How Superfish’s Security-Compromising Adware Came to Inhabit Lenovo’s PCs

March 1, 2015


SAN FRANCISCO — Until its advertising software was discovered deep inside Lenovo personal computers two weeks ago, a little company called Superfish had maintained a surprisingly low profile for an outfit once named America’s fastest-growing software start-up.

In 2013, Superfish revenues had increased more than 26,000 percent over the previous three years to $35.3 million. It had advertising deals with some of the biggest names in e-commerce — Amazon, eBay and Alibaba among them.

But as the start-up, based in Palo Alto, Calif., searched for new income sources last year, it landed a deal with Lenovo, the world’s largest PC maker, to put its software — often called adware — on several Lenovo consumer PCs.

That deal has proved disastrous. Not only has it called into question the business practices of both Lenovo and Superfish, it has shined an unflattering light on makers of this sort of advertising technology.

Superfish’s software, a security researcher revealed, was logging every online movement of the people using those Lenovo machines and hijacking the security system that is supposed to protect online communications and commerce. The Department of Homeland Security even warned Lenovo PC users to remove the software because of the risk it presented.

Superfish’s technology, security experts now say, is a particularly aggressive example of the targeted advertising technology that tracks consumers’ online movements without their knowledge.

What made its adware particularly bad, experts say, is that it fooled Lenovo customers into thinking that private sessions with their email service, or bank — secured with encryption that is often represented by the tiny padlock that appears in their web browser — were private, when Superfish, and potentially hackers, could see everything.

“The padlock is a means of telling you that who you are talking to is who you think you are talking to. Superfish made that mechanism ineffective,” said Jonathan Mayer, a lawyer and computer science graduate student at Stanford University who specializes in digital privacy.

Superfish was co-founded by Adi Pinhas and Michael Chertok, two veterans of the video surveillance industry. Their first start-up, Vigilant Technology, worked with casinos, prisons and governments and used algorithms to scan video footage from surveillance cameras in search of suspicious activity.

In 2006, the two began exploring the possibility of applying similar computerized methods to visual searches. They called their new start-up Link-It. Much in the same way that Google is a search engine for text, Siri for voice, and music discovery apps like Shazam help people match songs they hear on the radio to an artist and song title, Superfish aimed to be a “visual search” engine for images.

With 12 Ph.D.s on staff and 10 patents for visual search technology, the company’s software crawls the web, using mathematical models to catalog, analyze and match images of plants, dogs or furniture to the exact flower, dog breed or home goods retailer. At one point, the company worked with Samsung on a proof-of-concept visual search engine for Samsung cellphones, but a formal partnership was never consummated.

In 2009, the co-founders said, they renamed the company Superfish.

Five years later, Superfish had accumulated partnerships with more than 100,000 retailers that paid the company through “affiliate” programs, in which retailers gave Superfish a cut of each sale its software encouraged. As Superfish tracks products that appeal to people on the web, its technology serves ads of similar or identical products from its retail partners.