It began last night with a tweet and two screen captures. “Well that certainly looks like the behavior of an SSL MITM intercept on a new Lenovo. #trust.” Kenn White, the co-director of the Open Crypto Audit Project, revealed that his Lenovo laptop was intercepting a secure web session using a forged digital certificate, subverting the chain of trust that allows secure communications around the globe.
The way the company went about this imperils the security of owners of affected Lenovo laptops, who should immediately follow these instructions to remove the ad software and the root certificate. (Update: 2/20. Lenovo has released automated removal tools for the software, the root certificate installed directly into Windows, and the root certificate installed for Mozilla products.) Users can test if they have this software and certificate installed. In a statement posted on its site, Lenovo says laptops affected shipped between September and December. Those purchased from the Microsoft Store have fresh versions of Windows installed that avoid third-party add-ons and aren’t vulnerable. Lenovo’s own Superfish uninstaller is inadequate, as it leaves the root certificate in place; in a forum posting, the company said it would provide certificate removal instructions, which it added later in the day. Even if you opt out of the Superfish software when setting up your laptop, the risky certificate is installed on your machine. Lenovo’s statement was updated during the day to add a list of affected models.
Full understanding of what happened here requires further explanation by Lenovo. But even the least alarming scenario is a great big deal.
What emerged over a few hours on Wednesday evening was the troubling news that, in order for its partner Superfish to inject contextually related ads into a Lenovo customer’s browsing, Lenovo had installed its own root certificate, which allows Superfish to impersonate any secure website. Lenovo did not reply to a request for comment. White credits Chris Palmer of Google and Karl Koscher of the University of Washington with untangling the matter, which he then proceeded to detail.
Because of this, any malicious party now has the means to intercept data from vulnerable machines on the same local network, push software updates that appear to come from Microsoft, or wage remote phishing attacks via email that would redirect to public Internet sites that rely on the forged information.
“The decision by Lenovo to ship this software was wildly and catastrophically irresponsible,” says Peter Eckersley of the Electronic Frontier Foundation. “Not only was the nominal purpose of the Superfish software to inject advertising into secure HTTPS web pages without those websites’ consent, but the software was engineered in such a way that it has broken the security of all HTTPS connections from the affected laptops on an ongoing basis.”
The root of trust for the web and other secured Internet communications comes from certificate authorities (CAs), which provide a cryptographic signature for the digital certificates used by websites, email servers, and other services to create secure connections. Relying parties like Apple, Microsoft, Google, and Mozilla choose which CAs they trust, and preinstall validation information about them in their operating systems or browsers. (In pure coincidence, Fast Company had a general story about CAs ready to go that explains the background.)
Lenovo installed a “self-signed” certificate authority into Windows as part of its imaging process to set up a new laptop. Because the laptop trusts this CA, it doesn’t look any further to validate digital certificates signed by the CA. Thus, when the Superfish software intercepts a secure connection on a Lenovo laptop, the software commits a man-in-the-middle (MitM) attack, sending its forged certificate claiming it’s mail.google.com or facebook.com or literally any other site.
Internet Explorer and other browsers that rely on the Windows list of valid CAs accept the Superfish connection as valid. Still in the laptop, the ad software examines the page, queries remotely for contextually appropriate material, and also creates a silent connection to the true site in question. When the correct site responds, the software rewrites the incoming page and presents it to the user, who has no idea any interception or modification has occurred. (Lenovo notes it discontinued the ad-insertion lookups in January.)
The Mozilla Foundation said through a spokesperson that it believed Firefox isn’t vulnerable, because it doesn’t consult the Windows root CA list. However, the EFF has now confirmed that it has found Firefox browsers among those whose sessions were intercepted. (Mozilla offers generic instructions to remove a root certificate from Firefox and Thunderbird.)
As noted in our certificate authority story, several methods of double-checking a certificate’s validity outside of a CA’s say-so are being rolled out into browsers and operating systems. The most popular, pinning, likely fails in this case, according to Ivan Ristić, the author of Bulletproof SSL and TLS and a researcher at Qualys. Browsers that support pinning will only accept digital certificates signed by specific CAs. However, Ristić notes, a locally installed root authority will bypass this protection.
Other safeguards, such as global observation of improperly issued certificates, might miss the interception depending on how it took place. The EFF posted information today that it had tracked 44,000 Superfish certificates, although it hadn’t previously raised an alarm. That is likely to change as multiple certificate observation projects tweak what they look for.
This subversion of user trust is just the first level of trouble, however. The digital certificate installed for the fake CA by Lenovo is identical across all the laptops it shipped, and it had an easily cracked password, allowing the retrieval of the certificate’s private key. Robert Graham of Errata Security demonstrated in a post the straightforward procedure he went through to obtain the password and the key.
With that private key, hackers can sign their own certificates that appear entirely valid to any affected Lenovo laptop, allowing MitM attacks. Criminals, governments, and vandals now have several points of attack they can make against affected laptop owners.
On a local network, an attacker could use any of multiple forms of attack to redirect a laptop user’s traffic through a malicious server, including spoofing a local hotspot or Wi-Fi network’s name (“evil twin”), or poisoning the local (ARP) or remote (DNS) network lookups on the same network to redirect traffic.
Security researcher Matthew Green, a professor at Johns Hopkins University, says, “This requires you to make fake access points, which is more work, but could easily work in dense areas like a typical Manhattan Starbucks.” He notes that a hotspot login is required for Comcast’s Xfinity and other networks, allowing easy interception of valuable user credentials that are typically reused elsewhere.
Outside of a local network, groups that engage in phishing—sending email or messages to get someone to visit a malicious website—have another tool in their arsenal of respectability. Some users do look to signs of security in a browser that indicate SSL/TLS (a lock, a blue bar, and so forth), and this would allow phishers to show those signs.
It’s unclear whether illegitimate Windows updates could be pushed remotely, but the potential for locally pushed malicious software is clear, as those updates are signed by a certificate that can be spoofed with one signed using the Superfish CA.
Eckersley of EFF notes, “This represents such a profound breach of trust by Lenovo against their customers that I suspect a lot of people will be reevaluating their decisions to purchase ThinkPad computers.” The Federal Trade Commission (FTC) may also have a stake, as it intervenes when consumer privacy rules are violated or misrepresentations are made, which could be the case here.
Because Lenovo preinstalls Windows on its PCs, this breach also has implications for Microsoft. We asked the Redmond company to comment, and are still waiting to hear whether it wants to chime in.
This has the potential to become as severe and industry-changing an issue as Sony BMG’s rootkit scandal in 2005, in which that music company installed copy-protection malware into Windows. In its posted statement, Lenovo said at one point that there was no basis for any security concerns, then deleted that to focus entirely on the advertising and privacy issues. It will have to own up, and soon.