Superfish – Breaking the trusted HTTPS connection

3

Sometimes a piece of news comes across your desk that is too amazing to believe. You read it and think to yourself, “That can’t be true. No one with any professional savvy would ever make such an obvious mistake.” But of course, in the inevitable chase to shore up profits, poor decisions are made.

This latest chapter in “Most Shocking News” is the discovery that Lenovo, one of the largest laptop manufacturers in the world, has been pre-installing software on its laptops that breaks one of the most basic trust models of secure Internet browsing.

“It must be a pretty bad bug,” I thought when I first saw the headlines. Turns out it wasn’t a bug; it was a feature. That’s right – the software installed on these laptops was designed that way and installed on purpose.

The software, called Superfish, installed trusted root certificates that allowed it to essentially perform man-in-the-middle attacks on secure web traffic to and from the computer it is installed on. The stated purpose of which was to inject ads into web pages as users surfed. Oh, great. That seems a LITTLE overkill, but okay.

So you pay your many-hundreds-of-dollars for your Lenovo laptop, but you’re still going to have to look at targeted ads based on your searches thanks to the Superfish software. If that was as bad as it got, it would still be annoying, but not shocking in the least. But it gets worse.

The technology behind the Superfish problem is from an Israeli company called Komodia. Because of the shortcuts Komodia took to break the user’s trusted HTTPS connection so they could inject advertising into the secure stream, they made it extremely easy for malicious attackers to make use of it as well. Researchers have already shown how easy it is to create fake certificates that look real once the Superfish software is installed. So users may think they were using a secure connection to their bank, or their healthcare organization, when in reality an attacker could be siphoning off all of the interesting information for themselves.

How likely is that? Well, considering that the Superfish software used the same root certificate across all their devices, and they all had the same password – “komodia” – it’s very possible that a bad actor has noticed this before, and decided to make use of it. After all, the problem was discovered by a security engineer at Google; it could have just as easily been discovered long ago by someone with nefarious plans and simply kept secret.

The Superfish framework is also apparently used in many other products (more than a dozen, according to Facebook). Thanks to Cloudflare security engineer Filippo Valsorda, you can check to see if it’s installed on your computer.

After initially claiming there was no problem and users were safe, Lenovo has ceased installing Superfish software on their systems, and to their credit they have apologized and promised to do more careful review of what gets installed in the future. Superfish has insisted that its code is safe and that the flaw was “introduced unintentionally by a third party.” If you ask me, I think they should have flushed that idea to start with.

Share.

About Author

Jeff Harrell has over 15 years of experience in the IT security industry leading product management and product marketing teams to build and market security solutions for businesses of all sizes. He is currently the Vice President of Product Marketing at Norse, a leading threat intelligence company. Jeff’s areas of expertise include cloud technology, threat intelligence, compliance, vulnerability management, configuration auditing, and encryption. Prior to Norse, Jeff worked for security and technology companies including nCircle, Qualys, McAfee, PGP, and eMusic.

3 Comments

  1. Sooo….I have a Lenovo laptop, a T440 provided by my employer. Should I check to see if Superfish is installed, or just let IT handle it?

    • Is that considered an Enterprise (business) model? Supposedly, it was only installed on consumer-level hardware. Lenovo published a list of all models affected (if you trust that)