It's always a busy month in the field of security. This month has seen its share of ugly stories, including the growing amount of state tax fraud, massive bank heists, and another depressing breach of our personal privacy by a major business. Those stories are all big, but the one that really captivated the attention of our community has been the one about Lenovo and Superfish.
That story has all the requisite narrative pieces to be a big tale that riles the enthusiast: a large PC maker pushing crapware onto untold numbers of users, that crapware being adware afflicted with a major security flaw, and the players involved doubling down on a large dose of stupid. Add the spicy dash of conspiracy that this is covert government espionage to the mix, and I think we're well on our way to a Tom Clancy novel.
It's not hard to lay some of the blame for this mess on the general decline of the broader PC industry. The PC market has long been one of low margins and low costs, and that's still the case today. The need to find additional revenue sources has undoubtedly helped foster the rise of crapware. Of the major PC makers navigating the changing seas of this market, Lenovo has arguably done well for itself.
We saw some bang-up coverage of the Lenovo-Superfish story last week. Ars Technica has been solidly on top of it, and Geoff and Cyril here at TR have done a phenomenal job of detailing the saga, too. The passing of time has helped flesh out more of the details, and I figured now was a good time to sum everything up.
Superfish is an advertising company that developed a product called Visual Discovery. Visual Discovery takes a different approach to serving targeted ads. The software isn't interested in keywords; instead, it processes the images on the pages you visit in order to learn your interests. That capability could be implemented as a browser extension, but depending on browser support would limit the software's reach. Another approach is to use a Layered Service Provider (LSP) or Windows Filtering Platform (WFP) driver injected into the OS network stack. Such an approach works with any browser, but it has one tiny downside: because SSL/TLS encryption is implemented within the browser, encrypted traffic passing through the filter is opaque to Visual Discovery. What Superfish needed was not only a filter in the stack, but also a proxy that could negotiate separate SSL/TLS sessions with the outside resource and with the local browser.
Superfish apparently lacked either the skillset or the desire to build the software needed to carry out such a man-in-the-middle interception itself, so it went looking for an all-in-one solution. Komodia sells a development kit called an "SSL hijacker," which implements the proxy functionality needed for the interception. To be fair, this sort of interception is a tool—and like all tools, it can be used for good or for ill. Many anti-virus products and host intrusion detection and prevention systems use these filter drivers and proxy capabilities to identify malicious traffic before your system can process a malicious application's payload. Of course, Superfish isn't an anti-malware program. It's an adware program, and it has no business being integrated into the TCP/IP stack.
As bad as what I've described so far is, the situation only gets worse. Over the course of a few days, security researchers have plumbed the depths of the Komodia engine and found numerous implementation problems. More concerning is the fact that this flawed engine is integrated into not just Superfish Visual Discovery, but also numerous other products. Komodia claims to have more than 100 clients using its product, and the list of programs found to use the Komodia engine keeps growing. In short, Lenovo is just the tip of the iceberg.
The Komodia engine's poor security design includes blunders like:
Jumping onto a public Wi-Fi hotspot and using a tool like PwnStar against a machine sporting one of these certificates would be devastating to the victim.
In other words, the entire Komodia engine is a hopelessly broken implementation of public key infrastructure.
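One way a defender can spot this class of interception from the outside, regardless of which product installed the root, is to compare the certificate issuer a browser actually receives against the hostname it asked for. An interception proxy with its own locally installed root shows up as a single non-public issuer vouching for many unrelated public sites. The following is an added example, not code from the article or from any of the products it discusses; the log format, the hostnames and the issuer names are all constructed for illustration.

```python
import shlex
from collections import defaultdict

# Constructed sample log lines in a hypothetical endpoint-agent format:
# the hostname the browser requested and the issuer name on the leaf
# certificate it actually received. Every name and timestamp is made up.
LOG_LINES = """
ts=2015-02-20T10:01:02Z host=mail.example.com issuer="Example Public CA G2"
ts=2015-02-20T10:01:09Z host=bank.example.net issuer="Interceptor Root CA"
ts=2015-02-20T10:01:15Z host=shop.example.org issuer="Interceptor Root CA"
ts=2015-02-20T10:01:21Z host=wiki.corp.internal issuer="Corp Internal CA"
ts=2015-02-20T10:01:30Z host=news.example.com issuer="Interceptor Root CA"
ts=2015-02-20T10:01:44Z host=git.example.com issuer="Corp Internal CA"
""".strip().splitlines()

# Issuers we expect to see (hypothetical): public CAs, which in practice
# would be a full export of the trust store, and the one private CA the
# organisation runs, allowed only for the internal name suffixes listed.
PUBLIC_ISSUERS = {"Example Public CA G2"}
PRIVATE_ISSUERS = {"Corp Internal CA": (".corp.internal",)}


def parse_line(line):
    """Turn 'k=v k="v with spaces"' into a dict; shlex handles the quoting."""
    return dict(tok.split("=", 1) for tok in shlex.split(line))


def classify(record):
    """Return None when the issuer is expected for this host, else a reason."""
    issuer, host = record["issuer"], record["host"]
    if issuer in PUBLIC_ISSUERS:
        return None
    if issuer in PRIVATE_ISSUERS:
        if host.endswith(PRIVATE_ISSUERS[issuer]):
            return None
        return "private CA signed for a public hostname"
    return "unknown (non-public) issuer"


def find_interception(lines):
    """Group suspicious sessions by issuer: {issuer: {host: reason}}.

    One unknown issuer signing for several unrelated public sites is the
    signature of an SSL-interception proxy whose root is in the trust store.
    """
    hits = defaultdict(dict)
    for line in lines:
        rec = parse_line(line)
        reason = classify(rec)
        if reason:
            hits[rec["issuer"]][rec["host"]] = reason
    return dict(hits)


if __name__ == "__main__":
    for issuer, hosts in find_interception(LOG_LINES).items():
        print(f"{issuer}: signed certificates for {len(hosts)} host(s)")
        for host, reason in sorted(hosts.items()):
            print(f"  {host}: {reason}")
```

The check deliberately keys on the issuer name rather than on any product-specific fingerprint, so it catches whichever of Komodia's clients installed the root. What it cannot tell you from one machine is whether that root's private key is shared across every install; for that, compare the root certificate's fingerprint across the fleet, since a fingerprint that is identical everywhere implies an identical key.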
So, what can you do about it?
Perhaps in some backhanded way, Lenovo has done us a favor. One wonders how much longer Komodia's poorly built product would have escaped notice without their pursuit of profits at the expense of the end user. Thanks, Lenovo!