Lenovo is selling computers that come preinstalled with adware that hijacks encrypted Web sessions and may make users vulnerable to HTTPS man-in-the-middle attacks that are trivial for attackers to carry out, security researchers said.
The critical threat is present on Lenovo PCs that have adware from a company called Superfish installed. As unsavory as many people find software that injects ads into Web pages, there’s something much more nefarious about the Superfish package. It installs a self-signed root HTTPS certificate that lets it intercept encrypted traffic for every website a user visits. When a user visits an HTTPS site, the certificate the browser sees is signed and controlled by Superfish and falsely represents itself as the website’s official certificate.
Even worse, the private encryption key accompanying the Superfish-signed Transport Layer Security certificate appears to be the same for every Lenovo machine. Attackers may be able to use the key to certify imposter HTTPS websites that masquerade as Bank of America, Google, or any other secure destination on the Internet. Under such a scenario, PCs that have the Superfish root certificate installed will fail to flag the sites as forgeries—a failure that completely undermines the reason HTTPS protections exist in the first place.
Rob Graham, CEO of security firm Errata Security, has recovered the password protecting the private key that accompanies the Superfish certificate. That means anyone can now use the private key to launch man-in-the-middle HTTPS attacks that won’t be detected by machines that have the certificate installed. It took Graham just three hours to figure out that the password was “komodia” (minus the quotes). He told Ars the certificate works against Google even when an end-user is using Chrome. That confirms earlier statements that certificate pinning in the browser is not a defense against this attack (more about that below). Graham has a detailed explanation of how he did it here.
The adware and its effect on Web encryption have been discussed since at least September in Lenovo customer forum threads such as those here and here. In the latter post, dated January 21, a user showed that a root certificate titled Superfish was installed.
Surprisingly, the behavior largely escaped the notice of security and privacy advocates, until now. On Wednesday evening, following several lengthy Twitter discussions about the overlooked behavior, security researcher Chris Palmer bought a Lenovo Yoga 2 Pro for $600 at a San Francisco Bay Area Best Buy store. He quickly confirmed that the model was pre-installed with the Superfish software and self-signed key.
When Palmer visited https://www.bankofamerica.com/, he found that the certificate presented to his browser wasn’t signed by certificate authority VeriSign as one would expect, but rather by Superfish.
He saw the same Superfish-signed certificate misrepresenting itself when he visited other HTTPS-protected websites. In fact, there isn’t a single TLS-protected website that wasn’t affected.
Palmer was later able to confirm that the private key for the Superfish certificate installed on his Yoga 2 was identical to the private key for a Superfish certificate installed on a different person’s Lenovo PC. That means there’s a good chance attackers could use the certificate to create fake HTTPS websites that wouldn’t be detected by vulnerable Lenovo machines. At the time this report was being prepared, there were no reports of anyone testing and confirming the hypothesis, but several researchers agreed the scenario seemed highly likely.
No, certificate pinning won’t save you
The Superfish software hijacks encrypted Web sessions no matter which browser someone uses. Worse yet, certificate pinning in Google Chrome will do nothing to alert users that something is amiss. As Google points out in a post explaining certificate pinning, the mechanism isn’t set up to validate certificates chained to a private anchor, such as a root certificate installed in the operating system of the connecting device. “A key result of this policy is that private trust anchors can be used to proxy (or MITM) connections, even to pinned sites,” the Google page warned. “‘Data loss prevention’ appliances, firewalls, content filters, and malware can use this feature to defeat the protections of key pinning.”
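The two observations above, the Superfish root certificate sitting in the Windows trust store and a Superfish-signed certificate being presented for every HTTPS site regardless of browser, can both be checked from PowerShell. This is an added example, not code from the article, from Lenovo or from Superfish; the match pattern “Superfish” for the certificate name and the host name used for the live check are assumptions.

```powershell
# Added example, not from the article: defender-side checks for the behaviour described above.

# 1. Look for a Superfish root certificate in any Windows certificate store
#    (CurrentUser and LocalMachine are both walked by -Recurse on the Cert: drive).
function Find-SuperfishRootCert {
    param([string]$Pattern = 'Superfish')   # assumption: the certificate name contains "Superfish"
    Get-ChildItem -Path Cert:\ -Recurse |
        Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
        Select-Object PSParentPath, Subject, Issuer, Thumbprint, NotBefore, NotAfter
}

# 2. Open a TLS connection and report who actually signed the certificate the client
#    receives. A public CA is expected; a locally installed root such as Superfish as the
#    issuer means the session is being proxied on this machine, whatever the browser.
function Get-RemoteCertIssuer {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate so the chain can be inspected even if it fails validation.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host       = $HostName
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            Suspicious = ($cert.Issuer -match 'Superfish')
        }
    } finally {
        $tcp.Close()
    }
}

# Usage (host name is an assumption; any HTTPS site shows the same issuer on an affected PC):
Find-SuperfishRootCert | Format-Table -AutoSize
Get-RemoteCertIssuer -HostName 'www.bankofamerica.com'

# Remediation, run from an elevated prompt: remove every matching root certificate.
# Note that this only withdraws trust; the adware itself still has to be uninstalled,
# otherwise browsers will start showing certificate errors on every HTTPS site.
# Get-ChildItem -Path Cert:\ -Recurse | Where-Object { $_.Subject -match 'Superfish' } | Remove-Item
```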
[Update: Lenovo has released a list of models that may have had Superfish installed.
G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30]
While Apple’s Macs obviously come free of any additional junkware, Google also forces Chromebook manufacturers not to tamper with the software. But Microsoft doesn’t seem to care that PC manufacturers are packing their PCs with software that slows them down and installing root certificates that destroy a computer’s security. If you buy a computer from a typical retail store, an online shopping site, or direct from a manufacturer — well, you have no guarantee it’s not packed with software like Superfish.
But Microsoft does care about “Signature PCs” that you can buy from the Microsoft Store. When you buy a computer from the Microsoft Store — either one of Microsoft’s physical stores, or the Microsoft Store website online — you’re guaranteed to get a “Signature Edition” of that computer. Microsoft controls the software that ships on these PCs, and they strip out the worst stuff to ensure you have a clean copy of Windows with only useful utilities and drivers.
So, if you want a safe Windows PC, buy it from the Microsoft Store. And yes, Microsoft offers a wide variety of Windows PCs, not just their own Surface line.
You could also just reinstall Windows on your new PC. Geeks often do this. On a new Windows 8 or 8.1 PC, this should be easier than ever. You can download the Windows installation media straight from Microsoft to create a Windows 8.1 disc or USB drive with the latest update and install it on your new PC. Modern Windows PCs often have their product key embedded in the UEFI firmware, so you may not even have to enter a key when installing it.
Unfortunately, you can’t reinstall Windows from your computer’s recovery partition or even Refresh or Reset it; that will just bring all the junkware back.
Getting a computer that isn’t packed with junk that spies on you and opens massive security holes is difficult enough. But it’s not just a problem when you buy a PC. You’ll have to keep dodging this terrible software because download sites and Windows freeware authors want to smuggle this unwanted software onto your computer. That’s how they make their money.
So to be safe, buy your PCs from the Microsoft Store, reinstall Windows after you buy a new PC from other sources, and be careful what you install on your computer.