Update on Feb. 21, 2015 published on ZDNet: Lenovo admits security issues with Superfish, releases removal tool
Lenovo confirmed it had been installing Superfish adware on some of its laptops, and that it inserted a Superfish public key into the Windows Certificate Store as part of this installation. This means affected users cannot trust their computer when it says "this connection is secure." It also undermines trust in every other kind of secure communication the laptop might try to make: database connections, VPN connections, software updates, you name it.
It is nominally authorised by one of the numerous terms and conditions that a user "accepts" when they first use their laptop. In Lenovo's blog post on how to remove Superfish, the company claims that it has only been installing it on consumer notebooks between October 2014 and December 2014; however, users have been complaining about it for far longer. The company states it stopped preloading the software in January 2015.
Root cause of mistrust
First reported by Chris Palmer from the Google Chrome security team, Superfish installs a certificate in the Windows Certificate Store. Certificates are how the web browser knows a fake Bank of America website from the genuine one. With Superfish's Visual Discovery enabled, a banking customer going to https://www.bankofamerica.com/ will have its secure connection silently decrypted by Superfish (running on their own laptop, not somewhere else), inspected for suitability of advertisements, and then a new encrypted connection will be made from the Superfish process to the real Bank of America. Presumably the web page for Bank of America has advertisements inserted or somehow overlaid into the HTML by Superfish.
If you trust Superfish, you trust everyone
By trying to insert advertisements into web pages, they undermine every secure connection the Windows computer might make. All software that tries to make secure connections — way beyond web browsers — uses the certificate store to verify the authenticity of certificates.
Cisco VPN clients use the Windows Certificate Store to verify that they're talking to the right end point. Database consoles like Toad or SQL Developer will use Windows to verify that they are connected securely to the database server. Programs like TweetDeck will use the Windows Certificate Store to check the identity of Twitter before connecting.
Of public and private keys
The public key is suspected to be the same on all laptops; this means that one private key can sign things that all affected laptops will accept as genuine. The private key was also shipped on laptops and has been extracted. Now that the private key is known, anyone can issue certificates for websites or VPN concentrators and sign them. Users of Lenovo laptops who trust the Superfish key will accept those certificates as genuine.
The password for the private key was komodia, which is the Greek word for comedy. And indeed, this vulnerability has made secure web browsing into a farce.
It's only a matter of time
Here is just one example of what is possible. An employee from ExampleCo sits down in a coffee shop, airport, hotel, or similar public place and joins the free Wi-Fi. Being the good corporate citizen, the first thing he does is connect to his company's VPN. This will prevent anyone from sniffing or performing a man-in-the-middle attack on any of his network communications. Unfortunately, a bad guy is on the same network, or maybe the bad guy set up a malicious "free Wi-Fi" hotspot that the victim joined. The bad guy redirects the victim to a fake VPN concentrator. Normally, this fake VPN concentrator would present a bogus certificate claiming to be the ExampleCo VPN. The user would get a warning dialog and (in our fantasy world) would do the right thing instead of just clicking OK.
In this case, the bad guy has issued a certificate for his VPN system that is signed by the Superfish certificate. And our ExampleCo employee who is using an affected Lenovo laptop sees no warning at all. The employee might use two-factor authentication, but at this point the malicious VPN can perform a man-in-the-middle attack and watch all that VPN traffic decrypted. Since it is decrypted from the attacker's point of view, he can even perform more man-in-the-middle attacks, like DNS spoofing. There are some VPN techniques that will protect users even in this situation (such as client-side certificates). But there are lots and lots of VPNs out there where this attack would work just fine.
With this Superfish certificate trusted, all bets are off. Lenovo laptops that have it preinstalled cannot distinguish friend from foe. It's only a matter of time before fake websites, VPN concentrators, and software update sites start popping up with certificates issued by the Superfish certificate. They can even issue Extended Validation certificates for extra trust.
Check whether you're vulnerable
If you want to know whether or not you are vulnerable, use Internet Explorer on your Lenovo laptop to visit https://www.canibesuperphished.com/. If you see a warning, you are not vulnerable. If you see a web page, you are vulnerable.
Removing the software
While it is true that Lenovo's instructions for removal will remove the ad software, the company fails to point out how insecure the user remains. They explicitly acknowledge "Registry entry and root certificate will remain as well." (emphasis is Lenovo's). Lenovo does not provide instructions that make the laptop trustworthy again. Until that Superfish certificate is removed from the PC, the user cannot trust any TLS connection — website, software update, or otherwise.
To remove the certificate from Windows, use Certificate Manager. The steps are:
- Run "certmgr.msc" to launch the Certificate Manager.
- Open the Trusted Root Certification Authorities.
- Look in the list of certificates.
- If there are any certificates labeled Superfish, Inc., delete them.
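As an added example (not Lenovo's removal tool and not part of the article's own steps), the following PowerShell script automates both the vulnerability check and the certificate removal above: it searches the per-user and machine-wide Trusted Root stores for any certificate issued to Superfish, Inc., reports what it finds, and deletes those entries only when run with the -Remove switch. It assumes an elevated PowerShell 3.0 or later prompt and that the Superfish application itself has already been uninstalled per Lenovo's instructions, so nothing reinstalls the certificate afterwards.

```powershell
# Added example: report, and optionally remove, Superfish root certificates.
# Run from an elevated prompt; the LocalMachine store requires administrator rights.
param(
    [switch]$Remove   # without -Remove the script only reports what it finds
)

# Both root stores are checked: a certificate in either one is trusted by
# Windows applications (browsers, VPN clients, database tools, updaters).
$stores = @('Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root')

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' }
}

if (-not $found) {
    Write-Output 'No Superfish certificate found in the Trusted Root stores.'
    return
}

foreach ($cert in $found) {
    Write-Output ("Found: {0}`n  Thumbprint: {1}`n  Store: {2}" -f `
        $cert.Subject, $cert.Thumbprint, $cert.PSParentPath)
    if ($Remove) {
        # Remove-Item on the certificate provider path deletes it from that store.
        Remove-Item -Path $cert.PSPath -Force
        Write-Output '  Removed.'
    }
}

# Re-run without -Remove afterwards; it should report no Superfish certificate.
```

Running the script a second time without -Remove doubles as the verification step: a clean laptop prints the "No Superfish certificate found" line, and the canibesuperphished.com test above should then show a certificate warning.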
The moral of the story
This is not the first time adware has been installed surreptitiously on laptops — 12 years ago Gator did the same thing. These ham-fisted attempts to insert advertisements undermine users' trust in manufacturers, software developers, and the security claims of well-intentioned websites and services. It's shocking that enough people understood cryptography well enough to implement this as a service, yet no one who understood it was able to get Lenovo and Superfish to understand what a catastrophically bad idea it was.
PKI is fundamentally broken, but it's all we have. Undermining the entire root of trust in our PKI is never the right answer.
Disclaimer: TechRepublic and ZDNet are CBS Interactive properties.
Paco Hope is a security consultant at Cigital.
Author of the Web Security Testing Cookbook and frequent conference speaker, Paco Hope is a security consultant with Cigital who has been working in the field of software security for almost two decades. Paco helps secure software in the financial, retail, and online gaming industries through security requirements, source code review and architectural risk analysis. He serves as a subject matter expert to (ISC)² for the CISSP and CSSLP certifications. Outside of secure software, he is passionate about privacy, user experiences, and data visualization. Paco fundamentally believes that security is less about wizardry and more about common sense.