Lenovo has really stepped in it this time. Pre-installing software (made by Superfish) that injects ads into a customer’s web activity is bad enough, but adding a component which intercepts SSL encrypted traffic is far and away worse. In the post-Snowden era any security issue of this caliber is going to make headlines, and headlines it has made.
The fact that Lenovo is claiming ignorance on this front is troubling in more than one way. Firstly, if Lenovo put said software on their new laptops with full knowledge of what the software actually did, it shows utter disregard for customer information security. Secondly, if Lenovo truly did not have a full understanding of the security implications of this particular “pack in” software, it shows an extreme lack of research and technical understanding of their side-load revenue. I’m honestly not sure which is the bigger problem or whether there is a clear distinction between the two.
On the one hand you have a corporation selling your privacy to essentially lower the cost of production for their hardware, on the other you have a corporation making business deals with software vendors with apparently complete ignorance of what said software actually does. Either way it is a big loss of mindshare (and therefore revenue) for Lenovo, but are they the only losers here? Certainly not. Superfish will suffer as a result of this as well, since the only time nearly everyone in the world has heard of them is through this PR disaster. Consumers definitely have already suffered loss because of this partnership – communications that were assumed secure due to SSL encryption are now under suspicion.
Superfish, Komodia, and you:
Let’s take a minute to break down what the Superfish / Komodia issue really is. Essentially Superfish enables a “man in the middle” attack on end users’ encrypted web traffic. In a man in the middle attack, the “middle” party (in this case Komodia’s software) poses as the server to the user’s browser and as the browser to the server, so each end believes it is talking securely to the other while the middle party can read and alter everything that passes through. Instead of rehashing the issue you can read an excellent and easy to understand example in the Man in the middle Wikipedia article.
Komodia’s “SSL Digestor” is expressly built for, well, let’s just read what Komodia has to say about their product:
Our advanced SSL hijacker SDK is a brand new technology that allows you to access data that was encrypted using SSL and perform on the fly SSL decryption. The hijacker uses Komodia’s Redirector platform to allow you easy access to the data and the ability to modify, redirect, block, and record the data without triggering the target browser’s certification warning.
With that knowledge in hand the severity of the issue becomes that much more obvious. Errata Security CEO Rob Graham did some white-hat hacking and within 3 hours was able to crack the password protecting the Superfish SSL certificate’s private key, which is all that is needed to mount said man-in-the-middle attack against any affected machine. Worse yet, as detailed by Marc Rogers, a principal security researcher at Cloudflare, “Komodia certificates are EVERYWHERE”. What is a consumer to do? I’m going to get on my soap-box here a bit, so bear with me.
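One concrete thing a consumer (or an IT department) can do is look in the trusted root store for certificates that should not be there. The check below is an added example, not code from this post, Lenovo or Komodia: it walks the DER encoding of each certificate in the Windows trusted ROOT store (read with the standard library’s ssl.enum_certificates), pulls out the issuer and subject common names, and flags any subject mentioning Superfish, noting whether the certificate is self-signed. The sample store and the name-based match are constructed for illustration; the conclusive test is the certificate’s fingerprint, which is not reproduced here.

```python
import ssl

CN_OID = b"\x06\x03\x55\x04\x03"  # DER-encoded OID 2.5.4.3 (id-at-commonName)

def der_tlv(tag, payload):  # encode one DER TLV (payloads under 256 bytes, enough here)
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + payload

def der_iter(data):
    """Yield (tag, value) for each TLV in a DER byte string."""
    i = 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            nbytes = length & 0x7F
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        yield tag, data[i:i + length]
        i += length

def common_names(der):
    """All commonName strings in a certificate, in order (issuer CN precedes subject CN)."""
    found = []
    def walk(data):
        for tag, value in der_iter(data):
            if tag == 0x30 and value.startswith(CN_OID):  # AttributeTypeAndValue with CN type
                found.append(list(der_iter(value))[1][1].decode("utf-8", "replace"))
            elif tag in (0x30, 0x31) or (tag & 0xE0) == 0xA0:  # descend into SEQUENCE, SET, [n]
                walk(value)
    walk(der)
    return found

def flag_roots(der_certs, needles=("Superfish",)):
    """(subject CN, reason) for every certificate whose subject CN mentions a needle."""
    hits = []
    for cns in map(common_names, der_certs):
        if len(cns) >= 2 and any(n.lower() in cns[1].lower() for n in needles):
            hits.append((cns[1], "self-signed" if cns[0] == cns[1] else "issued by " + cns[0]))
    return hits

def windows_root_store():  # DER certificates in the current user's trusted ROOT store (Windows only)
    return [c for c, enc, _ in ssl.enum_certificates("ROOT") if enc == "x509_asn"]

def fake_cert(issuer_cn, subject_cn):  # constructed stand-in: serial, issuer, subject, no signature
    name = lambda cn: der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, CN_OID + der_tlv(0x13, cn.encode()))))
    return der_tlv(0x30, der_tlv(0x30, der_tlv(0x02, b"\x01") + name(issuer_cn) + name(subject_cn)))

SAMPLE_STORE = [fake_cert("Example Public CA", "Example Public CA"),         # constructed sample data,
                fake_cert("Superfish sample root", "Superfish sample root")]  # not real certificates
```

On Windows, `flag_roots(windows_root_store())` inspects the real store; elsewhere, `flag_roots(SAMPLE_STORE)` runs the constructed case and reports the self-signed sample root.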
As many readers of this blog know I’m a strong proponent of the Free Software Foundation. I used to think that Richard Stallman’s stance on Open Source was a little extreme. The man insists that every piece of software (and hardware!) he uses be open. I still have a hard time identifying with some of his stances, but as I gain new knowledge of what it truly means to live in today’s information age, I understand his stances more and more. The FSF is all about controlling your data and not selling your security for convenience. Someone who runs an FSF-approved operating system and installs only Free, Open Source Software (FOSS) is impervious to the Superfish / Komodia issue. I will admit that none of my hardware is actually “Open”, but as more issues are revealed in the post-Snowden era I genuinely see the appeal of fully Open hardware. If you know every function of your hardware you can know that you aren’t being observed or intercepted, so long as you are making security conscious choices in your computing activities. Stallman uses an e-mail-only web browsing tactic wherein websites are parsed and emailed to him for offline consumption; again I applaud his ideology, but it’s not a very practical method of keeping up to date on news or other information.
With all that aside, Lenovo has essentially admitted they messed up big time and has been working with Microsoft and McAfee on removal tools / definitions – so hopefully the security issue will be mitigated for most of the customers that purchased the affected Lenovo computers. One thing is certain though, the Superfish fiasco is just another drop in the bucket of our cyber-security woes.