It was almost a year ago, late in February 2015, that laptops shipped by PC maker Lenovo were found to have adware called “Superfish” pre-installed. Following this incident, Facebook investigated the broader issue of SSL-sniffing software being packaged as seemingly harmless applications.
This is what Facebook stated in a post titled ‘Windows SSL Interception Gone Wild’, published on 20 February 2015: “This week researchers found that newer Lenovo laptops shipped with pre-installed software made by Superfish. The discovery is the latest reminder that our collective security depends on one another more than ever. As the news quickly rippled out, our Threat Infrastructure team at Facebook began performing an analysis of the details.”
Facebook found that, although it is not uncommon to ship devices with pre-installed applications, the Superfish one was different. The Facebook post said: “It’s not uncommon for OEMs to ship devices with a number of pre-installed applications. The difference with Superfish is the software’s ability to intercept people’s connections to websites secured with SSL and then inspect the content. Superfish uses a third party library from a company named Komodia to modify the Windows networking stack and install a new root Certificate Authority (CA), allowing Superfish to impersonate any SSL-enabled site. The new root CA undermines the security of web browsers and operating systems, putting people at greater risk. The stated reason for this inspection functionality is to enable the Superfish Visual Search capability that looks at people’s search queries and makes suggestions based on proprietary processes.”
According to Facebook, the Superfish-Lenovo incident raised two problems: a loss of privacy, and the possibility of “man-in-the-middle” (MITM) attacks. Privacy is affected because the Superfish software could “see all of the computer user’s activity, including banking, email and Facebook traffic”. The MITM problem stems from the software installing a new root CA whose private key is shared by every installation. The Facebook post says: “The second problem is the use and installation of a new root CA, especially when that root CA is the same across many different computers. By reusing the same certificate, a bad actor could potentially obtain that CA file and perform “man-in-the-middle” (MITM) attacks on untrusted networks like public WiFi, set up authentic-looking phishing pages, or sign software that makes people vulnerable to other malicious code as they browse the internet.”
Facebook clarified that it had no knowledge of “anyone abusing this certificate in the wild”, but agreed that it posed a serious risk.
Facebook researchers observed more than a dozen other software applications using the same third-party library from Komodia, and many of them looked suspicious. They also published a list of the certificate issuers they observed, adding: “Although this list is not exhaustive, it represents certificates seen in more than 1,000 systems on the internet at any given point in time. Some of these applications appear as games, while others seem to generate popups based on your search behavior or claim to perform a specific function like Superfish’s Visual Search. What all of these applications have in common is that they make people less secure through their use of an easily obtained root CA, they provide little information about the risks of the technology, and in some cases they are difficult to remove. Furthermore, it is likely that these intercepting SSL proxies won’t keep up with the HTTPS features in browsers (e.g., certificate pinning and forward secrecy), meaning they could potentially expose private data to network attackers.”
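The practical check that follows from the two passages above (the shared root CA that enables MITM, and Facebook's non-exhaustive list of issuers) is to audit the Windows trusted root stores on your own machines. The script below is an added example, not code from Facebook's post, Lenovo or Komodia. It flags any trusted root whose subject names Superfish or Komodia (the only two names the article gives; any further names in `$SuspectNames` are your own assumption) and any trusted root that carries a private key, since a client-side proxy needs that key to mint leaf certificates on the fly. The thumbprint is reported so it can be compared across a fleet: the same thumbprint on many hosts is exactly the “same root CA across many different computers” problem Facebook describes.

```powershell
# Added example (not from the Facebook post, Lenovo or Komodia): audit the
# Windows trusted root stores for certificates that look like an
# SSL-intercepting CA of the Superfish/Komodia kind.
# Run from an elevated PowerShell so the LocalMachine store is readable.

# Subject-name fragments to flag. 'Superfish' and 'Komodia' are taken from
# the article; anything you add here is your own assumption.
$SuspectNames = @('Superfish', 'Komodia')

# Interception software may install into the per-user or the machine-wide
# trusted root store, so both are audited.
$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$Findings = foreach ($Store in $Stores) {
    foreach ($Cert in Get-ChildItem -Path $Store) {
        $Reasons = @()

        # 1. Subject matches a known interception-vendor name.
        foreach ($Name in $SuspectNames) {
            if ($Cert.Subject -match [regex]::Escape($Name)) {
                $Reasons += "subject matches '$Name'"
            }
        }

        # 2. A trusted root whose private key is present on a client machine
        #    is what an intercepting proxy needs to sign leaf certificates for
        #    any site. Heuristic only: a product may keep the key inside its
        #    own binary instead, so a miss here is not a clean bill of health.
        if ($Cert.HasPrivateKey) {
            $Reasons += 'private key present in root store'
        }

        if ($Reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $Store
                Subject    = $Cert.Subject
                Issuer     = $Cert.Issuer
                # Compare thumbprints across machines: one thumbprint seen on
                # many hosts means one shared CA key protects all of them.
                Thumbprint = $Cert.Thumbprint
                NotAfter   = $Cert.NotAfter
                Reasons    = ($Reasons -join '; ')
            }
        }
    }
}

if ($Findings) {
    $Findings | Format-Table -AutoSize
} else {
    Write-Output 'No suspect root certificates found in the audited stores.'
}
```

Deleting a flagged certificate alone (for example with `Remove-Item` on its `Cert:` path) is not a fix: the proxy software that installed it can simply reinstall it, which is why Facebook notes that some of these applications are difficult to remove. Uninstall the software first, then remove the certificate and re-run the audit.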
It is commendable that Facebook carried out such a thorough study, but the lasting impression left by the Superfish-Lenovo incident is that Facebook and its users are, in all likelihood, going to face more SSL-sniffing adware of this kind in the days to come.