Spin and FUD: Superfish CEO says software presents no security risk

In a statement to Ars Technica, Adi Pinhas, CEO of Superfish Inc. said his company’s pre-installed advertising software on Lenovo PCs poses no security risk – despite clear evidence otherwise.

Pinhas’ statement centers on recent news that his company’s software, Visual Discovery, poses a significant risk to consumers. This risk was compounded by the fact Lenovo pre-installed the software on systems that shipped between September and December of 2014.

The problem isn’t the adware itself, as Visual Discovery is pitched as a tool “that helps users find and discover products visually.”

Adware is an annoyance true, but the way those ads are generated by Visual Discovery is the real problem, and the reason that researchers and security experts came down hard on Lenovo.

In a matter of hours, researchers quickly discovered that not only does Superfish inject ads; it also breaks SSL (what consumers know as HTTPS) by installing a self-signed root certificate that can intercept encrypted traffic for any secured website a user visits.

If you uninstall Visual Discovery, the Superfish certificate remains on the system with the exact level of trust it had while the software was operational. Its function and existence on a system can lead to a Man-in-the-Middle attack, one that wouldn’t be too difficult for an attacker to leverage based on the design of the software and its security protocols.

All an attacker would need to do is sign a certificate using the Superfish private key, which normally would cause a problem, as the attacker would first need both the software’s public key, as well as the private key and its password.

However, Visual Discovery was so poorly implemented and deployed, that researchers were able to find and crack the Superfish private key within hours. As it turns out, the password for the private key is ‘komodia’ – the name of the company that created the tools needed to enable Superfish to Man-in-the-Middle connections.

Worse, Superfish uses the same key on each installation, meaning millions of Lenovo customers could be at risk.

Lenovo first said that most of the Man-in-the-Middle conversations were attacks based on theory, a claim Salted Hash and other experts proved false. Later, the manufacturer admitted their mistake, and said they’re working to fix the issue, promising a removal tool that will automate the process of removing the Superfish software and the certificate. Until then, removal instructions are available here.

The following is the statement issued by Superfish Inc. CEO, Adi Pinhas, along with additional commentary on certain points.

“There has been significant misinformation circulating about Superfish software that was pre-installed on certain Lenovo laptops. The software shipped on a limited number of computers in 2014 in an effort to enhance the online shopping experience for Lenovo customers. Superfish’s software utilizes visual search technology to help users achieve more relevant search results based on images of products they have browsed.”

“Despite the false and misleading statements made by some media commentators and bloggers, the Superfish software does not present a security risk. In no way does Superfish store personal data or share such data with anyone. Unfortunately, in this situation a vulnerability was introduced unintentionally by a 3rd party. Both Lenovo and Superfish did extensive testing of the solution but this issue wasn’t identified before some laptops shipped.”

At no point did researchers or other security experts claim that Superfish stored personal data or shared it. That isn’t the problem, and phrasing the statement like this ignores the real issue. This spin is misleading and false.

This spin is designed to cover the fact that as long as the Superfish certificate remains installed and trusted on select Lenovo computers, consumers are at risk and easily targeted. Worse, they’ll never know its happening.

Throwing Komodia under the bus does nothing to help the situation. The fact is, Superfish trusted third-party code and didn’t completely check it before it was shipped to market. Just because the code works, doesn’t mean it’s safe. The statement admits this, yet the security community is called out for stating facts?

If there is no security concern, why has Lenovo published a security advisory?

Why has US CERT (US Department of Homeland Security) published advisories urging consumers to uninstall Visual Discovery and remove the Superfish Inc. certificate?

Why has Microsoft come forward and stated they would tune their security software to not only detect Superfish, but also automatically remove your company’s software?

Why? Because everyone agrees there is a significant security risk, and there is a likely chance that consumers will be targeted due to the basic security mistakes contained in the Visual Discovery software.

In fact, the latest research shows that not only are things bad as they stand, but worse because SSL validation in Komodia / Superfish is broken.

“Fortunately, our partnership with Lenovo was limited in scale. We were able to address the issue quickly. The software was disabled on the server side (i.e., Superfish’s search engine) in January 2015.

“Superfish takes great pride in the quality of its software, the transparency of its business practices, and its strong relationship with the Superfish user community. Superfish’s visual search technology enables millions of people to explore and learn about the world in an engaging and highly intuitive manner. A positive user experience has been the cornerstone of Superfish’s success.”

And that positive user experience will crumble the first time a targeted attack uses the poorly implemented and protected Superfish Inc. certificate that you willingly shipped to millions of people.