Yes, the Lenovo-Superfish security hole was the biggest tech-customer betrayal in a decade. It was ghastly that Lenovo unwittingly preinstalled security-defeating adware/malware on some of its laptops. And now we know this: It gets worse.
Microsoft, long used to cleaning up the messes of terrible Windows apps, stepped in late last week and updated its antivirus software to remove Superfish’s adware, which opened up numerous Lenovo laptop models to trivially simple man-in-the-middle attacks from anyone on your Wi-Fi network. Consequently, the immediate damage appears to have been at least partly contained. (You can bet there were some angry phone calls from Microsoft execs to Lenovo.) Yet the details that have emerged since then reveal irresponsible and incompetent behavior on the part of numerous companies (not just Lenovo and Superfish), establish that the security hole was even worse than it already seemed (not an easy feat), and indict a number of other software publishers foolish enough to use it—including antivirus makers.
There are three major players in the debacle: Lenovo, the “visual search” startup Superfish, and software “solution provider” Komodia. Lenovo included Superfish’s adware on its laptops. In order to inject its own recommendations into users’ search results, Superfish used Komodia’s technology in its adware. Lenovo has distanced itself from Superfish; Superfish has pointed the finger at Komodia. In the face of Lenovo’s initial denials, shrugs, and dismissals of security concerns, it was initially difficult to assess exactly how the disaster occurred. Now that Lenovo’s done a 180 and is groveling for forgiveness, we know enough to conduct a postmortem. And thanks to the great work of security researchers Rob Graham, Marc Rogers, Filippo Valsorda (who made a Superfish-tester Web page), and others, we can trace how the security hole wormed its way into Lenovo’s factory installs.
So were Lenovo, Superfish, and Komodia acting out of ill intentions, or just haplessness? I’ve given them scores on both counts, although I tend to side with Goethe on such matters. As he put it, “Misunderstandings and indolence cause more mishaps in this world than cunning and malice do.”
Lenovo went from dismissing concerns over Superfish’s adware to cutting all ties with the company in days. What Lenovo didn’t say is how on earth it let Superfish’s disasterware onto its laptops in the first place. Infoworld’s Simon Phipps got an interview with Lenovo vice president Mark Cohen, who’s responsible for Lenovo’s “Windows Ecosystem,” that revealed the backstory:
Cohen went on to explain that Lenovo had screened the software from Superfish before it was installed on Lenovo's consumer laptop lines last September and had asked Superfish to remove certain features that abused SSL connections. Superfish claimed it did this for Lenovo, which then felt confident to ship a feature Cohen told me it saw as a value-add rather than as adware. Cohen claimed the company was unaware of the certificate injection issues until yesterday.
I am inclined to believe most of Cohen’s story because it makes Lenovo look terrible. First off, Lenovo knew that Superfish messed with SSL connections before it had even shipped it. Rather than dropping Superfish like a rock, which is what you’re supposed to do when a software partner compromises your customers’ security, it told Superfish to fix it. Second, after Superfish claimed to have fixed it, Lenovo didn’t bother to check the fix. In other words, Lenovo’s protocols for validating preinstalled third-party software are somewhere between broken and nonexistent.
Lenovo’s latest apology promises “a concrete plan to address software vulnerabilities and security with defined actions that we will share by the end of the week.” It is entirely fair to question whether they know how to do this. So far, Lenovo’s actions so far don’t inspire confidence. The Superfish incident speaks not just to a security problem, but to an organizational one in which any competent voices were either missing or ignored. From firsthand experience, I can tell you such problems don’t go away with a wave of the hand. A change in culture—and usually in people—is necessary.
There’s been much talk of thin profit margins on consumer PCs and the trend of manufacturers installing bloatware in order to make a few extra pennies on each sale. That may well have been the underlying motive (only a dope would consider ad-injecting malware to be “value-add”), but after the security vulnerability became known to Lenovo, the company should have deemed Superfish more trouble than it’s worth. Did someone at Lenovo push to keep Superfish in? Did Superfish have connections to Lenovo? Regardless, Lenovo’s negligence is simply off the charts, even if it stemmed from little more than corporate penny-pinching.
Evil Rating: 2/5
Incompetence Rating: 5/5
Superfish is a much sleazier story. The company offers a clever yet intrusive form of adware that injects its own results into your searches. By doing this on secure Web pages, using “SSL hijacker” technology purchased from Komodia, Superfish catastrophically compromises the security of your entire machine. A software company cannot integrate an “SSL hijacker” into its product without having some idea of what it’s doing.
Superfish CEO Adi Pinhas apparently comes from the “Never apologize, never explain” school of startup management: Even after being abandoned by Lenovo, he’s sticking to the line that he did nothing wrong. Instead the company blamed “false and misleading statements made by some media commentators and bloggers.” “A vulnerability was introduced unintentionally by a third party,” Pinhas pleaded, pointing the finger at Komodia. He insisted last week that Lenovo and Superfish had tested the software. Since then, Pinhas has gone off the grid. Mashable’s JP Mangalindan showed up at Superfish’s headquarters, only to find the place deserted before an apparent employee told him to leave the building.
Could Superfish possibly care about getting things right? It bought a dubious piece of code from Komodia that was actually marketed as an “SSL hijacker” and included it in its own software because it did what the company wanted. The words “SSL hijacker” should give pause to any responsible tech executive. By that measure, Pinhas is not a responsible tech executive. Unlike other companies that used Komodia (more on that below), Pinhas has displayed no interest in making things right, coming clean, or taking responsibility. Lenovo can be fixed, but with such venal leadership, Superfish cannot be.
In a January interview, Pinhas extolled the Tel Aviv startup culture: “We are not saying ‘Sorry;’ we are saying straight to your face, ‘This is a stupid idea.’ ” To Pinhas, I say: Using an SSL hijacker is a stupid idea. Superfish is a stupid idea.
Evil Rating: 4/5
Incompetence Rating: 6/5
Komodia is an object lesson in a little knowledge being a very dangerous thing. The company appears to be the brainchild of a single programmer, Barak Weichselbaum, who marketed an “SSL Digestor”/”SSL Hijacker” that not only defeated SSL security connections but contained the security hole that compromised all certificates on a machine—a true worst-case scenario. Weichselbaum was smart enough to figure out how to defeat SSL certificate authentication, but not smart enough to realize he was defeating user security itself in the process.
Weichselbaum has helpfully documented the history of his security-buster on his Komodia blog. He details his adventures with Windows’ network-intercepting “Layered Service Providers” (LSP). I have programmed LSPs: They are invasive, they are fragile, and they make me very nervous. Such concerns did not seem to trouble Weichselbaum. In 2009, he happily writes of his progress:
Good news is that our SSL hijacker has entered beta stage and is now working quite good, some fixes are still needed to make it work great but that's quite an achievement, specialy [sic] that there's no other product on the market that does that, without alerting the user that is.
His ingenuousness over the project makes for painful reading:
I have core functionality of an “SSL” hijacker which allows me to inspect and modify encrypted SSL data without alerting the browser.
Right, well, points for honesty. Paragraphs like this show Weichselbaum not to be some evil mastermind but a callow and opportunistic programmer looking to make a buck by doing something that hasn’t been done before.
Not an evil genius: Komodia’s Barak Weichselbaum explains his “SSL hijacker” technology.
I don’t want to downplay Weichselman’s astonishingly poor judgment, but I have to stress that he’s not the primary culprit here. Plenty of eager engineers build all sorts of irresponsible things and try to sell them to anyone willing to pay. Weichselbaum’s naive indifference to security makes it that much more appalling that other companies bought into his product without a second thought. Weichselbaum even called it an “SSL hijacker” and an “SSL digestor,” terms that should set off alarm bells in any security-conscious company. The problem isn’t that Weichselbaum wrote crap software; it’s that Superfish didn’t care enough to check, or simply didn’t care at all.
Evil Rating: 1/5
Incompetence Rating: 11/5
But it gets worse: Weichselman really opened the gates to hell. Ars Technica’s Dan Goodin has chronicled how Komodia’s little skeleton key has made it into a lot of other software, including parental control software and anti-adware software. According to one security researcher, parental control software Qustodio uses Komodia’s hijacker and bundles Komodia’s rootkit alongside it. Antivirus company Lavasoft rather ironically bundled Komodia into its Ad-Aware Web Companion. (To its credit, Lavasoft came clean immediately.) And security researcher Hanno Böck has described how the latest version of PrivDog, a piece of adware marketed as “privacy technology,” used the same exploit as Komodia to even more dangerous effect. The CEO of PrivDog creator AdTrustMedia is Melih Abdulhayoglu, who also happens to be CEO of Comodo Security, respected antivirus providers and one of the main certificate-issuing authorities. Naturally, Comodo has endorsed PrivDog and included PrivDog in its own antivirus suite Comodo Internet Security. Comodo users dodged a bullet, because PrivDog only started hijacking certificates in its latest standalone version. Yet the sight of a CEO creating software that defeats his own company’s certificates and security software could serve a mortal blow to Comodo’s reputation.
When even companies like LavaSoft and Comodo are attacking and compromising their own users’ security without doing due diligence, something is very broken in our software-development process. That they are doing it merely to show ads is even more galling. And the ease of manipulating certificates indicates that programmers need to better understand the trust mechanisms of certificates as well as construct safeguards that prevent intentional or unintentional manipulation of them, rather than just assuming Microsoft will clean up their messes. While Lenovo and Comodo will deservedly take the brunt of the beating because they really should have known better, there is no question that there is a larger epidemic of irresponsibility at work here. A lot more care for security and for the consumer is needed in order to prevent the free spread of dangerous nonsense like Komodia. As tech law professor James Grimmelmann put it, “The fact that there are people who will use man-in-the-middle attacks against SSL to show ads does not augur well for the future of humanity.”