Man-in-the-Middle Attacks on Lenovo Computers
It’s not just national intelligence agencies that break your https security through man-in-the-middle attacks. Corporations do it, too. For the past few months, Lenovo PCs have shipped with an adware app called Superfish that man-in-the-middles TLS connections.
Here’s how it works, and here’s how to get rid of it.
And you should get rid of it, not merely because it's nasty adware. It's a security risk. Superfish installs its own root certificate on the machine, and the private key for that certificate (the same key on every affected PC) was protected by nothing more than a password. Someone with the password (here it is, cracked) can sign a certificate for any site that your browser will then trust, and so perform a man-in-the-middle attack on your connections as well.
Since the story broke, Lenovo completely misunderstood the problem, turned off the app, and is now removing it from its computers.
Superfish, as well, exhibited extreme cluelessness by claiming its software poses no security risk. That was before someone cracked its password, though.
EDITED TO ADD (2/20): US CERT has issued two security advisories. And the Department of Homeland Security is urging users to remove Superfish.
EDITED TO ADD (2/23): Another good article.
EDITED TO ADD (2/24): More commentary.
EDITED TO ADD (3/12): Rumors are that any software from Barak Weichselbaum may be vulnerable. This site tests for the vulnerability. Better removal instructions.
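As an added example (not code from Lenovo, Superfish, or the original post), here is a local PowerShell check that complements the online test linked above: it walks every Windows certificate store for the Superfish root and offers an optional removal step. It assumes Windows PowerShell 3.0 or later and that the certificate's subject contains "Superfish", which matches the self-signed root Superfish installed (CN=Superfish, Inc.). The function names are my own.

```powershell
# Added example, not Lenovo's, Superfish's, or the post's own code.
# Assumes Windows PowerShell 3.0+ (needed for Remove-Item on the Cert: drive)
# and that the Superfish root certificate's subject contains "Superfish"
# (its CN is "Superfish, Inc.").

function Find-SuperfishCertificate {
    # Walk every store the Cert: provider exposes (CurrentUser and LocalMachine,
    # all containers). Store containers are skipped; only certificates are examined.
    Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' } |
        ForEach-Object {
            [PSCustomObject]@{
                Store      = ($_.PSParentPath -split '::')[-1]   # e.g. LocalMachine\Root
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Path       = $_.PSPath                           # used for removal
            }
        }
}

function Remove-SuperfishCertificate {
    # Deletes every certificate Find-SuperfishCertificate reports.
    # Removing from LocalMachine stores requires an elevated (Administrator) shell;
    # -WhatIf gives a dry run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $found = @(Find-SuperfishCertificate)
    if ($found.Count -eq 0) {
        Write-Output 'No Superfish certificate found in any store.'
        return
    }
    foreach ($cert in $found) {
        if ($PSCmdlet.ShouldProcess("$($cert.Store) $($cert.Thumbprint)", 'Remove certificate')) {
            Remove-Item -Path $cert.Path
        }
    }
}

# Report first. Remove the certificate only after the Superfish application itself
# has been uninstalled (Control Panel > Programs and Features, "Superfish Inc. VisualDiscovery").
Find-SuperfishCertificate | Format-Table -AutoSize
# Remove-SuperfishCertificate -WhatIf   # dry run
# Remove-SuperfishCertificate           # actually delete, from an elevated shell
```

Run it from an elevated shell if you intend to remove anything from the LocalMachine stores. Two caveats: the match is on the subject and issuer strings only, so a reissued certificate under a different name would not be caught; and Firefox and Thunderbird keep their own certificate stores, which the Cert: drive does not expose, so check those separately (or use the removal instructions linked above, which cover them).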
Anura • February 20, 2015 4:01 PM
A lot of corporate organizations do this too. Where I work, every single computer has a corporate root certificate installed which allows them to perform a man in the middle against all SSL connections so they can scan the content. Now, they generate their own certificate. This is a much more stupid implementation in which everyone uses the same root certificate and the private key is accessible to anyone with access to a Lenovo, pretty much rendering signed certificates useless.