Pierluigi Paganini February 19, 2015

The presence of the Superfish software in Lenovo laptops exposes the users to serious risks of hacking. The researcher Graham explained the reason.

The news of the presence of Superfish adware in the laptops sold by the Chinese Lenovo has shocked the IT industry. The company has intentionally pre-installed a malware on laptops, but which are the consequence of the presence of the malicious code in the Lenovo devices?

Superfish represents a serious menace for the users privacy and security, it could be exploited to run man-in-the-middle attack to inject malicious code or to hack the targeted system injecting ads.

The presence of the Superfish malware makes Lenovo users more exposed to hacking attacks. To give you a clear idea of what is happening I suggest you to read an excellent post written by Robert Graham, CEO of Errata Security.

Graham explained that Superfish is a malware that hijacks and throws open encrypted connections, a circumstance that could be exploited by attackers to eavesdrop the users’ traffic.

“The software throws open encryptions by giving itself authority to take over connections and declare them as trusted and secure, even when they are not.” said Graham.

By simply extracting the certificate of the Superfish adware, the researcher was able to intercept the encrypted traffic of Lenovo laptops.

The expert reverse engineered the malicious software in a debugger (or IDApro), he cracked the password with a dictionary attack hyphotesizing that the password is probably also in the clear in the memory dump.

“I extracted the certificate from the SuperFish adware and cracked the password (“komodia”) that encrypted it. I discuss how down below. The consequence is that I can intercept the encrypted communications of SuperFish’s victims (people with Lenovo laptops) while hanging out near them at a cafe wifi hotspot. Note: this is probably trafficking in illegal access devices under the proposed revisions to the CFAA, so get it now before they change the law” wrote the researcher.

Finally, Graham has found the password, “komodia”, in 10 seconds with a dictionary attack using some constraint to limit the number of attempts.

“Note that the password “komodia” is suggestive — that’s a company that makes an SSL “redirector” for doing exactly the sort of interception that SuperFish is doing. They market it as security software so you can spy on your kids, and stuff.”

The administrator at Lenovo official forum confirmed that since Jan. 23 it has temporarily removed Superfish from its Laptops, a statement that continues to cause confusion among users and that demonstrate the negligence of the company.

“The way the Superfish functionality appears to work means that they must be intercepting traffic in order to insert the ads,” said Eric Rand from Brown Hat Security. “This amounts to a wiretap.”

The most disconcerting aspect of the story is that one of the leaders of global PC market violated in a so blatant and intentional manner the privacy of its customers.

If you want to remove the Superfish malware follow the precious guide published by the expert Filippo Valsorda.

I wrote a guide on removing Superfish since I couldn’t find one easy and comprehensive enough. Feedback VERY welcome https://t.co/QFjnP6goEf

— Filippo Valsorda (@FiloSottile) 19 Febbraio 2015

Pierluigi Paganini

(Security Affairs –  Lenovo, Factory pre-installed malware)