Senior Staff Writer

Lenovo shipping laptops with pre-installed adware that kills HTTPS

Feb 19, 2015 | 7 mins
Cybercrime, IT Leadership, Lenovo

Software conducts Man-in-the-Middle attack to display ads; Lenovo says users had to opt-in before this could happen

Lenovo is in hot water after it was revealed on Wednesday that the company is shipping consumer laptops with Superfish (Adware) pre-installed. Security experts are alarmed, as the software performs Man-in-the-Middle attacks that compromise all SSL connections.

It’s a fact of life; PC manufacturers are paid to install software at the factory, and in many cases this is where their profit margin comes from. However, pre-installed software is mostly an annoyance for consumers. Yet, when this pre-installed software places their security at risk, it becomes a serious problem.

Lenovo, in comments posted to a company support forum, said they have partnered with a company called Superfish Inc. to deliver software “that helps users find and discover products visually.”

This is done by injecting ads on the sites displayed by Internet Explorer and Chrome; Firefox doesn’t seem to be impacted in this instance, but complaints that date back to last summer surrounding Superfish do include Mozilla’s browser. Others are more recent, including one posted Thursday morning on Twitter, which says Superfish installs WindowShopper on Firefox.

Researchers have discovered that not only does Superfish inject ads; it also breaks SSL by installing a self-signed root certificate that can intercept encrypted traffic for any secured website a user visits.

This Man-in-the-Middle attack is what drives the visual ad displays across all websites, no matter what their encryption status may be.

“Superfish technology is purely based on contextual/image and not behavioral. It does not profile, nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked, nor re-targeted. Every session is independent. When using Superfish for the first time, the user is presented the Terms of User and Privacy Policy, and has option not to accept these terms, i.e., Superfish is then disabled,” commented Mark Hopkins, Program Manager for Lenovo Social Media Services.

Most experts have taken exception to Lenovo’s pre-installed business deal, and the fact that consumers had to first opt-in to the Man-in-the-Middle attack doesn’t change the flawed security involved.

Even if the user removes the Superfish software, the certificate remains trusted and installed on the system. As for the opt-in requirement, most users agree to everything when configuring a new system, assuming they even notice the Superfish TOS to begin with.

The Superfish certificate is the same for each laptop it’s installed on, and this certificate is used for each SSL connection. A criminal would have little difficulty in using this setup to further compromise a person’s connections – and the Superfish certificate’s trust level on the system would only help. Moreover, Superfish uses a SHA1 certificate with a 1024-bit RSA key.
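A read-only check for the condition described above (a root certificate that stays trusted after the uninstall and carries a 1024-bit RSA key), as an added example that is not from the original article or from Lenovo. The subject string `Superfish` is an assumption; the article does not give the certificate's exact subject or thumbprint.

```powershell
# Added example: audit the Windows trusted-root stores. Nothing is modified.
# Assumption: the certificate's subject or issuer contains "Superfish".
$namePattern = 'Superfish'
$stores      = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store) {
        $reasons = @()

        if ($cert.Subject -match $namePattern -or $cert.Issuer -match $namePattern) {
            $reasons += "name matches '$namePattern'"
        }

        # GetRSAPublicKey returns $null for non-RSA (e.g. ECDSA) certificates.
        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $bits = if ($rsa) { $rsa.KeySize } else { $null }
        if ($bits -and $bits -le 1024) {
            $reasons += "RSA key is only $bits bits"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store              = $store
                Subject            = $cert.Subject
                Thumbprint         = $cert.Thumbprint
                SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
                RsaKeyBits         = $bits
                NotAfter           = $cert.NotAfter
                Reasons            = $reasons -join '; '
            }
        }
    }
}

if ($findings) {
    $findings | Format-List
} else {
    'No trusted root matched the name pattern or the weak-key check.'
}
```

Run it again after uninstalling the software: an entry that is still listed is the leftover trust anchor the paragraph describes.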

“We trust our hardware manufacturers to build products that are secure. In this current climate of rising cybercrime, if you can’t trust your hardware manufacturer you are in a very difficult position,” wrote security researcher Marc Rogers.

“When bad guys are able to get into the supply chain and install malware it is devastating. Often users find themselves with equipment that is compromised and are unable to do anything about it. When malware is installed with the access a manufacturer has it buries itself deep inside the system often with a level of access that often takes it beyond the reach of antivirus or other countermeasures. This is why it is all the more disappointing – and shocking – to find a manufacturer doing this to its customers voluntarily.”

Salted Hash has reached out to Lenovo for comment, and will update once they respond.


A Lenovo spokesperson responded to questions earlier this morning. The company says that Superfish hasn’t been installed on laptops since January, and that all server side interactions have been disabled since then as well. The full statement is below.

Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping. However, user feedback was not positive, and we responded quickly and decisively:

1) Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.

2) Lenovo stopped pre-loading the software in January.

3) We will not pre-load this software in the future.

We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns. But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software. We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first…

The statement goes on to repeat what was said originally on the support forums, adding that the relationship with Superfish Inc. is not financially significant to Lenovo; “our goal was to enhance the experience for users. We recognize that the software did not meet that goal and have acted quickly and decisively,” the statement concluded.


Update 2:

Salted Hash has asked additional questions, since Lenovo has investigated and found no “evidence to substantiate security concerns.”

In the interest of disclosure, the questions asked as a follow-up are below; should Lenovo respond, we’ll update in-line.

(1) Superfish uses a SHA1 certificate, which is deprecated. It also uses a 1024-bit RSA key that has been cracked [1]. The public key and private key (password ‘komodia’) are freely available, so anyone can sign a certificate with them [2].

Also, the Superfish certificate is still trusted and not removed after un-installation. So while the technology may be safe – code wise – wouldn’t your security engineers agree that the implementation of it isn’t, or at least agree that it could have been handled better?

Lenovo didn’t answer questions from Salted Hash after the original statement was delivered. However, in an interview with PC World, Lenovo CTO, Peter Hortensius, said that the company feels that they’ve “made a significant mistake here.”

“At the end of the day, we’re seeing clearly that we messed up,” Hortensius said.

(2) Given the developments in (1), there is a high risk for Man-in-the-Middle attacks from external hostile actors. How is this not a security concern?

The keys are compromised and can be used to target Lenovo customers directly. Given the number of people with commercial product using them for work (BYOD), this is a home issue and an enterprise issue.

Will Lenovo create a tool to remove Superfish and ensure that the certificate is also removed from the system? If so, what are your plans for notification given that a majority of those impacted will not be aware of the potential risks created by this software?

Again, Lenovo ignored these questions. However, in an interview with the Wall Street Journal, Hortensius confirmed that a tool would be made available soon, confirming his statements to PC World that such a resource would be available on Friday.

“As soon as the programmer is finished, we will provide a tool that removes all traces of the app from people’s laptops; this goes further than simply uninstalling the app. Once the app-wiping software is finished tonight or tomorrow, we’ll issue a press release with information on how to get it,” he said.

When asked about the disparity between Lenovo’s take on the situation, and the opinions held by the security community, Hortensius said that the company wasn’t “trying to get into an argument with the security guys.”

“They’re dealing with theoretical concerns. We have no insight that anything nefarious has occurred. But we agree that this was not something we want to have on the system, and we realized we needed to do more.”

For detailed instructions on how to determine if your system has Superfish installed, as well as how to remove it, see the following post on the XSS blog:

FAQ: How to find and remove Superfish from your Lenovo laptop

A follow-up story explains how the security concerns are not a theory, as Hortensius suggested. In fact, given recent developments, attacking a Lenovo customer using Superfish is a trivial task.