Superfish – Should you be worried?

Note: Not the same Superfish....
Note: Not the same Superfish….

Last week security researchers discovered a major vulnerability caused by a program that was bundled with new Lenovo computers.  The program in question, made by a company named Superfish, is designed to inject ads into web pages you are visiting, based on your web browsing activity.

“Injecting” ads into web pages is pretty ethically questionable anyway, especially one that tracks your activity on any web page you visit, but it gets worse.  Most sites, like Google, Amazon, Twitter, Facebook, and others use encryption to secure your connection, so that unsavory characters can’t just listen in and track you.  Naturally, if Superfish can’t listen in on your web traffic, they can’t track and/or inject ads into those pages.

So, Superfish devised a method to insert themselves into those secure websites too.  Usually referred to as a Man-In-The-Middle attack (because it is an attack), the idea is to create a faux connection from the customer (you, in this case) and the website you want to use (anything that uses encryption).

A man-in-the-middle attack
A man-in-the-middle attack

Of course, the magic of the encryption used to secure web pages requires you to have the public key (usually called the certificate) and the private key (kept strictly private).  As you can imagine, Google doesn’t lend their private key out to interested parties, so the solution is to create your own certificate, install it on the victim, I mean customer’s, computer, and then you can sit right in the middle of that “secure” connection, present a certificate for any site to the customer (which your browser will happily trust – it’s installed as “trusted”, after all!), and watch everything going back and forth.

You are probably asking yourself what the big deal is.  Here’ the problem: the certificate that Superfish installed on your computer, just so that they can inject ads into your web browser, can be used by other attackers too.  Remember that private key we mentioned earlier?  Turns out that the Superfish crew used the same one on ALL of the computers the software was installed on.  An attacker who found the private key would have the ability to impersonate ANY website visited by someone with this software installed.

Just like a password, it doesn't matter how complex the private key is if everyone knows it....
Just like a password, it doesn’t matter how complex the private key is if everyone knows it….

Recognizing now that perhaps this is a bad idea, Lenovo has released a removal tool, that not only removes the Superfish software, but also pulls out the certificates that were installed along with it.  Kudos to them for doing so.  You can find the removal tool here:

http://support.lenovo.com/us/en/product_security/superfish_uninstall

So, should you be worried about Superfish?  If you bought one of the following Lenovo computers between September 2014 and January 2015, then you probably have it installed right now.

G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30]

The Thinkpad line from Lenovo was not shipped with the Superfish adware installed, according to Lenovo.

If you have a company issued laptop (especially if you are an Enterprise Integration customer), your machine was likely reloaded with a purpose-built Microsoft Windows image that does not have any of this type of software installed.  If you purchased a Lenovo for yourself or your family, you should take a few moments and try the removal tool from Lenovo.

The bigger question that remains: How many more Superfish situations exist, and how can you protect yourself from these unknowns?  We’ll address that in a follow up post.

Thanks for reading, and stay safe out there!

More information can be found here:

http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/

Leave a Reply