Lenovo is so screwed. The world’s largest manufacturer of PCs and laptops has been caught pre-installing software that completely subverts users’ security to insert adverts into their web browsing — and leaving them vulnerable to attack. The company’s response has been nothing short of pathetic. The brand is likely to suffer irreparable damage, and deservedly so.
The software, called Visual Discovery and made by a company called Superfish, analyses the web pages that a user visits and inserts advertising for related products. Many web browsing sessions are of course encrypted to preserve users’ privacy. But Superfish breaks into those sessions by presenting fake credentials — and it does so in such a ham-fisted way that an attacker could easily take advantage of those fake credentials to break in.
As Graham Cluley explains, or as Ars Technica details in its more technical overview, this is what information security practitioners call a “man in the middle” (MITM) attack. Users think they’re communicating securely with the intended website, but in reality their communication is being intercepted, decrypted, monitored and re-encrypted before being passed on to its intended destination.
Lenovo customers first noticed and complained about Superfish’s software a few months back. In January the company announced that it had stopped installing it on new computers, and that it had turned off the servers that did the analysis at its end. But even if users uninstall the software, Lenovo’s hack to Windows that made it possible remains, and users are still vulnerable.
Lenovo’s statement was remarkably tone-deaf. A childish we-didn’t-do-nuffin:
“To be clear, Superfish technology is purely based on contextual/image and not behavioural. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. Users are given a choice whether or not to use the product. The relationship with Superfish is not financially significant; our goal was to enhance the experience for users. We recognize that the software did not meet that goal and have acted quickly and decisively.”
Lenovo denies any security risk. “We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns,” the company wrote. But it can’t have investigated very hard.
The global information security community became aware of Lenovo’s activities yesterday, and the reaction has been scathing. Wired called the response “astonishingly clueless”:
“Robert Graham, the CEO of [an] internet security firm called Errata Security, doesn’t mince words in assessing the situation. ‘This is a bald-face lie,’ he says of Lenovo’s statement. ‘It’s obvious that there is a security problem here.’”
“Graham took just three hours to crack Superfish’s security.
“‘I can intercept the encrypted communications of Superfish’s victims (people with Lenovo laptops) while hanging out near them at a cafe wifi hotspot,’ Graham wrote in a blog post detailing how he did this.”
It’s possible that things haven’t completely gone to shit. Yet. Security researcher H D Moore tweeted that he’d scanned the public internet and didn’t find any secure web servers trying to exploit this vulnerability.
But if I were running a malicious site, I’d make sure I didn’t present fake credentials to any IP address that had ever been associated with Moore. Besides, even if the internet were clean when Moore scanned it, that doesn’t mean it was clean last month, or will continue to be clean tomorrow. This morning I’ve already seen one tweet reporting a site trying this trick.
Pulling on the tinfoil hat a little more snugly, consider the history of Superfish. As Thomas Fox-Brewster documents for Forbes:
“Ex-surveillance agents, operating in both the private and public spheres, have ostensibly combined their powers to force ads onto people’s computers, leaving web users open to other forms of attack. That’s startling and frightening for anyone who cares about privacy or security.”
If you’ve bought a Lenovo computer since about June 2014, check whether you’re vulnerable by heading to https://filippo.io/Badfish/. If you get to that site without seeing a security warning about a certificate error, you’re vulnerable, so follow the instructions. The test doesn’t work properly in the Firefox web browser, though. Use Chrome or Internet Explorer.
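For readers who would rather check the Windows certificate stores directly than rely on a browser test, here is an added example (not part of the original post, and not Lenovo’s or Superfish’s code) that looks for a leftover root certificate whose subject mentions Superfish; the subject string to match is an assumption, so adjust it if the certificate on your machine is named differently.

```powershell
# Added example: look for a lingering Superfish root certificate in the
# trusted-root stores, which is what leaves a machine exposed even after
# the Visual Discovery software itself has been uninstalled.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

# Assumption: the offending certificate's subject contains "Superfish".
$suspect = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object { $_.Subject -like '*Superfish*' }
}

if ($suspect) {
    # Show where each match lives and when it expires, so the finding can be recorded.
    $suspect | Select-Object Thumbprint, Subject, NotAfter, PSParentPath | Format-List
    # To remove the matches, uncomment the next line and run PowerShell as
    # Administrator (required for the LocalMachine store):
    # $suspect | Remove-Item
} else {
    'No Superfish root certificate found in the trusted-root stores.'
}
```

Run it again after uninstalling the Superfish software: the post’s point is that removing the program does not remove the trusted root, so a clean second run is the confirmation that matters.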
This isn’t the only infosec scare story this week. There are two more, but there’s little you can do about them.
Russian security company Kaspersky Lab has revealed the existence of an operation it has dubbed The Equation Group, which has subverted the hard drives of computers in such a way that the spyware they install can survive a complete rebuild of the computer — and it has been operating for at least 14 years.
And today The Intercept revealed the latest from Edward Snowden’s trove: America’s NSA and Britain’s GCHQ stole the encryption keys from one of the world’s largest manufacturers of SIM cards — meaning any communication by devices using those SIMs can be decoded at their leisure.
Have a lovely weekend.
Disclosure: In recent years Stilgherrian has travelled to Kuala Lumpur and Canberra as a guest of Kaspersky Lab.