The Lenovo Superfish Vulnerability

Anyone who ordered a computer from Gateway or Dell in the 1990s probably remembers choosing software for the system while placing the order, then having their computer arrive days or weeks later with the software they selected. Today, customers routinely purchase PCs with fewer options, and with software on the devices chosen and pre-installed by the manufacturer. Although the practice of pre-installing manufacturer-selected software is now commonplace, and can reduce costs for the customer, Lenovo has recently come under scrutiny for shipping PCs bundled with Superfish's VisualDiscovery adware, which creates a dangerous vulnerability. The vulnerability would allow a malicious party to silently impersonate trusted websites and monitor affected consumers, enabling an attacker to steal login information or observe sensitive communication. Because the vulnerability stems in part from Superfish's use of a third-party library, additional software relying on the library also poses similar risks.

Superfish's software operates by intercepting Web traffic to insert advertisements as you browse the Web. Recent press coverage has focused largely on the manner in which the software deals with secure communication over HTTPS. Web browsers implement features to facilitate secure connections when accessing websites, helping defend against risks like eavesdropping and impersonation. When you visit a banking site, for example, your browser will usually seek to confirm a direct connection to the legitimate site's servers (as opposed to a potentially nefarious impersonator). Many browsers present a padlock icon to reassure users that they are accessing pages over a confirmed secure connection.

The Superfish software allegedly inserts itself into the middle of connections from the user's browser, including secure connections. Because equivalent behavior—subverting a secure direct connection from the browser to a desired site—is performed by malicious parties to mount “man in the middle” attacks, browsers typically detect and warn users of such behavior. However, features of Superfish's software prevent detection of its activity by the browser, and as a result, users continue to see a padlock icon with no sign that anything is amiss. As we discuss later, the software's implementation unfortunately permits otherwise evident third-party attacks to go undetected as well.

How does Superfish's software work?

To understand how Superfish's software operates, we first need some background knowledge. When a user visits a website over a secure connection, the website's servers present the user’s web browser with an SSL certificate to verify, among other things, the identity of the site and the authenticity of data received. For example, the certificate from https://www.bankofamerica.com allows your browser to confirm that it is communicating with the real Bank of America corporation and displaying the unaltered site.

Because anyone could claim to be Bank of America, entities exist that vouch for the accuracy of SSL certificates, generating and “signing” these certificates. Most browsers are programmed by default to trust a fairly common set of these vouching entities, which are usually large, well-established corporations. Your computer stores “root” certificates for a set of these trusted entities to facilitate this arrangement, and your browser verifies the signatures on website SSL certificates using the root certificates. Unless a website presents an SSL certificate signed by a trusted entity, your browser will not display a padlock for a secure connection.

Installation of Superfish's software also results in installation of a root certificate on a computer, causing the computer to treat Superfish as a highly trusted entity and allowing Superfish to insert itself into secure connections. This would allow the software to create a fake SSL certificate for, e.g., Bank of America, and vouch for the authenticity of the certificate to the browser. As a result, the software could intercept requests from the browser, relay those requests to the legitimate site, insert advertisements into the response, and return the modified result to the browser without arousing suspicion. Rather than debating this design decision, let's discuss how the particular implementation of Superfish's software results in a critical vulnerability.

The Superfish/Komodia vulnerability

The arrangement above works because Superfish can create an SSL certificate for any website, and the user's browser will trust the certificate as legitimate. For Superfish software to create an SSL certificate that will verify successfully using the installed Superfish root certificate, the software must know and use a long, secret number called a private key. This private key is the crux of the process: anyone else that knows the private key could also create SSL certificates to impersonate any site. To make a long story short, researchers managed to recover this private key, which turns out to be common to all computers with the software installed.

Consequently, anyone could now create certificates for any legitimate website, and those certificates would, in turn, be trusted by computers with Superfish installed. For example, an attacker could impersonate your bank's website to steal your login information without any visible warning to you. This vulnerability undermines critical security features of your browser, threatening both the privacy of communication and the integrity of data you receive while browsing.

Superfish uses a third-party library from Komodia in its software for intercepting web traffic, and Superfish's vulnerability is partially rooted in Komodia's library. As a result, any software relying on this library may also be affected. Furthermore, additional flaws in the Komodia library make similar attacks against consumers with such software even easier for a malicious party. CERT provides more details along with a list of additional software using the Komodia library, such as KeepMyFamilySecure and Lavasoft Ad-Aware Web Companion.

How to know if you’re affected

Lenovo has published a list of computers it sold with the Superfish software pre-installed. You can also visit this website to test whether your system is vulnerable: https://filippo.io/Badfish/

If your computer is vulnerable, Elysium strongly recommends that you remedy the issue as soon as possible. A fix can be somewhat complicated, but readers can find more details about the vulnerability and remediation at the following sites:

Lenovo recommendations: http://support.lenovo.com/us/en/product_security/superfish_uninstall
CERT alert: https://www.us-cert.gov/ncas/alerts/TA15-051A
Komodia CERT vulnerability note: http://www.kb.cert.org/vuls/id/529496

What's next for Lenovo, Superfish, and Komodia?

Given the widespread attention that this vulnerability has received, legal action or regulatory scrutiny would not be surprising for the parties involved (in fact, at least one lawsuit relating to the Superfish software has already been filed). Any such action will likely focus not only on the impact and severity of the vulnerability itself, but also on details like the design and implementation of the relevant software.

For example, Superfish and Komodia are not the only companies developing software that installs a root certificate on computers. Other software, such as anti-virus programs, sometimes also installs these certificates. The purpose of anti-virus software is very different from adware, however, and the specific implementation details of Superfish (such as use of a common private key across systems) may differ from any otherwise comparable cases. Superfish also could have made alternative design and implementation decisions with substantially different functionality and risk trade-offs, so the decisions made may also be evaluated in the context of those alternatives.

Because installation of software on a PC places that software in a trusted position, the logic behind Lenovo's decision to install the software may also face scrutiny. The decision process and vetting that Lenovo performed, potentially in the context of industry norms, may therefore be of interest. To protect their customers and their reputations, all PC vendors should review their processes and practices with regards to pre-installed software—regardless of industry norms.

Update: After we posted our initial analysis, we learned that Lenovo has announced changes in how it will select software to be pre-installed on its PCs.

To learn more

If you are concerned about whether your organization's computers may be affected, or have any general questions, please feel free to contact us.

The Lenovo Superfish Vulnerability

Joseph Calandrino, Ph.D. & Nicholas Jones

Security & Privacy

February 26, 2015