Thursday, February 19, 2015

Lenovo PCs preloaded with "Superfish" malware that breaks security

Technology and security are rife with shades of grey. Even in this field though, some lines are so indistinguishable from black that they should never be crossed. Laptop maker Lenovo crossed one of these lines with recent models, by pre-installing Superfish adware that breaks otherwise secure HTTPS website connections.
Technology and security are rife with shades of grey. Even in this field though, some lines are so indistinguishable from black that they should never be crossed. Laptop maker Lenovo crossed one of these lines with recent models, by pre-installing adware that breaks otherwise secure HTTPS website connections.

Recent Lenovo laptops include what can only be described as malware, malware that intercepts all web traffic whether secured or not. The "VisualDiscovery" adware from a company called Superfish reads all web traffic and injects advertisements into web pages. In doing so it completely breaks HTTPS security.


Ordinarily, when your browser connects to a secure website, your browser inspects a certificate that vouches for the authenticity of the website, and uses an encryption "public key" from that certificate to encrypt information so that no one except the intended website can read your conversation. Your browser trusts the certificate presented by the website, because your browser trusts the Certificate Authority - the organization that issued the certificate.

The Superfish adware comes with its own HTTPS certificate - a certificate issued by, signed by, and controlled by Superfish. Instead of connecting directly to a secure web site, your browser connects to the Superfish adware, which in turn connects to the website.


I don't necessarily fault Lenovo for using advertising to generate some extra revenue. Amazon likewise uses advertising on some Kindle Fire products, and in exchange subsidizes the cost of the Kindle, offering it for a lower price. In Amazon's case though, this is completely transparent, clearly explained, and the purchaser has the option to pay an extra $15 or $20 to remove the ads and the subsidy. Personally I find an ad-supported device to be a little annoying, but I have no problem with a company giving me the choice between ads and a slightly higher price.


The problem with Lenovo's approach - aside from the fact that it was done without any disclosure - is that it completely breaks secure web communication. The Superfish adware decrypts all secure web traffic using the local certificate, so it has unfettered access to your usernames and passwords, bank accounts, email, social media, and anything else you do on the web.


Worse, Superfish appears to use the same certificate on all devices, so not only will a Lenovo PC trust the local Superfish adware - it would trust anyone else pretending to be the adware.


Why is this a bad idea? Public/private key encryption involves some complex math where you can use one number to encrypt your information, but have to use a different number to decrypt it. It's a bit like a mailbox with two keys - one key locks the mailbox, but a completely different key unlocks it. You could share the first key (called a public key because it is shared publicly) with anyone in the world. They could put mail into your mailbox and lock it with the public key, knowing that only with your second (private) key could you open the mailbox.


With legitimate secure websites, the company behind the website carefully protects the private key to their website. No one except the legitimate website has the private key, thus no one except the legitimate website can decrypt your messages.


In the case of the Superfish adware, every computer with this adware has the private key (otherwise the adware couldn't decrypt the web traffic and would thus be useless). This private key was quickly discovered and published, which means that any malicious actor now has the capability of reading and manipulating supposedly-secure web traffic on any PC with the Superfish program.


At the moment, I would not do any private web browsing on a Lenovo laptop unless that I installed the operating system from scratch (using original Microsoft media or a Linux distribution from a trusted source, not using the "recovery partition" provided by Lenovo). Businesses normally do this. Home users though more often use the operating system pre-loaded by the manufacturer.


Coverage on the net: