Thursday, 19 February 2015

Good luck Lenovo and thank you for the Superfish!


When you purchase a laptop it comes with some default, pre-installed applications. I personally hate this and it is quicker to format the laptop with a fresh install than go down the route of uninstalling all the <r@p-ware one by one. 

Have you ever bought a new Vaio? The amount of extras installed and running in the background take upon most of the resources. 
However, this post is about the Lenovo laptops which also contain a number of added "features". One of the added "features" is an adware which activates when taken out of the box for the first time. This adware ships with all consumer PCs from Lenovo and uses a certificate to perform a man-in-the-middle attack in order to inject ads into the user's browser. 

The name of the adware is Superfish (SuperPhish might be more appropriate as a name) and it is responsible for injecting third-party ads on searches you do on Google without the user's permission of course. 
Superfish installs its own root CA certificate (Superfish Inc aka VisualDiscovery aka Similarproducts application) which effectively allows the software to snoop on secure connections, like banking websites, using a man-in-the-middle (MiTM) attack*. Uninstalling the software however, does not remove the certificate [1], it needs to be done manually by going into the Windows system. 

As a side note, Lenovo products were banned from the most highly restricted networks at GCHQMI5 and MI6, according to reports on Jul/2013. [2] 


The spokesman for Lenovo defended the software  by stating that it "helps users find and discover products.." and that a user can always refuse the Terms and Conditions when setting up a laptop, which will end up having the software disabled. 

For those of you who have actually bought a new laptop and tried to set it up, you will probably agree that this is not always straight forward. Most of the time the T&C tick box refers collectively to all the features the manufacturer included in the setup, such as the battery saving service, HDD anti-shock protection, etc. 

*Mozilla Firefox does not to appear to be affected by the SSL MiTM, as it has its own certificate store. 


If you have a lenovo, and you want to test if you have the CA certificate installed, visit the following URL: https://filippo.io/Badfish/

If you are looking for more technical information about the root CA Certificate, Rob Graham a.k.a. @ErrataRob, did all the work for you and you can find all the details on his blog [3]. He extracted the SuperFish certificate and cracked the password. The password is "komodia" which it is interesting enough because in Greek it stand for comedy or ridiculous situation, depending on how it is being used in a sentence. 

Update: Lenovo has released a list of models that may have had SuperFish installed.
G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30

[1] http://techcrunch.com/2015/02/18/lenovo-superfish/

[2] http://www.telegraph.co.uk/technology/news/10208578/Spy-agencies-ban-Lenovo-from-secret-networks.html
[3] http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html

No comments:

Post a Comment