By now, the entire tech world has heard all about the egg on Lenovo’s face. The incident — Superfish’s catastrophic security screw-up — was all over the news last week: "New Lenovo PCs shipped with factory-installed adware," said Engadget. "Lenovo poisoned its own PCs with Superfish adware," from CNET. "Lenovo caught preloading 'Superfish' adware on laptops," according to TechSpot.
The coverage has been extensive, detailed and informative. There’s one big problem with it, though: it’s all wrong.
Superfish is far, far worse than anything those articles might have led you to believe. It’s more accurate to say that it’s a near-total gutting of your machine’s network security. Security analyst Marc Rogers described Superfish as “quite possibly the single worst thing I have seen a manufacturer do to its customer base.” Here’s why.
It’s Not Just Adware
Superfish is a “visual search” tool: a bit of software that can analyze an image and make guesses about what it portrays. One of the obvious applications for that technology, unsurprisingly, is ad targeting.
If the software can tell what kind of images you’re looking at, it can select similar ads for you to view. And so one of Superfish’s major products is an advertising “proxy server” that runs on your computer. By positioning itself between your web browser and the Internet, Superfish can peek at the web pages you’re loading, note whether they tend to have pictures of cars or pictures of carnations, and then slip in advertisements for automotive dealerships or garden supply stores, depending on which one seems more likely to catch your fancy.
That would be creepy enough all by itself. But it gets worse.
The ad proxy that Superfish set up still shouldn’t be able to snoop on encrypted connections. If Superfish decrypted and re-encrypted a web page on its way to you, your browser would raise a big prominent alert that the page you’re viewing wasn’t really encrypted by the site it claims to be from.
That’s because a root certificate authority, which typically goes to the trouble of authenticating the certificate owner, has digitally signed every proper SSL certificate. The root certificate authority is what gives you confidence that your “https” links are actually going to Amazon.com and not to some shady offshore hacker.
So how did Superfish get around that restriction? Simple. Using an “SSL hijacker” tool from a security company called Komodia, it installed its own root certificate on each Lenovo machine. Installing its own root certificate means that Superfish can securely impersonate any site on the Internet, even under supposedly authentic HTTPS connections.
And then it gets even worse.
Incompetence on Top of Malice
Root certificates are incredibly powerful documents. Because they’re used to authenticate secure connections for the entire Internet, they could be devastating if controlled by a malicious user. That’s why the root certificates themselves are encrypted, with a strong password that only the owner knows.
So what’s the only thing Komodia could have done to make this situation even worse? That’s right: It used the same password for every root certificate it deployed. The same simple, easily guessable password … “komodia,” to be precise. Anyone who guesses that password can, in principle, take advantage of the root certificate on anyone’s Lenovo computer.
And yes, hard as it may be to believe, it gets even worse.
There are even more layers of failed security in Komodia’s SSL interceptor. The result: if one of these compromised Lenovo machines is connected to a Wi-Fi network run by a bad guy, it can be tricked into thinking that absolutely any machine is, say, Comcast or Yahoo or Citibank or PayPal.
So that’s why it’s so insufficient to say that this is a scandal about “adware.” The fact that an adware tool is involved is the least of the problems here. This is not just bad. It’s astonishingly bad. If it is possible to release a security product that has done every single thing wrong, Komodia and Superfish may have hit the jackpot.
Incredibly, after the fallout, Superfish continued to insist that its proxy "does not present a security risk." It's wrong. By any objective standard, this is a phenomenally huge security risk.
It’s as if a locksmith, after being called out to change the locks on a residential house, replaces them with locks that he keeps a skeleton key for, and it’s a key that just happens to match the keys of everyone else who lives in town.
What You Can Do
Fortunately, there are some things that you can do to keep yourself safe, even if you don’t take the most extreme and impractical options like “throw away your computer” or “buy a Mac.”
- Test to see if you’re affected. Security researcher Filippo Valsorda has released a simple tool that you can use to see if your system is vulnerable to the Superfish problem. Make sure to test it with all of the browsers you have installed.
- Uninstall Superfish. Lenovo quickly released a tool to remove Superfish from your system. Given its track record on this, a reasonable person might be skeptical that the company got it right. However, Lenovo clearly wants to minimize damage to its users at this point, and I think this is unlikely to hurt.
- Install Microsoft Signature. Replacing the OEM system with Microsoft Signature will generate a system that’s not laden down with the third-party ads, toolbars and apps that computer vendors can’t seem to resist. It’s important to do a full reinstall and make sure that the system is wiped completely clean, so back up your own data first. This is a bigger hassle but also a more certain solution.
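
A local complement to the first step above, as an added example (not from this article or from any tool it mentions): list the certificate authorities the operating system trusts and flag any whose name mentions the vendors discussed here. Matching on the names "superfish" and "komodia" is an assumption about how the interception root is labelled, and the sample store entries are constructed.

```python
import ssl

# Vendor names taken from the article; matching on them is an assumption
# about how the interception root is labelled, not a confirmed fingerprint.
SUSPECT_NAMES = ("superfish", "komodia")


def flatten_name(name):
    """Turn ssl's nested RDN tuples into one 'key=value, ...' string."""
    return ", ".join(f"{k}={v}" for rdn in name for k, v in rdn)


def find_suspect_roots(ca_certs, needles=SUSPECT_NAMES):
    """Return trusted CA entries whose subject or issuer names a suspect vendor.
    ca_certs uses the format returned by ssl.SSLContext.get_ca_certs()."""
    hits = []
    for cert in ca_certs:
        subject = flatten_name(cert.get("subject", ()))
        issuer = flatten_name(cert.get("issuer", ()))
        haystack = f"{subject} {issuer}".lower()
        matched = [n for n in needles if n in haystack]
        if matched:
            hits.append({"subject": subject, "self_signed": subject == issuer,
                         "matched": matched, "not_after": cert.get("notAfter")})
    return hits


def system_trusted_roots():
    """CA certificates Python loads from the OS trust store (on Windows, the
    system ROOT and CA stores). Browsers that keep their own store, such as
    Firefox, are not covered and need a separate check."""
    return ssl.create_default_context().get_ca_certs()


# Constructed sample entries (not real certificates) in get_ca_certs() format.
SAMPLE_STORE = [
    {"subject": ((("organizationName", "Example Trust Services"),),
                 (("commonName", "Example Root CA"),)),
     "issuer": ((("organizationName", "Example Trust Services"),),
                (("commonName", "Example Root CA"),)),
     "notAfter": "Jan  1 00:00:00 2035 GMT"},
    {"subject": ((("organizationName", "Superfish, Inc."),),
                 (("commonName", "Superfish, Inc."),)),
     "issuer": ((("organizationName", "Superfish, Inc."),),
                (("commonName", "Superfish, Inc."),)),
     "notAfter": "Jan  1 00:00:00 2035 GMT"},
]

if __name__ == "__main__":
    for hit in find_suspect_roots(system_trusted_roots()):
        print("SUSPECT ROOT:", hit)
```

An empty result only means no trusted root carries those names in the store Python reads; it does not replace the browser-by-browser test or the removal steps above.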