Superfish: A History Of Malware Complaints And International Surveillance


Superfish, a little-known "visual search" and ad tech provider from Palo Alto whose CEO was once part of the surveillance industrial complex, is about to learn what it feels like to face the unwavering wrath of the privacy and security industries. Lenovo will take much of the blame for potentially placing users at risk: it contracted Superfish for software that effectively carries out man-in-the-middle attacks on Lenovo's own customers, intercepting their web traffic, encrypted connections included, just to get the firm's "visual" ads up during those customers' web searches.

But Superfish, founded and led by former Intel employee and ex-surveillance boffin Adi Pinhas, has been criticised by users the world over since its inception in 2006. One Apple Mac forum thread, started in 2012 and continuing into the following year, was full of complaints about a technology called Window Shopper, built by Superfish. It appears to have found its way onto people's machines by being bundled with other software, in one case alongside an Oracle Java download, in another via an "Awesome Screenshot" extension. Indeed, most members of that forum had no idea how the Superfish software had wormed its way onto their machines before it started irritating them with ads as they hovered over content, and a few had trouble locating Window Shopper in order to uninstall it. Microsoft Windows users were experiencing similar pain back in 2011, as were Mozilla Firefox fans in 2010. The list could go on.

A simple Google search for Window Shopper shows just how unloved the technology is, with many labelling it adware, malware or a virus. Sean Sullivan, from anti-virus vendor F-Secure, told me over Twitter that Window Shopper was much more prevalent than the Lenovo-powered version of Superfish technology, though on the face of it it did not open up the same security issues.

This is part of a major problem with the whole web browser extension ecosystem. Companies, understandably, are keen to have their software bundled with others so they can get more customers. But in many cases that means no due diligence on the firms they’re partnering with. Who knows what kinds of adware and malware services could come with some innocuous looking plugin? Did Lenovo carry out adequate checks on Superfish?

As noted in a range of 2013 articles, there’s a lot of money to be earned by simply bundling extra “crapware” onto people’s PCs. Investors are keen to spur them on too. In mid-2013, Superfish announced it had secured a $10 million Series D funding round, taking its total backing up to $20 million.

Superfish’s surveillance background

What of the foundations of Superfish itself? Pinhas, the co-founder, has an interesting history, especially from a privacy perspective. According to his LinkedIn profile, in 1999 he co-founded a company called Vigilant Technology, which “invented digital video recording for the surveillance market”. That company is still thriving today, boasting contracts with a diverse range of big-name clients, including the US military’s White Sands Missile Range, Paradise Casinos in California and Arizona, and a number of Israeli government organisations.

Prior to that, former Tel Aviv resident Pinhas worked at Verint, an intelligence company with a tumultuous history, where he carried out “signal processing research” in which he’d recognise and analyse anything going over a telephone line. Verint was founded by members of the elite military intelligence agency Unit 8200. It was featured in a Wired article in 2012, in which it was alleged Verint tapped Verizon’s communications lines and was supposedly working with the National Security Agency in doing so. Just a year later, Edward Snowden would reveal Verizon had let the NSA tap all customers’ communications. One wonders if Pinhas was ever involved in those shady operations. Did that lead to his move to the West Coast?

Pinhas had not responded to requests for comment at the time of publication. Superfish declined to give me an interview with Pinhas, but provided the following defence of its work with Lenovo: "It is important to note: Superfish is completely transparent in what our software does and at no time were consumers vulnerable - we stand by this today... there has been no wrong doing on our end." It said it wholly agreed with Lenovo's online statement.

There's more intrigue to be found here, though. As security expert Matt Suiche pointed out to me on Twitter, the password protecting the private key of the Superfish root certificate authority (you can find more details on that in my previous article here) is "komodia". That key is what lets the software mint a certificate for any website on the fly, and because the same password-protected key shipped on every affected machine, anyone who extracted it could do the same. There's a company called Komodia, which also does ad injection and "global proxy interception" - some very aggressive techniques. According to the company's website (which was down at the time of writing because of an attack on the site), the founder, Barak Weichselbaum, was also part of the surveillance industrial complex in Israel, having carried out "military service as a programmer in the IDF's Intelligence Core". Komodia offers one product called SSL Digestor that carries out ad injection by intercepting and re-signing HTTPS connections, effectively breaking encryption, just as Superfish was doing on Lenovo PCs. Suiche and Robert Graham of Errata Security are convinced that product was used by Superfish in the Lenovo case.
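What the Lenovo/Superfish/Komodia arrangement amounts to in certificate terms, as an added Go example that is not code from this article, from Superfish, Komodia or Lenovo: an interception root is generated and trusted, a leaf for whatever hostname the browser asked for is forged and signed with it, and a browser holding that root accepts the forgery while a clean one rejects it. The root and organisation names are placeholders I constructed for the example, not the real certificate fields, and the issuer check at the end is one simple form of the detection a practitioner would run over a served chain or over the trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// interceptOrg is a placeholder; it is not the real Superfish or Komodia subject.
const interceptOrg = "Example Ad Injector (constructed)"

// newRootCA builds the self-signed root an interception product drops into the
// OS trust store; whoever holds rootKey can forge a certificate for any hostname.
func newRootCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Interception Root", Organization: []string{interceptOrg}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// mintLeaf is what the local proxy does on every HTTPS connection: forge a leaf
// for the requested hostname, signed by the root, so the browser sees the proxy.
func mintLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// issuedByInterceptor flags a certificate whose issuer is a known injection CA.
// Run over the chain a public site serves, or over the trust store, it exposes
// local TLS interception; a stronger check pins the issuer expected for the host.
func issuedByInterceptor(c *x509.Certificate, badOrgs map[string]bool) bool {
	for _, org := range c.Issuer.Organization {
		if badOrgs[org] {
			return true
		}
	}
	return false
}

type Result struct{ TrustedWithoutRoot, TrustedWithRoot, Flagged bool } // clean store, poisoned store, caught

// Simulate forges a certificate for host and evaluates it all three ways.
func Simulate(host string) (Result, error) {
	root, rootKey, err := newRootCA()
	if err != nil {
		return Result{}, err
	}
	leaf, err := mintLeaf(root, rootKey, host)
	if err != nil {
		return Result{}, err
	}
	// A clean trust store rejects the forgery; one the installer poisoned accepts it.
	_, errClean := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: x509.NewCertPool()})
	poisoned := x509.NewCertPool()
	poisoned.AddCert(root)
	_, errPoisoned := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: poisoned})
	flagged := issuedByInterceptor(leaf, map[string]bool{interceptOrg: true})
	return Result{errClean == nil, errPoisoned == nil, flagged}, nil
}

func main() {
	fmt.Println(Simulate("www.example.com"))
}
```

Running it prints `{false true true}`: the forged leaf fails against a clean store, passes once the root is installed, and is caught by the issuer check. The point the simulation makes is that nothing about the forged leaf is technically wrong once the root is trusted, which is why a password-protected private key shipped to every machine is the whole problem. In practice the check at the time was to look in the machine's trust store for a root named after the product and, for a known host, to compare the served issuer against the one the real site uses rather than against a name list.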

So ex-surveillance agents, operating in both the private and public spheres, have ostensibly combined their powers to force ads onto people's computers, leaving web users open to other forms of attack. That's startling and frightening for anyone who cares about privacy or security.

Regardless of the furore that’s exploded online since the Lenovo revelations, and the fascinating history of Pinhas and his firm, Superfish is still earning a packet. Forbes ranked it 64th in the most promising American companies of 2015 and reported revenues of $38 million. It pays to be invasive these days.