Lenovo’s CTO has admitted the company made a mistake by installing Superfish adware on PCs that left the machines open to attack. From SIMs to spies, this week was a reminder the threat is closer than you realise.
Lenovo CTO Peter Hortensius confirmed that the factory installed adware assigns itself certification authority on computers and could leave machines vulnerable to man-in-the-middle attacks by intercepting web traffic and issuing a security certificate that hackers can spoof.
Lenovo has conducted an engineering review and has confirmed the severity of the risk as “high.”
If this past week has thought us anything it is that we have been looking at security entirely the wrong way.
Earlier this week it seemed the two most dangerous things on the planet – technologically and financially – were those unicorns in San Francisco who could topple the entire tech economy with their hyper valuations and Russian president Vladimir Putin who has been buzzing supersonic nuclear jets around the English channel.
The most sophisticated cyber attack group on the planet
Hooded hacker image via Shutterstock
But now it appears a more insidious threat exists on the very machines that sit on our desks or in our pockets. The very machines we use – or have been using – could have been compromised before we started using them or right now are vulnerable to being hacked.
It appears that new computers can be intercepted before they leave the factory or en route to the customer and infected with undetectable malware. In a report this week Russian security software maker Kaspersky Labs outlined the tools and techniques used by the Equation Group, but stopped short of linking them to the NSA or the US government’s Cyber Command.
The Equation Group, described by Kaspersky as “one of the most sophisticated cyber attack groups in the world” has been active since 1996 and uses a specific implementation of the RC5 encryption algorithm through their malware.
As well as web-based exploits the Equation Group infected victims using physical media like CD-ROMs, USB sticks and hard drives.
One novel way of attacking victims included giving CD-ROMs to delegates at a scientific conference in Houston, Texas.
Another way of attacking institutions or suspects was by intercepting computers that were about to leave the US and replace them with a “trojanised” version.
It says it has identified several malware platforms used by the group, including a worm that uses the same zero-day vulnerabilities found in Stuxnet. Stuxnet disabled 1,000 centrifuges in Iran’s nuclear programme and was part of a programme code-named Olympic Games run jointly by the US and Israel.
Countries hit by Equation include Iran, Russia, Pakistan, Afghanistan, India and China and targets included telecoms companies, embassies, research institutions and Islamic scholars.
Few people who buy PCs tolerate the adware that comes on new machines, but with the Lenovo/Superfish debacle things have gotten ugly. Catfish ugly.
Lenovo says it has had a minor commercial relationship with Superfish, but this is one situation it has come to rue. Ostensibly Superfish was designed to improve the web experience of users by noting the images you see during searches to improve discovery.
“So, instead of selling clicks to potential advertisers based on the words you read, Superfish can sell clicks based on the images you see,” explained Paul Ducklin in the Naked Security blog.
“That sounds OK, assuming that you are aware that Visual Discovery was installed onto your computer, and assuming that the software keeps track of your browsing in a way that doesn’t put your online privacy and security at risk.
“Unfortunately, for many users of Lenovo computers, that wasn’t the case.”
The Superfish adware included a proxy or filter that intercepted traffic before it reached the user’s browser. “Instead of treating your HTTPS traffic as sacrosanct, and leaving it alone so it remains end-to-end encrypted all the way from the server to your browser, Superfish uses keybridging, also known as Man in The Middle, or MiTM.”
This Ducklin asserts could enable hackers to create fake certificates for any site it likes, at any time, and then unilaterally sign those certificates to make them trusted.
The bottom line is every site you visit whether it’s your bank or an e-commerce site could be at risk. “The Superfish certificate could be abused by cyber crooks not only to trick you into trusting a fake website, but also to trick you into trusting any software that you download from it,” said Ducklin who issued removal instructions for anyone who bought a Lenovo notebook between September 2014 and February 2015.
The SIMs! The SIMs are attacking us
SIM card image via Shutterstock
Scarier than the Lenovo crisis was the latest revelation by Edward Snowden that potentially billions of SIMs on the planet – those tiny chips that sit inside every mobile device – can be hacked by the NSA and GCHQ.
Snowden has claimed that the NSA and GCHQ spied on Gemalto and its employees in order to get the encryption keys that allowed them to be able to access voice and data communications without networks or phone owners being aware.
As well as Gemalto’s network, the spy agencies are understood to have targeted unnamed mobile operators’ core networks, gaining access to sale staff’s machines as well as network engineer’s computers for network maps.
They also used the operators’ billing servers to suppress charges to conceal spying activities on an individual’s phone.
The spy agencies also penetrated authentication servers to decrypt data and voice communications between a target’s phone and the network, according to Snowden’s revelations.
Gemalto – which produces 2bn SIMs a year for global consumption – has pledged to investigate the alleged hacking has inferred that it was one SIM maker among others who were possibly part of a wider net cast by the spy agencies.
“There have been many reported state sponsored attacks as of late, that all have gained attention both in the media and amongst businesses, this truly emphasises how serious cyber security is in this day and age,” Gemalto said.
The enemy of my enemy is my friend
When we first grappled with things like security, viruses and passwords, we comforted ourselves as we hid behind seemingly impregnable firewalls.
But then the threats became mobile in such a way that you could compare the shift between the trench warfare of the First World War (think the Somme) to the evolving battlefields of the Second World War (think Kursk). We stopped just building perimeters and focused on protecting the files.
But now the threat is more insidious as the very machines we carry could have been compromised long before we paid hard earned money for that shiny new laptop or smartphone.
Who knows, perhaps the tablet or smartphone you are reading this on now could be part of an attack that hasn’t happened yet and all it takes is for a script kiddy in Fresno or a cyber kingpin in Minsk or Hong Kong to flip a switch (think of Order 66 to clone troopers to turn on their Jedi Masters in the Star Wars saga).
As we move from an era of information technology to the Internet of things, machine-to-machine, big data and ultimately artificial intelligence it is worth noting how Prof Stephen Hawking has warned of the potential dangers of artificial intelligence (AI), asserting that the technology “could spell the end of the human race.”
While this is quite a jump from dodgy adware on personal computers, perhaps we should pay more attention to what’s happening on the machines and not just on the wider networks.
Could machines one day be the masters and we the slaves?
War machine image at top via Shutterstock