On Thursday, the world woke to the news that commercial-grade Lenovo PCs were being shipped from the factory with adware pre-installed on the system. Designed to provide a visual shopping experience, the software is insecure and breaks HTTPS connections intentionally, leaving customers vulnerable.
Security researchers, and anyone with a horse in the information security race, took note of Lenovo's software and quickly determined that not only was the concept questionable, the way the software functioned created a situation that is easily exploited and should be avoided at all cost.
Visual Discovery was created by Superfish Inc., a company that makes advertising software. In comments posted to a company support forum, Lenovo said the software was pre-installed in order to deliver an experience "that helps users find and discover products visually."
Yet, the way those ads are generated is the problem. Researchers quickly discovered that not only does Superfish inject ads; it also breaks SSL by installing a self-signed root certificate that can intercept encrypted traffic for any secured website a user visits.
It's a classic example of a Man-in-the-Middle attack, one that wouldn't be too difficult to conduct based on the design of the software and its security protocols. Worse, the risk remains even after the user uninstalls the Visual Discovery software.
However, Lenovo sidestepped the security issues. In a statement the company said that after an investigation, they've not found "any evidence to substantiate security concerns."
In an interview with the Wall Street Journal, Lenovo CTO, Peter Hortensius, was asked to address the security community's concerns, particularly the difference of opinions. Hortensius said that the company wasn't "trying to get into an argument with the security guys."
"They’re dealing with theoretical concerns. We have no insight that anything nefarious has occurred. But we agree that this was not something we want to have on the system, and we realized we needed to do more."
There's nothing theoretical about the concerns being expressed by security professionals. Within hours of the story breaking, the private and public keys used by the questionable Superfish certificate were in the public domain.
As it turns out, the password for the private key is 'komodia' – the name of the company that created the tools needed to enable Superfish to Man-in-the-Middle connections.
If you read the statement given to the Wall Street Journal by Hortensius a second time, from a marketing standpoint, he doesn't dismiss the threat posed by Superfish outright.
Instead, he focuses on the fact there hasn't been any evidence (or proof) of attacks that take advantage of the weak certificate. That's spin, pure and simple, and exactly what Lenovo needs – their reputation depends on it.
"... The intent of loading this tool was to help enhance our users’ shopping experience. The feedback from users was that it wasn’t useful, and that’s why we turned it off. Our reputation is everything and our products are ultimately how we have our reputation...," Hortensius said.
Still, if attacks are only theory, how quickly could they become practical?
The certificate used by Superfish has already been cracked. Moreover, when presented to a user, there are no clear warnings pointing out the fact the secure session has been hijacked.
...what that pic shows is the browser thinks it's a legit authenticated BofA website but it's just my Apache default pic.twitter.com/dshTkEHNko
— Rob Graham (@ErrataRob) February 19, 2015Locating potential victims isn't that hard either. A search on Twitter for the term "new laptop" with the exact phrase "Lenovo" excluding "reviewed," "announced," and "review," returns hundreds of potential victims, and their locations in some cases.
You could also target colleges that promote Lenovo systems to students. Students that are likely to opt for commercial offerings over everything else due to price. For that, a simple Google search does the trick:
site:.edu recommended laptop shop.lenovo.com
Given the ease of locating either people of interest individually (based on social media), or a large concentration of viable targets (college campuses, companies, etc.) known to have the vulnerable setup, it would be fairly trivial to conduct an attack, remarked Ian Amit, Vice President of ZeroFOX, a company that does social risk management.
All the attacker would need to do is create a rogue access point and use the Superfish certificate to spoof known websites for banking, social media, and email. This simple setup enables them to capture traffic for a large number of victims. This could happen at a student center, coffee shop, library, even a dorm common room.
During the Man-in-the-Middle session, credentials are visible in plain text, so the attacker can save them and later use them to access banking applications, email, or other accounts. Tools that enable such attacks are freely available online, some of the more popular ones are packaged inside of security suites such as Kali Linux.
"The difficult part should have been the interception of the encrypted traffic and being able to decrypt it, with the fake root CA installed on the victim laptops, and the availability of the private key, this turns [the attack] into a trivial task," Amit added.
Lenovo promises that a tool will be released within the next day or so to completely remove Superfish from the impacted systems. In addition, they've issued a public apology:
We're sorry. We messed up. We're owning it. And we're making sure it never happens again. Fully uninstall Superfish: http://t.co/mSSUwp5EQE
— Lenovo United States (@lenovoUS) February 20, 2015