A security flaw was discovered in software that was pre-installed on some Lenovo laptops. Lenovo has issued the following Press Release. The story has been reported on multiple sites (for example, here and here). We applaud Lenovo for quickly publishing details on affected models and instructions for removing the flaw. The problem lies in the software from a company called Superfish that was pre-installed by Lenovo on certain computers. The main function of the software was to intervene when the user performed web searches in IE or Chrome browsers, and insert Superfish’s content into the search result page. Lenovo enabled this software to “help users find and discover products visually”, by incorporating relevant search results not offered by the search engine.
Interjecting content in web pages is not new (for example, via browser add-ons), but Superfish’s approach was novel, and didn’t use a browser add-on. Instead, the software intercepted all traffic between the browser and the network external to the computer. But since most large search engines (such as, Google, Bing, and Yahoo) now serve all content over https, the Superfish software couldn’t read (and more importantly, modify) any of that encrypted traffic. To get around this, an SSL Man-in-the-Middle (MITM) was set up in the computer itself, creating fake SSL certificates with the domain name of the intended web site. These certificates were signed by or chained up to Superfish’s private root certificate. Ordinarily, browsers would display a prominent warning that such a certificate wasn’t trusted, so that was addressed that by injecting Superfish’s root certificate into the Windows trusted root store during manufacture. To make all this work, of course, the private key corresponding to that root certificate had to be pre-installed on all of these computers. Superfish took steps to encrypt that private key, but the encryption was trivial and quickly broken.
The result is that attackers now have the private key corresponding to a root certificate that is trusted in these Lenovo computers, and that can be abused in too many ways to describe here.
In some ways, this is similar to the recent incident with Gogo inflight wifi service. Both make use of an SSL MITM technique to insert themselves into the otherwise secure connection between a browser user and the websites they visit. See our recent blog post to learn how SSL MITM attacks work. In Gogo’s case, the MITM (the actor generating certificates on the fly) was in Gogo’s network; in Superfish’s case, the MITM is in the computer itself.
As we’ve said before, SSL Man-in-the-Middle solutions can be justified within an enterprise, for example, to monitor employees’ web traffic. But the well-intentioned inclusion of Superfish had unintended consequences far beyond web searching, and created a potential for malicious MITM attacks. Pre-installing any root that does not belong to an audited Certificate Authority and marking it as trusted undermines the trust model created and maintained by platform vendors, browser vendors, and Certificate Authorities. Platform and browser vendors go to great lengths to validate the Certificate Authorities whose roots they include in their trusted root store. Microsoft provided the ability for an enterprise to add additional roots to the Windows trusted root store, and Google Chrome explicitly avoids performing public-key pinning checks for such added roots. As a result, Chrome users receive no warning of the MITM, as they did in the Gogo incident.
If you think you may have an affected Lenovo computer, visit this web site to check. Uninstalling the Superfish software isn’t enough to remove the vulnerability – you must also remove the Superfish root from the Windows trust store. The instructions provided by Lenovo achieve both objectives.