Thinkpad X1

News broke last night that Lenovo has been shipping laptops with a horrifically dangerous piece of software called Superfish, which tampers with Windows’ cryptographic security to perform man-in-the-middle attacks against the user’s browsing. This is done in order to inject advertising into secure HTTPS pages, a feature most users don’t want, implemented in the most insecure possible way.

There’s been some discussion about whether all copies of Superfish use the same root key to perform the MITM attacks. We can report that the Decentralized SSL Observatory has seen 44,000 Superfish MITM certificates, all of which have been signed by the same Superfish root cert. The fact that there are significant numbers of Firefox victims somewhat contradicts the speculation that Firefox is safe because it doesn’t use the Windows root store. This either indicates that Superfish also injects its certificate into the Firefox root store, or that on a large number of occasions Firefox users have been clicking through certificate warnings caused by Superfish MITM attacks.

Lenovo has not just injected ads in a wildly inappropriate manner, but engineered a massive security catastrophe for its users. The use of a single certificate for all of the MITM attacks means that all HTTPS security for at least Internet Explorer, Chrome, and Safari for Windows, on all of these Lenovo laptops, is now broken. If you access your webmail from such a laptop, any network attacker can read your mail or steal your password. If you log into your online banking account, any network attacker can pilfer your credentials. All an attacker needs in order to perform these attacks is a copy of the Superfish MITM private key. There is (apparently) a copy of that key inside every Superfish install on every affected Lenovo laptop, and it has now been extracted and posted online.

Using a MITM certificate to inject ads was an amateurish design choice by Superfish. Lenovo’s decision to ship this software was catastrophically irresponsible and an utter abuse of the trust their customers placed in them.

If you purchased a Lenovo laptop recently (we have observed reports of the Superfish cert from the Decentralized SSL Observatory as early as October 2014), you can check if your machine is vulnerable here. We’ll have more updates with details and defensive options later today.
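One way to check a machine locally, as an added example that is not part of the EFF post: the PowerShell script below scans both Windows trusted-root stores for a root certificate whose subject or issuer names Superfish, lists what it finds, and with -Remove deletes it. It assumes the injected root's subject contains the string "Superfish" (a match pattern, not a verified identifier) and needs an elevated prompt to modify the LocalMachine store.

```powershell
# Added example (not from the EFF post): find and optionally remove a
# Superfish root certificate from the Windows trusted-root stores.
# Assumption: the injected root's Subject or Issuer contains "Superfish".
param(
    [string]$Pattern = "*Superfish*",
    [switch]$Remove
)

# Superfish may land in either store; check both.
$stores = @("Cert:\LocalMachine\Root", "Cert:\CurrentUser\Root")
$found  = @()

foreach ($store in $stores) {
    $hits = Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like $Pattern -or $_.Issuer -like $Pattern }
    foreach ($cert in $hits) {
        # Flag whether the cert is a CA: a trusted CA in the root store is
        # exactly what lets a MITM proxy mint certificates for any site.
        $bc   = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
        $isCA = if ($bc) { $bc.CertificateAuthority } else { $false }
        $found += [pscustomobject]@{
            Store      = $store
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            IsCA       = $isCA
        }
    }
}

if ($found.Count -eq 0) {
    Write-Host "No certificate matching '$Pattern' found in the trusted-root stores."
    exit 0
}

$found | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $found) {
        Remove-Item -Path "$($f.Store)\$($f.Thumbprint)"
        Write-Host "Removed $($f.Thumbprint) from $($f.Store)"
    }
} else {
    Write-Host "Re-run with -Remove to delete the listed certificate(s)."
}
```

Removing the root alone is not enough: uninstall the Superfish software as well, since it can re-add the certificate, and note that Firefox keeps its own certificate store, which this script does not inspect.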

Source: Electronic Frontier Foundation