February 19, 2015 at 17:57Lenovo laptops come with Superfish malware and its CA certificate and private key in the vault
The Superfish program, which comes with Lenovo Y50, Z40, Z50, G50 and Yoga 2 Pro laptops, is a typical Malware that listens to traffic, analyzes user searches and inserts ads on pages of third-party sites. This application works at the system level, intercepting, including, HTTPS traffic. To do this, the application installs the Superfish CA certificate in the Windows keystore and proxies all traffic between the host and browser, replacing the certificate with your own. This software has been supplied since at least June 2014. The first message about this program on the Lenovo forum is dated September 2014.
This news in itself is already unpleasant, but today one detail has become known that significantly increases the level of danger for the owners of these laptops: it turned out that inside the program there is not only a public CA certificate, but also a private key to it, in an encrypted form. There is no problem finding a password for this key - “komodia”: supersat
twitter image
This means that any attacker who is able to carry out a MitM attack (for example, on a public Wi-Fi network) can use this certificate to proxy HTTPS- traffic through your computer and decrypt it unnoticed by the victim.
Lenovo representative on the forum reportsthat they stopped delivering this software with new laptops since January 2015 and turned off Superfish for all owners of laptops already purchased. An instruction is available for removing malware , which, however, does not include removing the root certificate from the store.
Service for checking the availability of Superfish certificate in OS storage
Certificate and private key Superfish in PEM format
Article in Forbes (does not mention the presence of a private key)
Article from Marc Rogers (does not mention the presence of a private key)
Article from Errata Security
How did you get the private key and password
Information on EFF
Windows Defender Detects Superfish
This news in itself is already unpleasant, but today one detail has become known that significantly increases the level of danger for the owners of these laptops: it turned out that inside the program there is not only a public CA certificate, but also a private key to it, in an encrypted form. There is no problem finding a password for this key - “komodia”: supersat
twitter image
This means that any attacker who is able to carry out a MitM attack (for example, on a public Wi-Fi network) can use this certificate to proxy HTTPS- traffic through your computer and decrypt it unnoticed by the victim.
Lenovo representative on the forum reportsthat they stopped delivering this software with new laptops since January 2015 and turned off Superfish for all owners of laptops already purchased. An instruction is available for removing malware , which, however, does not include removing the root certificate from the store.
Service for checking the availability of Superfish certificate in OS storage
Certificate and private key Superfish in PEM format
Article in Forbes (does not mention the presence of a private key)
Article from Marc Rogers (does not mention the presence of a private key)
Article from Errata Security
How did you get the private key and password
Information on EFF
Windows Defender Detects Superfish