Pre-installed Lenovo adware hijacks TLS/SSL encryption

Lenovo's consumer laptops ran pre-installed adware/malware which could be used to intercept and hijack encrypted SSL/TLS web sessions.

Lenovo adware carries out MiTM attack, strips out encryption

The ‘Superfish’ adware is a third-party application which was installed on all Lenovo consumer laptops (it is not on the business laptops) up until last month. It is designed to inject ads into web sessions, send browsing information on to the ad company, and monitor user activity.

However, the adware – which was developed by a company of the same name – also used its own fake, self-signed CA certificate to hijack user sessions over SSL/TLS.

The above image, posted online by one researcher, shows the difference between the URL and the certificate. These certificates are used by websites to ensure that communications are shared with the right authority, but in this case Superfish assumed that role, meaning it was essentially carrying out a MiTM attack to intercept content that would usually be protected by SSL and TLS.

It has been suggested that certificate-pinning, employed by most browsers (although notably not Google Chrome), would have picked up the issue, although experts said on Twitter that a root certificate would override this process.

Errata Security CEO Rob Graham said on his blog: “It's designed to intercept all encrypted connections, things it shouldn't be able to see. It does this in a poor way that it leaves the system open to hackers or NSA-style spies.”

Lenovo has subsequently urged users of these laptops to remove the software, although numerous commentators say that this won't remove the problem, as the certificate would still be on the system.
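
One way to check whether the certificate is still trusted after the software has been uninstalled is to audit the Windows trusted-root stores. The script below is an added example, not code from the article, Lenovo or Superfish; it assumes the certificate's subject or issuer contains the vendor name "Superfish".

```powershell
# Added example: look for a leftover interception CA in the Windows
# trusted-root stores. Assumption: the certificate's Subject or Issuer
# contains the vendor name held in $Pattern.
$Pattern = 'Superfish'

# Both the machine-wide and the per-user root stores are trusted by Windows.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$hits = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                SelfSigned = ($_.Subject -eq $_.Issuer)  # true for a root CA
                NotAfter   = $_.NotAfter
                Path       = $_.PSPath
            }
        }
}

if ($hits) {
    $hits | Format-Table Store, Subject, Thumbprint, SelfSigned, NotAfter -AutoSize
    Write-Warning "A matching root certificate is still trusted on this machine."
    # To remove, review the list above, then run from an elevated session:
    # $hits | ForEach-Object { Remove-Item -LiteralPath $_.Path }
} else {
    Write-Output "No trusted root matching '$Pattern' found in the Windows stores."
}
```

This covers only the Windows certificate stores; applications that keep their own trust store need to be checked separately.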

Worse still, on the same network, Lenovo laptops could apparently be used to attack each other.

Last month, a Lenovo administrator confirmed that the software had been “temporarily removed” from consumer devices until a software fix could be provided, although it's unclear how many devices have shipped with the adware.

“We have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues,” wrote Mark Hopkins. “As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues.”

Security researcher Marc Rogers said of Lenovo on his blog: “This is unbelievably ignorant and reckless of them. It's quite possibly the single worst thing I have seen a manufacturer do to its customer base. At this point I would consider every single one of these affected laptops to be potentially compromised and would reinstall them from scratch.”

Alan Woodward, Europol adviser and visiting professor at Surrey University's Computing Department, told SCMagazineUK.com that it was unbelievable Lenovo had come to install this adware on users' machines.

“It's an open bit of software, SuperFish, within the browser and it issues its own fake certificate to intercept encrypted communications.”

“It's classic, in a way it's not even adware, it's similar to the way Google watches what you're searching for and sends what ads it thinks you'll like.”

Woodward was bemused as to how Lenovo came to install this on the laptops: “One can only assume their intention was helping users without understanding the technical details.” He added: “It's evidence that the road to hell is paved with good intentions…and of marketing over security.”

“Lenovo has given Superfish an extremely privileged role on its machines and I can't imagine that removing the software will remove it,” he said. “The two big questions are how far back does this go, and is Lenovo going to help by removing certificates or giving a copy of Windows for a clean install?”
