February 20, 2015 • Published by Jyothish Varma
Malware
The Internet is abuzz with the news that Lenovo has been shipping an adware program named Superfish preinstalled on a number of consumer laptops. The adware not only injects third-party ads into Google searches and websites without the user's permission, but can also intercept and hijack SSL/TLS connections to any website, because it installs its own self-signed root certificate authority (CA) in the machine's trusted root store.
Lenovo has issued statements to media outlets saying that "Lenovo removed Superfish from the preloads of new consumer systems in January 2015. At the same time Superfish disabled existing Lenovo machines in the market from activating Superfish. Superfish was preloaded on to a select number of consumer models only. Lenovo is thoroughly investigating all and any new concerns raised regarding Superfish.”
The adware installs its own self-signed root CA certificate in the system trust store. Because every browser on the machine trusts that root, Superfish can generate a certificate for whatever site the user visits, including a bank or e-commerce site, sign it with its CA key, and sit between the browser and the site, decrypting, inspecting and altering the traffic without triggering any certificate warning. This is the classic man-in-the-middle (MITM) attack.
For those who are interested, OWASP offers a good primer on MITM. In a nutshell, a MITM attacker can both monitor and alter or inject messages in a communication channel. The attack defeats endpoint authentication: it succeeds only when the attacker can convincingly impersonate each endpoint to the other.
Most cryptographic protocols include some form of endpoint authentication specifically to prevent MITM attacks. TLS, for example, authenticates the server (and optionally the client) with a certificate that chains to a CA the other side already trusts; a certificate signed by a trusted root is accepted for whatever hostname it names. Superfish's root CA was installed as trusted, and its private key was the same on every affected laptop. Anyone who extracts that one key from a single machine can therefore sign a certificate for any site, and every other affected laptop will accept it. The exposure is not limited to Superfish's own ad injection: any third party on the same network, such as a public Wi-Fi hotspot, can intercept the user's HTTPS traffic.
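The mechanism described in the two paragraphs above, as an added example in Go (this is not code from the original post, nor Superfish's or Lenovo's): a vendor root CA is preloaded as trusted on every laptop together with its private key, an attacker who lifts that one key from any laptop forges a certificate for a bank site, and the same chain validation a browser performs accepts it wherever the shared root is trusted, rejects it on a clean machine, rejects it for a hostname it does not name, and rejects it on a device whose root was generated with its own key. The CA name and the hostnames are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Added example (not from the original post, not Superfish or Lenovo code).
// The CA name and hostnames below are hypothetical.

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newRootCA creates a self-signed CA certificate and its private key.
func newRootCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// forgeLeaf issues a server certificate for host signed with the CA key,
// which is what Superfish did on the fly for every HTTPS site visited.
func forgeLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return leaf
}

// clientAccepts is the check a browser runs before showing the padlock: the
// chain must end at a root in the trust store and match the hostname visited.
func clientAccepts(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

type Outcome struct {
	OnAffectedLaptop bool // shared vendor root trusted: interception is silent
	OnCleanMachine   bool // root not present: chain validation fails
	OnOtherHost      bool // hostname check still applies even with the root trusted
	OnPerDeviceRoot  bool // laptop with its own root key: the stolen key is useless
}

// Demo forges a bank certificate with the key extracted from one affected
// laptop and tests it against four different trust stores.
func Demo() Outcome {
	sharedRoot, sharedKey := newRootCA("Example Vendor Root CA")
	forged := forgeLeaf(sharedRoot, sharedKey, "www.bank.example")
	// What a sound design does: a root generated per device (same name here,
	// different key), so a key from one machine signs nothing other machines trust.
	perDeviceRoot, _ := newRootCA("Example Vendor Root CA")
	affected, clean, perDevice := x509.NewCertPool(), x509.NewCertPool(), x509.NewCertPool()
	affected.AddCert(sharedRoot)
	perDevice.AddCert(perDeviceRoot)
	return Outcome{
		OnAffectedLaptop: clientAccepts(forged, affected, "www.bank.example"),
		OnCleanMachine:   clientAccepts(forged, clean, "www.bank.example"),
		OnOtherHost:      clientAccepts(forged, affected, "login.mail.example"),
		OnPerDeviceRoot:  clientAccepts(forged, perDevice, "www.bank.example"),
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Running it prints the four outcomes. Only the first is true: the forged certificate is good for exactly the machines that trust the shared root, which in the Superfish case was every affected laptop. The last outcome is the contrast that matters for the design point: had each laptop carried a root with its own freshly generated key, a key extracted from one machine would have been worthless against any other.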
Ultimately, these practices put consumers whose systems carry this adware at a significantly increased security risk.
Lenovo got caught and is now making amends, starting with mea culpas and following up with a published Superfish removal tool (use it if you think you have been affected). Note that uninstalling the Superfish application alone is not enough: the self-signed root certificate stays in the trusted root store unless it too is removed, and that lingering root is the dangerous part.
But how many other hardware and software manufacturers are distributing malicious “solutions” that put their consumers’ security at risk? I suspect there is yet more to be uncovered. Stay tuned.
Subscribe to this blog for additional tips and webinar announcements.