Lenovo Superfish Adware Vulnerable to HTTPS Spoofing

Discussion in 'Technical' started by stg58, Feb 22, 2015.

  1. stg58

    stg58 Monkey+++ Founding Member

    How surprising a ChiCom company would install spyware..

    Needless to say I will never buy a Lenovo product including their Motorola phones.

    I would view a Lenovo uninstall as another chance for them to place more spyware on a PC.
    Superfish Uninstall Instructions - Lenovo Support (US)

    Lenovo Superfish Adware Vulnerable to HTTPS Spoofing | US-CERT
    Lenovo was founded in Beijing in 1984 as Legend and was incorporated in Hong Kong in 1988. Lenovo acquired IBM's personal computer business in 2005 and agreed to acquire its Intel-based server business in 2014. Lenovo entered the smartphone market in 2012 and as of 2014 is the largest vendor of smartphones in Mainland China. In January 2014, Lenovo agreed to acquire the mobile phone handset maker Motorola Mobility from Google, and in October 2014 the deal was finalized.
    Starting in September 2014, Lenovo pre-installed Superfish VisualDiscovery spyware on some of their PCs. However, Superfish was reportedly bundled with other applications as early as 2010. This software intercepts users’ web traffic to provide targeted advertisements. In order to intercept encrypted connections (those using HTTPS), the software installs a trusted root CA certificate for Superfish. All browser-based encrypted traffic to the Internet is intercepted, decrypted, and re-encrypted to the user’s browser by the application – a classic man-in-the-middle attack. Because the certificates used by Superfish are signed by the CA installed by the software, the browser will not display any warnings that the traffic is being tampered with. Since the private key can easily be recovered from the Superfish software, an attacker can generate a certificate for any website that will be trusted by a system with the Superfish software installed. This means websites, such as banking and email, can be spoofed without a warning from the browser.

    Although Lenovo has stated(link is external) they have discontinued the practice of pre-installing Superfish VisualDiscovery, the systems that came with the software already installed will continue to be vulnerable until corrective actions have been taken.

    The underlying SSL decryption library from Komodia has been found to be present on other applications, including KeepMyFamilySecure. Please refer to CERTVulnerability Note VU#529496 for more details and updates.

    To detect a system with Superfish installed, look for a HTTP GET request to:
    Yard Dart likes this.
  2. melbo

    melbo Hunter Gatherer Administrator Founding Member

    For the record, SM uses OCSP stapling and HSTS (strict) which warns of MITM attacks.. I imagine that if you had one of these Lenovo units, you would get an error when trying to connect to SM.

    We're also in the HSTS preload lists that Chrome, FF and Safari use so your browser will balk if a MITM pops in: plug surivivalmonkey.com in here: HSTS Preload Submission

    Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections [Updated] | Ars Technica
    Last edited: Feb 24, 2015
survivalmonkey SSL seal        survivalmonkey.com warrant canary