Irreal

The lawyers will be happy.

Apologies to Jimmy Durante but everyone, it seems, is waging man-in-the-middle attacks. The latest perpetrator is the provider of in-flight WiFi, Gogo. Google security engineer Adrienne Porter Felt, while on a flight, discovered that Gogo was serving up fake SSL certificates that claimed to be from Google.

Unlike the SuperFish exploit, Gogo couldn’t put a fake root CA certificate on their users’ laptops so those users got a warning that the Google certificate was not signed by a trusted issuer. Of course many users don’t understand any of that stuff and just click OK. Once they do, Gogo can read their HTTPS conversations.

Gogo’s excuse is that there is very limited total bandwidth available for everyone on the plane so they want to prevent users from streaming video from YouTube, which is prohibited by their terms of service. That’s reasonable. What’s not reasonable is staging a man-in-the-middle attack on their users to enforce that prohibition. Add in what some describe as Gogo’s over solicitous cooperation with law enforcement and you can see why privacy advocates are concerned.

Really, this behavior should be illegal. Arguably, it already is but it needs to be made explicit: break into an HTTPS connection and you get treated just like any other cracker regardless of your reasons. In the mean time, spread the word: Never continue with a connection that your browser warns is questionable.

It’s infuriating that Lenovo continues to deny that SuperFish is a security threat. They keep saying that they’ve stopped installing it but that in any case SuperFish didn’t collect or store any private information. Doubtless that’s true but it’s a straw man that no one is claiming. The problem is that SuperFish installed a fake CA root certificate and that this certificate can be and was recovered by third parties. Anyone holding that certificate can easily set up a man-in-the-middle attack in coffee shops and other places offering free WiFi.

Robert Graham, who demonstrated how easily the certificate could be extracted has provided a demonstration of a working MITM attack. He shows it collecting a (fake) login credential to Bank of America. Yet, Lenovo continues to say, “We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.”

If you have an infected Lenovo laptop, Graham’s demonstration should terrify you. Everything you do is subject to surveillance by anyone with a modicum of technical ability. Or for that matter, anyone who can read Graham’s article.

Lenovo, to their credit, has made a SuperFish removal tool available on Github. The Github repository also has a link where you can download an executable. If you’re paranoid—and who could blame you—you can read the code and build the app yourself. Again, if you have an infected laptop, it’s imperative that you do this. Either that or share your banking credentials with J. Random Cracker.

Just in case you think that man-in-the-middle attacks are just for the victims of Lenovo’s shenanigans, there’s this

.@mountain_ghosts Such as this lovely device, which goes by the Orwellian name of an "SSL Visibility Appliance": https://t.co/TEmLfOTZnt

— Nick Stenning (@nickstenning) February 21, 2015

You’ve almost certainly heard about the astoundingly stupid actions on the part of Lenovo. Forget about the security implications for a minute. What this boils down to is that Lenovo sold out their customers for a few pieces of silver by installing adware that, despite Lenovo’s protestations, no customer would want. Think about that for a moment. You pay good money for a relatively expensive product and the company selling it to you purposely makes it less useful than what you thought you were buying: unwanted ads pop up and other software stops working.

But of course security is the main story here. The adware, SuperFish, works by intercepting the victim’s HTTP stream so that it can inject ads. That’s bad but even worse is that it also snooped on SSL/TLS (HTTPS) connections by waging a man-in-the-middle (MITM) attack. It’s as if Lenovo had never heard of what happened when sony tried something like this. The spying on encrypted connections is arguably illegal and you can be sure there will be law suits, perhaps from the states as happened in the Sony case. Regardless, Lenovo’s reputation has suffered significant, perhaps mortal, damage.

But it gets worse. The MITM attack was effected by installing a self-signed certificate to act as a trusted CA certificate. Of course, if SuperFish could use the certificate, so could anyone else. SuperFish encrypted it but, obviously, the key to the encryption had to be in the binary in order for SuperFish to use it. It took Robert Graham no time at all to recover the key and decrypt the certificate. That means that anyone using an infected laptop at a coffee shop or some other public WiFi hot spot is subject to being hacked.

Lenovo’s reaction to all this is appalling. The best interpretation is that they’re clueless about the security implications. The more likely explanation is that they’re in CYA mode. Lenovo continues to insist that SuperFish represents no security problems despite Graham’s definitive demonstration to the contrary. As I said, expect law suits.

UPDATE: certificated → certificate

UPDATE2: I just don’t understand this. Lenovo has proven they don’t care about their users or their safety. Why would you reward them with your trust or money?

UPDATE3: Here’s Robert Graham again putting the lie to Lenovo’s “theoretical concerns” with an actual working exploit. If you’ve got one of these laptops, you need to take action immediately.