Superfish

Superfish
Private
Industry Internet
Founded 2006
Headquarters Palo Alto, California, United States
Key people
 Adi Pinhas (co-founder & CEO) Michael Chertok (co-founder and CTO)
Services Visual search[1]
Revenue ~$40 million
Number of employees
 90
Website http://wwws.superfish.com/

Superfish is an advertising company that develops various advertising-supported software products based on a visual search engine. The company is based in Palo Alto, California,[1] and was founded in Israel in 2006.[2] Its software has been described as malware or adware by several sources.[3][4][5][6][7] The software was bundled with various applications as early as 2010, and Lenovo began to bundle the software with some of its computers in September 2014.[3] On February 20, 2015, the United States Department of Homeland Security advised uninstalling it and its associated root certificate, because they make computers vulnerable to serious cyberattacks, including interception of passwords and sensitive data being transmitted through browsers.[8][3]

History

Superfish was founded in 2006 by Adi Pinhas and Michael Chertkof.[2][9] Pinhas is a graduate of Tel Aviv University.[10] In 1999, he co-founded Vigilant Technology, which “invented digital video recording for the surveillance market”; before that, he worked at Verint, an intelligence company that analyzed telephone signals and had allegedly tapped Verizon communication lines.[11] Chertkof is a graduate of Technion and Bar-Ilan University with 10 years of experience in "large scale real-time data mining systems."[12]

Since its founding, Superfish has used a team of "a dozen or so PhDs" primarily to develop algorithms for the comparison and matching of images. It released its first product, WindowShopper, in 2011.[13] WindowShopper immediately prompted a large number of complaints on internet message boards, from users who didn't know how the software had been installed on their machines.[11]

Superfish initially received funding from Draper Fisher Jurvetson, and to date has raised over $20 million, mostly from DFJ and Vintage Investment Partners.[14] Forbes listed the company as number 64 on their list of America's most promising companies.[15]

CEO Adi Pinhas in 2014 stated that "Visual search is not here to replace the keyboard ... Visual search is for the cases in which I have no words to describe what I see."[16]

As of 2014, Superfish products had over 80 million users.[17]

Lenovo security incident

Users had expressed concerns about scans of SSL-encrypted web traffic by Superfish Visual Search software pre-installed on Lenovo machines since at least early December 2014.[18] This became a major public issue, however, only in February 2015. The installation included a universal self-signed certificate authority; the certificate authority allows a man-in-the-middle attack to introduce ads even on encrypted pages. The certificate authority had the same private key across laptops; this allows third-party eavesdroppers to intercept or modify HTTPS secure communications without triggering browser warnings by either extracting the private key or using a self-signed certificate.[7][4][19][20] On February 20, 2015, Microsoft released an update for Windows Defender which removes Superfish.[5] In an article in Salon tech writer David Auerbach compares the incident to the Sony DRM rootkit scandal and said of Lenovo's actions, "installing Superfish is one of the most irresponsible mistakes an established tech company has ever made."[21]

Criticisms of Superfish software predated the "Lenovo incident" and were not limited to the Lenovo user community: as early as 2010, Apple, Mozilla Firefox, and Microsoft Windows users had expressed concerns in online support and discussion forums that Superfish software had been installed on their computers without their knowledge, by being bundled with other software.[11]

CEO Pinhas, in a statement prompted by the Lenovo disclosures, maintained that the security flaw introduced by Superfish software was not, directly, attributable to its own code; rather, "it appears [a] third-party add-on introduced a potential vulnerability that we did not know about" into the product. He identified the source of the problem as code authored by the tech company Komodia, which deals, among other things, with website security certificates.[22] Komodia code is also present in other applications, among them, parental-control software; and experts have said "the Komodia tool could imperil any company or program using the same code [as that found within Superfish]."[23] In fact, Komodia itself refers to its HTTPS-decrypting and interception software as an "SSL hijacker," and has been doing so since at least January 2011.[24] Its use by more than 100 [corporate] clients may jeopardize "the sensitive data of not just Lenovo customers but also a much larger base of PC users."[25]

Products

Superfish's first product, WindowShopper, was developed as a browser add-on for desktop and mobile devices, allowing users to hover over browser images and be directed to shopping Web sites to purchase similar products. As of 2014, WindowShopper had approximately 100 million monthly users, and according to Xconomy, "a high conversion to sale rate for soft goods." Superfish's business model is based on receiving affiliate fees on each sale.[14]

The core technology, Superfish VisualDiscovery, is installed as a man-in-the-middle proxy on some Lenovo laptops. It injects advertising into results from Internet search engines; it also intercepts encrypted (SSL/TLS) connections.[26][6]

In 2014, Superfish released new apps based on its image search technology.

