Lenovo has sold computers that are preinstalled with adware that hijacks Web sessions. This may in turn make users vulnerable to HTTPS man-in-the-middle attacks, which are trivial for attackers to carry out.
The main threat is present on Lenovo PCs that have adware from Superfish installed. Superfish is a visual search tool designed to enhance online shopping for Lenovo customers and does not collect any personal data, according to CEO Adi Pinhas.
However, Superfish installs a self-signed root HTTPS certificate that lets it intercept encrypted traffic for every website a user visits. When a user visits an HTTPS site, Superfish presents a certificate for that site signed by its own root, and the browser accepts it as though it were the site’s official certificate.
In addition, the private encryption key accompanying the Superfish-signed Transport Layer Security certificate appears to be the same for every Lenovo machine. Thus, attackers can use the key to certify imposter HTTPS websites that masquerade as secure destinations on the internet, such as Bank of America or Google. PCs that have the Superfish root certificate installed will fail to flag the sites as forgeries, undermining the reason HTTPS protection exists in the first place.
“Systems that came with the software already installed will continue to be vulnerable until corrective actions have been taken,” US-CERT warns.
Additionally, Superfish uses the same certificate on every affected Lenovo system and relies on a weak, deprecated version of encryption. Security researchers have already extracted the private key for the certificate. Thus, attackers can easily launch their own man-in-the-middle attacks, in which an attacker can monitor, alter, and inject messages into a communication channel, against users of affected Lenovo PCs by leveraging this shocking vulnerability put in place for Superfish.
The Superfish software hijacks encrypted Web sessions no matter which browser someone uses. Certificate pinning in Google Chrome does nothing to alert users that something is wrong. As Google points out in a post explaining certificate pinning, the mechanism is not set up to validate certificates chained to a private anchor.
“A key result of this policy is that private trust anchors can be used to proxy connections, even to pinned sites,” the Google page warned. “Data loss prevention appliances, firewalls, content filters, and malware can use this feature to defeat the protections of key pinning.”
Lenovo stopped using the Superfish software in January, vowing to provide a tool to remove Superfish from affected PCs. While the tool has not come out yet, Microsoft quickly pushed out a Windows Defender update that eliminates the Superfish adware and the root certificate in Windows, but not the Superfish certificate stored in Firefox’s separate certificate manager. Likewise, other antivirus solutions identify Superfish as adware but will not remove the certificate from Windows or Firefox.
Lenovo recently released a statement saying Superfish was installed on consumer laptops shipped between October and December 2014. The manufacturer claimed to stop preloading Superfish in January 2015 and has no plans to resume the practice. People concerned that their PC may contain this critical vulnerability can check at https://filippo.io/Badfish/, a site that scans other websites for catastrophic Heartbleed weakness in OpenSSL. The best way to truly eradicate the dangerous certificate from the Lenovo PC is to remove everything manually.
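As an added example (not code from the article, Lenovo, Microsoft or Superfish), the following PowerShell script performs the manual check described above on a Windows PC: it enumerates the trusted root stores, reports any certificate whose subject or issuer names Superfish, and optionally removes it. It assumes the certificate's subject contains the string "Superfish"; no thumbprint is hard-coded, and the Firefox store must still be checked separately in Firefox's own certificate manager.

```powershell
param(
    # Set -Remove to actually delete matching root certificates (run as Administrator
    # for the LocalMachine stores). Default is report-only.
    [switch]$Remove
)

# Root stores Windows consults when building an HTTPS trust chain.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
            'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\AuthRoot')

# Assumption: the Superfish root's Subject/Issuer fields contain "Superfish".
$pattern = 'Superfish'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                # A root that signs itself is exactly the private trust anchor
                # that lets Superfish (or anyone holding its key) proxy HTTPS.
                SelfSigned = ($_.Subject -eq $_.Issuer)
                NotAfter   = $_.NotAfter
            }
        }
}

if (-not $findings) {
    Write-Output 'No Superfish certificate found in the Windows root stores.'
    return
}

Write-Warning 'Superfish root certificate present: HTTPS on this machine can be intercepted.'
$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        $path = Join-Path -Path $f.Store -ChildPath $f.Thumbprint
        Remove-Item -Path $path -ErrorAction Stop
        Write-Output "Removed $($f.Thumbprint) from $($f.Store)"
    }
    Write-Output 'Windows root stores cleaned. Check the Firefox certificate manager separately.'
}
```

After removal, confirm by visiting an HTTPS site and verifying in the browser that the certificate issuer is the site's real public CA rather than Superfish.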