Lenovo Puts Ad Revenue over Security with Superfish

We have been talking for quite a while now about the obvious “rogue” devices hiding in your enterprise, but there is another issue highlighted in our post on gifts that has resurfaced again: potentially vulnerable devices within your network that are not obviously rogue.

The security and privacy communities have been on absolute fire since news broke about the “Superfish” advertisement software Lenovo decided to pack in with some of their Windows-based machines in 2014. While everyone agrees that Lenovo pre-installing malware designed to push advertisements onto users’ screens is pretty, Superfish is looking to be considerably more dangerous than your standard manufacturer bloatware. Superfish messes up the HTTPS standard so badly that many in the industry have been left wondering how the companies involved could possibly have signed off on something so against standard security practices.

Many are calling this the worst security gaff from a major tech player in recent history, and it has already been compared to the infamous Sony rootkit debacle of the mid 2000’s. Superfish has even gotten the attention of Homeland Security, which released a statement calling it a “critical vulnerability”. For its part, Lenovo claims they had no idea about the security implications of Superfish and have been working with Microsoft to get it automatically removed by Windows.


How Superfish Works

Superfish is described as a “Visual Discovery” platform, essentially software that matches the content of images with what they actually are. The creators claim this software helps consumers do things like identify what items are even if they don’t know how to textually describe them.

In the case of Lenovo computers, Superfish was included to analyze the images users were looking at and suggest advertisements that were relevant to them. So if the user was looking for images of dogs on their computer, they may start seeing advertisements related to animal adoption agencies while browsing the web. This is not unlike Google’s AdSense, just using images instead of text keywords to generate contextual ads. In other words, it might sound shady, but it isn’t something we aren’t already dealing with on a daily basis.



The real problem is that Superfish was configured to intercept all of the data a user was sending out on the Internet, even if it was encrypted. It did this by installing it’s own self-signed root certificate, essentially making the computer think that Superfish was the issuing party for all SSL certificates. It then had free reign to view and modify the data the user was seeing in any way it wished, even though the browser said the page was encrypted and they had a secure connection to the site.

In other words, Superfish performed a classic Man-in-the-Middle attack against SSL encrypted sites. A trick that usually requires taking over the entire network with specialized software was done out of the box by the friendly folks at Lenovo.

But it gets worse.

If each installation of Superfish had a unique private key, this would still be an invasion of privacy on a large scale, but not exactly unheard of. For example, anti-virus software often installs a root certificate unique to each machine so it can check HTTPS encrypted sites for malicious code. But the company that provided Superfish with its SSL certificate, Komodia, decided to use the same private key for every certificate that got installed on a machine running Superfish. Which means anyone who has that key could fool a Superfish-equipt machine into believing they had a secure connection to any site they wished.

It only took a few hours for the private key Komodia used to get discovered, aided in no small part to the fact that they decided to protect the key with the password: “komodia”.


Lessons Learned

It’s becoming clear that more software than just Superfish was using the faulty Komodia private key. It’ll likely be awhile before the practical implications of the Superfish/Komodia software combination are fully known. How many machines are really affected? How likely is it for an attacker to leverage this against a victim in the real world?

But in the end the real point here is that the software included on a new machine simply cannot be trusted in an era where companies are playing fast and loose with users’ privacy and security. A full wipe and operating system reinstallation should be standard operating procedure on any new computer, whether it’s for personal or for business use.

With employees unaware of the potential dangers of their personal devices, it is vitally important to be aware of all devices connecting to your network.

New Call-to-action

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *