In his 1983 Turing Award acceptance speech, “Reflections on Trusting Trust”, Ken Thompson popularized the concept of a compiler backdoor where the compiler not only inserts a backdoor during compilation of a program but also compiles in the code that inserts the backdoor when compiling itself.
The core idea of his speech is that we can only trust a machine to be secure if we trust every layer of it. As very few of us have the time, skill, or resources to audit every aspect of the computers we use, we have no choice but to trust the security of many of the layers.
In our modern, interconnected world, layers of trust are the backbone of SSL-secured communication. The certificate presented by a server is not a single certificate but a chain of certificates, where each link in the chain is signed, and therefore vouched for, by the one above it. This continues upward until a root certificate is reached. But who certifies the root? The root certificate is accepted as authentic by decree.
There isn’t just one certificate authority in the world. There are hundreds or thousands, each with its own root certificate. Each website a user visits on a normal day could use a certificate issued by a different authority. It would be a user’s nightmare to have to find, validate and install the certificate of the root authority each time a new one was encountered.
To simplify this process, web browsers and operating systems come pre-installed with a number of root certificates. As we inherently trust the operating system out of the box, we also trust the certificates that the manufacturer has said are valid and trustworthy. As the keeper of this trust, the web browser or operating system’s root certificate store is sacrosanct. But this trust has been violated.
Recent Lenovo laptops come pre-installed with software called SuperFish. This software acts as an SSL man-in-the-middle in order to collect data and inject ads into websites. This is accomplished seamlessly because SuperFish installs its certificate as a root certificate in the Windows root certificate store. Any certificate SuperFish generates will be validated unquestionably, as if it were issued by Microsoft itself.
But, it gets worse. The SuperFish root certificate is installed without any restrictions. This means that malicious software signed with a SuperFish-generated certificate will also be implicitly trusted by the operating system. Should the SuperFish private key be extracted, which has already happened, anyone would be able to intercept the communications or generate valid software signatures for these computers.
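The chain-of-trust description above and the "installed without any restrictions" point in concrete terms: an added Go example, not code from the original post, using only constructed keys and names (the certificate pool stands in for the operating system's root store). It builds a self-signed root with or without an Extended Key Usage restriction, issues a leaf from it, and asks the verifier whether that leaf is acceptable for code signing; a root carrying no EKU vouches for every purpose, which is exactly what lets a root meant for TLS interception also bless signed software.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign issues tmpl under parent's key; passing tmpl as parent yields a self-signed root.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}

// LeafTrustedFor builds a constructed root CA carrying rootEKU (nil = no EKU extension,
// i.e. trusted for every purpose), issues a leaf from it, and reports whether the leaf
// verifies against that root when the verifier requires the given usage.
func LeafTrustedFor(rootEKU []x509.ExtKeyUsage, usage x509.ExtKeyUsage) bool {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, ExtKeyUsage: rootEKU,
	}
	root := sign(rootTmpl, rootTmpl, &caKey.PublicKey, caKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "constructed-leaf.example"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage},
	}
	leaf := sign(leafTmpl, root, &leafKey.PublicKey, caKey)
	pool := x509.NewCertPool() // stands in for the OS root certificate store
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err == nil
}

func main() {
	fmt.Println("unrestricted root, code signing:", LeafTrustedFor(nil, x509.ExtKeyUsageCodeSigning))
	fmt.Println("server-auth-only root, code signing:", LeafTrustedFor([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, x509.ExtKeyUsageCodeSigning))
}
```

The first line prints true and the second false: a root limited to TLS server authentication cannot vouch for signed software, while a root with no EKU at all can.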
When a user can no longer trust their computer out of the box something is broken.
Removing the SuperFish software is not a complete remediation of the issue because the root certificate also has to be removed from the certificate store. More information on how to remove SuperFish, including Microsoft’s step-by-step guide and a list of official root certificates, can be found in this post: What You Need to Know About Superfish, The Man-in-the-Middle Adware Installed on Lenovo PCs.
As the fallout from this continues, Tripwire Security Analyst Ken Westin points out that it will be interesting to see how this affects Lenovo's sales and brand reputation.
“With increasingly security- and privacy-conscious buyers, laptop and mobile phone manufacturers may well be doing themselves a disservice by seeking outdated advertising-based monetization strategies,” he said.
“If the findings are true and Lenovo is installing their own self-signed certificates, they have not only betrayed their customers’ trust, but also put them at increased risk.”