I’m Steven Sundermeier, Internet Security Expert, Virus Researcher and Business Entrepreneur. I’ve spent the last sixteen years traveling across the Country uncovering, analyzing and speaking on many of the top online security issues of the last decade. Last quarter, I’d heard stories of a critical vulnerability pre-installed on Lenovo laptops shipped between September 2014 and February 2015. My investigation will take me deep into the heart of the cyber world, as I try to unravel the mystery behind this potentially serious security bulletin. I am calling this case, “The Lenovo Superfish”. [Queue the ominous scream]
If the beginning paragraph sounded familiar to you, you are not mistaken. While the grueling demands of owning and operating a business (and enjoying a family of five!) doesn’t always allow for it, I do enjoy watching TV when I have the chance. And one of my favorite shows to watch is the Animal Planet series, River Monsters. For those of you who are unfamiliar with the show, it follows extreme freshwater angler Jeremy Wade across the World in search of today’s modern day deadly freshwater monsters (i.e. Goliath Tiger Fish, Wels Catfish, Arapaima, etc.). The best part of enjoying River Monsters (given my hefty workload) is that I only need to tune in for the first 5 minutes to get a general understanding of the shows direction for the week and the last 5 minutes of the show to catch all the fishing action, and see the “River Monster” getting caught. With that now being said, re-read the first paragraph and see if the opening lines make more sense. Please note: to get into full River Monsters mode you’ll have to hear yourself reading the first paragraph in a British accent.
The Lenovo Superfish.
Lenovo, the multinational computer technology company that develops personal computers, tablets, laptops and much more, dominated news headlines with negative press earlier this year as a result of software known as “Superfish Visual Discovery” that came pre-installed on Lenovo laptops that were shipped out between September 2014 and February 2015. The concept behind the Superfish software is to enhance image search accuracy helping computer users locate similar products visually. However, it was later found that the software included a proxy, a component that acts as an intermediary for requests from clients seeking resources from other servers. The presence of this proxy presented a security risk for those who had the Superfish Visual Discovery software installed.
How Superfish Visual Discovery works- In order to increase the significance of the image searches of a user, the Superfish software intercepted thought-to-be secure “HTTPS” traffic so that it could get obtain an insider advantage. Superfish accomplished the task of intercepting the HTTPS communications via a “man-in-the middle” attack. A man-in-the middle attack is a form of eavesdropping where communication between two parties is monitored and modified by an unauthorized user. In the process, the two original parties appear to communicate normally. That is, the message sender doesn’t recognize that the receiver is an unknown party/attacker trying to access or modify the message before retransmitting to the receiver. Thus, the unknown party controls the entire communication. In our case, if a user with Visual Discovery software installed / visited any secure website (let’s use as an example) https://secure_page.com the connection is directed to the Superfish filter (instead of directly to the targeted webpage). The average user is unaware that this process is occurring.
Superfish was created in this fashion to intercept user’s web traffic with the sole purpose to serve up targeted advertisements. In other words, the developers of Superfish have an opportunity to bank lots of money by putting relevant information at your virtual doorstep, so to speak.
The interception of the encrypted HTTPS communication used here works by Superfish vouching for itself to Windows and installing a trusted Certificate Authority certificate. Trusted certificates are typically used to ensure secure connections to a server over the Internet, as they tell your computer what websites and software publishers are to be trusted. You may have noticed that some websites display a padlock in the browser address bar especially when online shopping; the padlock signifies a trusted website (look for these!). Using the above technique (without getting into too much technical detail), Superfish can now forcefully sign any publisher’s certificate to make them trusted. The end result is that all your traffic will now flow dangerously free through the Superfish man-in-the middle filter and the communications will be intercepted, decrypted and re-encrypted by it. Here’s the problem… the Private Key used for re-encrypting the communication was locally stored and can be easily recovered within the Superfish software. This means that any attacker aware of vulnerability could generate a fake certificate for any website that will be trusted by a system with Superfish installed on it. Therefore, even secure websites such as banking websites, secure online shopping transactions, personal email websites can be spoofed and all your login credentials and confidential information stolen without any user warning. A cybercriminal could also exploit the bungled cryptography to trick you into trusting malicious downloads.
If the above process isn’t 100% clear, think of it like this…what if you recently purchased a house in a new housing development. Once your house was complete, the home builder provided you with the keys to your new home. Every time you left your home you felt your house and the belongings in it were safe, as you always locked the door behind you with the keys that the builder gave you. Over time, the new community grew and there were now over a hundred new homes and new families in your development community. As you met neighbors and made friends, you soon privately realized that the home builder used the same locks and the same key for all the houses in the neighborhood meaning your key also unlocked the doors of the other one hundred homes. Would your perception of security change? Now, let’s say that this knowledge soon leaked publicly, how would this change your security level? Would you feel safe leaving your wallet, purse, passports, etc. on the kitchen table when you left home? And finally, and like the Superfish vulnerability, what if you knew the criminals in the area were now aware of the situation and were duplicating the master builder key. Hopefully, this analogy will give you a glimpse of the severity of the Superfish vulnerability.
As in each weekly episode of “River Monster’s”, the case usually wraps up successfully at the conclusion of the show and the same goes here. The good news is that Lenovo quickly realized the severity of their mistake and has discontinued the practice of pre-installing the Superfish Visual Discovery software. They have also published a list of affected Lenovo laptop models so that the software can be uninstalled immediately
(http://support.lenovo.com/us/en/product_security/superfish). And per their webpage, Lenovo has also contacted SuperFish to “disable all server activity associated with their product.” If you own a Lenovo Laptop, I encourage you to look into the possibility of being affected by all this. Awareness breeds action, and if you have this vulnerability, you’ll want to address it sooner than later.
Please tune in next week for the case, “Lenovo System Update”, as Lenovo again lands in the hot seat with another security issue, this time with its own System Update software. Oh, the joys of a good series—they keep us coming back week after week—and I hope you’ll join me again for our next CC Mag installment as well. In the meantime, if you have any fish-stories of your own, share them with me at firstname.lastname@example.org.