from the so-long-and-thanks-for-all-the-superfish dept
Late last night, people started buzzing on Twitter about the fact that Lenovo, makers of the famous Thinkpad laptops, had been installing a really nasty form of adware called Superfish on those machines. Many news stories started popping up about this, again focusing on the adware. But putting adware on a computer, while ethically questionable and a general pain in the ass, is not the real problem here. The problem is that the adware in question, Superfish, has an astoundingly stupid way of working that effectively allows for a very easy man-in-the-middle attack on any computer with the software installed, making it a massive security hole that is insanely dangerous.
Lenovo’s response? Basically to shrug its shoulders and say it doesn’t understand why anyone’s that upset. This is because whoever wrote Lenovo’s statement on this is completely clueless about computer security.
We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.
Bullshit. That’s really the only response that should be said to that line. Lenovo focuses on the reasons why many people normally hate adware: that it tracks what you’re doing and sends info back to third parties. That’s not what Superfish does, so Lenovo doesn’t see what the big deal is. Superfish, which was just recently ranked 64th by Forbes in its list of “Most Promising American Companies,” tries to watch what you’re surfing, and when you see certain images, the service injects other offerings for similar (or the same) products. In theory, if one chose to use such a product, you could see why it could be useful. But automatically putting it on computers is a different thing altogether.
The real problem is in how Superfish deals with HTTPS-protected sites. Since, in theory, it shouldn’t be able to see the images on those sites, it appears that Superfish came up with what it must have believed was a clever workaround: it installs its own self-signed root certificate on the machine, so that whatever certificate Superfish presents for the HTTPS page you’re visiting is accepted as perfectly legitimate. For many years, we’ve pointed out why the HTTPS system with certificate authorities is open to a giant man-in-the-middle attack via any certificate authority willing to grant a fake certificate — and here we basically have Lenovo enabling this questionable company to go hogwild with this exact kind of MITM attack. Basically, EVERY SINGLE HTTPS SITE that you visit was a victim of this kind of MITM attack — solely for the purpose of interjecting Superfish ads. In fact, some have suggested it could apply to VPNs as well. Basically this is a massively dangerous security hole with wide-ranging implications. And Lenovo says they don’t see why.
And, even beyond that, it’s implemented incredibly stupidly — in a way that is ridiculously dangerous. That’s because it appears that the private key used for the Superfish certificate is the same on basically every install of this software. And it didn’t take very long at all for security folks, such as Robert Graham, to crack the password protecting that key, meaning that it’s now incredibly easy to get access to information someone thinks is encrypted. As Graham notes, the password is “komodia,” which just so happens to also be the name of a company that “redirects” HTTPS traffic (for spying on kids and such).
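The two paragraphs above describe the mechanism: a root certificate added to the machine’s trust store, and a stand-in certificate for every HTTPS site signed under it, so the browser sees a valid chain. One thing a user or admin can do to tell whether their connections are being intercepted this way is to look at the issuer of the certificate the client actually receives, since the stand-in certificate still names the interceptor rather than the public CA that really issued the site’s certificate. The Python script below is an added example (not code from the article, from Lenovo or from Superfish) of that check: it works on the dict shape returned by Python’s `ssl.SSLSocket.getpeercert()`, flags an issuer that names “Superfish” (the only interceptor name on the page), and optionally compares the issuer organization against one you recorded earlier from a known-clean machine. The two sample certificate dicts, the CA names in them and the `fetch_peer_cert` helper are constructed for this example.

```python
"""Check whether the certificate a TLS client receives looks like it was minted by
a local interception root (such as the one described above) instead of a public CA.

Added example, not the article's or any vendor's code. The sample certs below are
constructed; "Superfish" is the only interceptor name taken from the article.
"""
import socket
import ssl

# Substrings that, when found in an issuer name, identify a known interception CA.
# Only the name from the article is listed; extend this from your own inventory.
KNOWN_INTERCEPTOR_MARKERS = ("superfish",)

# Constructed sample in the tuple-of-tuples layout used by ssl.getpeercert().
# A certificate chain as a clean machine would see it from a public CA.
CLEAN_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Public CA"),),
        (("commonName", "Example Public CA G2"),),
    ),
}

# Constructed sample: the same site as seen through an interception proxy whose
# root CA has been installed locally. The issuer now names the interceptor.
INTERCEPTED_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Superfish, Inc."),),
        (("commonName", "Superfish, Inc."),),
    ),
}


def _name_to_dict(name):
    """Flatten getpeercert()'s sequence of RDNs into a plain {attribute: value} dict."""
    flat = {}
    for rdn in name:
        for key, value in rdn:
            flat[key] = value
    return flat


def interception_indicators(cert, expected_issuer_org=None):
    """Return a list of reasons the certificate looks intercepted; empty means clean.

    cert: the dict returned by ssl.SSLSocket.getpeercert() after a validated handshake
          (on a machine with the interceptor's root installed, that handshake succeeds,
          which is exactly why the issuer has to be inspected explicitly).
    expected_issuer_org: an issuer organizationName pinned from a known-clean machine;
          None skips the pin comparison.
    """
    issuer = _name_to_dict(cert.get("issuer", ()))
    reasons = []

    issuer_text = " ".join(str(v) for v in issuer.values()).lower()
    for marker in KNOWN_INTERCEPTOR_MARKERS:
        if marker in issuer_text:
            reasons.append(f"issuer names a known interception CA: {marker!r}")

    if expected_issuer_org is not None:
        actual = issuer.get("organizationName")
        if actual != expected_issuer_org:
            reasons.append(
                f"issuer organization {actual!r} does not match pinned {expected_issuer_org!r}"
            )
    return reasons


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live helper (assumed usage, not exercised offline): fetch the validated peer cert.

    The default context trusts the system store, so an installed interception root
    will validate; the returned dict is then fed to interception_indicators().
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert in (("clean", CLEAN_CERT), ("intercepted", INTERCEPTED_CERT)):
        findings = interception_indicators(cert, expected_issuer_org="Example Public CA")
        print(label, "->", findings or "no indicators")
```

Run it against a real host with `interception_indicators(fetch_peer_cert("example.com"), expected_issuer_org=...)`, where the pinned organization comes from a machine you trust; the marker list alone only catches interceptors you already know by name, which is why the pin comparison is the check that generalizes.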
This is a massive and ridiculous security threat, and Lenovo is completely brushing it off as nothing big. As many have noted, people have been complaining about the adware components of the software for months now, and Lenovo announced that it was stopping installs, because some people didn’t like the way the software created popups and such — but with no mention of the massive security problems. And, even now, the company doesn’t seem willing to admit to them.
Furthermore, the company doesn’t even seem willing to say which machines it installed the software on, or provide people with instructions on how to protect themselves (simply uninstalling Superfish won’t do it, since the root certificate stays behind). This is a huge mess. I’ve personally been a very loyal Lenovo Thinkpad customer for years, having bought many, many laptops. In fact, just a couple months ago — right in the middle of the period when Superfish was being preloaded — I bought a new Thinkpad laptop, though it appears that mine is not one that includes Superfish. Still, Lenovo created a huge and dangerous mess, and they don’t seem to recognize it at all. This kind of fuck up is much worse than the whole Sony rootkit thing from a decade or so ago, and as with Sony then, Lenovo doesn’t seem to have the slightest clue of just how badly it has put people at risk.
It doesn’t take much to kill off tremendous goodwill and trust, and Lenovo may have just done so with its pitiful reaction here. It’s one thing for Lenovo to have made the stupid decision to install this kind of adware/bloatware. It’s a second thing to not realize the security implications of it. However, it’s another thing entirely, once it’s been pointed out to Lenovo, to then deny that this is a security risk. Lenovo screwed up big time here, and mostly in the way it’s responded to the mess it created.
Filed Under: adware, certificate authority, concerns, https, man in the middle, privacy, security, superfish, tls
Companies: komodia, lenovo, superfish