Lenovo is selling PCs equipped with a pre-installed adware package that destroys the security of HTTPS and creates a perfect man-in-the-middle (MTM) scenario against the host PC. The software in question is called Superfish Visual Discovery, and its basic function — it injects advertising into browser sessions — is bad enough. Superfish’s five-alarm functionality is that it installs its own signed root certificates to a user’s operating system. What this means, in essence, is that Superfish substitutes its own signed certificate for the certificate that’s supposed to be provided by the actual website.
Here’s how the system is supposed to work. When you connect to your bank’s website using HTTPS, the bank sends its certificate information back to the browser. The bank’s certificate must be issued by a valid Certificate Authority. If it isn’t, your browser is supposed to warn you that the data you’re about transmit may be insecure and that it can’t verify the authenticity of the certificate itself.
A properly signed certificate
What Lenovo and Superfish have done is configure shipping systems with a certificate signed by Superfish rather than a Certificate Authority like Verisign or Symantec. Worse, the certificate key that Lenovo is distributing with its PCs appears to be identical across all systems.
SuperFish’s certification
Here’s what this means in aggregate:
- Superfish can decrypt all data that you send via HTTPS connections.
- It uses the same root key for every Lenovo system, which means every Lenovo system with this key installed connecting over WiFi at a public hotspot can theoretically be snooped.
- It injects Javascript into web pages to perform its functions, which can cause its own compatibility problems.
Toss in the fact that you can’t download Superfish’s software (the company’s website only lists products available in the App Store or Google Play) and it’s obvious that the intent was to turn a quick buck to fund the development of other products with zero mind paid to user security or data access.
Lenovo’s no-win scenario
Lenovo apparently doesn’t ship Superfish on its business systems, only on consumer products, but no complete product list has been released thus far. There’s no good answer for how this product ended up deployed on Lenovo computers. Consider the options:
- Lenovo knew that the product fatally compromised browser security by creating a MTM attack but didn’t care.
- Lenovo didn’t know the product compromises browser security because it didn’t bother to analyze the software it sells to customers.
- Lenovo only installed Superfish on consumer systems because it knew the product was an unacceptable corporate security risk (but didn’t care what happened to consumer data).
Lenovo’s response to all of this is to claim that users consented to the software because they accepted the license agreement when they first booted up their systems (I’d be surprised if the front page of that agreement included the phrase “Nothing you transmit on your PC using HTTPS will be encrypted or secure, ever.” Uninstalling Superfish does not fix the problem, users will need to remove the root certificate manually. Instructions on how to do so are available here. Superfish is now distributing an “update” that literally keeps the entire original function of the software (including the MTM attack possibilities) but includes a string to disable certain functions if a Lenovo user is detected.
In other words, Lenovo’s “apology” for this behavior is to push for a patch that solves nothing but papers over the issue. The horse, however, is apparently out of the barn — theprivate key for Superfish has already been decrypted. What is it, you ask? Komodia.What’s komodia? A TCP/IP redirector and “a brand new technology that allows you to access data that was encrypted using SSL and perform on-the-fly SSL decryption.”
Anybody smell a rat yet?
No comments:
Post a Comment