Windows users are also vulnerable to FREAK snooping attacks

The “FREAK” vulnerability that downgrades and weakens secure web connections doesn’t just affect Google and Apple users — according to a security advisory from Microsoft, all supported versions of Windows are vulnerable too.

FREAK (Factoring attack on RSA-EXPORT Keys) is a recently discovered hangover from the early 90s, when the U.S. government banned the export of most software that used strong encryption. The SSL web security protocol was for that reason built with a special mode that uses key lengths considered weak today. The law was changed but the weak cipher suites remain, and although most modern browsers are supposed to avoid them like the plague, a widespread bug means they don’t always do that.

The FREAK flaw allows “man-in-the-middle” snoopers to downgrade a session’s security to that mode – as long as the browser is vulnerable and the server accepts those weak old cipher suites — then crack the keys and spy away.

When the flaw was publicized earlier this week, it was Apple’s Safari browser and the stock Android browser that were on the firing line for being vulnerable, endangering those users who communicate with servers that accept “export-grade” encryption – apparently a whopping third of servers with browser-trusted certificates. But it turns out the list of affected browsers and systems is way longer than that.

The big one is Windows. In pretty much every version of Windows that’s out there, Internet Explorer and whatever else uses the Schannel security package are vulnerable to the FREAK attack.

In its advisory, Microsoft said:

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Per the researchers who brought this all to our attention, here’s the current list of browsers that need patching:

  • Internet Explorer
  • Chrome on OS X (patch available)
  • Chrome on Android
  • Safari on OS X (patch expected next week)
  • Safari on iOS (patch expected next week)
  • Stock Android browser
  • BlackBerry browser
  • Opera on OS X
  • Opera on Linux

As a Firefox user, I’m feeling slightly smug this week — the researchers’ FREAK test tool just gave my browser a clean bill of health, and told me my never-used IE installation is vulnerable. Not too smug though, given the impact on other Windows software.

Good thing the anti-strong-encryption nonsense that caused this mess is a relic of past decades, eh? Oh wait…

Beyond Superfish: Turns out SSL-trashing spyware is widespread

Last week Lenovo found itself in deep trouble over the Superfish spyware that it installed on many recent consumer laptops. Designed to insert ads into customers’ browsing experiences, the software has very insecure foundations and basically made users vulnerable to hacking attacks.

Turns out it’s not just Lenovo customers who should be worried about their exposure — the insecurity of Superfish is largely due to its use of technology from an Israeli company called Komodia, and quite a few software packages in the areas of antivirus and parental protection also use Komodia’s engine. Examples highlighted by the U.S. Department of Homeland Security include products from parental control outfits Qustodio, Kurupira, Infoweise and Komodia’s own KeepMyFamilySecure, and security firms such as Lavasoft and Websecure.

Qustodio wrote in a Saturday blog post that it was working on a “fix in order to avoid potential phishing attacks from external malicious users.”

These various packages, including the Superfish software that Lenovo quietly installed on its consumer laptops late last year, used Komodia to put a fake root certificate authority (CA) on each user’s PC, together with a private key, in order to be able to intercept and analyze even encrypted “SSL” browsing sessions. However, this mechanism was really badly implemented.

As Facebook’s Matt Richard noted, the reuse of the same root CA across multiple machines (with the same “komodia” private key password) means bad actors could “potentially obtain that CA file and perform ‘man-in-the-middle’ (MITM) attacks on untrusted networks like public Wi-Fi, set up authentic-looking phishing pages, or sign software that makes people vulnerable to other malicious code as they browse the internet.”

Cloudflare researcher Filippo Valsorda wrote about the potential manipulation of Komodia’s mechanism even without the need for extracting the private key: “An attacker can intercept any https connection, present a self-signed certificate to the client and browsers will show a green lock because Komodia will sign it for them.”

In short, this software greatly increases insecurity, which is why the DHS is urging people to uninstall all software that uses the Komodia Redirector and SSL Digestor libraries, and all associated root CA certificates, and why Mozilla is considering blacklisting those certificates in Firefox.

That’s kind of ironic, seeing as so many of these software applications are intended to protect their users. The same goes for Comodo, an actual certificate authority that also puts out a security-focused browser called Comodo Dragon. As researcher Hanno Böck wrote on Monday, this and other Comodo products ship with a “privacy” tool called PrivDog that supposedly replaces ads in webpages with ads from “trusted sources” – and as with Komodia’s tools, this one also verifies dodgy certificates when it shouldn’t.

CloudFlare’s Valsorda has come up with a tool called Badfish that was originally designed to detect infections by Superfish, but now also scans for those by other Komodia-using products and PrivDog as well. If you’re a Windows user and you’re using parental control software or certain antivirus products, it might be worth giving that page a visit to see if you need to be uninstalling anything.

Lenovo in hot water over Superfish adware, but dismisses security worries (updated)

Reports from security consultants, media, and Lenovo users indicate that there’s bloatware pre-installed on recent Lenovo Windows PCs that’s a bit more sinister than a set of superfluous ThinkPad tools. It appears that adware called Superfish had been running on consumer laptops sold by Lenovo between September 2014 and this past January, raising significant security concerns.

In a statement issued on Thursday, Lenovo said although it had disabled Superfish “server side interactions” since January, it could “not find any evidence to substantiate security concerns.” It also promised not to pre-load Superfish in the future, while clarifying that Superfish requires users to approve its terms of use, and that it hasn’t been installed on devices since “December.”

