Thursday, February 19, 2015

Lenovo PCs preloaded with "Superfish" malware that breaks security

Technology and security are rife with shades of grey. Even in this field though, some lines are so indistinguishable from black that they should never be crossed. Laptop maker Lenovo crossed one of these lines with recent models, by pre-installing Superfish adware that breaks otherwise secure HTTPS website connections.
Technology and security are rife with shades of grey. Even in this field though, some lines are so indistinguishable from black that they should never be crossed. Laptop maker Lenovo crossed one of these lines with recent models, by pre-installing adware that breaks otherwise secure HTTPS website connections.

Recent Lenovo laptops include what can only be described as malware, malware that intercepts all web traffic whether secured or not. The "VisualDiscovery" adware from a company called Superfish reads all web traffic and injects advertisements into web pages. In doing so it completely breaks HTTPS security.


Ordinarily, when your browser connects to a secure website, your browser inspects a certificate that vouches for the authenticity of the website, and uses an encryption "public key" from that certificate to encrypt information so that no one except the intended website can read your conversation. Your browser trusts the certificate presented by the website, because your browser trusts the Certificate Authority - the organization that issued the certificate.

The Superfish adware comes with its own HTTPS certificate - a certificate issued by, signed by, and controlled by Superfish. Instead of connecting directly to a secure web site, your browser connects to the Superfish adware, which in turn connects to the website.


I don't necessarily fault Lenovo for using advertising to generate some extra revenue. Amazon likewise uses advertising on some Kindle Fire products, and in exchange subsidizes the cost of the Kindle, offering it for a lower price. In Amazon's case though, this is completely transparent, clearly explained, and the purchaser has the option to pay an extra $15 or $20 to remove the ads and the subsidy. Personally I find an ad-supported device to be a little annoying, but I have no problem with a company giving me the choice between ads and a slightly higher price.


The problem with Lenovo's approach - aside from the fact that it was done without any disclosure - is that it completely breaks secure web communication. The Superfish adware decrypts all secure web traffic using the local certificate, so it has unfettered access to your usernames and passwords, bank accounts, email, social media, and anything else you do on the web.


Worse, Superfish appears to use the same certificate on all devices, so not only will a Lenovo PC trust the local Superfish adware - it would trust anyone else pretending to be the adware.


Why is this a bad idea? Public/private key encryption involves some complex math where you can use one number to encrypt your information, but have to use a different number to decrypt it. It's a bit like a mailbox with two keys - one key locks the mailbox, but a completely different key unlocks it. You could share the first key (called a public key because it is shared publicly) with anyone in the world. They could put mail into your mailbox and lock it with the public key, knowing that only with your second (private) key could you open the mailbox.


With legitimate secure websites, the company behind the website carefully protects the private key to their website. No one except the legitimate website has the private key, thus no one except the legitimate website can decrypt your messages.


In the case of the Superfish adware, every computer with this adware has the private key (otherwise the adware couldn't decrypt the web traffic and would thus be useless). This private key was quickly discovered and published, which means that any malicious actor now has the capability of reading and manipulating supposedly-secure web traffic on any PC with the Superfish program.


At the moment, I would not do any private web browsing on a Lenovo laptop unless that I installed the operating system from scratch (using original Microsoft media or a Linux distribution from a trusted source, not using the "recovery partition" provided by Lenovo). Businesses normally do this. Home users though more often use the operating system pre-loaded by the manufacturer.


Coverage on the net:



Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Whois David?

My photo

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.