Threat Update | SuperFish
February 25, 2015
Lenovo products shipped between September 2014 and February 2015 have come with preloaded software known as “SuperFish”. It is very common for Manufacturers and OEMs to preload applications onto the Operating System; however, what makes SuperFish “unique” is that it is designed to intercept all HTTP and HTTPS communication. SuperFish is designed to provide analytics to better enhance the user’s Internet Shopping experience, regardless of how you are browsing the web.
In order to provide analytics on encrypted traffic (HTTPS and SSL) the application must perform a man-in-the-middle attack. Standard HTTPS communication is the exchanging of certificates and encryption information between a Client and Server to create one secure SSL tunnel, while a Man-in-the-Middle attack is when exchanging of certificates and encryption information is between the Client and the Attacker to make one SSL tunnel, and the Server and the Attacker to make a second SSL Tunnel. This gives the attacker the opportunity to literally be in-the-middle of the secure communication between the Client and Server.
The SuperFish application is forcing the Web Browsers to establish an SSL tunnel with the application rather than with the secure website that the user tried to visit. This means that when a user goes to a banking website, instead of creating a secure SSL tunnel, via HTTPS, to the banking website, SuperFish is getting in between that connection. This Man-in-the-Middle attack is no different than the methods used by Proxies to provide visibility into SSL traffic, however Proxy appliances are designed to give Administrators the ability to limit their scope of visibility – SuperFish does not provide that flexibility. Proxy Administrators do not want to intercept SSL traffic for Banking and other personal activities – SuperFish cannot distinguish the difference. Proxy appliances are also deployed with the consent of the stakeholders – SuperFish is not.
Although the SuperFish application may not have been installed with malicious intent, it is a major breach in security. Forcing users to trust the SuperFish application for SSL rather than the actual secure website that they are trying to reach opens a plethora of security vulnerabilities. For example, a malicious user has the ability to hijack SSL sessions by decrypting the SuperFish SSL Certificate1.
Lenovo has taken action to correct this situation and has released official statements surrounding the SuperFish application, including descriptions on the application and affected models2, removal instructions3 and an official apology4. Microsoft has also released updated signatures for Windows Defender to detect and remove SuperFish5.
If you believe your team leverages a Lenovo product shipped between September 2014 and February 2015 we recommend following the removal instructions outlined here.
Update: February 25, 2015
Due to the increased awareness of the security concerns surrounding SuperFish, Security Researchers have dug deeper into both the SSL Functionality and the actual programing behind SuperFish
It has been confirmed that the coding used to handle the SSL/Man-in-the-middle capabilities of SuperFish is done with software from a company known as “Komodia”.
Through minimal efforts, the SSL processes provided by Komodia have been fully reverse-engineered. Hackers now have the full capabilities of hijacking SSL sessions by impersonating other Komodia SSL applications – Not just those with SuperFish. This means that the vulnerabilities and security concerns posed by SuperFish have been extended to any application that uses Komodia coding for SSL.
The following programs suffer the same vulnerability and security concerns as SuperFish:
- CartCrunch Israel LTD
- WiredTools LTD
- Say Media Group LTD
- Over the Rainbow Tech
- System Alerts
- Objectify Media Inc
- Catalytix Web Services
Herjavec Group strongly recommends reviewing the installed applications of the various endpoints in your environment, to ensure that none of the above are installed.