PC manufacturer Lenovo has confirmed that it had -- between mid-2014 and mid-January -- shipped laptops pre-loaded with the Superfish adware application. The problem with Superfish isn't that it's annoying adware. The problem is that it compromises the sanctity of all SSL connections a Lenovo client machine makes. (As though SSL didn't have enough problems.)
Security researcher Marc Rogers drew attention to the problem in a blog post on Wednesday. Paco Hope, principal consultant for Cigital, provided further analysis.
The intended purpose of Superfish is to serve targeted ads to Lenovo users. It does so by looking over users' shoulders when they're web browsing, peeking at the images being displayed, then serving up ads similar to those images -- the idea being that if a user is already interested in a vacuum cleaner, maybe they'd be grateful for more info about great deals on vacuum cleaners.
Lenovo's reason for pre-loading Superfish is to make some extra cash, since they, like most client machine manufacturers, don't profit greatly from selling laptops.
If only spying on users and pelting them with ads was the worst Superfish did.
Essentially, Superfish hijacks every SSL connection and operates as a man-in-the-middle certificate authority (CA). Every computer contains a certificate store holding the trusted root certs pre-installed by the operating system or browser. Superfish installs its own root certificate -- one not vetted by the OS or browser vendor -- into the laptop's cert store, which means the machine will always trust anything signed by Superfish.
And as it is implemented on those Lenovo clients, everything is signed by Superfish -- web sessions, VPNs, software updates, etc. For example, when a website -- say, Bank of America -- attempts to initiate a secure connection with a browser, Superfish intercepts the communication. It (not the browser) decrypts the site, inspects it for "suitability of advertisements, and then a new encrypted connection will be made from the Superfish process to Bank of America," explains Hope. "Likewise, the web page sent back by Bank of America might have advertisements inserted into the HTML by Superfish."
Adding insult to injury, Superfish does not seem to check whether the initial certificate (from Bank of America, or wherever) was itself legitimate. So, while a user's browser would normally warn that "this site's certificate is untrusted/expired," Superfish may not do that due diligence -- and the browser never sees the original certificate, only the one Superfish re-signed.
Plus, the Superfish certificate uses the SHA-1 algorithm -- so it may be replacing a site's stronger SHA-2 cert with a weaker one.
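The following is an added example, not code from the article or from any of the researchers it cites. It shows, from a Windows client, what the interception described above looks like to the machine: it completes a TLS handshake the way a browser would, then reports the leaf certificate's issuer, its signature algorithm, and the root the local trust store used to validate it. On a clean machine the issuer is the site's public CA; on a machine with an interception root, every site's chain ends in that same root. The host names, the 'Superfish' match string and the optional known-clean thumbprint are assumptions for illustration.

```powershell
# Added example, not part of the article. Reports the certificate chain a
# Windows client receives for a TLS host and flags a locally installed
# interception root. Host names, match string and thumbprint are assumptions.
function Get-TlsChainReport {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        # Thumbprint of the chain root seen for this host on a known-clean
        # machine (optional; record it yourself, no value is assumed here).
        [string] $ExpectedRootThumbprint,
        # Substring identifying the interception CA named in the article.
        [string] $InterceptMatch = 'Superfish'
    )

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever certificate is presented so the handshake completes;
        # the goal is to inspect the chain, not to fail before seeing it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $cert, $chain, $errors)
            $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
    }
    finally {
        $tcp.Close()
    }

    # Build the chain against this machine's own trust store, which is exactly
    # the store an adware root would have been added to.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $valid = $chain.Build($leaf)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    $findings = @()
    if ($leaf.Issuer -match $InterceptMatch -or $root.Subject -match $InterceptMatch) {
        $findings += "chain involves '$InterceptMatch'"
    }
    if ($ExpectedRootThumbprint -and $root.Thumbprint -ne $ExpectedRootThumbprint) {
        $findings += 'chain root differs from known-clean thumbprint'
    }
    if ($leaf.SignatureAlgorithm.FriendlyName -match 'sha1') {
        $findings += 'leaf certificate is SHA-1 signed'
    }

    [PSCustomObject]@{
        Host           = $HostName
        LeafSubject    = $leaf.Subject
        LeafIssuer     = $leaf.Issuer
        LeafSigAlg     = $leaf.SignatureAlgorithm.FriendlyName
        ChainBuilt     = $valid
        ChainRoot      = $root.Subject
        RootThumbprint = $root.Thumbprint
        Findings       = $findings
    }
}

# Usage: compare unrelated sites. On an intercepted machine they all report
# the same issuer and the same chain root. (Host names are illustrative.)
'www.bankofamerica.com', 'www.lenovo.com' |
    ForEach-Object { Get-TlsChainReport -HostName $_ } |
    Format-List
```

Run it once on a machine you trust to record each site's root thumbprint, then pass that value as -ExpectedRootThumbprint on the machine under review. Because the handshake callback accepts any certificate, this function is a reporting tool only; it deliberately does not tell you the connection is safe.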
"It is hard to overstate how catastrophically bad this design is," writes Hope. "[Superfish] doesn’t merely insert advertisements into web pages. It undermines every secure connection the Windows computer might make. Lots of software—way beyond web browsers—use the certificate store to fetch certificates. ... Everything on a Lenovo computer that says it is 'making a secure connection' is now lying."
It gets worse.
"The catastrophic failure," writes Hope, "is that Superfish installs a certificate at the highest level of trust, and they ship both the public key and private key that belong to it on every single laptop. Once that private key is known, then anyone can issue certificates for web sites or VPN concentrators and sign them with this Superfish private key. Users of Lenovo laptops who trust the Superfish key will accept those certificates as genuine."
It effectively disables "the laptop’s ability to distinguish genuine web sites from fake" ones, he says.
Lenovo said that it stopped pre-loading Superfish last month and has since disabled existing implementations. Unfortunately, axing the app is not enough -- the more important job is deleting the certificate, and that's something users must do manually. (Microsoft provides instructions on how to do so. LastPass has done similarly, and created a tool for checking if Superfish is running on your machine.)
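An added example of the manual clean-up step described above, written here for illustration and not taken from the article, from Microsoft's instructions or from the LastPass tool: it searches both Windows root stores for a certificate matching the adware's name, reports what it finds, and deletes the matches only when explicitly asked. The 'Superfish' match string is the one assumption; removing from the LocalMachine store requires an elevated PowerShell session.

```powershell
# Added example, not part of the article. Lists any root certificate whose
# subject or issuer matches the adware's name in the Windows root stores and,
# with -Remove, deletes it. Elevation is needed for the LocalMachine store.
function Find-UntrustedRoot {
    param(
        [string] $NameMatch = 'Superfish',   # assumption: name used by the adware's root
        [switch] $Remove
    )
    $locations = 'LocalMachine', 'CurrentUser'
    foreach ($location in $locations) {
        $mode  = if ($Remove) { 'ReadWrite' } else { 'ReadOnly' }
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $location)
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]$mode)
        try {
            # Copy the matches first so removal never modifies the collection
            # while it is being enumerated. A self-signed root has Subject equal
            # to Issuer, so either field is enough to catch it.
            $found = @($store.Certificates | Where-Object {
                $_.Subject -match $NameMatch -or $_.Issuer -match $NameMatch })
            foreach ($cert in $found) {
                $record = [PSCustomObject]@{
                    Location     = $location
                    Subject      = $cert.Subject
                    Thumbprint   = $cert.Thumbprint
                    SignatureAlg = $cert.SignatureAlgorithm.FriendlyName
                    NotAfter     = $cert.NotAfter
                    Removed      = $false
                }
                if ($Remove) {
                    $store.Remove($cert)
                    $record.Removed = $true
                }
                $record
            }
        }
        finally {
            $store.Close()
        }
    }
}

# Audit first; remove only after confirming the thumbprint of what was found.
Find-UntrustedRoot
# Find-UntrustedRoot -Remove
```

Uninstall the application before deleting the certificate and run the audit again afterwards, since the article's point is that removing the app alone leaves the trust relationship in place. Browsers that keep their own certificate store rather than using the Windows one (Firefox, for example) are not covered by this check and need to be inspected separately.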
The damage to Lenovo's reputation may already be done.
"This is unbelievably ignorant and reckless of [Lenovo]," Rogers wrote. "It's quite possibly the single worst thing I have seen a manufacturer do to its customer base. At this point I would consider every single one of these affected laptops to be potentially compromised and would reinstall them from scratch."
"Recent revelations about Lenovo enabling MiTM attacks are similar to what was reported last month about the Gogo service," says Kevin Bocek, VP of security strategy and threat intelligence at Venafi. "You’ve got good guys doing what the bad guys do. In this case, they're breaking everything that’s been built over 20 years to create trust and privacy on the Internet, by inserting a CA into systems that can impersonate any trusted site.
"This is exactly what bad guys do with Trojans and other malicious software," he adds, "to trick users to access fake sites to surveil/monitor private communications."
Ken Westin, senior security analyst at Tripwire, says that, despite the economic reasons for pre-loading its laptops with adware, Lenovo hasn't done itself any favors. "With increasingly security- and privacy-conscious buyers, laptop and mobile phone manufacturers may well be doing themselves a disservice by seeking outdated advertising-based monetization strategies," he says. "If the findings are true and Lenovo is installing their own self-signed certificates, they have not only betrayed their customers' trust, but also put them at increased risk."
Timo Hirvonen, senior researcher of F-Secure put it succinctly: