Lenovo Will Pay $3.5 Million For Software That Exposed HTTPS Interception Risk
Two years ago Lenovo was in hot water for bloatware (unwanted programs pre-installed on consumer computers) called Superfish, which included man-in-the-middle capabilities that put user HTTPS traffic at risk of compromise.
Although it was regarded as a serious security incident, Lenovo had received only bad press for its actions. Until now.
This week the FTC (plus the Attorneys General of 32 U.S. states) announced a settlement with Lenovo over the pre-installed Superfish software on consumer laptops. The settlement will only cost Lenovo $3.5 million – not much for compromising the entirety of a user’s HTTPS traffic.
Perhaps more significant is that Lenovo will have to “implement a comprehensive software security program for most consumer software preloaded on its laptops” for the next 20 years, which will be subject to third-party audits.
Lenovo will also have to get consumers’ “affirmative consent” before pre-installing similar software in the future.
The appropriately named “Superfish” was a marketing company and product that injected tailored ads into your search results.
The nasty part of Superfish was how it worked. Superfish would insert itself in the middle of your internet connections using a proxy. Instead of connecting directly to Website.com, you would first connect to the Superfish software, living within your computer, which in turn would connect to the website.
Lenovo shipped laptops with a root certificate owned by Superfish that was used in combination with its software to intercept your traffic. This allowed Superfish to view and analyze all your traffic across all browsers – data it needed to show you those tailored ads – essentially making it a super phish.
When you connected to Google.com, instead of seeing Google’s real certificate you were handed a fake certificate created on-the-fly by Superfish. Your browser treated that fake certificate as trusted because it was signed by the Superfish root certificate that Lenovo had pre-installed in the system trust store.
Spying on all your traffic for some extra cash is gross enough – but to make things worse, the private key for that root certificate was also shipped on Lenovo laptops. That made it very easy to maliciously misuse the Superfish root. An attacker could easily take the private key – which was re-used across every installation of Superfish – and view all user traffic. This would work wonderfully in the “coffee shop” scenario where the attacker and victim are on the same public Wi-Fi network.
When it comes to compromising HTTPS security, this is about as bad as it gets. A malicious CA has ultimate power – it can create certificates that can masquerade as trusted for any website without any noticeable difference to the user.
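The two properties described above (a root certificate installed into the system trust store, with its private key present on the same machine) are also what a defender can look for. The following PowerShell audit is an added example written for this article, not Lenovo’s or the FTC’s code; the `$WatchList` contents are an assumption taken from the product name in the text, and reading the LocalMachine store fully assumes an elevated session.

```powershell
# Added example: audit the Windows trusted-root stores for Superfish-style
# interception roots. Two signals are checked:
#   1. a root certificate whose private key is present on this machine. A genuine
#      public CA's root key never lives on an end-user device, and this is exactly
#      the condition that let the Superfish root be abused by anyone on the same
#      network;
#   2. a root whose Subject matches a watch list of known interception products
#      (only "Superfish" here, taken from the article; extend as needed).

$WatchList = @('Superfish')   # assumed watch list; names to look for in Subject

function Get-SuspiciousRoots {
    param(
        [string[]] $Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            $cert   = $_
            $reason = @()
            if ($cert.HasPrivateKey) {
                $reason += 'private key present on this machine'
            }
            foreach ($name in $WatchList) {
                if ($cert.Subject -like "*$name*") {
                    $reason += "subject matches watch list ($name)"
                }
            }
            if ($reason.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Reason     = ($reason -join '; ')
                }
            }
        }
    }
}

$findings = Get-SuspiciousRoots
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No interception-style root certificates found in the audited stores.'
}
```

A hit on either signal means the machine’s HTTPS trust is not anchored solely in public CAs; removing the certificate alone is not a complete fix, because the local proxy software that relies on it must be uninstalled as well.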
This incident made headlines in 2015, coming at a terrible time for Lenovo, which had recently become the world’s largest seller of PCs. US-CERT issued a security alert about the Superfish software and many outlets characterized it as malware.
Forbes believes Lenovo made less than $500,000 from Superfish for bundling the software with their laptops. While Lenovo is still the king of the PC market, this ordeal certainly cost it much more than half a million dollars.
Unfortunately, a $3.5 million fine is likely not enough to act as a real deterrent for other companies. As usual, a company’s gross abuse of user security comes with a rather insignificant punishment.
Superfish’s fate may be more appropriate. They closed the company and attempted to restart themselves as “Just Visual” in 2015, to get away from the negative press. But their website is no longer online, and many key employees no longer have the company listed as their current employer – so they may be dead for good after all.