Lenovo shipping laptops with pre-installed adware that kills HTTPS

Software conducts Man-in-the-Middle attack to display ads; Lenovo says users had to opt-in before this could happen

Page 2 of 2

Update 2:

Salted Hash has asked additional questions, since Lenovo has investigated and found no "evidence to substantiate security concerns."

In the interest of disclosure, the follow-up questions we asked are below. Should Lenovo respond, we'll update in-line.

(1) Superfish uses a SHA1 certificate, which is deprecated. It also uses a 1024-bit RSA key that has been cracked [1]. The public key and private key (password 'komodia') are freely available, so anyone can sign a certificate with them [2].

Also, the Superfish certificate is still trusted and not removed after uninstallation. So while the technology may be safe, code-wise, wouldn't your security engineers agree that the implementation of it isn't, or at least agree that it could have been handled better?

-

Lenovo didn't answer questions from Salted Hash after the original statement was delivered. However, in an interview with PC World, Lenovo CTO Peter Hortensius said that the company feels it has "made a significant mistake here."

“At the end of the day, we’re seeing clearly that we messed up,” Hortensius said.

-

(2) Given the developments in (1), there is a high risk for Man-in-the-Middle attacks from external hostile actors. How is this not a security concern?

The keys are compromised and can be used to target Lenovo customers directly. Given the number of people using these commercial products for work (BYOD), this is both a home issue and an enterprise issue.

Will Lenovo create a tool to remove Superfish and ensure that the certificate is also removed from the system? If so, what are your plans for notification given that a majority of those impacted will not be aware of the potential risks created by this software?

-

Again, Lenovo ignored these questions. However, in an interview with the Wall Street Journal, Hortensius confirmed that a tool would be made available soon, confirming his statements to PC World that such a resource would be available on Friday.

"As soon as the programmer is finished, we will provide a tool that removes all traces of the app from people’s laptops; this goes further than simply uninstalling the app. Once the app-wiping software is finished tonight or tomorrow, we’ll issue a press release with information on how to get it," he said.

When asked about the disparity between Lenovo's take on the situation, and the opinions held by the security community, Hortensius said that the company wasn't "trying to get into an argument with the security guys."

"They’re dealing with theoretical concerns. We have no insight that anything nefarious has occurred. But we agree that this was not something we want to have on the system, and we realized we needed to do more."

-

For detailed instructions on how to determine if your system has Superfish installed, as well as how to remove it, see the following post on the XSS blog:

FAQ: How to find and remove Superfish from your Lenovo laptop
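The two properties the follow-up questions above single out, a SHA-1 signed root and a 1024-bit RSA key, plus the fact that the root survives uninstallation, can be checked directly in the Windows certificate stores. The PowerShell script below is an added example written for this page; it is not Lenovo's removal tool and not code from the FAQ linked above. It audits the machine and user Root stores and reports any trust anchor that is SHA-1 signed, has an RSA key shorter than 2048 bits, or whose subject matches the name `Superfish` taken from this article; the store paths and the 2048-bit threshold are our assumptions.

```powershell
# Added example (not Lenovo's tool): audit Windows Root stores for trust
# anchors with the weaknesses described on this page. Assumptions: the two
# store paths below, the 'Superfish' subject pattern from the article, and a
# 2048-bit RSA minimum.
param(
    [string[]]$StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'),
    [string]$SubjectPattern = 'Superfish',
    [int]$MinRsaBits = 2048
)

function Get-WeakRootCertificates {
    param([string[]]$Paths, [string]$Pattern, [int]$MinBits)

    foreach ($path in $Paths) {
        if (-not (Test-Path $path)) { continue }

        foreach ($cert in Get-ChildItem -Path $path) {
            $reasons = @()

            # Signature algorithm: the article notes the root is SHA-1 signed.
            if ($cert.SignatureAlgorithm.FriendlyName -match 'sha1') {
                $reasons += "SHA-1 signature ($($cert.SignatureAlgorithm.FriendlyName))"
            }

            # Key size: GetRSAPublicKey returns $null for non-RSA keys.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            if ($rsa -and $rsa.KeySize -lt $MinBits) {
                $reasons += "RSA key $($rsa.KeySize) bits (< $MinBits)"
            }

            # Subject name: a leftover root from the interception product.
            if ($cert.Subject -match $Pattern) {
                $reasons += "subject matches '$Pattern'"
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
    }
}

$findings = Get-WeakRootCertificates -Paths $StorePaths -Pattern $SubjectPattern -MinBits $MinRsaBits
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No root certificates matched the weak-root criteria.'
}
```

Run it from an elevated PowerShell prompt so that `Cert:\LocalMachine\Root` is readable; the `Thumbprint` column identifies each finding unambiguously, which matters because the SHA-1 and key-size checks will also flag some legitimately old roots, so confirm a match before removing anything from the store. Uninstalling the application alone does not clear the trust anchor, as the article points out, so the audit is worth re-running after any cleanup.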

A follow-up story explains how the security concerns are not a theory, as Hortensius suggested. In fact, given recent developments, attacking a Lenovo customer using Superfish is a trivial task.

Copyright © 2015 IDG Communications, Inc.
