Superfish installs a self-signed root certificate that enables it to generate certificates for otherwise encrypted connections. By representing itself as an official website certificate, the software has silently hijacked the encrypted connections of Lenovo users.

According to security analysts, the software not only intercepts secure web traffic, but also monitors user activity, collects personal information, injects advertisements into websites and browsing sessions, and leaves the user’s system vulnerable to outside attackers. As alleged in the complaint, the software in fact makes it easier for attackers to access consumer information and intercept connections, by, for example, allowing them to generate fake certificates to impersonate protected websites.
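The two facts in the explanation above, a Superfish root certificate in the trusted store and site certificates that are signed by that root instead of by a public Certificate Authority, are both things an affected user can check. The script below is an added example, not code from the article, from Lenovo or from the plaintiffs' filings; it assumes a Windows machine with PowerShell 5 or later, and it identifies the certificate only by the substring "Superfish" in its subject or issuer name (the host name www.example.com is a placeholder for any HTTPS site you want to test).

```powershell
# Added example (not from the article): two defender-side checks for the
# interception described above. Assumes Windows PowerShell 5+ and that the
# rogue root's subject/issuer name contains the string "Superfish".

# Check 1: is a Superfish root certificate present in a trusted root store?
# Both the machine-wide and the per-user root stores are inspected.
function Find-SuperfishRoot {
    $stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match 'Superfish' } |
            ForEach-Object {
                [PSCustomObject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    SelfSigned = ($_.Subject -eq $_.Issuer)   # a root signs itself
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

# Check 2: who actually signed the certificate this machine receives for an
# HTTPS site? A public site whose certificate is issued by a locally installed
# root rather than by a public CA is the man-in-the-middle signature described
# in the article. Validation is deliberately disabled here because we want to
# observe what is presented, not accept it.
function Get-ObservedIssuer {
    param(
        [string]$HostName = 'www.example.com',   # placeholder host
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [PSCustomObject]@{
            Host        = $HostName
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            Intercepted = ($cert.Issuer -match 'Superfish')
        }
        $ssl.Dispose()
    } finally {
        $client.Close()
    }
}

Find-SuperfishRoot | Format-Table -AutoSize
Get-ObservedIssuer -HostName 'www.example.com' | Format-List
```

If the first check returns a row, the root is trusted by every program that relies on the Windows certificate store. If the second check shows an issuer containing "Superfish" for a public site, the connection you see is not the one the site presented; the software is terminating the TLS session on the machine and re-signing it, exactly as described above. Lenovo's own removal instructions should then be followed, and the test repeated afterwards to confirm the issuer is once again a public CA.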

An attorney from the Law Offices of Alexander M. Schack, Natasha Naraghi, prepared the following graphic showing how it works. Basically, instead of connecting through secured, trusted connections, it creates its own connection that is not secure so that it can more efficiently siphon information about the user. This is called a “Man in the Middle” attack:


Let’s compare it using the following analogy. Imagine you go to a hotel and they have an unsecured, open Wi-Fi connection. You have confidential things you want to transmit over the internet, so you choose instead to use a personal, secure connection. Superfish makes you think that you are connecting with that secure connection, but it’s actually using its own open connection without telling you. It does this so it can look at the information you send through the connection to better “serve you” with ads tailored for you. But, while it’s spying on you, that connection is open and hackers can come in and use that secret backdoor to attack your computer and steal your information. On top of it, the hotel is making money off every person who is tricked.

And that’s why we need class actions.


Jeff Bennion is a solo practitioner from San Diego. When not handling his own cases, he’s consulting lawyers on how to use technology to not be boring in trial or managing e-discovery projects in mass torts/complex litigation cases. If you want to be disappointed in a lack of posts, you can follow him on Twitter or on Facebook. If you have any ideas of things you want him to cover, email Jeff at jeff@trial.technology.
