The software — which the company says was designed to create relevant advertising for online shoppers based on their website behavior — could also observe behavior that users don’t want observed, said Kevin Lanning, chief information security officer for UNC Information Technology Services, in an email.
“The Superfish software appears to have the ability to intercept encrypted traffic for every secure (HTTPS) website a user visits,” he said. “Given the specifics of Superfish software implementation, attackers may be able to create a website that imitates or masquerades as another secure website, and computers that have Superfish installed might fail to identify such imitation websites as forgeries.”
Lenovo has asked all computer owners to uninstall the software. Lanning said the software could be uninstalled by following instructions on Lenovo’s website or by calling ITS’s help number.
David Eckert, dispatch service manager for ITS, said in an email the software was not installed on Carolina Computing Initiative models because they come with a custom-built UNC software preload that has never included Superfish or similar software.
Eckert said the “Think” brand products, the most common model purchased by UNC faculty, staff and students, were not affected, according to Lenovo.
Ray Gorman, a spokesman for Lenovo, said in an email there was no evidence that Superfish corrupted any data, but the company recognized there were potential security issues with the software. Gorman said the company had stopped pre-loading the software on computers as of January.
But Winston Howes, a UNC senior known for creating ConnectCarolina 2.0 in 2013, said it’s likely there have been security breaches.
“Lenovo said they were not aware of any cases; however, these types of attacks aren’t actually very easy to detect,” he said. “I would be surprised if no attacker took advantage of this.”
He said the reason some attackers might not have taken advantage is because they were unaware of the vulnerability.
Howes said Lenovo’s software is dangerous because when it’s installed, it creates its own root certificate — which is rare and allows an attacker using the same Wi-Fi to intercept any communication a computer user is having online.
Attackers could start by viewing online banking interactions and communication, but then could interject malicious code, Howes said.
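A check for the root certificate Howes describes, added here as an example and not taken from the article, Lenovo or Superfish; it assumes a Windows machine and that the certificate's Subject or Issuer contains the vendor name "Superfish":

```powershell
# Added example, not from the article: look for a Superfish-issued certificate
# in the Windows trusted root stores. A root certificate trusted here is what
# lets the software intercept HTTPS without the browser flagging a forgery.
$stores  = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$pattern = '*Superfish*'   # assumption: the vendor name appears in Subject or Issuer

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like $pattern -or $_.Issuer -like $pattern } |
        ForEach-Object {
            [PSCustomObject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
            }
        }
}

if ($findings) {
    Write-Warning 'A Superfish root certificate is trusted on this machine; HTTPS sessions can be intercepted.'
    $findings | Format-Table -AutoSize
    # Removing the certificate alone does not uninstall the software; follow the
    # uninstall instructions from Lenovo first, then remove any leftover entry:
    # $findings | ForEach-Object { Remove-Item -Path (Join-Path $_.Store $_.Thumbprint) }
} else {
    Write-Output 'No Superfish certificate found in the trusted root stores.'
}
```

Run it from an elevated PowerShell prompt so the LocalMachine store is readable.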
Eckert said software is agreed upon by the CCI Software Load Committee.
“Software like Superfish is unlikely to ever be approved for inclusion in our software load by this committee,” Eckert said.