Lenovo's Superfish adware cracked with relative ease, exposing users to attacks

This story just keeps getting worse for Lenovo. After getting called out for inserting additional ads into users' browsing experience and claiming to have disabled and stopped installing the offending software, Lenovo's "Superfish" adware has seen its certificate cracked by security researchers. The worst part is, it evidently was easy to break the app's security. The end result is that affected Lenovo computer users — and there are potentially hundreds of thousands of them — could see their computers needlessly exposed to attack.

Per computer security researcher Rob Graham:

"I extracted the certificate from the SuperFish adware and cracked the password ("komodia") that encrypted it. […] The consequence is that I can intercept the encrypted communications of SuperFish's victims (people with Lenovo laptops) while hanging out near them at a cafe wifi hotspot."


The worst part is that the certificate was cracked using a run-of-the-mill dictionary attack, running through words in the dictionary until access was granted. And so, within 10 seconds, Graham was in and able to run "man-in-the-middle" traffic interception attacks on any affected Lenovo user with Superfish installed.
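Because the risk comes from the Superfish root certificate sitting in the Windows trusted root store, the practical first check for an affected user is whether that certificate is present. The following PowerShell snippet is an added example and not part of the article or of any Lenovo or Superfish tooling; it assumes the certificate's subject contains the string "Superfish" (the article names the adware but does not print the certificate's subject, so the match pattern is an assumption) and looks in both the machine-wide and current-user root stores.

```powershell
# Added example (not from the article): report any trusted root certificate
# whose subject mentions Superfish. The '*Superfish*' pattern is an assumption;
# adjust it if the subject on your machine reads differently.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$hits = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like '*Superfish*' } |
        Select-Object @{ Name = 'Store'; Expression = { $store } },
                      Subject, Thumbprint, NotAfter
}

if ($hits) {
    # A hit means any site certificate signed by this root would be trusted by the
    # browser, which is exactly what makes the interception described above work.
    $hits | Format-Table -AutoSize
} else {
    Write-Output 'No Superfish root certificate found in the root stores.'
}
```

Run it from an elevated PowerShell prompt so the machine store is readable. If it reports a hit, the entry can be inspected and removed through certmgr.msc, and the thumbprint it prints is the value to compare against whatever your endpoint tooling flags.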

What's frightening about this sort of attack is that it offers access to your outgoing and incoming data. The attacker can simply record it, or can actually intercept and change what you're downloading or uploading, all without your knowledge.

Source: Errata Security; Via: The Verge

Derek Kessler

Derek Kessler is Special Projects Manager for Mobile Nations. He's been writing about tech since 2009, has far more phones than is considered humane, still carries a torch for Palm, and got a Tesla because it was the biggest gadget he could find. You can follow him on Twitter at @derekakessler.