See also

References

  1. 1.0 1.1 Hoge, Patrick (21 October 2014). "Superfish dives deep into visual search". San Francisco Business Times. Retrieved 16 November 2014.
  2. 2.0 2.1 Superfish Points Fingers Over Ad Software Security Flaws- ABC News/AP, 20 February 2015
  3. 3.0 3.1 3.2 "Alert: Lenovo “Superfish” Adware Vulnerable to HTTPS Spoofing". United States Computer Emergency Readiness Team. February 20, 2015. Retrieved February 20, 2015.
  4. 4.0 4.1 Fox-Brewster, Thomas (February 19, 2015). "How Lenovo's Superfish 'Malware' Works And What You Can Do To Kill It". Forbes. Forbes.com LLC. Retrieved February 20, 2015.
  5. 5.0 5.1 Chacos, Brad (20 February 2015). "Bravo! Windows Defender update fully removes Lenovo's dangerous Superfish malware". PC World. Retrieved 20 February 2015.
  6. 6.0 6.1 Williams, Owen (19 February 2015). "Lenovo caught installing adware on new computers". The Next Web. Retrieved 19 February 2015.
  7. 7.0 7.1 Hern, Alex (19 February 2015). "Lenovo accused of compromising user security by installing adware on new PCs". The Guardian. Retrieved 19 February 2015.
  8. "U.S. government urges Lenovo customers to remove Superfish software". Reuters. February 20, 2015. Retrieved February 20, 2015.
  9. Superfish gets $10M for image search - San Francisco Business Times, 30 July 2013
  10. Q&A: Adi Pinhas, founder and CEO of tech startup Superfish - San Jose Mercury News, 2 January 2015
  11. 11.0 11.1 11.2 Fox-Brewster, Thomas (February 19, 2015). "Superfish: A History Of Malware Complaints And International Surveillance". Forbes. Retrieved February 21, 2015.
  12. Executive Profile - Michael Chertok - Co-Founder and Chief Technology Officer, Superfish, Inc - Bllomberg.com, retrieved 20 February 2015
  13. Craig, Elise (16 July 2014). "Superfish Aims to Dominate Visual Search, One Product at a Time". Xconomy. p. 1. Retrieved 17 November 2014.
  14. 14.0 14.1 Craig, Elise (16 July 2014). "Superfish Aims to Dominate Visual Search, One Product at a Time". Xconomy. p. 2. Retrieved 17 November 2014.
  15. "America's Most Promising Companies". Forbes. January 2015. Retrieved February 21, 2015.
  16. "What Will It Take for Visual Search to Catch On?". eMarketer. 11 November 2014. Retrieved 17 November 2014.
  17. Weiss, Vered (3 September 2014). "Adi Pinhas’ Superfish #1 Fastest Growing Private Software Company in the US". Jewish Business News. Retrieved 17 November 2014.
  18. "What is the superfish SSL certificate and where did it originate". Super User Q&A site. Archived from the original on February 21, 2015. Retrieved February 21, 2015.
  19. Varma, Corey (February 20, 2015). "Complaint filed against Lenovo over Superfish adware". coreyvarma.com. Retrieved February 23, 2015.
  20. Valsorda, Filippo (February 20, 2015). "Komodia/Superfish SSL Validation is broken". Retrieved February 25, 2015.
  21. Auerbach, David (20 February 2015). "You Had One Job, Lenovo". Salon. Retrieved 21 February 2015.
  22. "Superfish denies blame in Lenovo security mess". The Mercury News: siliconbeat. February 20, 2015.
  23. "Palo Alto startup points fingers over Lenovo ad software security flaws". Contra Costa Times. February 23, 2015.
  24. "Komodia’s SSL Decoder/Digestor product page". Komodia Inc. Archived from the original on January 22, 2011. Retrieved February 27, 2015.
  25. "“SSL hijacker” behind Superfish debacle imperils large number of users". ars technica. February 20, 2015.
  26. Duckett, Chris (19 February 2015). "Lenovo accused of pushing Superfish self-signed MITM proxy". DNet. Retrieved 19 February 2015.

External links