Pre-installed Lenovo adware hijacks TLS/SSL encryption

News by Doug Drinkwater

Lenovo's consumer laptops ran pre-installed adware/malware which could be used to intercept and hijack encrypted SSL/TLS web sessions.

The ‘Superfish' adware is a third-party application which was installed on all Lenovo consumer laptops (it is not on the business laptops) up until last month, and it is designed to inject ads into web sessions, send browsing information onto the ad company, and monitor user activity.

However, the adware – which was developed by a company under the same name – also  used its own, fake, self-signed CA certificate to hijack user sessions over SSL/TLS.

The above image, posted online by one researcher, shows the difference between the URL and the certificate. These certificates are used by websites to ensure that communications are shared with the right authority, but in this case Superfish assumed that role, meaning it was essentially carrying out a MiTM attack to intercept content that would usually be protected by SSL and TLS.

It has been suggested that certificate-pinning, employed by most browsers (although notably not Google Chrome), would have picked up the issue, although experts said on Twitter that a root certificate would override this process.

Errata Security CEO Rob Graham said on his blog: “It's designed to intercept all encrypted connections, things it shouldn't be able to see. It does this in a poor way that it leaves the system open to hackers or NSA-style spies.

Lenovo has subsequently urged users of these laptops to remove the software, although numerous commentators say that this won't remove the problem, as the certificate would still be on the system.

Worse still, on the same network, Lenovo laptops could apparently be used to attack each other.

Last month, a Lenovo administrator confirmed that the software had been “temporarily removed” from consumer devices until software fix would be provided – although it's unclear how many devices have shipped with the adware. 

“We have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues,” wrote Mark Hopkins. “As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues.”

Security researcher Marc Rogers said of Lenovo on his blog: “This is unbelievably ignorant and reckless of them. It's quite possibly the single worst thing I have seen a manufacturer do to its customer base. At this point I would consider every single one of these affected laptops to be potentially compromised and would reinstall them from scratch.”

Alan Woodward, Europol adviser and visiting professor at Surrey University's Computing Department, told that it was unbelievable Lenovo had come to install this adware on users' machine.

“It's an open bit of software, SuperFish, within the browser and it issues its own fake certificate to intercept encrypted communications.”

“It's classic, in a way it's not even adware, it's similar to the way Google watches what you're searching for and sends what ads what it thinks you'll like.”

Woodward was bemused how Lenovo came to install this on the laptops: “One can only assume their intention was helping users without understanding the technical details.” He added: “It's evidence that the road to hell is paved with good intentions…and of marketing over security.”

“Lenovo has given Superfish an extremely privileged role on its machines and I can't imagine that removing the software will remove it,” he said. “The two big questions are how far back does this go, and is Lenovo going to help by removing certificates or giving a copy of Windows for a clean install?”

“It is so easy to destroy a brand and this is the sort of thing that does that. I think they need to think about how to communicate widely, and undo it.”

Daniel Cuthbert, security researcher at Sensepost, said in an email to SC that it was serious, especially as the adware's use of a fake certificate would mean the compromise of all web encryption.

“In a nutshell, they are able to compromise all SSL. What this means is that Superfish is able to man in the middle SSL connections, access data and inject content into those streams.

“We aren't just talking about website here but anything that makes use of SSL. Some are calling it adware but this is plainly malware. As for exploitation, [it's] too early to tell I'm afraid but Superfish is already doing the exploitation on users laptops.

“As for protection, never run the default install. Remove it and install fresh from source.”

Chris Boyd, malware intelligence analyst at Malwarebytes, added in an email to journalists: “While a clean operating system install is preferable, it isn't always practical - hitting the rollback / factory setting button on a new machine will give you back programs you've just tried to remove, and not everybody has a stack of operating system discs to hand.

“In this particular case, anybody affected should uninstall the Superfish software then type certmgr.msc? into their Windows search bar - from there, they can find and remove the related root certificate.”

All sites are said to have been affected displayed by Internet Explorer and Chrome. Firefox currently doesn't seem to be affected.

Updated: Lenovo has since responded to the news by issuing a statement in which it says reaffirms that Superfish has been 'completely disabled' and has stopped being pre-loaded onto Lenovo machines since January. "We will not pre-loaded this software in the future", it goes onto note.

"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns," the statement reads. "But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software."

Brian Honan, Europol adviser and managing director at BH Consulting, told SC that while the bloatware (third-party apps pre-installed) is a problem, a bigger one is the fact that companies can view encrypted traffic.

"A bigger issue here is the fact that companies view the interception of customer web traffic and the undermining of their systems' security to be a legitimate business practice," he said. "Other software vendors may be doing the same thing, we just may not yet be aware of it. Users could remove the Superfish application via their control panel and manually remove the Superfish certificates from their browser using these instructions."

"The best practice for users to ensure the veracity of their computer's operating system is to install the Windows operating system from an original Microsoft source and not rely on the bundled version that comes with the laptops. However, while this practice may be easier for companies to follow it may not be as easy, cost effective, for consumers to do so. In that case all non-essential software bundled with the built in version of the operating systems should be removed."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews