Thought Komodia/Superfish Bug Was Really, Really Bad? It's Much, Much Worse!

from the getting-worse-by-day dept

With each passing day, it appears that new revelations come out, detailing how the Komodia/Superfish malware is even worse than originally expected. If you don’t recall, last week it came out that Lenovo was installing a bit of software called “Superfish” as a default bloatware on a bunch of its “consumer” laptops. The software tried to pop up useful alternative shopping results for images. But in order to work on HTTPS-encrypted sites, Superfish made use of a nasty (and horribly implemented) “SSL hijacker” from Komodia, which installed a self-signed root certificate that basically allowed anyone to issue totally fake security certificates for any encrypted connection, enabling very easy man-in-the-middle attacks. Among the many, many, many stupid things about the way Komodia worked, was that it used the same certificate on each installation of Superfish, and it had an easily cracked password: “komodia” which was true on apparently every product that used Komodia. And researchers have discovered that a whole bunch of products use Komodia, putting a ton of people at risk. People have discovered at least 12 products that make use of Komodia.

But it gets worse. Filippo Valsorda has shown that you didn’t even need to crack Komodia’s weak-ass password to launch a man-in-the-middle attack, but its SSL validation is broken, such that even if Komodia’s proxy client sees an invalid certificate, it just makes it valid. Seriously.

At this point a legit doubt is: what will the Komodia proxy client do when it sees a invalid/untrusted/self-signed certificate? Because copying it, changing its public key and signing it would turn it into a valid one without warnings.

Turns out that if a certificate fails validation the Komodia proxy will still re-sign it (making it trusted), but change the domain name so that a warning is triggered in the browser.

Okay, but at least there’s a warning, right? Well, no, because… as Valsorda notes, there’s another horrible part of the implementation that gets around this: alternative names.

The Komodia proxy copies the server certificate almost entirely… What will it do with alternative names?

Alternative names are a X509 extension that allows to specify in a special field other domains for which the certificate is valid.

Boom. The Komodia proxy will take a self-signed certificate, leave the alternate names untouched and sign it with their root. The browser will think it’s a completely valid certificate.

So all you need to do to bypass verification is put the target domain in the alternate field, instead of in the main one that will be changed on failure.

An attacker can intercept any https connection, present a self-signed certificate to the client and browsers will show a green lock because Komodia will sign it for them.

As Valsorda points out, because of this, attackers don’t even need to know which Komodia-compromised software you’re running. They can just fuck with them all.

Thought we were done with how bad this is? Nope. Not yet.

Because another security researcher, going by the name @TheWack0lian, found that Komodia uses a rootkit to better hide itself and make it that much harder to remove.

Komodia appears to have implemented its system in the worst way possible, and a whole bunch of companies agreed to use its product without even the slightest recognition of the fact that they punched a massive vulnerability into the computers of everyone who used their products. What’s really stunning is that many of these products actually pitch themselves as “security” products to better “protect” your computer.

Filed Under: , , , , , ,
Companies: komodia, superfish

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Thought Komodia/Superfish Bug Was Really, Really Bad? It's Much, Much Worse!”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Re: Re:

At this point this is far, far, far bigger than Lenovo, or Superfish. The company at the root of all this is Komodia, an entirely separate company from those two. Lenovo’s customers are actually only a fractions of the people involved at this point. For example, Lavasoft is one of those companies affected, and they have a nice rundown of their involvement:

That One Guy (profile) says:

At this point, I almost have to wonder if it’s not stupidity, but outright malice behind all of this. Seriously, to screw up this bad, they have got to be doing it intentionally.

Throwing together software that turns out to have a security hole is bad, but expected, as you can’t catch them all, but this? One security flaw hidden by another, this all but screams ‘This was done on purpose’.

Anonymous Coward says:

Re: Re:

Well, at the off all this is Komodia, an Israeli company. From their about page at the internet archive:

“Barak Weichselbaum founded Komodia, Inc. in 2000, following his military service as a programmer in the IDF’s Intelligence Core. A custom solution provider to customers worldwide, Komodia first released its open source TCP/IP library in 2001. Through numerous projects in the past ten years, the company has found a niche in multiple areas of programming with one common theme: scarce documentation and a lack of experts. Today the company is focused on marketing its flagship product: Komodia’s Redirector.”

I really hate to don a tinfoil hat, but a company founded by ex-Israeli IDF intelligence sounds for penetration by Israeli intelligence.

Anonymous Coward says:

Re: Re: Re:

Not to mention that redirectors and marketing are othwer words for hijacking and adware.

10 years ago this kind of activity would have been reserved for hackers and virus-manufacturers. Today hijacking and adware are par for the course. Backdoors are becoming more commonly used in more “legitimate” businesses.

I wonder how long it will take before hacking becomes kosher for hardware and software manufacturers?

Fred Garvin (profile) says:

Re: Re: Re:

No tinfoil required. Israel actively spies on the US (and other nations), even though their leadership promised to cease such activity after the Pollard case. Their activity is in the same category as China and France, which is to say very competent.
Komodia is dragged along with many ISV products, which is one heck of a stealth distribution system.

Nop (profile) says:

Re: Re:

I’m probably being paranoid, but I can’t help but wonder if a spook agency or criminal organisation (but I repeat myself) are behind Superfish.
I’ll be interested to see if Lenovo sue them; I certainly would if I were in their shoes, considering how expensive this is going to be for them in terms of mitigation & reputational costs.

Bamboo Harvester (profile) says:

Re: Re:

“At this point, I almost have to wonder if it’s not stupidity, but outright malice behind all of this. Seriously, to screw up this bad, they have got to be doing it intentionally. “

Agreed. The Certificate mess could have been pushed out by Programming to meet a deadline, but to install a Rootkit? That’s definitely deliberate.

Add to that all the screeching the NSA an GHCQ have been doing over people switching to HTTPS only recently, and they very well may have been TOLD to install these “bugs”.

That Anonymous Coward (profile) says:

This is should be punished by the full extend of the law. They are hacking peoples systems & making them vulnerable.
It no longer matters if this was a boo-boo or not.

The outcome is horrific, and there is no excuse for this.
Sadly many people who have been hacked by this crapware still are unaware of the danger. This is one of those moments when they should moved to seize all of the records of this company and contact everyone they ever dealt with to alert them. The code should be dissected so that tools can be written to secure these victims systems and make everyone safer.

The creators need to pay the price for their hubris.

Anonymous Coward says:

Re: Re: Re: Re:

According to Wikipedia Criminal offences under the act include:

(1) having knowingly accessed a computer without authorization Lenovo did not access anything so this is out

(2) intentionally accesses a computer without authorization Lenovo did not access peoples computers
(3) intentionally, without authorization to… Lenovo did not intentionally create a security problem
(4) knowingly and with intent to defraud, accesses a protected computer without authorization Lenovo did not access peoples computers
(5), (6) and (7) all require knowingly or intentionally and as stated before Lenovo did not knowingly or intentionally do any of the things listed in those sections

So no, Lenovo did not break the law, what they did was pre-install some software that turns out to have security flaws. Just installing Windows as provided by Microsoft would subject users to security flaws.

To conclude, it is not illegal to pre-install software unless you do it for some nefarious reason meeting the criteria listed in laws.

There may be some civil laws that apply, I think gross incompetence is the place to start there but nothing criminal.

That Anonymous Coward (profile) says:

Re: Re: Re:2 Re:

Well how about Superfish did they do something wrong?
What about Komodia?

They created a certificate that signs basically ANY certificate it encounters and makes bad ones good in the process.

This is not a bug, this is defective and deceptive by design.
At no point did they disclose everything it did to their buyers, no one would purchase a piece of software that makes you more open to being hacked but this entire piece of software does just that.

Michael (profile) says:

Re: Re:

This is should be punished by the full extend of the law

It will be…there was no law broken here.

That is actually good (in my opinion) because the backlash of customers not wanting to purchase lenovo equipment should be enough to keep this from happening again. Not every stupid, greedy, ignorant business decision needs to lead to jail time, a company out of business, some people losing investment money, and a bunch of customers going elsewhere is a really good free-market result.

Whoever says:

NSA behind this?

The way that Komodia is broken is so bad, it’s hard to believe that it is not deliberate.

