It has recently been brought to light that Lenovo has been shipping software known as VisualDiscovery, made by a company called Superfish, with its consumer notebook products. This software is apparently not shipped with business laptops.
According to Lenovo, they shipped Superfish software with notebooks in a short window between September and December, 2014.
Lenovo has claimed it stopped preloading the software in January, 2015 and does not plan to preload it in the future.
Superfish is a company that makes and sells visual search products.
They have been making the news this week after the revelation that their product VisualDiscovery, which injects advertisements into the browser, has been shipped preinstalled on Lenovo laptops.
What is worrisome about this software is:
Every machine generally comes with some preinstalled Root Certificate Authorities (CAs). The main purpose of a Root CA is to vouch for the identity of the entities that a secure (HTTPS) connection is set up with, somewhat akin to a passport checking machine at an airport that checks the validity of passports and detects counterfeit ones. In our context, the equivalent of a passport is a certificate: websites use certificates as proof of their identity, and the client verifies those certificates against the Root CAs it trusts.
Normally, these Root CAs are entities that are widely trusted by computer manufacturers and users, like Microsoft, and well-known companies/signing authorities like Verisign, DigiCert, SecureTrust etc. This is the part of the authentication chain where human trust comes in, i.e. a manufacturer assumes these signing authorities can be trusted and a consumer assumes the manufacturer only preinstalls reliable Root CAs on the machines it sells. All other certificate operations rest on cryptographic computations that are difficult to cheat.
The blunder Lenovo made in this situation is to include the Root CA of Superfish Inc., a company that does not fall into the above category, on the machines it sells. This could be considered similar to the manufacturer of the passport checking machines tweaking its machines to approve counterfeit passports of a certain kind.
The real damage comes if an attacker can somehow create a certificate that this Root Certificate Authority (CA) will approve. In the passport checker analogy, this would be similar to printing a counterfeit passport that the tampered passport checking machines would approve.
Luckily for attackers, figuring out how to do so is easier with fake certificates than with counterfeit passports. All that is needed is to figure out what the VisualDiscovery transparent proxy is doing. The figure below shows how the proxy works.
The proxy intercepts HTTPS traffic, creates a certificate for the website on the fly, signs it with the Superfish root key, and uses this certificate to pass the traffic on to the browser. The browser accepts the certificate because the Superfish Root CA is installed on the machine.
An attacker could study this software and figure out its certificate creation mechanism (a security researcher has already done so), use the counterfeit certificate on their (possibly malicious) website, and a Lenovo machine with the Superfish Inc. Root CA present on it will accept it without complaint. Since the certificate creation mechanism is the same on all affected machines (the same private key, protected by the same password, ships with every copy of the software), the same counterfeit certificate would work on every machine with the Superfish Inc. Root CA installed. Nothing limits which domain name such a certificate can carry, so an attacker on the same network (a coffee shop Wi-Fi, say) can impersonate any HTTPS site, a bank included, to an affected machine.
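One way to see the proxy at work from the inside is to ask a real HTTPS site for its certificate and look at who signed it. The script below is an added example for this post, not code from Lenovo, Superfish or the researcher mentioned above; it uses only the .NET classes that ship with Windows. On a machine where the VisualDiscovery proxy is intercepting the connection, the chain should end at the Superfish root rather than at the site's real CA. The host name www.example.com is just a placeholder; use any HTTPS site.

```powershell
# Added example (not from the original post): connect to an HTTPS site, capture the
# certificate actually presented to this machine, and print the chain Windows builds for it.
function Get-TlsCertificateChain {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever certificate is presented: the goal is to inspect it, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $sslPolicyErrors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Let Windows build the chain with its own trusted roots, the same stores IE and Chrome use.
        $x509Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $x509Chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        [void]$x509Chain.Build($leaf)
        $x509Chain.ChainElements | ForEach-Object { $_.Certificate.Subject }
    } finally {
        $tcp.Close()
    }
}

$subjects = Get-TlsCertificateChain -HostName 'www.example.com'
'Certificate chain as seen by this machine:'
$subjects | ForEach-Object { "  $_" }
if ($subjects -match 'Superfish') {
    Write-Warning 'The chain leads to the Superfish root: HTTPS on this machine is being intercepted.'
} else {
    'No Superfish certificate in the chain.'
}
```

On a clean machine the last subject printed is a well-known public root; on an affected machine the leaf is a freshly minted certificate for the site and the chain ends at "Superfish, Inc.". Matching on the string Superfish in the subject is an assumption made here for illustration.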
Internet Explorer, Google Chrome and Firefox have all been found to be affected.
The software can be uninstalled by clicking on
Control Panel > Programs > Uninstall a program
and uninstalling VisualDiscovery from the list of software available.
Uninstalling the software doesn't remove the Superfish Root CA from the Windows certificate store (nor from Firefox's separate store), so the machine remains vulnerable to MitM attacks.
It can be removed manually in the following steps:
Both procedures are explained with screenshots here.
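For an administrator who has to clean more than one machine, the same check can be scripted. The script below is an added example for this post, not a tool from Lenovo, Superfish or the vendor of this blog: it lists any VisualDiscovery entries in the Windows uninstall registry, finds Superfish certificates in the machine-wide and per-user root stores, and removes them. Matching on the string Superfish in the certificate subject, and the process name VisualDiscovery, are assumptions; review the output before removing anything.

```powershell
# Added example (not from the original post): audit a machine for VisualDiscovery leftovers
# and remove the Superfish root CA. Run from an elevated PowerShell prompt.
function Get-VisualDiscoveryInstallEntries {
    # Uninstall entries written by 32- and 64-bit installers
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*VisualDiscovery*' -or $_.Publisher -like '*Superfish*' } |
        Select-Object DisplayName, Publisher, UninstallString
}

function Get-SuperfishRootCerts {
    # The proxy trusts itself through a root cert; look in both machine-wide and per-user root stores.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    Get-ChildItem -Path $stores | Where-Object { $_.Subject -match 'Superfish' }
}

function Remove-SuperfishRootCerts {
    param([switch]$WhatIf)
    foreach ($cert in Get-SuperfishRootCerts) {
        "Removing {0} (thumbprint {1}) from {2}" -f $cert.Subject, $cert.Thumbprint, $cert.PSParentPath
        # The Cert: provider supports Remove-Item on PowerShell 3.0 and later.
        Remove-Item -Path $cert.PSPath -WhatIf:$WhatIf
    }
}

'--- VisualDiscovery install entries ---'
Get-VisualDiscoveryInstallEntries | Format-Table -AutoSize

'--- Running VisualDiscovery process (assumed process name) ---'
Get-Process -Name 'VisualDiscovery' -ErrorAction SilentlyContinue | Select-Object Id, ProcessName, Path

'--- Superfish certificates in the root stores ---'
Get-SuperfishRootCerts | Select-Object Subject, Thumbprint, NotAfter, PSParentPath | Format-Table -AutoSize

# Dry run first; drop -WhatIf once the listed certificates are confirmed to be the Superfish root.
Remove-SuperfishRootCerts -WhatIf
```

Firefox keeps its own certificate store, which this script does not touch; the Superfish root has to be deleted from Firefox's Certificate Manager separately. Re-running Get-SuperfishRootCerts after removal should return nothing.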
The adware is detected as Adware/SuprFish (Sig ID: 100288714)