Lenovo laptop owners are at risk of man-in-the-middle attacks, as a vulnerability disclosed in the pre-installed Superfish adware went nuclear this morning.
Researcher Rob Graham of Errata Security published a report in which he said he cracked the password protecting the digital certificate shipped with Superfish. Superfish, according to Lenovo, analyzes images on the Internet and serves up ads for products similar to the image.
“The consequence is that I can intercept the encrypted communications of SuperFish’s victims (people with Lenovo laptops) while hanging out near them at a cafe wifi hotspot,” Graham wrote.
Graham explains the details of how he was able to extract the private key—the digital certificate is the same on all Lenovo laptops shipped with Superfish through January of this year. In this way, Superfish is its own root certificate authority.
“This is just a lousy idea,” said Johns Hopkins professor Matthew Green. Superfish is essentially a proxy that generates certificates for HTTPS connections on the fly. Now that the password is cracked, anyone holding the private key can read traffic that’s supposed to be protected, even if certificate pinning is in place.
The risk is that an attacker in a MitM position could hijack traffic and redirect it to a malicious website.
Green said Lenovo users are in a bind because the company is unlikely to push a patch to its users that will wipe Superfish off machines.
Instead, he said users’ most likely salvation is that Google and Mozilla could push out security updates that would revoke the keys.
Lenovo could also make a manual patch available, but it’s unlikely that most users would go to the trouble of finding it and then installing it. “Beware: the current uninstall package does not remove the certificate from the root store,” Green said.
A more desperate option is that Microsoft could use Windows Update or its free security tool, Windows Defender, to remove the adware. “Microsoft is probably loath to push out updates like this without massive testing and a lot of advice from the lawyers,” Green said.
Even the browser vendors’ revocation option is dicey, because Google could break Lenovo machines with Superfish still installed and running, Green said. Another option is for Chrome to show warning pages on Lenovo machines that have the Superfish cert running or in their list of trusted roots.
“This seems much nicer, but runs into two problems,” Green said. “First, someone has to write this code — and in a hurry, because attacks may begin happening immediately. Second, what action item are these warnings going to give people? Manually uninstalling certificates is hard, and until a very nice tool becomes available a warning will just be an irritation for most users.”
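The two points above that matter most to an affected user are that the uninstaller leaves the certificate in the root store and that a machine is exposed as long as the Superfish cert sits in its list of trusted roots. The following PowerShell script is an added example, not code from the article, Lenovo or Superfish: it audits both Windows trusted root stores for such a certificate and, only when asked, removes it. It assumes the certificate’s Subject or Issuer field contains the string “Superfish” (the article only calls it “the Superfish cert”); the parameter name is the example’s own.

```powershell
# Added example (not from the article): audit the Windows trusted root stores for
# a certificate naming Superfish, report what is found, and remove it on request.
# Assumption: the certificate's Subject or Issuer contains "Superfish".
param(
    [switch]$Remove   # pass -Remove to delete matches; default is report-only
)

# Both the machine-wide and the per-user root stores are checked, since a
# certificate trusted in either one makes TLS interception go unnoticed.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter, PSPath
}

if (-not $found) {
    Write-Output 'No Superfish certificate found in the trusted root stores.'
    return
}

# Show store, subject, thumbprint and expiry so the entry can be verified by hand.
$found | Format-Table -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        # Remove-Item on the Cert: drive deletes the certificate from that store;
        # the LocalMachine store requires an elevated prompt.
        Remove-Item -Path $cert.PSPath -Verbose
    }
} else {
    Write-Output 'Re-run with -Remove (from an elevated prompt) to delete the entries listed above.'
}
```

Running the script without `-Remove` is safe on any machine and is the quick check for whether the adware’s uninstaller left the root certificate behind; removing the certificate closes the interception risk even if the Superfish software itself is still present, because the browser will then reject the proxy’s generated certificates.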