Superfish Compromises All SSL Connections On Lenovo Gear

Published: 22/11/2024   Category: security




More than just pre-installed adware on some Lenovo laptops, Superfish acts as a man-in-the-middle certificate authority, hijacking every SSL session the laptop makes.



PC manufacturer Lenovo has confirmed that it had -- between mid-2014 and mid-January -- shipped laptops pre-loaded with the Superfish adware application. The problem with Superfish isn't that it's annoying adware. The problem is that it compromises the sanctity of all SSL connections a Lenovo client machine makes. (As though SSL didn't have enough problems.)
Security researcher Marc Rogers drew attention to the problem in a blog post on Wednesday. Paco Hope, principal consultant for Cigital, provided more analysis as well.
The intended purpose of Superfish is to serve targeted ads to Lenovo users. It does so by looking over users' shoulders while they're web browsing, peeking at the images being displayed, then serving up ads similar to those images -- the idea being that if a user is already interested in a vacuum cleaner, maybe they'd be grateful for more info about great deals on vacuum cleaners.
Lenovo's reason for pre-loading Superfish is to make some extra cash, since it, like most client machine manufacturers, doesn't profit greatly from selling laptops.
If only spying on users and pelting them with ads were the worst Superfish did.
Essentially, Superfish hijacks every SSL connection and operates as a man-in-the-middle certification authority (CA). Every computer contains a certificate store with trusted certs pre-installed by the operating system or browser. Superfish, however, installs its own certificate -- not approved by the OS or browser -- into the laptop's cert store, meaning that the machine will always trust anything signed by Superfish.
And as it is implemented on those Lenovo clients, everything is signed by Superfish -- web sessions, VPNs, software updates, etc. For example, when a website -- say, Bank of America -- attempts to initiate a secure connection with a browser, Superfish intercepts the communication. It (not the browser) decrypts the site, inspects it for suitability of advertisements, and then a new encrypted connection will be made from the Superfish process to Bank of America, explains Hope. Likewise, the web page sent back by Bank of America might have advertisements inserted into the HTML by Superfish.
Adding insult to injury, Superfish does not seem to check whether the initial certificate (from Bank of America, or wherever) was itself legitimate. So, while a user's browser might issue a warning message that a site's certificate is untrusted or expired, Superfish may not do that due diligence.
Plus, the Superfish certificate uses the SHA-1 algorithm -- so it may be replacing a stronger SHA-2 cert with a weaker one.
"It is hard to overstate how catastrophically bad this design is," writes Hope. "[Superfish] doesn't merely insert advertisements into web pages. It undermines every secure connection the Windows computer might make. Lots of software—way beyond web browsers—use the certificate store to fetch certificates. ... Everything on a Lenovo computer that says it is making a secure connection is now lying."
It gets worse.
"The catastrophic failure," writes Hope, "is that Superfish installs a certificate at the highest level of trust, and they ship both the public key and private key that belong to it on every single laptop. Once that private key is known, then anyone can issue certificates for web sites or VPN concentrators and sign them with this Superfish private key. Users of Lenovo laptops who trust the Superfish key will accept those certificates as genuine."
"It effectively disables the laptop's ability to distinguish genuine web sites from fake ones," he says.
Lenovo said that it stopped pre-loading Superfish last month and has since disabled existing implementations. Unfortunately, axing the app is not enough -- the more important job is deleting the certificate, and that's something users must do manually. (Microsoft provides instructions on how to do so. LastPass has done similarly, and created a tool for checking if Superfish is running on your machine.)
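The two passages above describe the actual defect (a root certificate at the highest level of trust, signed with SHA-1, whose private key ships on every machine) and the remedy (find and delete that root, since removing the app leaves the trust anchor behind). The script below is an added example, not Lenovo's, Superfish's or any of the cited researchers' code, of what such a check looks like from the defender's side: it walks a DER-encoded certificate with a small ASN.1 reader, pulls out every commonName and every signature-algorithm OID, and flags a vendor name in the subject or a SHA-1 signature. On Windows it enumerates the machine's ROOT store through the standard library's `ssl.enum_certificates`; elsewhere it runs on two constructed certificate-shaped blobs. Those samples are assumptions made here for the demonstration: they have the layout of a self-signed root (issuer equals subject) but no key and no real signature, and their subject names and fingerprints are not those of the real Superfish certificate.

```python
"""Scan DER-encoded root certificates for a vendor-injected trust anchor and a SHA-1 signature.

Added example (not the article's or Lenovo's code). SAMPLE_ROGUE and SAMPLE_OK are
CONSTRUCTED placeholders shaped like self-signed roots; they carry no key or signature
and their names/fingerprints are not the real Superfish certificate's.
"""
import hashlib
import ssl
import sys

OID_COMMON_NAME = "2.5.4.3"
OID_SHA256_RSA = "1.2.840.113549.1.1.11"      # used only for the benign constructed sample
SHA1_SIGNATURE_OIDS = {                        # signature algorithms that rely on SHA-1
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
STRING_TAGS = {0x0C, 0x13, 0x14, 0x16}         # UTF8String, PrintableString, T61String, IA5String


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos] -> (tag, value, next_pos). Single-byte tags only (enough for X.509)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the body of a constructed element into its (tag, value) children."""
    kids, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        kids.append((tag, val))
    return kids


def _decode_oid(value):
    """Dotted OID from its DER body (first arc pair packed as 40*a+b, rest base-128)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def inspect_der(der_bytes):
    """Return (common_names, sha1_algorithm_names) found anywhere in a DER certificate."""
    names, weak = [], []

    def walk(tag, value):
        if not tag & 0x20:                     # primitive: nothing nested inside
            return
        kids = _children(value)
        # AttributeTypeAndValue ::= SEQUENCE { type OID, value string } with type == commonName
        if tag == 0x30 and len(kids) == 2 and kids[0][0] == 0x06 and kids[1][0] in STRING_TAGS:
            if _decode_oid(kids[0][1]) == OID_COMMON_NAME:
                names.append(kids[1][1].decode("utf-8", "replace"))
        for ktag, kval in kids:
            if ktag == 0x06:
                oid = _decode_oid(kval)
                if oid in SHA1_SIGNATURE_OIDS:
                    weak.append(SHA1_SIGNATURE_OIDS[oid])
            else:
                walk(ktag, kval)

    tag, value, _ = _read_tlv(der_bytes, 0)
    walk(tag, value)
    return names, weak


def flag_untrusted_root(der_bytes, vendor_markers=("superfish",)):
    """Findings for one certificate: vendor name in a CN, and/or a SHA-1 signature algorithm."""
    names, weak = inspect_der(der_bytes)
    findings = [f"vendor-injected root: CN={n}" for n in sorted(set(names))
                if any(m in n.lower() for m in vendor_markers)]
    findings += [f"weak signature algorithm: {alg}" for alg in sorted(set(weak))]
    return findings


def scan_windows_root_store(vendor_markers=("superfish",)):
    """Windows only: enumerate the ROOT store and return {sha256 fingerprint: findings}; None elsewhere."""
    if sys.platform != "win32":
        return None
    hits = {}
    for der_bytes, encoding, _trust in ssl.enum_certificates("ROOT"):
        if encoding != "x509_asn":             # skip PKCS#7 blobs
            continue
        findings = flag_untrusted_root(der_bytes, vendor_markers)
        if findings:
            hits[hashlib.sha256(der_bytes).hexdigest()] = findings
    return hits


# --- constructed samples (minimal DER encoder; NOT valid certificates, no key, no signature) ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def build_constructed_cert(cn, sig_oid):
    """Certificate-shaped blob: SEQ { tbs SEQ { serial, sigAlg, issuer, subject }, sigAlg, BIT STRING }."""
    name = _der(0x30, _der(0x31, _der(0x30, _der_oid(OID_COMMON_NAME) + _der(0x13, cn.encode()))))
    alg = _der(0x30, _der_oid(sig_oid) + b"\x05\x00")
    tbs = _der(0x30, _der(0x02, b"\x01") + alg + name + name)   # issuer == subject: self-signed root
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))


SAMPLE_ROGUE = build_constructed_cert("Superfish, Inc.", "1.2.840.113549.1.1.5")   # placeholder CN
SAMPLE_OK = build_constructed_cert("Example Trusted Root CA", OID_SHA256_RSA)

if __name__ == "__main__":
    hits = scan_windows_root_store()
    if hits is None:
        print("Not on Windows; checking the constructed samples instead.")
        for label, blob in (("rogue", SAMPLE_ROGUE), ("benign", SAMPLE_OK)):
            print(label, hashlib.sha256(blob).hexdigest()[:16], flag_untrusted_root(blob))
    else:
        for fingerprint, findings in hits.items():
            print(fingerprint, findings)
```

A hit on a real machine gives the SHA-256 fingerprint of the offending root, which is what you need to remove it from the store (the manual step the article says users must perform) and to compare against other machines in a fleet. Matching on the vendor name is deliberately the weak part of the check: a renamed or reissued root would slip past it, whereas the SHA-1 flag and a fleet-wide fingerprint diff against a known-good baseline do not depend on the name.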
The damage to Lenovo's reputation may already be done.
"This is unbelievably ignorant and reckless of [Lenovo]," Rogers wrote. "It's quite possibly the single worst thing I have seen a manufacturer do to its customer base. At this point I would consider every single one of these affected laptops to be potentially compromised and would reinstall them from scratch."
"Recent revelations about Lenovo enabling MiTM attacks are similar to what was reported last month about the Gogo service," says Kevin Bocek, VP of security strategy and threat intelligence at Venafi. "You've got good guys doing what the bad guys do. In this case, they're breaking everything that's been built over 20 years to create trust and privacy on the Internet, by inserting a CA into systems that can impersonate any trusted site."
"This is exactly what bad guys do with Trojans and other malicious software," he adds, "to trick users to access fake sites to surveil/monitor private communications."
Ken Westin, senior security analyst at Tripwire, says that, despite the economic reasons for pre-loading its laptops with adware, Lenovo hasn't done itself any favors. "With increasingly security- and privacy-conscious buyers, laptop and mobile phone manufacturers may well be doing themselves a disservice by seeking outdated advertising-based monetization strategies," he says. "If the findings are true and Lenovo is installing their own self-signed certificates, they have not only betrayed their customers' trust, but also put them at increased risk."
Timo Hirvonen, senior researcher at F-Secure, put it succinctly:
