Last week, PC maker Lenovo was called out for shipping laptops with adware, called “Superfish,” pre-installed – an incident that led Facebook to investigate the larger issue of SSL-sniffing software being packaged as seemingly harmless applications to users.
Facebook found that more than a dozen other applications used the same third party SSL decryption library from Komodia that Superfish relies on “to modify the Windows networking stack and install a new root Certificate Authority (CA),” the company revealed Friday on its Protect the Graph security blog.
When the Lenovo news surfaced last week, security experts noted that the Superfish issue allowing man-in-the-middle (MitM) attacks via a self-signed root certificate was so troubling, because it meant attackers could intercept encrypted SSL connections, and, ultimately, eavesdrop and steal or modify data belonging to users as they peruse webmail or sign into online banking, among other online activities.
Matt Richard, a threats researcher on Facebook's security team, who authored the Friday post, explained that the company teamed with Carnegie Mellon University researchers in 2012 to start tracking the prevalence of SSL MitM attacks in the wild.
Through its research, released soon after the Lenovo-Superfish news, Facebook observed a number of certificate issuers, including CartCrunch Israel LTD, WiredTools LTD, Say Media Group LTD, and ArcadeGiant, leveraging the Komodia library.
“Although this list is not exhaustive, it represents certificates seen in more than 1,000 systems on the internet at any given point in time,” Richard wrote. “Some of these applications appear as games, while others seem to generate pop-ups based on your search behavior or claim to perform a specific function like Superfish's Visual Search. What all of these applications have in common is that they make people less secure through their use of an easily obtained root CA, they provide little information about the risks of the technology, and in some cases they are difficult to remove," he said.
Facebook – which even detected software that was “more aggressively categorized as malware using Komodia's libraries,” such as the Windows trojan Nurjax – said that it was currently working with AV vendors to prevent similar infections among users in the future.
In a Monday interview with SCMagazine.com, Joe Siegrist, CEO of LastPass, a security company that created a security tool for users to check whether they have Superfish on their machine, said that after investigating the adware issue, LastPass found that a major browser maker outside of the U.S. appeared to be accepting invalid certificates generated by Superfish.
“In this particular case, the browser itself wasn't checking certificates at all,” Siegrist said, adding that the firm has not disclosed the company's name in order to give it time to resolve the security issue.
Ian Amit, Vice President of ZeroFOX, a social risk management and social media security firm, explained a practical way in which attackers could try to leverage MitM attacks against users running Superfish.
In a Monday interview, he said that simply uploading photos to social media networks, such as Facebook, Twitter or Flickr, where geolocation data is embedded in images, could prove useful to saboteurs.
“Once you know those users' locations, it's trivial to show up and abuse that [information] by claiming to be a Wi-Fi network [near them],” Amit explained. “It's very easy, even in a car next to their Starbucks or home, to pretend to be those wireless networks,” using Wi-Fi sniffing tools, he said. Amit added that attackers could, easily enough, pinpoint areas where Lenovo models running Superfish are likely to be – whether on university campuses or other locations where “finding those pockets of people on social media” is only a Google search away.
Soon after Lenovo apologized for its practice of pre-installing Superfish on customers' computers, security experts published directions on how to uninstall the adware and remove the certificate.
