Slashdot Mirror


Superfish Security Certificate Password Cracked, Creating New Attack Vector

In a followup to today's news about junk software included with Lenovo computers, an anonymous reader writes Robert Graham at Errata Security has published an article announcing his success in extracting the SuperFish self-signed security certificate from the adware which has caused Chinese computer manufacturer Lenovo such embarrassment in the last day. Since SuperFish is already capable of carrying out man-in-the-middle attacks over secure connections on the Lenovo machines which use the certificate, the disclosure of the certificate's password presents hackers with 'a pre-installed hacking environment' which would be difficult to arrange by other means. The password, "komodia," is also the name of the Komodia Redirector framework, which allows its clients to manipulate TCP/IP network sessions "with a few simple clicks."

23 of 144 comments

  1. Re:Can Lenovo Be Sued? by Anonymous Coward · · Score: 4, Insightful

    Of course they can be sued. Can you actually win? Probably not. I would assume there's some agreement somewhere when you unwrap the computer saying you accept the software that's installed.

  2. Re:Stop deleting the NSA hard drive backdoor news by gcnaddict · · Score: 2

    Um, already discussed. http://yro.slashdot.org/story/...

    --
    Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
  3. Time for a gov't-ordered safety recall??? by davidwr · · Score: 2

    Now that the vendor knows this, they may be legally obligated to do a "voluntary" factory recall or face a government-mandated involuntary recall.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  4. HEY! YOU HACKED OUR HACK! by arfonrg · · Score: 3, Funny

    What's next:

    LENOVO: "Hey! You can't exploit or exploit! DMCA DMCA!"

    --
    Your thin skin doesn't make me a troll
  5. Soo soo tired..... by dablow · · Score: 4, Insightful

    Anybody else work in IT and is starting to get depressed?

    I am just soo tired of trying to keep up with all the hacking, spying & stealing going on.......

    Constantly feeling attacked from all sides (gov, corporations etc.)

    Who can you even trust anymore?

    I would like to take a more active role in protecting my privacy and personal data, however I do not see how this is possible without completely abandoning all electronic gadgets and the internet?

    1. Re:Soo soo tired..... by webanish · · Score: 3, Insightful

      Between ignorance and despair is action...
      Start down that road, and you'll discover many a companion. Don't lose hope.

      Here's one example. I'm sure there would be many others.

    2. Re:Soo soo tired..... by MetalliQaZ · · Score: 4, Funny

      You need some military-grade ICE, man. Smooth as glass... it will flatline any intruder in the blink of an eye.

      --
      "Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
    3. Re:Soo soo tired..... by whoever57 · · Score: 2

      I mean, it's important and all, but there's different levels of issues. Heartbleed and shellshock are one thing- this is a sketchy manufacturer doing something sketchy.

      Did you miss the part about how this software breaks the whole certificate validation process? This is worse than Heartbleed for anyone who has an infected laptop. Any HTTPS website can masquerade as another HTTPS website and, because of the way Superfish works, the browser won't detect anything wrong.

      --
      The real "Libtards" are the Libertarians!
    4. Re:Soo soo tired..... by execthis · · Score: 5, Informative

      I was setting up a PC for a friend yesterday and needed to install a popular shareware archival app that has been recognized as the best in its category and has never been bundled with any crap.

      I opened up Firefox and typed the name in the search bar which had Yahoo set as the default search provider - as Firefox have notably done recently. I clicked on the first link that appeared, which for all intents and purposes appeared to be the link from the actual creator of said application.

      But in fact it was not. It was some sleazebag site which basically bundles a load of crapware into the installer. Even when I carefully unselected all the crapware it was trying to proffer, it still installed a PUP IE addon that Malwarebytes picked up. In short, Yahoo has descended to the level of pushing shady companies which install malware on people's computers and hijack the installers of legitimate shareware products. And Firefox have descended to making this company (Yahoo) their default search provider.

      This is total shit. The model of the Internet as some kind of enhanced TV experience which tracks everything people do and targets and infiltrates them has got to stop.

      You are totally right in seeing that there is no qualitative difference between what corporations are doing, what governments are doing, and what scammers are doing. We have moved from an age of true innovation to one of scamming. Hence why banking and investment are so big.

    5. Re:Soo soo tired..... by cfalcon · · Score: 2

      It's worse than other bugs for anyone who has an infected laptop... but to get an infected laptop, you'd have to buy it from Lenovo and then not purge the disk promptly. It's not an issue because most people aren't ever going to have a Lenovo laptop, nor a bank who uses one, nor a common website that relies on it. Amazon isn't going to lose your credit card number because they run Lenovo laptops or whatever. Unlike the actual real bugs that cause problems, this one is just something that blights consumers who buy from sketchy companies in the brief window of "that company decides to abuse the fuck out of their customers" and "consumer backlash shits on their cash grab". That's guaranteed to be small.

      It's only news because, unlike the other bugs, this one had actual bad actors.

  6. No words by WaffleMonster · · Score: 5, Insightful

    Preloading advertising spyware with a new computer while knowingly disabling all https and code signing security.

