Lenovo & Superfish: How Not to Handle Security Issues
The internet erupted with outrage at Lenovo on Thursday over the inclusion of Superfish adware on certain consumer laptops. The adware was extremely intrusive: it installed a kernel-mode driver to hook network traffic and persist itself... which is surprisingly not the most alarming thing about it (unless someone finds a way to exploit that driver...). The stated purpose of the adware was to inject "visual shopping" ads into web traffic.
It accomplished this by running a local proxy that man-in-the-middles ('MITM') secure web traffic. Every HTTPS-protected site you accessed had its connection intercepted by the Komodia MITM toolkit. Komodia would intercept your HTTPS request, negotiate its own TLS connection with the site you were accessing, inject the advertising JavaScript into the returned HTML, and then serve the page to your browser under a Komodia-generated certificate for that hostname. That certificate was issued by a Superfish root certificate which the installer had inserted into every trusted certificate store it could find, Firefox's own store included, so the browser showed a normal, valid HTTPS session.
This root certificate is where the major issue lies. Rather than generating a unique root certificate and private key per system, every Superfish install shipped the same root certificate and the same private key, protected only by an obvious, trivially crackable password (it was "komodia"). Anyone who extracts that key, as Rob Graham promptly did, can mint a certificate for any hostname that every affected laptop will trust, with or without the Superfish proxy in the path.
Lenovo made a series of gaffes in addressing the inclusion of this software. It began with bundling adware in their software distribution in the first place, apparently out of some misguided belief that anybody, anywhere in the world, would actually find it valuable, and continued with their community administrators defending the software and deflecting complaints about it throughout the month of January. The cavalcade of failure continued on Thursday with a knowledge base article offering removal instructions while claiming that “...Superfish was previously included on some consumer notebook products shipped in a short window between October and December” and, more alarmingly, “We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.” It's odd that people were reporting this software on Lenovo laptops as early as June 2014 if it was only in place on devices shipped between October and December! UPDATE: Lenovo has removed the claim that they were only shipping Superfish between October and December, but it remains in the revision history of the knowledge base document.
Inept or dishonest?
Addressing Lenovo's claim that there is no security concern: we here at Duo Labs have confirmed Rob Graham's postulation that Superfish-affected computers can be man-in-the-middled. Using sslsniff with the Superfish root CA, we confirmed that Superfish's proxying software does not reject upstream server certificates that are themselves signed by the Superfish root. Because the private key for that root ships with every install and is easily cracked, anyone on the network path can present a certificate for any site signed with it, and Superfish will accept the connection, re-sign it, and hand the browser what looks like a valid HTTPS session.
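To make the two failures above concrete (one root key shared by every laptop, and a proxy whose upstream check accepts chains to that same root), here is an added Go example. It is not code from this post, from Superfish or from Komodia: it builds a stand-in "public" CA and a Superfish-style interception root, mints a certificate for a constructed hostname with the interception root's key the way an attacker holding the leaked key would, and then runs the same chain validation a browser and the proxy would run against different trust stores. The CA names and the hostname are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca is a certificate authority together with its signing key. In the
// Superfish case the same Key was shipped on every affected laptop.
type ca struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
}

// newCA builds a self-signed root with CA basic constraints.
func newCA(name string) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ca{Cert: cert, Key: key}, nil
}

// mintLeaf issues a server certificate for host signed by issuer. This is what
// the interception proxy does for every site, and what an attacker holding the
// leaked root key can do just as easily.
func mintLeaf(issuer *ca, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer.Cert, &key.PublicKey, issuer.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// chainsTo reports whether leaf validates for host against exactly the given
// roots: the check a browser runs, and the check a proxy should run upstream.
func chainsTo(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// Outcome records who accepts the attacker's forged certificate.
type Outcome struct {
	BrowserAcceptsForged       bool // victim's store holds the interception root
	NaiveProxyAcceptsForged    bool // proxy validates upstream against that same store
	HardenedProxyAcceptsForged bool // proxy validates upstream against public roots only
	HardenedProxyAcceptsReal   bool // the hardened check still passes genuine sites
}

// RunScenario plays out the attack against a constructed hostname.
func RunScenario() (Outcome, error) {
	var o Outcome
	publicCA, err := newCA("Public CA (stand-in for the real web PKI)")
	if err != nil {
		return o, err
	}
	interceptRoot, err := newCA("Interception root (same key on every laptop)")
	if err != nil {
		return o, err
	}
	const host = "bank.example" // constructed hostname
	genuine, err := mintLeaf(publicCA, host)
	if err != nil {
		return o, err
	}
	forged, err := mintLeaf(interceptRoot, host) // attacker reusing the leaked key
	if err != nil {
		return o, err
	}
	victimStore := []*x509.Certificate{publicCA.Cert, interceptRoot.Cert}
	o.BrowserAcceptsForged = chainsTo(forged, host, victimStore...)
	o.NaiveProxyAcceptsForged = chainsTo(forged, host, victimStore...)
	o.HardenedProxyAcceptsForged = chainsTo(forged, host, publicCA.Cert)
	o.HardenedProxyAcceptsReal = chainsTo(genuine, host, publicCA.Cert)
	return o, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The last two checks are the minimum an interception proxy owes its users: validate the upstream server against the public roots only, never against a store that also holds its own signing root. Even that would not have rescued Superfish users, since the browser itself trusts the shipped root and the forged certificate validates without the proxy ever being involved.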
Our friends at LastPass have set up a nice testing site with removal instructions for Lenovo customers. Note that uninstalling the Superfish application is not enough on its own: the root certificate issued to "Superfish, Inc." has to be removed from the Windows trusted root store and from Firefox's separate certificate store as well, or the system stays exposed to the forged-certificate attack described above.
Lenovo emailed partners today with a "statement on Superfish" in an attempt at damage control. They assert, "As you may have heard, select Lenovo consumer notebooks shipped after September 2014 included Superfish Visual Discovery software as a shopping aid to customers. Superfish is a TrustE certified third-party software vendor, with offices in Palo Alto, CA."
What good is TRUSTe, anyway? After a cursory review of the TRUSTe program requirements, it seems that the method and manner in which the Superfish software was included violates at least the intent of the program (to inform users that personally identifiable information is being collected and how it is being used). Lenovo may refer to it somewhere deep in an EULA, but there is no real attempt to gain the user's consent to PII collection via Superfish, since the application is pre-installed without the user's explicit knowledge. Even if their methods are technically acceptable under the TRUSTe program requirements (I have not heard of any reviews of the Lenovo EULA), they still appear to violate the intent of the program. TRUSTe looks like a corporation offering a toothless program that protects nothing except the status quo of uninformed PII exfiltration, giving unethical software vendors a shield with a cutesy icon to hide behind. The implication of Lenovo pointing out that Superfish is TRUSTe certified is that users should somehow be comfortable with the data gathering it performs... the same users whose trust Lenovo abused by including this software without notification in the first place.
Lenovo continued its damage control by finally accepting responsibility for including this software and promising not to do so in the future. Their gaffes, their denials, and their aggression toward those who pointed out the serious security implications of Superfish's implementation still stand in the public record as an example of how not to respond to security and privacy concerns.
Lenovo has an economic incentive to include this crapware on their systems, but the fact that it is not obviously illegal and the fact that it is profitable are far from a justification. What makes money is not always what is right, and responding with strong assertions that your software is secure while people are showing you that it isn't is never wise.
2015-03-16 Update:
After publishing this article, TRUSTe reached out to us with some corrections regarding the specific nature of their relationship with Superfish.
"The Superfish software Lenovo distributed, which included the proxy functionality by Komodia, has never been certified under TRUSTe's programs. TRUSTe previously certified a specific version of a different application by Superfish, namely "WindowShopper," which did not incorporate the Komodia software certificate proxy. TRUSTe does not currently certify any Superfish software."