When Lenovo shipped some of their notebook products worldwide last year, some users discovered they came with a piece of pre-installed tracking software. The software, Superfish, was created by a company of the same name, which apparently paid Lenovo “very minor compensation” to be able to install the software on their computer models.
Why is this a big deal?
Superfish pushes ads into the laptop owner’s browser. While this is mildly annoying, that’s not the problem. The big issue, in the words of one of the first users who discovered the adware:
“[Superfish] will hijack ALL your secure web connections (SSL/TLS) by using self-signed root certificate authority, making it look legitimate to the browser.”
What this essentially means is that the tracking software tricks the computer’s browser into thinking it has a secure connection even when it doesn’t. The purpose is to sneak more ads into the browsers of unsuspecting users, but in doing so it opens a massive hole in security by exposing users to what is known in the computer security world as a “man-in-the-middle” attack.
Superfish got this network interception technology from another tech firm, Komodia, which has described its SSL interception engine as a “hijacker” that allows easy access to data as well as “the ability to modify, redirect, block, and record the data without triggering the target browser’s certification warning.”
As if this were not bad enough, Komodia uses the same private key on every computer, and that key has been shown to be easily extractable, which makes it easy for attackers to sign their own certificates with it. What’s more, its own SSL validation is broken: it accepts untrusted, invalid and self-signed certificates. As many have put it, it is “spectacularly bad.”
With Superfish/Komodia installed, that HTTPS page you’re looking at – when you’re doing online banking, for example – may not be as secure as it seems. While it takes some effort and some serious hacking knowledge and skills, attackers can exploit this weakness and use it to get people’s sensitive information such as passwords, emails, or credit card details.
Not just Superfish
To make things even worse, Superfish isn’t the only program that uses the Komodia engine. Other programs have been found to use the same technology, including:
- CartCrunch Israel
- Catalytix Web Services
- Objectify Media
- Over the Rainbow Tech
- Say Media Group
- System Alerts
- WiredTools
Getting rid of it
Lenovo has since admitted the mistake and apologized to users. They have gone on record saying: “We messed up badly here. We made a mistake. Our guys missed it. We’re not trying to hide from the issue – we’re owning it.”
If you are using a Lenovo computer and are worried about having the Superfish vulnerability on your system, or if you just want to make sure that you don’t have any Komodia-powered software on your computer, you can visit Valsorda’s online Superfish CA test. If the page displays a “YES”, follow Lenovo’s instructions to remove the software.
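A local variant of that check, added here as an example and not code from the original post or from Lenovo, Komodia or Valsorda: it classifies the certificate a machine actually receives for a site by looking at the issuer, using a constructed sample certificate and a placeholder watchlist name that you would replace with the issuer names given in the CERT/CC advisory linked below.

```python
import socket
import ssl

# Issuer names that mark a locally installed interception root.
# PLACEHOLDER: replace with the real issuer names from the CERT/CC advisory.
WATCHLIST = {"EXAMPLE INTERCEPTION ROOT CA"}

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns: a
# bank's certificate re-signed on the fly by the interception root.
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("organizationName", "Example Interceptor Ltd"),),
               (("commonName", "EXAMPLE INTERCEPTION ROOT CA"),)),
}


def flatten_name(name):
    """Turn ssl's nested name tuples, e.g. ((('commonName', 'x'),),), into a dict."""
    return {key: value for rdn in name for key, value in rdn}


def interception_verdict(cert, expected_issuer_org=None, watchlist=WATCHLIST):
    """Classify a getpeercert()-style dict as 'watchlist', 'self-signed',
    'unexpected-issuer' or 'ok'."""
    issuer = flatten_name(cert.get("issuer", ()))
    subject = flatten_name(cert.get("subject", ()))
    if {issuer.get("commonName"), issuer.get("organizationName")} & watchlist:
        return "watchlist"
    if issuer and issuer == subject:
        # No public site serves a self-signed leaf; a browser only accepts
        # one silently when its trust store has been tampered with.
        return "self-signed"
    if expected_issuer_org and issuer.get("organizationName") != expected_issuer_org:
        return "unexpected-issuer"
    return "ok"


def check_host(host, expected_issuer_org=None, port=443, timeout=5):
    """Return the verdict for the certificate this machine actually receives.

    The default context uses the OS trust store on purpose: on an affected
    machine that store contains the injected root, so the handshake succeeds
    and the issuer field exposes the interception instead of hiding it.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return interception_verdict(tls.getpeercert(), expected_issuer_org)
```

Run `check_host("bank.example", "Trusted CA Ltd")` from the machine you want to test; anything other than `ok` means the certificate chain the browser trusts is not the one the site actually issued.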
You can also get more information from CERT/CC at http://www.kb.cert.org/vuls/id/529496.