Security Sense: Superfish and Nasty Root Certs Are Bad, but It’s Worse than That

Security Sense: Superfish and Nasty Root Certs Are Bad, but It’s Worse than That

Is Superfish really that bad? By now we’ve come to expect what is uncharitably referred to as “crapware” on a new machine. Isn’t this just more of the same? No, this is in a class of its own and not because of the technology itself, but rather because of what it signals both on Lenovo’s behalf and that of the industry in general.

Is Superfish really that bad?

By now we’ve come to expect what is uncharitably referred to as “crapware” on a new machine. Isn’t this just more of the same? No, this is in a class of its own and not because of the technology itself, but rather because of what it signals both on Lenovo’s behalf and that of the industry in general.

But first to the key question – is the software really that bad? The way Lenovo positions it, Superfish is there to help you:

“Superfish comes with Lenovo consumer products only and is a technology that helps users find and discover products visually.”

Isn’t “visually” the way we usually find things anyway? Of course what’s really meant by this statement is that you’ll get ads injected into your Google search results. If there’s one thing we like even less than ads, it’s third parties messing with communications we thought were otherwise secure, which brings us to one of the really concerning aspects of the story – the Superfish root certificate.

For the most part, SSL protected communications do a pretty good job of keeping our HTTPS things private. Done right, this means private from eavesdroppers and private from manipulation so an attacker couldn’t say, inject an unprotected login page with a keylogger. But it’s all predicated on the premise of a cert being issued from a legitimate certificate authority and the client validating that the cert checks out. So how do you break this layer of security? You add your own root cert to the target which then trusts a “rogue” cert that appears to come from the site the target is visiting and can be injected into the communication layer. Before you know it, an attacker is impersonating the Bank of America and to the layman, everything looks just fine.

If there was any doubt whatsoever about Superfish being viewed as malicious software, Microsoft has updated Windows Defender to nuke it off the machine. That’s not something they do with mere crapware; this is what happens when there’s a real and imminent security threat. Part of that may also be due to the fact it’s trivial to extract the cert, which opens up a whole world of potential nastiness around compromising the communication of “infected” machines.

But here’s the real kicker in all this and what has me a little more worried – a major PC manufacturer thought this was ok. More than the ads, more than the root cert, what should really concern people is the surreptitious installation of this class of software on machines. We got a bit cranky when we learned that the NSA would intercept machines in transit and “play” with them then just last week we learned that they’d compromised hard disk firmware, but this was against selected targets and in the interest of national security. This wasn’t indiscriminate across a huge number of machines.

But what has me really concerned is that Lenovo is not alone -- and in fairness, we shouldn’t be just singling them out. They’re the biggest manufacturer with the most exposure and they’re clearly contrite about it, but they’re not the only ones. Already, researchers are identifying others who’ve taken shortcuts with our security and this signals a far broader prevalence of this class of risk. It almost certainly goes beyond Lenovo alone and frankly, the industry needs a bit of a cleanup. Superfish has done a great job of highlighting the issue, but it’s likely just scratched the surface and there’s a lot more to come yet.

Written on my Lenovo which I love… and rebuilt the day it arrived!

Troy Hunt
http://troyhunt.com
@troyhunt
Microsoft MVP - Developer Security

 

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish