An Object Lesson in Response: Lenovo Breaks SSL Trust, Bungles Messaging
February 20, 2015 Leave a comment
- Don’t break security protocols for the sake of a few shekels. The loss of trust from customers far outweighs the benefits.
- Don’t try to downplay the severity of your mistake. Doing so will only hinder efforts to regain customer trust.
There seems to be a neverending series of object lessons from overzealous IT vendors looking to increase their bottom line by exploiting the trust of their customers. This week, news broke causing shock and outrage that Lenovo had installed a broadly permissive CA certificate and secret key into the trusted certificate store of consumer laptops it sold, allowing it to vouch for anything. Lenovo also installed software on new consumer laptops that intercepted web connections and analyzed web images and then inserted targeted advertising into web pages to help. The intended purpose of Superfish, according to Mark Hopkins, program manager of Lenovo’s Social Media (Services) is to “[help] users find and discover products visually … [and] presents identical and similar product offers that may have lower prices,” said in one of its forums.
Superfish got into the middle of supposedly secure SSL and TLS connections by generating web site certificates and signing them with the permissive CA certificate on the fly. You thought you had an end to end encrypted session with your bank but in reality, Superfish was in the middle decrypting the session, analyzing the content for targeted advertising, potentially inserting ads, and then encrypting the session.
The trust in SSL/TLS is based on having a trusted CA certificate on the client computer which the browser can use to validate websites using SSL/TLS. By installing a certificate on the computer, Lenovo subverted the entire trust model of an already fragile system. But it doesn’t stop there. Lenovo representatives have been attempting to downplay the severity of Superfish saying the attacks are theoretical and that they, Lenovo, have seen no nefarious activity. However, Steve Ragan over at CSO Online has posted a blog showing a thoroughly practical attack. Lenovo should never have installed Superfish on its system images and put its customers at risk.
Regardless, there are some lessons for IT vendors:
- Neither customers nor content providers want third parties injecting ads into their web experience so don’t be helpful and do it for them. It will only raise the ire of the Internet and cause lots of outrage directed at your company.
- Don’t break your customer’s security for any reason, ever. Injecting ads into HTTP might have earned Lenovo a black eye. Breaking TLS and creating a security problem that extends far outside the scope of Superfish is going to result in a lack of trust and confidence in Lenovo, and is already a PR nightmare.
- Don’t try to downplay the severity of the problem because it only makes the company look as if they don’t have a clue about security and further brings into question how trustworthy the company is.
- Don’t change parts of your official statement to cover up mistakes like Lenovo did by removing “We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns” from their official statement because it further erodes consumer trust.
- Move swiftly to rectify the situation for customers. Lenovo did move quickly to tell customers how to remove the Superfish software after the story “broke” this week, but forum posts go back to September 2014.