Security on the web must be taken seriously, and people should be able to trust software and PC makers to help them stay secure when conducting business online. Sadly, PC makers and software publishers too often put your security at risk for other motives.

Since at least September 2014, customers of Lenovo PCs have been complaining on the Lenovo forum about mysterious advertisements generated by pre-installed software, Superfish, that also posed a security threat. In January 2015, security researcher Chris Palmer purchased a Lenovo Yoga 2 and, as reported by Ars Technica, confirmed that the Superfish adware installed a self-signed certificate with the same private key as on other Lenovo PCs. Worse yet, another security expert at Errata Security extracted the Superfish certificate by cracking its password, which turned out to be komodia. The Superfish adware makes it much easier for attackers to perform a man-in-the-middle attack: anyone holding that same certificate key can spoof other websites and fool visitors into handing over sensitive information.

US-CERT Alert

The United States Computer Emergency Readiness Team (US-CERT) issued an alert about the Superfish software’s “critical vulnerability” on February 20th. This is a serious security risk.

Test your system for Superfish, Komodia, PrivDog vulnerability

Since other software, some of it intended for security or parental controls, does the same or worse, you can test your system using Filippo Valsorda’s test at:

HTTPS and your security in a nutshell

When you see the green padlock symbol in your browser, you trust that the information you enter on the website is encrypted and safe from interception. It’s private business between you and the organization behind the website.

The process comes down to trust, established with certificates. A handful of third-party Certificate Authorities are recognized as trusted parties that confirm identities using digital signatures made with public-private key pairs. The authority signs the certificate of the website you’re visiting with its private key; your browser uses the authority’s public key to check that the signature is valid.

The private key must be kept secret, and the certificate should come from a trusted source. Your browser ships with a list of trusted certificates from Certificate Authorities. Self-signed certificates are sometimes necessary, but each one must be generated uniquely on each computer, which makes it difficult for an attacker to reuse.

For a detailed overview, see “How does https actually work” by Robert Heaton.

Superfish-Komodia foolery

To insert targeted advertising, Superfish installed a self-signed HTTPS certificate, using the same key as on other machines (non-unique), that intercepted encrypted data. Many machines sharing the same false certificate from the same private key make things much easier for thieves. Even if the certificates had been unique, intercepting all HTTPS connections just to display advertising is risky business. Nobody wants their private data in the hands of advertisers.
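The two paragraphs above (how a browser decides to trust a certificate, and what a pre-installed interceptor root does to that decision) can be shown end to end with a toy certificate hierarchy. The program below is an added example written for this post, not Superfish’s, Lenovo’s or Komodia’s code; it uses only Go’s standard library, and every name in it (“Toy Root CA”, “Interceptor Root”, “shop.example”) is made up. It builds a genuine CA and a site certificate, then a second, self-signed “interceptor” root that signs a certificate for the same hostname, and checks all three against a clean trust store and against one where the interceptor root has been added, as the adware did.

```go
package main

// Added example (not from the original post): a toy certificate hierarchy built
// with Go's standard library. It shows why a browser trusts a site certificate
// and why installing a non-unique interceptor root breaks that trust.
// All names ("Toy Root CA", "Interceptor Root", "shop.example") are made up.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newRoot creates a self-signed CA certificate and its private key.
func newRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf has the CA sign a server certificate for host. Whoever holds the
// CA's private key can do this for any hostname, which is the whole problem
// when one private key is shipped on thousands of laptops.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// browserAccepts does what the browser does behind the padlock: check that the
// leaf chains to a root in the trust store and is valid for the hostname.
func browserAccepts(trust *x509.CertPool, leaf *x509.Certificate, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trust, DNSName: host})
	return err == nil
}

// DemoResult records the three checks the example makes.
type DemoResult struct {
	GenuineAccepted       bool // real site cert, clean trust store
	SpoofAcceptedClean    bool // interceptor-signed cert, clean trust store
	SpoofAcceptedPoisoned bool // same spoof after the interceptor root is installed
}

func runDemo() (DemoResult, error) {
	var r DemoResult
	const host = "shop.example" // constructed hostname
	genuineCA, genuineKey, err := newRoot("Toy Root CA")
	if err != nil {
		return r, err
	}
	interceptor, interceptorKey, err := newRoot("Interceptor Root (hypothetical)")
	if err != nil {
		return r, err
	}
	genuineLeaf, err := issueLeaf(genuineCA, genuineKey, host)
	if err != nil {
		return r, err
	}
	spoofLeaf, err := issueLeaf(interceptor, interceptorKey, host)
	if err != nil {
		return r, err
	}
	clean := x509.NewCertPool() // the trust store the browser ships with
	clean.AddCert(genuineCA)
	r.GenuineAccepted = browserAccepts(clean, genuineLeaf, host)
	r.SpoofAcceptedClean = browserAccepts(clean, spoofLeaf, host)
	poisoned := x509.NewCertPool() // the same store after the adware adds its root
	poisoned.AddCert(genuineCA)
	poisoned.AddCert(interceptor)
	r.SpoofAcceptedPoisoned = browserAccepts(poisoned, spoofLeaf, host)
	return r, nil
}

func main() {
	r, err := runDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Run it and the clean store accepts the genuine certificate and rejects the spoof; once the interceptor root is in the store, the spoof passes every check the padlock relies on. Nothing about the spoofed certificate changed between the two runs; only the trust store did, which is why an installed root that shares its private key across machines undermines every HTTPS site, not just the adware’s own traffic.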

It turns out the bad technology Superfish used came from Komodia, a company marketing spyware and ad-insertion tools. The same issue appeared in other software, as listed in this post on Ars Technica, and this post reveals that Lavasoft, an anti-virus company, had included Komodia technology until recently removing it.

Lenovo-Superfish debacle

Lenovo had stopped using Superfish due to negative customer feedback. Why would anyone want adware in the first place? In an interview with the Wall Street Journal, the CTO of Lenovo made a statement:

We’re not trying to get into an argument with the security guys. They’re dealing with theoretical concerns. We have no insight that anything nefarious has occurred. But we agree that this was not something we want to have on the system, and we realized we needed to do more.

Lenovo listed affected models with a statement.

Superfish responded to Ars Technica by email stating:

Despite the false and misleading statements made by some media commentators and bloggers, the Superfish software does not present a security risk. In no way does Superfish store personal data or share such data with anyone. Unfortunately, in this situation a vulnerability was introduced unintentionally by a 3rd party. Both Lenovo and Superfish did extensive testing of the solution but this issue wasn’t identified before some laptops shipped. Fortunately, our partnership with Lenovo was limited in scale. We were able to address the issue quickly. The software was disabled on the server side (i.e., Superfish’s search engine) in January 2015.

Thoughts

It’s very tough to imagine how experts on HTTPS could claim there is no security risk. Better to respond with a reasonable acknowledgement and a plan to improve than to deceive customers. Lenovo installing adware without basic investigation damages its reputation. Take responsibility.

Jim Dalrymple on The Loop said it best, “This is why people don’t trust PC-makers”, in response to AppleInsider’s “Lenovo bundled adware on some laptops, leaves users with staggering security vulnerabilities”.

Indeed. Lenovo needs to work hard to regain trust and respect.