Late last night, reports started coming out that Lenovo was shipping PCs with man-in-the-middle adware that breaks HTTPS connections.
Lenovo, like most manufacturers, ships its PCs with pre-installed software. In this case, the software is Superfish, which inserts visual advertisements into web pages such as Google search results. And while this pre-installed adware is annoying to PC owners, the bigger issue is that Superfish appears to be violating user privacy and introducing serious security risks.
Lenovo claims that Superfish was only pre-installed on consumer laptops that were shipped from October to December 2014, and that it has since stopped the practice. However, for consumers who purchased devices during this time, the damage may already be done. Affected Lenovo laptops shipped with a self-signed SSL root certificate from Superfish, which is not a trusted Certificate Authority. When an owner of an affected Lenovo laptop visits a site secured with HTTPS, the site certificate is signed and controlled by Superfish, which falsely represents itself as the official website certificate. This allows Superfish to decrypt and view information submitted on any one of these Lenovo machines, presumably to help its algorithm serve up better search results.
Worse than that, the self-signed root certificate was signed with its private key (not public key), and the same key is used for the root certificate on every machine. Researchers have since extracted the private key, meaning that attackers could conduct a man-in-the-middle (MITM) attack by using the private key to imitate legitimate sites and get users to enter private information without knowing what they’re doing.
How Does This Violate Trust?
By shipping pre-installed software with a self-signed root certificate, Lenovo is violating security best practices and the PKI system that supports online trust. This self-signed root certificate is not recognized or issued by a publicly trusted Certificate Authority (CA) and thus was not subject to the various audits and standards that ensure publicly trusted CAs are issuing certificates correctly and securely. Certificates issued from publicly trusted CAs are also moderated through CA pinning, Certificate Transparency, and other technologies.
In addition to the controls that CAs must undergo, as security providers CAs are aware of security best practices and ensure that the certificates they issue are compliant with the latest standards. One such standard is the use of 1024-bit RSA keys, which were deprecated by the CA/Browser Forum at the end of 2013. The certificate that Superfish issued was signed with a 1024-bit key, further demonstrating Superfish’s ignorance of or disregard for good security practices.
Because the certificate was issued outside of the standard trust system, it also makes remediation difficult. When a root certificate is included in the browser’s root store, it can be revoked if it is ever compromised. However, in this case since the certificate was inserted directly into the trust store on the computer, each individual user must remove the root certificate from their store.
Similarly, proactive measures such as certificate pinning in Google Chrome will not alert users in cases like this because it doesn’t validate certificates chained to a private anchor.
What Needs to Be Done Next?
Affected Lenovo consumers need to take immediate steps to protect themselves.
Consumers must first determine if they are affected, and if so, remove trust for the Superfish root certificate, in addition to uninstalling the Superfish adware. In the immediate aftermath of this incident, several tools have been introduced, including the following:
Filippo Valsorda made a web-based tool to determine if your machine trusts the certificate.
You can also find instructions for identifying and removing a root certificate from Windows here.
If you think you might have been vulnerable to this MITM attack, you might also consider changing passwords for any sites you may have visited and monitor your accounts for signs of fraud.
This event is a reminder that, as a community, we should expect more of the companies we work with. Security cannot be an afterthought to other business needs, and best practices should always be followed. Even non-security providers need to think about the security implications of their actions for end users.
It also reinforces the importance for a system of publicly trusted and vetted trust anchors from audited CAs and root stores that are accountable to their constituencies. The use of self-signed certificates poses significant threats to online trust.
We also must continue to educate consumers on understanding the basics of how to evaluate certificates, including who’s issuing them, trust stores, and how to tell to what level a company’s identity has been vetted.