It’s infuriating that Lenovo continues to deny that SuperFish is a security threat. They keep saying that they’ve stopped installing it but that in any case SuperFish didn’t collect or store any private information. Doubtless that’s true but it’s a straw man that no one is claiming. The problem is that SuperFish installed a fake CA root certificate and that this certificate can be and was recovered by third parties. Anyone holding that certificate can easily set up a man-in-the-middle attack in coffee shops and other places offering free WiFi.
Robert Graham, who demonstrated how easily the certificate could be extracted, has provided a demonstration of a working MITM attack. He shows it collecting a (fake) login credential to Bank of America. Yet Lenovo continues to say, “We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.”
If you have an infected Lenovo laptop, Graham’s demonstration should terrify you. Everything you do is subject to surveillance by anyone with a modicum of technical ability. Or for that matter, anyone who can read Graham’s article.
Lenovo, to their credit, has made a SuperFish removal tool available on GitHub. The GitHub repository also has a link where you can download an executable. If you’re paranoid—and who could blame you—you can read the code and build the app yourself. Again, if you have an infected laptop, it’s imperative that you do this. Either that or share your banking credentials with J. Random Cracker.
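A quick way to tell whether your laptop is one of the infected ones, as an added example that is not from this post or from Lenovo's tool: it lists any certificate in the Windows trusted-root stores whose subject names Superfish, and assumes that is how the SuperFish CA can be recognised.

```powershell
# Added check (not Lenovo's code): look for the SuperFish root CA in the
# trusted-root stores of both the current user and the machine.
# Assumption: the rogue CA is recognisable by "Superfish" in its subject name.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match 'Superfish' } |
        Select-Object @{ Name = 'Store'; Expression = { $store } },
                      Subject, Thumbprint, NotBefore, NotAfter
}

if ($found) {
    # Anyone holding the matching private key can forge certificates this
    # machine will trust, so flag it and point at the removal tool.
    Write-Warning 'SuperFish root CA is trusted on this machine. Run the Lenovo removal tool.'
    $found | Format-Table -AutoSize
} else {
    Write-Output 'No SuperFish root CA found in the trusted-root stores.'
}
```

Run it again after using the removal tool to confirm the certificate is gone; browsers that keep their own trust store (Firefox, for example) are not covered by this check.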