So Long, and Thanks for All the Superfish

by Stefan Friedli

Lenovo ThinkPads ship with software called Superfish that allows attackers to eavesdrop on all of their communication using simple Man-in-the-Middle attacks. A brief history of events.

One of the most solid and reliable devices I’ve ever owned was the IBM ThinkPad T42. It was rather expensive, even though I got it via the Neptun Project and it was somewhat more affordable. It served me well for years until it finally died a few years ago. The cause of its death was most likely the constant use.

People buying a ThinkPad these days will end up buying it from Chinese manufacturer Lenovo that took over IBM’s laptop line. It is pretty successful but has lost a bit of its reputation. IBM veterans lament the continuous decrease in quality of material, which has been one of the most valued features of Lenovo devices. Still, Lenovo managed to get a solid foothold, mostly in academic and professional areas.

Unwanted Standard Software

Time Jump: People who bought a Lenovo laptop between September 2014 and January 2015 have other problems to deal with than the absence of a magnesium lid on their device. Apart from the included operating system and the utilities, whose usability is debated, Lenovo included an adware application named Superfish.

Searches based on images and just so happens to be malware

Adi Pinhas, CEO of Superfish, describes the application’s functionality on his LinkedIn profile as follows.

Superfish is a pioneering visual search company. Through cutting-edge, patented technology we have developed a visual search engine that analyses images algorithmically and transforms the way images are searched, seen, utilized and shared over the web. Quite Simply, we are opening up a new way to search.

In brief: Superfish analyses images on a website and embeds relevant search results into the site. It’s no surprise that these results are always advertisements. And that seems to work for Pinhas. Since launching his company in 2006 he has managed to raise over 20 million US dollars in investor money.

Compromising System Integrity

While the technology used by Superfish is interesting, the use case described above will probably make it an unwanted feature. There’s also the question whether or not the installation of adware on a computer that was bought for full price is ethically sound. But the story of Superfish isn’t over and it’s far from its pinnacle in terms of being problematic.

The continuing adoption of SSL-encrypted connections for everyday use is a problem for Superfish. Google switched to SSL by default a few years ago. End-to-end encrypted connections block, at least partially, the injection of ads into the website on screen.

That wasn’t a big obstacle for Pinhas, though: His company just installed a pragmatic solution to the problem. In addition to the adware, Superfish installs a new Root CA on the target system. Since browsers on that system then trust every certificate signed by that CA, Superfish can terminate and re-sign any HTTPS connection, which basically allows the interception and manipulation of all traffic to all end points.

In an interview Pinhas was asked about the differences between his home Tel Aviv and his adopted home Silicon Valley, where Superfish is based. His reply:

The way we work, for example, is very different. We work a lot faster. We have fewer meetings, less formality. We are not saying “Sorry;” we are saying straight to your face, “This is a stupid idea.”

Considering that Superfish has a user base of over 10 million people – quite a number of them as a result of the deal with Lenovo – it’s regrettable that nobody said This is a stupid idea when it came to the secretive installation of a Root CA. Because it is a stupid idea. It is stupid for an institution that has neither the reputation nor the public trust nor the infrastructure to run a Root CA to do exactly that. The incision into system integrity is significant and comes dangerously close to categorizing Superfish as malware.

After users discussed the potential security issues on Lenovo’s forums, Lenovo released a statement trying to defuse the situation. Superfish is a feature, they said, that seeks to aid the user and besides, users can decline the Terms of User (sic) so that Superfish isn’t activated.

What isn’t so nice about all this is that declining the Terms of User (sic) leads to Superfish not being executed – but the Root CA is still being installed. Users are exposed to the risk of the Root CA anyway, even if they manage to hit the right button at the right time when faced with a massive wall of text.

PR Disaster and Tangible Risks

After Lenovo tried to de-escalate the situation and assured that there are no security implications brought on by the Root CA, Peter Hortensius, CTO of Lenovo, gave an interview to the Wall Street Journal. Lenovo is, he said, working on removing Superfish from Lenovo devices, but the security concerns are a purely theoretical matter.

It doesn’t need much explanation to see just how wrong this statement is. But Robert Graham of Errata Security delivered said explanation anyway. In a blog post he explained how the certificate including its private key – protected by the password komodia, by the way – can be extracted with relative ease. Since the same key ships on every affected machine, an attacker holding it can – anything but theoretically – execute Man-in-the-Middle attacks against all affected devices.

A juicy detail: komodia isn’t just a really weak password in general but also points towards the company named Komodia. Komodia offers SSL Redirector software, marketed towards concerned parents wanting to watch over their children. The vendor’s website is currently unavailable because of recent media attention.

One would hope that the tragedy would end after Graham’s proof of concept. But one would be wrong. In reality, Lenovo published a guide to uninstall the software but limited itself to incomplete instructions that left the certificate installed in Firefox, which maintains its own certificate store separate from the Windows one.
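The checks a defender would want after the above, as an added example that is not code from the article, Lenovo, Superfish or Komodia: a PowerShell audit that looks for the Superfish CA in the Windows root and intermediate stores (it is installed even when the terms are declined), in each Firefox profile’s separate NSS store (the part Lenovo’s guide missed), and finally opens one HTTPS connection to see which CA issued the certificate this machine is actually presented with. Assumptions: the CA’s subject contains the string "Superfish", the NSS tools’ certutil (not the Windows certutil.exe of the same name) is on the PATH, and www.google.com is only a placeholder test host.

```powershell
# Added example, not from the original article. Audits a Windows machine for the
# Superfish root CA and checks whether a live HTTPS connection is being re-signed.
# Assumptions: subject contains "Superfish"; NSS certutil is on PATH for Firefox.

$Pattern = '*Superfish*'

# 1. Windows certificate stores. The CA is dropped even when the Superfish terms are
#    declined, so look at the stores rather than at the installed-programs list.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
          'Cert:\LocalMachine\CA',   'Cert:\CurrentUser\CA'
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object { $_.Subject -like $Pattern } |
        ForEach-Object {
            [pscustomobject]@{ Store = $store; Subject = $_.Subject
                               Thumbprint = $_.Thumbprint; NotAfter = $_.NotAfter }
        }
}
if ($found) {
    Write-Warning 'Superfish CA present in the Windows stores:'
    $found | Format-Table -AutoSize
    # Removal (LocalMachine stores need an elevated shell); uncomment to apply:
    # $found | ForEach-Object { Remove-Item -Path "$($_.Store)\$($_.Thumbprint)" }
} else {
    Write-Host 'No Superfish CA in the Windows stores.'
}

# 2. Firefox keeps its own NSS trust database per profile (cert8.db in the 2015
#    releases), so a Windows-only cleanup leaves it in place. List each profile
#    with the NSS certutil; adjust $NssCertutil to its full path if the Windows
#    certutil.exe shadows it.
$NssCertutil = 'certutil'
$profiles = Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles" -Directory -ErrorAction SilentlyContinue
foreach ($p in $profiles) {
    $listing = & $NssCertutil -L -d $p.FullName 2>$null
    $hits = $listing | Select-String 'Superfish'
    if ($hits) {
        Write-Warning "Superfish CA in Firefox profile $($p.Name):"
        $hits | ForEach-Object { $_.Line }
        # Delete by nickname (first column of the listing); uncomment to apply:
        # & $NssCertutil -D -n '<nickname from listing>' -d $p.FullName
    }
}

# 3. Live check: open one TLS connection and record who issued the certificate this
#    process was shown. A leaf signed by Superfish means the connection is being
#    terminated and re-signed locally rather than reaching the real site directly.
function Get-PresentedIssuer {
    param([string]$HostName = 'www.google.com')   # placeholder test host
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    try {
        # Accept whatever is presented so the interception itself cannot hide by
        # failing validation; we only want to inspect the certificate.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ Host = $HostName; Subject = $leaf.Subject; Issuer = $leaf.Issuer }
        $ssl.Dispose()
    } finally { $tcp.Close() }
}
$presented = Get-PresentedIssuer
if ($presented.Issuer -like $Pattern) {
    Write-Warning "TLS to $($presented.Host) was issued by '$($presented.Issuer)': traffic is being intercepted."
} else {
    Write-Host "TLS to $($presented.Host) issued by: $($presented.Issuer)"
}
```

The third check only reports what this particular process was shown, so run it from the same user session in which the browser runs; a clean result there does not prove that the CA is absent from the stores, which is why the store checks come first.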

This isn’t the only reason why Superfish is a small disaster: While the amazing incompetence regarding communication and removal of the problem on the side of the vendor is reason enough to worry, there are millions of devices affected. These are consumer devices, which traditionally are updated only rarely, if ever, and without any managed update process behind them. Even if Lenovo publishes an automated and functioning fix, many users will remain vulnerable for a long time.

The only hope is that Superfish will turn into an argument for selling new devices without bloatware and added-functionality software, and that this argument will become a decisive one for customers when they buy. Because people buying a new computer should be able to expect that it isn’t infected with malware from day zero onwards – regardless of whether it is Superfish or not.

About the Author

Stefan Friedli

Stefan Friedli is a well-known face among the Infosec Community. As a speaker at international conferences, co-founder of the Penetration Testing Execution Standard (PTES) as well as a board member of the Swiss DEFCON groups chapters, he still contributes to push the community and the industry forward.
