Apparently, Superfish stinks worse than security industry watchers first thought. There was an uproar when the world discovered Lenovo, the world’s largest PC maker, has been shipping laptops pre-installed with virus-like software that puts customers in the line of hacker fire. But uproar may soon be an understatement.
Since June, Lenovo customers have been reporting a program called Superfish, software that automatically displays advertisements in the name of helping consumers find products online. Superfish is designed to intercept all encrypted connections and leaves the door open for NSA-style spies to hack into PCs through man-in-the-middle (MitM) attacks, according to Robert Graham, CEO of security research firm Errata Security.
Lenovo was quick to apologize and release an automated tool that promises to eradicate Superfish adware from PCs. Microsoft has updated Windows Defender to remove the malware, and other security vendors have followed suit, but that may not solve the problem for users who don’t know they are infected.
The Only Thing Worse . . .
On Friday, Facebook’s Threat Infrastructure team issued an analysis of the adware, which concluded that “the new root CA (certificate authority) undermines the security of Web browsers and operating systems, putting people at risk.” Now security researcher Filippo Valsorda is calling Superfish adware “catastrophic,” saying that’s “the only way all this mess could have been worse.”
Why? Because the Superfish proxy, which uses a Komodia content inspection engine, can be made to allow self-signed certificates without warnings. That opens the door to man-in-the-middle attacks.
“What we all realized in horror is that the root private key is the same on all machines, so anyone can take that and sign fake certificates to use in MitM attacks,” Valsorda wrote in a blog post. “Komodia should be punished for jeopardizing the users, like probably all the companies that didn't do due diligence here.” Komodia could not immediately be reached for comment.
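The following is an added example, not code from the article or from Lenovo, Komodia or Superfish. It models in a few dozen lines why a pre-trusted root whose private key is shared across every machine is so damaging, from the defender's side: two throwaway CAs are built in memory (a stand-in "public" CA and a stand-in "interceptor" CA), and a simplified client decision shows that a trust store containing the interceptor root accepts a certificate for a site that CA never legitimately vouched for, that a client pinning the expected issuer rejects it, and that an allow-list audit of the trust store surfaces the unexpected root. It assumes the third-party `cryptography` package; the CA names and the hostname `bank.example` are constructed for the demo.

```python
"""Why a shared, pre-trusted root private key breaks TLS for everyone.

Added example (not Superfish/Komodia code). Assumes the `cryptography`
package. All CA names and hostnames below are constructed for the demo.
"""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _validity(days):
    now = datetime.datetime.now(datetime.timezone.utc)
    return now - datetime.timedelta(days=1), now + datetime.timedelta(days=days)


def make_root(common_name):
    """Create a self-signed root CA; returns (private_key, certificate)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    start, end = _validity(3650)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start).not_valid_after(end)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_leaf(ca_key, ca_cert, hostname):
    """Issue a server certificate for hostname, signed by the given CA key."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    start, end = _validity(90)
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start).not_valid_after(end)
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )


def _signed_by(leaf, root):
    """True if root's public key verifies leaf's signature and issuer matches."""
    if leaf.issuer != root.subject:
        return False
    try:
        root.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                 padding.PKCS1v15(), leaf.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return True


def client_accepts(leaf, hostname, trust_store, pinned_issuer=None):
    """Simplified TLS client decision: SAN match, optional issuer pin, trusted root."""
    sans = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    if hostname not in sans.get_values_for_type(x509.DNSName):
        return False
    if pinned_issuer is not None and leaf.issuer != pinned_issuer:
        return False
    return any(_signed_by(leaf, root) for root in trust_store)


def audit_trust_store(trust_store, allowed_subjects):
    """Return subjects of roots present in the store but absent from the allow-list."""
    return sorted(r.subject.rfc4514_string() for r in trust_store
                  if r.subject.rfc4514_string() not in allowed_subjects)


def demo():
    genuine_key, genuine_root = make_root("Demo Public CA")
    # The same interceptor key on every machine: anyone holding it signs for any host.
    interceptor_key, interceptor_root = make_root("Demo Interceptor CA")
    host = "bank.example"
    real_leaf = issue_leaf(genuine_key, genuine_root, host)
    intercept_leaf = issue_leaf(interceptor_key, interceptor_root, host)
    clean_store = [genuine_root]
    polluted_store = [genuine_root, interceptor_root]  # what a Superfish-style preload leaves behind
    pin = genuine_root.subject
    return {
        "clean_rejects_intercept": not client_accepts(intercept_leaf, host, clean_store),
        "polluted_accepts_intercept": client_accepts(intercept_leaf, host, polluted_store),
        "pinned_rejects_intercept": not client_accepts(intercept_leaf, host, polluted_store, pin),
        "pinned_accepts_real": client_accepts(real_leaf, host, polluted_store, pin),
        "unexpected_roots": audit_trust_store(polluted_store, {"CN=Demo Public CA"}),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The `client_accepts` model deliberately omits chain building, revocation and expiry checks so the single decisive factor stays visible: once the extra root is in the store, a correctly signed certificate for any hostname verifies, and nothing in the browser UI distinguishes it from a genuine one. The two mitigations shown, pinning the expected issuer and auditing the store against an allow-list, are the same ones a fleet administrator would apply after a cleanup tool has run, since removal tools only help users who already know they are affected.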
Lenovo: ‘We Are Learning’
“We ordered Superfish preloads to stop and had server connections shut down in January based on user complaints about the experience. However, we did not know about this potential security vulnerability until yesterday,” Lenovo said in a statement. “Now we are focused on fixing it.”
Lenovo vowed it has moved as swiftly and decisively as it can based on what it now knows. The company stressed that the issue does not impact any of its ThinkPads, tablets, desktops or smartphones -- or any enterprise server or storage device.
“We apologize for causing these concerns among our users -- we are learning from this experience and will use it to improve what we do and how we do it in the future,” Lenovo said. “We will continue to take steps to make removal of the software and underlying vulnerable certificates in question easy for customers so they can continue to use our products with the confidence that they expect and deserve.”
Posted: 2015-02-24 @ 8:05am PT
The whole tech industry should be learning, not just Lenovo.
For decades, manufacturers of Windows-based computers have accepted *bribes* from shady advertisers to install bloatware on the computers sold to the retail channel with insufficient review. The bloatware is designed to monetize everything possible on the computer and it was only a matter of time until one of these advertisers would push it too far, as is happening now with StinkyFish.
This is a symptom of a deeper-seated problem. For decades, Microsoft has ignored Windows security. Then, to keep alive an industry of anti-virus and other shady security-providers, Microsoft reluctantly put out Windows Defender, a half-baked solution.
The solution is to make sellers responsible for the security of the systems they sell. The last time citizens had to pay "protection money" was when the mob was controlling the streets. Much of the anti-virus industry is, like the mob, collecting protection money in exchange for a subscription service that would not be needed if somebody would take responsibility for Windows' security. Look at Apple's OSX or at the different variations of Linux/BSD for systems where security is integrated from the ground up.
Similarly, Lenovo and its peers should be made responsible for the damage caused by the bloatware they install.
Last but not least, there is an ELEPHANT IN THE ROOM: Certification Authorities that get their root certificates installed on encryption-dependent devices. There are roughly 300 such root CAs on the average computer and here all of the tech industry is guilty, including Apple (iOS/OSX), Google (Android), Microsoft (obviously) but also Mozilla (Firefox) and Opera. The critical point of failure is that many of these CAs have shady practices and there is a lack of mechanism for the end-user to control which CAs to trust and which to kick out of their computing devices. The solution? Political. The tech industry must either voluntarily or under political pressure ensure that root certificates can only be installed on their products after they fulfill verified standards; and it must provide for the easy revocation of root certificates both by an automated mechanism as well as by user intervention.