What is SuperFish?

Quick, go to https://filippo.io/Badfish/ to see if your Lenovo computer is vulnerable to the Superfish security hole.

What the heck is Vonnie talking about here?

Here’s the story: between September and December 2014, Lenovo (the biggest maker of consumer PCs) shipped bundled software on its consumer laptops that not only injects its own contextual ads into the web pages you browse (Google search results included) without your consent, but also punches a hole in HTTPS that lets an attacker read traffic that is supposed to be encrypted.

What is it?

The SuperFish bug refers to a program called Superfish Inc. VisualDiscovery that, with any luck, isn’t sitting in your installed programs list.

It shows up as VisualDiscovery.exe in the Task Manager.

SuperFish hanging out in my Task Manager

It basically opens a door for an attacker to read everything you do online, HTTPS or not.

That’s because the Superfish installer quietly adds its own self-signed certificate authority to the Windows trusted root store and runs a local proxy that sits between your browser and every website you visit, which is exactly what makes a man-in-the-middle (MITM) attack possible.

The self-signed cert allows Superfish to decrypt secure web transactions on the fly.  The reason this works is that a self-signed certificate placed in the trusted root store becomes a root certificate: the highest-ranking certificate authority (CA) in a chain of certs, the anchor every other certificate in the chain is validated against.  Your browser doesn’t trust a root because of anything inside the certificate itself; it trusts it because it sits in that store.  Put a rogue root in there and the entire system breaks down.

And this is why Superfished systems are susceptible to a man-in-the-middle attack (and why it’s such a big deal).  With its root trusted, Superfish can intercept every HTTPS connection you make, basically rendering the encryption pointless.  When a Superfished user visits an HTTPS site such as his online bank or Gmail account, the certificate his browser sees is not the site’s real one but one Superfish minted on the fly and signed with its own root, and the browser shows the padlock anyway.

And since the private key is the same on every Lenovo system (Rob Graham pulled it out of the VisualDiscovery binary in about three hours; the password protecting it turned out to be “komodia”), anyone who has it can forge a certificate for any site that every Superfished PC will trust.  All they need is to be on the same network as a Superfished PC.

You don’t even need to decrypt anything passively: you get between the victim and the internet (a rogue hotspot or a spoofed gateway will do), present a certificate you signed with the Superfish key, and the victim’s browser accepts it without a warning while you read the plaintext.  Armed with the list of Superfished Lenovo models, you could simply walk through random coffee shops, public hotspots and hotel lobbies until you found a victim using one.
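To make the trust-store point concrete, here is an added example (my own, not Vonnie’s code and not Superfish’s or Lenovo’s) that uses the openssl command-line tool to do what Superfish did: create a self-signed root, mint a certificate for a bank hostname with the root’s private key, and then validate that certificate twice, once with the rogue root in the trust list (a Superfished PC) and once against the system’s normal trust store (a clean PC, or one where the certificate has been deleted).  The CA name and the hostname www.example-bank.test are made up.

```shell
#!/bin/sh
# Added example, not code from the original post or from Superfish/Lenovo.
# Forge a Superfish-style root CA with openssl, mint a leaf certificate for a
# made-up bank hostname with it, and check which trust anchors accept it.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. A self-signed CA: the kind of certificate Superfish dropped into the
#    Windows trusted root store. superfish.key plays the role of the secret
#    that was the same on every affected laptop.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Superfish, Inc." \
        -keyout "$WORK/superfish.key" -out "$WORK/superfish.crt" 2>/dev/null
}

# 2. With the CA key, anyone can mint a certificate for any hostname.
#    (CN-only leaf for brevity; a real forgery would also add a subjectAltName.)
forge_leaf() {
    host=$1
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$WORK/$host.csr" \
        -CA "$WORK/superfish.crt" -CAkey "$WORK/superfish.key" -CAcreateserial \
        -out "$WORK/$host.crt" 2>/dev/null
}

# 3. Validate a leaf (exit 0 = accepted). With a CA file given, that root is
#    trusted in addition to the system store, which is what a Superfished PC
#    looks like. With no CA file, only the system store is consulted, which is
#    what a clean PC (or one that has deleted the rogue root) looks like.
verify_with() {
    ca=$1
    leaf=$2
    if [ -n "$ca" ]; then
        openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1
    else
        openssl verify "$leaf" >/dev/null 2>&1
    fi
}

make_root
forge_leaf www.example-bank.test
LEAF="$WORK/www.example-bank.test.crt"

if verify_with "$WORK/superfish.crt" "$LEAF"; then
    echo "Superfished PC (rogue root trusted): forged cert for www.example-bank.test ACCEPTED"
fi
if ! verify_with "" "$LEAF"; then
    echo "Clean PC (rogue root not trusted):   forged cert REJECTED"
fi
```

Nothing about the forged certificate changes between the two checks; the only difference is whether the self-signed root is in the trust list.  That is the whole Superfish problem in one line: once the root is trusted, whoever holds superfish.key can sign a certificate for any site, and because that key shipped identically on every affected laptop, “whoever” is everybody.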

Yup, Lenovo, the world’s largest PC manufacturer, fregging shipped malware on its PCs.

In light of the crazy news, I think Mike Shaver, Engineering Director at Facebook, said it best:

Lenovo installs a MITM cert and proxy called Superfish, on new laptops, so it can inject ads?  Someone tell me that’s not the world I’m in.

Mike Shaver tweet @shaver

Here’s how to end the madness.

Ending the chaos

On your Lenovo laptop, press the Windows key + X, then F, to open Programs and Features and see if Superfish is hiding in there.

Superfished

Uninstall the app, then delete the certificate from your Trusted Root Certification Authorities (the uninstaller leaves the certificate behind).

Press the Windows logo key + Q and type:

certmgr.msc

In the left pane, expand Trusted Root Certification Authorities and click Certificates.

Now scroll down and zap the Superfish certificate.  Keep in mind you have to be logged in as an Administrator to do this.  Firefox keeps its own certificate store rather than using the Windows one, so if you use Firefox, check its certificate manager as well.

Delete SuperFish root CA

The good news is that Italian security guru Filippo Valsorda noticed that Windows Defender now detects Superfish and removes both the program and the certificate.

Image credit Filippo Valsorda

Is Lenovo sorry?

Mark Hopkins, Program Manager for Lenovo Social Media didn’t seem very contrite.  He actually had the temerity to justify why the malware is safe:

To be clear, Superfish comes with Lenovo consumer products only and is a technology that helps users find and discover products visually. The technology instantly analyzes images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine.

Furthermore, in an interview with the Wall Street Journal, Lenovo’s CTO, Peter Hortensius, admitted that they didn’t do enough due diligence before installing Superfish but he still contended that the app is benign…

I read the interview and all I hear is bullshit bullshit bullshit.  Why doesn’t Lenovo just admit that it fucked up?

The really slimy part is that Lenovo didn’t warn anyone what it was doing.

Despite what Lenovo wants you to believe this isn’t just a potentially unwanted program (PUP) – it’s malware.  Lenovo needs to quit the euphemistic bullshit and ‘fess up.  The company made an egregious mistake and will suffer an irreparable loss to its reputation.

It doesn’t matter that Lenovo released a detailed guide (PDF) for detecting and removing Superfish: the damage is done and there’s no way to reverse it.

Here’s a detailed list of the affected Lenovo models:

  • G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
  • U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
  • Y Series: Y430P, Y40-70, Y50-70
  • Z Series: Z40-75, Z50-75, Z40-70, Z50-70
  • S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
  • Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
  • MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
  • YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
  • E Series: E10-30

By the way, you can also go to https://lastpass.com/superfish/ to see if your machine is safe from the big fish.

So, what do you think of the Superfish bug?  Share your comments below!  I’m really curious – am I the only one here that thinks this is bananas?
