Lenovo Settles with FTC for “SuperFish” Security Incident
Lenovo Will Pay $3.5 Million For Software That Exposed HTTPS Interception Risk
Two years ago Lenovo was in hot water for bloat-ware (unwanted programs pre-installed on consumer computers) called Superfish which included man-in-the-middle capabilities that put user HTTPS traffic at risk of compromise.
Regarded as a serious security incident, Lenovo had received only bad press for their actions. Until now.
This week the FTC (joined by the Attorneys General of 32 U.S. states) announced a settlement with Lenovo over the Superfish software pre-installed on its consumer laptops. The settlement will cost Lenovo only $3.5 million – not much for exposing the entirety of a user’s HTTPS traffic.
Perhaps more significant is that Lenovo will have to “implement a comprehensive software security program for most consumer software preloaded on its laptops” for the next 20 years, and that program will be subject to third-party audits.
Lenovo will also have to get consumers’ “affirmative consent” before pre-installing similar software in the future.
Super Phishy
The appropriately named “Superfish” was a marketing company and product that injected tailored ads into your search results.
The nasty part of Superfish was how it worked. Superfish inserted itself in the middle of your internet connections using a local proxy. Instead of your browser connecting directly to Website.com, it connected to the Superfish software running on your own computer, which in turn connected to the website.
Lenovo shipped laptops with a root certificate owned by Superfish that was used in combination with that proxy to intercept your traffic. This allowed Superfish to view and analyze all of your traffic, including HTTPS, across every browser on the machine – data it needed to show you those tailored ads – essentially making it a super phish.
When you connected to Google.com, your browser never saw Google’s real certificate. It received a fake one, generated on the fly by Superfish for that hostname and signed by the Superfish root. The browser accepted it without a warning because Lenovo had pre-installed that root in the system trust store.
Spying on all your traffic for some extra cash is gross enough – but to make things worse, the private key for that root certificate was also shipped on the laptops, and it was the same key on every installation. That made the Superfish root trivial to abuse. An attacker who extracted the key once could sign a certificate for any website and read or alter the HTTPS traffic of every affected machine, with nothing visible to the user. The classic “coffee shop” scenario, where attacker and victim share a public Wi-Fi network, is all it takes.
When it comes to compromising HTTPS security, this is about as bad as it gets. A trusted CA under hostile control has ultimate power – it can issue certificates that masquerade as any website, and the browser shows no noticeable difference to the user.
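To make the mechanism concrete, here is an added example (not code from the original article and not Superfish’s or Komodia’s software) that reproduces the three steps above in Go’s standard library: a CA is generated locally as a stand-in for the Superfish root (the key is created fresh here; the real shipped key is not used), a leaf certificate for www.google.com is minted on the fly and signed by it, and the leaf is then put through the same chain-and-hostname validation a browser performs, once by a client that trusts the root and once by one that does not. The subject name “Superfish, Inc.” used for the stand-in root is the CN widely reported for the real certificate; the `findRootsByCN` helper and all function names are this example’s own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newRoot generates a self-signed CA. Stand-in for the Superfish root:
// the key is created fresh here and is not the key that shipped on laptops.
func newRoot(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{cn}},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// mintLeaf does what the interception proxy did on every connection: issue a
// certificate for whatever host the client asked for, signed by the root key.
func mintLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // hostname check is done against the SAN
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyFor runs the chain and hostname validation a browser performs against
// the given trusted roots. An empty (non-nil) pool means "trust nothing";
// a nil pool would make Go fall back to the operating system's trust store.
func verifyFor(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// findRootsByCN is the simplest clean-up check: scan certificates exported
// from a trust store for a root whose subject CN matches a known-bad issuer.
func findRootsByCN(roots []*x509.Certificate, cn string) []*x509.Certificate {
	var hits []*x509.Certificate
	for _, c := range roots {
		if c.Subject.CommonName == cn {
			hits = append(hits, c)
		}
	}
	return hits
}

func main() {
	root, key, err := newRoot("Superfish, Inc.")
	if err != nil {
		panic(err)
	}
	leaf, err := mintLeaf(root, key, "www.google.com")
	if err != nil {
		panic(err)
	}
	trusting := x509.NewCertPool()
	trusting.AddCert(root) // the Lenovo laptop: root pre-installed
	fmt.Println("client with the root installed:", verifyFor(leaf, trusting, "www.google.com"))
	fmt.Println("client without it:", verifyFor(leaf, x509.NewCertPool(), "www.google.com"))
	fmt.Println("suspect roots found:", len(findRootsByCN([]*x509.Certificate{root}, "Superfish, Inc.")))
}
```

The first verification returns no error and the second fails with an unknown-authority error, which is the whole story of the incident in two lines: the forged certificate is indistinguishable from a genuine one to any client that trusts the root, and worthless against a client that does not. Because the real root key was identical on every laptop, anyone who extracted it could run `mintLeaf` for any hostname and pass the first check on every affected machine. Removing the root from the trust store (the `findRootsByCN` scan is the crude version of that check) is what turns the first result into the second.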
This incident made headlines in 2015, coming at a terrible time for Lenovo, which had recently become the world’s largest seller of PCs. US-CERT issued a security alert (TA15-051A) about the Superfish software, and many outlets characterized it as malware.
Forbes estimated that Lenovo made less than $500,000 from Superfish for bundling the software with its laptops. While Lenovo is still the king of the PC market, this ordeal certainly cost it much more than half a million dollars.
Unfortunately, a $3.5 million fine is unlikely to act as a real deterrent for other companies. As is usual in these cases, a company traded away its users’ security for revenue, and the punishment is insignificant by comparison.
Superfish’s fate may be more appropriate. The company shut down and attempted to relaunch as “Just Visual” in 2015 to get away from the negative press. But its website is no longer online, and many key employees no longer list the company as their current employer – so it may be dead for good after all.