    There is selfish, there is stupid, there is dumb and there is criminal batshit insanity.

    Having been a fan of Lenovo for years I sincerely hope they are sued into oblivion and face criminal prosecution. No need wasting your time wondering if I will ever buy anything from them again.

    1. Re:No words by Solandri · · Score: 2

      This needed to happen to a major vendor. Just so all the other computer makers can see how monumentally stupid an idea it is to let their Marketing division talk them into bypassing security for the sake of some ad revenue.

    2. Re:No words by Gr8Apes · · Score: 4, Interesting

      It already happened to Sony, recall the CD rootkit incident? That was even more evil, as it wasn't just malware, but an actual attack. Sony's still around but they seem to be having some financial trouble of late or something. Karma sure can be a bitch.

      --
      The cesspool just got a check and balance.
    3. Re:No words by SoCalChris · · Score: 4, Insightful

      Yes, this is monumentally stupid on their part. But I'll be shocked if there's any real consequences for it. The other manufacturers are all watching to see how much backlash there is, and how quickly people forget and move on to see if this is something that they'll want to do in the future as well. Consumers won't care about this, and business will carry on as usual soon enough.

    4. Re:No words by thegarbz · · Score: 2

      I sincerely hope they are sued into oblivion and face criminal prosecution

      I'm sure you'll find this feature listed in their terms of service. Sued ... maybe... Sued into oblivion? Sued and likely to lose a single case? Probably not.

  7. Re:who uses stock os? by davidwr · · Score: 3, Informative

    legitimate question: what slashdotter still uses the stock OS on a laptop they purchase?

    If by "OS" you mean the factory-installed crypto-signed firmware/bootloader/OS stack which can't be changed without keys the end-user doesn't have, then the answer is "probably more than we would like to think."

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  8. Re:Bullshit by TsuruchiBrian · · Score: 2

    Summaries don't contain *all* the words (that's what makes them summaries rather than articles). Even dumb Americans know that.

  9. Re: Lenovo by ewhac · · Score: 2

    That's a nice concept as far as it goes, but at some point you're still dependent on hardware-specific drivers from Lenovo. As of this writing, you can pick up device drivers piecemeal. But once they get it into their tiny little brains to create a single "Universal Installer" that bundles all the necessary drivers with all the unnecessary, unwanted bloatware and spyware, you're back in the same leaky boat.

    Frankly, I'm having a hard time seeing how Lenovo recovers from this.

  10. Re:LOL by Em+Adespoton · · Score: 2

    It doesn't take government operatives... At this point, it's a dupe. I already raised both the issue of all current manufacturers being affected and the fact that not enough actual information was released. It's not a conspiracy in this case, it's just bad reporting being moderated as such.

    If someone submits the Kaspersky article, maybe it'll get more traction. Instead, we keep getting submissions that are all hype and no substance, filled with editorialization and almost zero facts. People have tried to spin "custom targeted spyware inserted into firmware of targeted computers, regardless of drive manufacturer" into "firmware from all hardware vendors comes pre-loaded with spyware that reports back to the NSA"

  11. Re:This name.... by TheGratefulNet · · Score: 4, Funny

    superfish is the hidden, non-user interface version.

    note, the lesser known, CLI version is called shellfish

    (thank you, I'll be here all night.)

    --
    "It is now safe to switch off your computer."
  12. Re:Nice try by KevReedUK · · Score: 3, Interesting

    Think it through...

    1) Drive F/W gets infected.
    2) Drive infects OS and UEFI on boot.
    3) You detect malware, but don't realise it's in the F/W of the drive. You disinfect the drive and reboot.
    4) You notice the malware is still evident, but can't find any trace of it on the drive. You detect it in the UEFI and flash that to get rid of it.
    5) You notice it's STILL there, so you assume it must be so deep in the UEFI that you can't get rid of it (which many would consider far more plausible than it being in the DRIVE F/W!). You therefore replace the whole PC, but swap the disk over as you believe the drive (which you have now "securely" wiped) is safe.
    6) Guess what's now infected!?!

    OR (more likely) you infect an external hard disk and find that you're still spreading malware from machine to machine throughout the PCs of your company/family/friends/whatever, even after you have "securely" wiped it.

    --
    Just my $0.03 (At current exchange rates, my £0.02 is worth more than your $0.02)
  13. Thanks for the info. by Rashdot · · Score: 2

    I missed the previous article. Just checked my son's laptop that I bought him for Christmas and had to remove this crap. Thanks to whoever exposed this.

    That was my first and last Lenovo ever (as in "my first Sony"). What were they thinking.

    --
    This is not the sig you're looking for.
  14. Re:Official Statement by herve_masson · · Score: 2

    > At Lenovo, we make every effort to provide a great user experience for our customers
    > In our effort to enhance our user experience, we pre-installed a piece of third-party software, Superfish

    PR words are beyond amazingness; when did this become a supreme art like that?
    Is this message really useful to ... anything?