Update: Sometime today, Lenovo changed its statement and quietly removed the line “We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.” The statement was most likely tweaked because there is actually a lot of evidence to back up that Superfish is a security problem. Lenovo also posted a PDF with instructions how to remove Superfish.

The Electronic Frontier Foundation called Superfish “horrifically dangerous” and a “security catastrophe.”

The worst part is, Superfish isn’t even tangentially useful to the consumer. It’s ad-placing software — so far, what it appears to do is to place it own ads against Google search results, which presumably generates income for both Lenovo, and Superfish, which is a privately-held Palo Alto-based company. Lenovo’s statement said that Superfish was included to “to help customers potentially discover interesting products while shopping.”

While ads might be annoying, the real problem with Superfish is the liberties it takes with users machines’ to serve those ads, which resembles a “man-in-the-middle” attack. The adware makes itself an unrestricted root certificate authority in Windows, so it is able to spoof SSL certificates. If you connect to a secure website, such as your bank, from Internet Explorer or Google Chrome on an affected Lenovo laptop, the security certificate will have been signed by Superfish, as opposed to a trusted SSL certificate services provider like VeriSign.

Essentially, this discovery means that HTTPS browsing on an affected Lenovo laptop is insecure. In fact, researchers have already cracked Superfish’s private key — which was the same on all affected laptops — meaning hackers could snoop on encrypted traffic while on the same network, or even install malware under the guise of a trusted program. Simply uninstalling the program doesn’t remove the unrestricted root certificate.

Lenovo is the top PC vendor in the world, according to IDC, and shipped over 16 million PCs in the fourth quarter of last year, part of the time period where Superfish was preinstalled on some devices. Here’s a online test to check whether your device is affected.

When it comes to smart home security, cameras are the worst

Don’t freak out, but the products inside your smart home have some serious security flaws, according to a new report out from enterprise security research firm Synack. The company tested 16 popular devices over the holidays and determined that connected cameras were the least secure. Products ranging from the SmartThings hub to the Nest and Lyric thermostats also had some problems.

Colby Moore, a security research analyst who compiled the report, said it took him about 20 minutes to break into each of the assorted devices and he only found one — the Kidde smoke detector — that didn’t have any significant flaws. But the Kidde isn’t actually connected. Before we break down each device’s big problems, the macro picture from the report was that there are no real standards in the connected home security space, and perhaps we should come up with some.

“Right now the internet of things is like computer security was in the nineties, when everything was new and no one had any security standards or any way to monitor their devices for security,” said Moore.

The Withings Home camera

The Withings Home camera

In general Moore suggests the following as basic best practices, even though he concedes that some users won’t like them:

  • Hardwire as many devices as possible. And when devices are wireless, make sure they have push notifications to the user when they are kicked offline.
  • Firmware updates should happen automatically, especially those dealing with security flaws and vulnerabilities. Don’t wait for the user to push them through.
  • Require strong passwords. Make sure they have combinations of numbers, special characters and letters and are more than 12 characters.
  • Send all the data to the cloud using a secured connection. Don’t store it on the device, which can be hacked.
  • If you are going to use SSL, check certificates at both ends. Apparently, some devices do not.
  • Use SSL pinning so your device is authenticated, as opposed to the network the device is on.

Some of these may be controversial. For example, stronger passwords can be a pain to enter on devices with tiny screens and no keyboards. Another issue is hardwiring everything. Wireless devices are simply more convenient and wireless connectivity is often a reason people buy a certain product over another. Finally, storing all of your data in the cloud might be more secure, but it’s only as secure as your cloud vendor. If the vendor get hacked, there go your data and your camera images.

Moore concedes these points, but says that even understanding these tradeoffs would help. I agree. It’s one thing to trust my camera data to Nest or Amazon, but another to trust it to a startup that just launched three months ago (although it’s highly likely that its cloud back-end is Amazon Web Services). So what about the specific devices?

Synack looked at four classes: cameras, thermostats, smart hubs and smoke detectors. It found the most flaws in the camera class, with Dropcam being the most secure.
camerassynack

In thermostats, Nest once again was the most secure, but most were dinged for their password policies. This is understandable, because most thermostats don’t have keyboards, making it tough to enter a password on the device itself.

thermostastssynack

When it comes to smoke detectors we see Kidde, the only device that got a perfect score from a security perspective, in part because it’s not connected. Why it’s on this report, I don’t know. There’s also the first mention of a supply chain–based attack, which is worth noting, because it means that someone would have to intercept the device and change a component. This isn’t specific to just smoke detectors, but any connected product. I thought this was tenuous, but Moore pointed out that we could see more of it in the future and that it really just took a bit more long-range planning. It could also be seen more in returned or second-hand devices.

co2synack

Finally we see his results from testing home automation hubs. While the Revolv isn’t sold anymore because Nest purchased the company for the engineers, the others are on the market.

hubsynack

While this report covers the devices themselves, I’d like more insight into how we secure the future, when we start linking these devices together. I tie many services together via Works with Nest, If This Then That and many other services, and suspect others will soon do the same. And while individual devices may get more secure, once they start sharing data between clouds, that introduces new weaknesses that this report doesn’t even get into. When asked about security in the smart home today, Moore said, “Security is abysmal.”

So, let’s work on that, but let’s think about how we’re planning for tomorrow, too.

Updated: This story was updated at 3:06pm PT to clarify that the Kidde smoke detector isn’t connected.