Thursday 19 February 2015

Adware on Lenovo Laptops Puts SSL Connections at Risk


Chinese computer maker Lenovo installs very aggressive adware by default on the laptops it sells to customers, putting every SSL connection that users set up at risk. It had been known for some time that Lenovo installs the Superfish adware on laptops, but its impact now appears to be much greater than was initially assumed.


According to researcher Marc Rogers, the adware performs a "man-in-the-middle attack" to gain access to sensitive data sent over SSL connections and to inject ads. In addition, Lenovo installs a weak certificate on the system, so users can no longer trust any SSL connection they set up.


The problem was reported as early as 21 January by a user on the Lenovo forum. According to the user, Superfish, also known as Visual Discovery and Similar Products, hijacks all SSL/TLS connections using a self-signed root certificate authority that is trusted by the browser. The user in question returned his laptop and asked for his money back.

Superfish displays ads on the computer. Rogers calls it a notorious piece of adware that hijacks legitimate connections, monitors user activity, collects personal information and uploads it to servers, displays pop-ups with adware and, moreover, attacks users' SSL connections using a self-signed certificate. Superfish also used a weak SHA-1 certificate. SHA-1, however, has been replaced by SHA-256, as attacks on SHA-1 can now be carried out using standard computers. It also appears that a 1024-bit RSA key is used, which can be cracked.

The researcher says that Lenovo is therefore acting ignorantly and recklessly. "It's probably the worst thing I've seen a supplier do to its customers." In a response, Lenovo says that Superfish has been temporarily removed from laptops. In addition, the manufacturer states that the plug-in can do no harm.

Whether the plug-in is being removed only on new laptops, or whether Lenovo can also do this on existing computers, is unclear. It is also unclear whether the self-signed root certificate authority is removed in that case. The Next Web reports that Firefox users are not at risk, because the open source browser uses its own certificate store. Furthermore, virus scanners reportedly detect Superfish as adware and recommend removing it.

Lenovo said in a statement that Superfish has not been installed on new systems since January 2015. Furthermore, Superfish is said to have been disabled on Lenovo machines that were already sold. According to the manufacturer, the adware was installed on only a "select few" consumer models.

Superfish Domains & IP Addresses
Security researcher Conrad Longmore has published a list of IP addresses and domain names used by Superfish. He notes that the information is sent to US IP addresses. Superfish itself is Israeli. "Which seems to be a popular place to develop adware," he notes.


Owners of a Lenovo laptop can use this page to check whether the Superfish certificate authority is trusted by their browser and whether they are therefore at risk.
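The same check can be made locally against the Windows trusted-root stores. The PowerShell below is an added example, not code from the article or from the researchers it cites; it assumes the vendor name "Superfish" appears in the certificate's Subject or Issuer, and it does not look at Firefox's own certificate store.

```powershell
# Added example: list trusted root certificates that either carry the
# Superfish name or use an RSA key of 1024 bits or less, the key size
# the article reports for the Superfish certificate.
$stores      = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$namePattern = 'Superfish'   # assumption: vendor name is in Subject/Issuer

$findings = foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store) {
        # Read the RSA key size; non-RSA or unreadable keys leave it empty.
        $keyBits = $null
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            if ($rsa) { $keyBits = $rsa.KeySize }
        } catch { }

        $nameMatch = ($cert.Subject -match $namePattern) -or
                     ($cert.Issuer  -match $namePattern)
        $weakKey   = ($null -ne $keyBits) -and ($keyBits -le 1024)

        if ($nameMatch -or $weakKey) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                # FriendlyName reads e.g. "sha1RSA" or "sha256RSA"
                SigAlg     = $cert.SignatureAlgorithm.FriendlyName
                KeyBits    = $keyBits
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
                NameMatch  = $nameMatch
            }
        }
    }
}

if ($findings) {
    # Name matches first; weak-key-only entries follow for manual review.
    $findings | Sort-Object -Property NameMatch -Descending | Format-List
} else {
    'No trusted root matched the name pattern or used an RSA key of 1024 bits or less.'
}
```

An entry listed only because of its key size is not necessarily Superfish and should be reviewed by hand before anything is removed.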


Several researchers have meanwhile managed to crack the password protecting the private key of the Superfish certificate. The password proved to be "komodia", according to an analysis by researcher Robert Graham. In theory, this would make it possible to perform man-in-the-middle attacks and intercept the encrypted traffic of Lenovo users. For this, an attacker would have to position himself between the user and the Internet. Furthermore, researcher Erik Loman says that, contrary to what was first reported, Firefox users are also vulnerable.


Lenovo announced earlier that Superfish is no longer installed on new laptops and that existing installations were disabled. Whether the self-signed certificate is also removed as a result is unclear. Lenovo has been asked for clarification, but no reply has been received.

Lenovo has announced that it is stopping Superfish completely and will no longer install the software on machines. In addition, according to Lenovo, the software was switched off on the server side in January of this year. As a result, Superfish would no longer be active. Whether users must remove the self-signed certificate themselves is unclear. This question is still pending with Lenovo.

The computer manufacturer also states that it has extensively researched the technology but has found no evidence to justify the resulting security concerns. "But we know that users are concerned about this problem and have therefore taken immediate action to no longer deliver products with this software."
