Superfish security certificate password cracked, creating new attack vector
Thu 19 Feb 2015
Robert Graham at Errata Security has published an article announcing that he has extracted the SuperFish self-signed security certificate from the installed adware that has caused such a controversy for Chinese laptop and PC manufacturer Lenovo in the last 24 hours.
Since the password – ‘komodia’ – is now known, Lenovo machines with SuperFish’s adware installed present a workable attack vector for hackers: software already on the machine that can perform ‘man-in-the-middle’ https interception using a self-signed certificate whose protecting password is public. In effect it is a pre-installed interception environment that would be extremely difficult to set up by conventional means.
Until now, the SuperFish adware’s ability to insert advertisements at any point in the end-user’s web browsing was being used only for the commercial benefit of the parties involved – SuperFish and Lenovo; the self-signed certificate meant that ad pop-ups were not interrupted during connections to sites using the secure https protocol – including banking sites.
With the password available, the connection between a ‘SuperFished’ Lenovo machine that trusts the adware’s self-signed certificate and a secure site will still appear intact to the user – even though a hacker may be ‘listening in’.
It’s not even a good password. Komodia is the name of a company whose flagship product is the Komodia Redirector framework. The KR framework ‘allows you to change TCP/IP network sessions with a few simple clicks. The platform intercepts traffic (using LSP/WFP) on the local machine based on rules that you define, and it includes many built-in functions that you can use without writing a single line of code.’
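Two checks an administrator could run on a Windows machine suspected of carrying this root, written here as an added example rather than code from the article, Lenovo or Superfish. Matching the strings ‘Superfish’ and ‘Komodia’ in certificate names is an assumption, since the article does not give the certificate’s subject or thumbprint.

```powershell
# Added example (not code from the article or from Lenovo/Superfish): two
# defender-side checks for a Lenovo machine suspected of carrying the Superfish
# root. Matching 'Superfish'/'Komodia' in certificate names is an assumption;
# the article does not give the certificate's subject or thumbprint.

# Check 1: scan both Windows root stores for interception roots.
function Get-SuspiciousRootCertificate {
    param([string[]]$KnownBad = @('Superfish', 'Komodia'))
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store | ForEach-Object {
            $cert = $_
            $match = $KnownBad | Where-Object { $cert.Subject -like "*$_*" }
            [pscustomobject]@{
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                SelfSigned    = ($cert.Subject -eq $cert.Issuer)
                # Any trusted root whose private key lives on the endpoint
                # can be used to mint certificates for arbitrary sites.
                HasPrivateKey = $cert.HasPrivateKey
                KnownBadMatch = [bool]$match
            }
        }
    }
}

# Check 2: observe who actually issued the certificate a site presents to this
# machine. A leaf for a bank issued under a Superfish name rather than by a
# public CA means the https session is being terminated locally.
function Get-RemoteCertificateIssuer {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented; the goal is to inspect it, not trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ Host = $HostName; Subject = $leaf.Subject; Issuer = $leaf.Issuer }
    } finally {
        $client.Close()
    }
}

Get-SuspiciousRootCertificate |
    Where-Object { $_.KnownBadMatch -or $_.HasPrivateKey } | Format-Table -AutoSize
Get-RemoteCertificateIssuer -HostName 'www.example.com' | Format-List
```

Run the second check against a site whose issuer you already know from an unaffected machine; a differing issuer on the Lenovo machine is the interception the article describes.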
Lenovo’s semi-apologetic statement [PDF] on the scandal characterises the company’s relationship with Superfish as ‘not financially significant’, declaring that its goal was ‘to enhance the experience for users’.
The Superfish software was preloaded onto a select number of laptop and desktop machines produced by the Beijing-based tech giant in the last few years. SuperFish’s Visual Discovery search technology led to the company being ranked by Forbes at one point as the 64th most promising company in the United States.
The complete statement reads:
Superfish was previously included on some consumer notebook products shipped in a short window between October and December to help customers potentially discover interesting products while shopping. However, user feedback was not positive, and we responded quickly and decisively:
1. Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.
2. Lenovo stopped preloading the software in January.
3. We will not preload this software in the future.
We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns. But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software. We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first.
To be clear, Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. Users are given a choice whether or not to use the product. The relationship with Superfish is not financially significant; our goal was to enhance the experience for users. We recognize that the software did not meet that goal and have acted quickly and decisively.
We are providing support on our forums for any user with concerns. Our goal is to find technologies that best serve users. In this case, we have responded quickly to negative feedback, and taken decisive actions to ensure that we address these concerns. If users still wish to take further action, detailed information is available at http://forums.lenovo.com