*Puts tin foil hat on*
I suspect that the NSA is behind this, that they paid Komodia to put out a product with badly broken security. It makes hacking into companies like Gemalto so much easier.

Unfortunately, the same broken security can be used by anyone.

Anonymous Coward says:

Re: NSA behind this?

You’ve stolen my tin foil hat there, Whoever. I made a similar comment on the earlier story.

My supposition, though, was that NSA knew about the flaw, but were using Lenovo as cover. No need for Lenovo, superfish, or Komodia to be coopted, they’d done it to themselves, a zero-day flaw just waiting for exploitation.

But it’s a bit of a stretch to posit corruption of Komodia alone for the Lenovo issue. Lenovo used Superfish used Komodia, making three separate points of contact. Too complex, to many points of failure.

Taking advantage of Komodia’s flaws, on the other hand, that’s easy.

And tinfoil hat aside, once the story broke, you can bet that the NSA added this to its armament package within the day.

Whoever says:

Re: Re: NSA behind this?

But it’s a bit of a stretch to posit corruption of Komodia alone for the Lenovo issue.

I don’t posit that Lenovo was the NSA’s target, rather a bonus. My suggestion is that Komodia was subsidized by the NSA to the point that adoption would be fairly widespread. That’s all the NSA needed. Lenovo pre-installing it (via Superfish) was a bonus.

Attaches tinfoil really tightly
It’s possible that the NSA subsidized both Komodia and Superfish. Superfish’s logs would be very revealing about an individual. Again, all the NSA needed was widespread adoption. Enabling these companies to offer their products at a very low price would achieve this.

Rich Kulawiec (profile) says:

Oh, come now, this isn't so bad

It’s not like they did something really bad, something so destructive and damaging to the privacy and security of millions of people that it required immediate attention from federal law enforcement agencies combined with the threat of aggressive prosecution that could result in decades in prison…something like, oh, I don’t know, downloading scientific research papers?

JustShutUpAndObey says:

Of course it's all deliberate.

It required some level of effort to implement this, so it was definitely done with malice and forethought.

It gets even better/worse: Now that everyone knows about this, lots of other companies will start implementing this. After all, they’ll only get sued if they get caught, and no one ever expects to be caught.

By now, it ought to be obvious from all the evidence that everyone wants to spy on you without limit and restraint.

Michael (profile) says:

Re: Of course it's all deliberate.

It required some level of effort to implement this, so it was definitely done with malice and forethought.

As always, never attribute to malice that which is adequately explained by stupidity.

This is most likely the work of someone that did not make the connection that this security hole they were creating would ever get exploited by someone with intent other than their own.

Hans says:

Root Certificates

This whole thing is possible largely because they can insert a root certificate in the trust store, and you and I have very little idea what certificates are in the trust store.

This isn’t too different from the various CA hacks (think DigiNotar). You’re trusting everyone everyone with a certificate in your trust store and you don’t even know who they are….

DB (profile) says:

Don’t confuse malice and avarice.

If they intended to take over your machine, they wouldn’t have taken this approach. They would do what virus makers do — exploit the hole, and then harden security so that they retain control of the machine.

Instead they were sociopaths. They solely cared about the advertising money, not the negative effects of their actions.

It’s not that they didn’t understand the vulnerabilities they were creating. The implementation indicates they fully understood the architecture of certificate based authentication, and where they would need to insert the man-in-the-middle attack to substitute advertisements.

Normal people don’t think this way. Even if you hate someone enough to murder them, normal people don’t bring down a plane full of people or poison a whole town. Or create a public panic so that they can profit from shorting a drug company stock. Sociopaths can’t see the difference, they don’t empathize with the innocent victims or see the systemic damage. They don’t care about the results beyond their own benefit.

Rich Kulawiec (profile) says:

Re: Re:

Normal people don’t think this way.

Precisely so. We only see this behavior in sociopaths, as in this case or with mass murderers/serial killers, serial rapists, spammers, and other similarly evil people. They don’t stop because they can’t stop — and it’s rarely, if ever, possible to cure them.

Mark my words: they’ll do this again. It’ll be subtler and hidden behind layers of misdirection, but they’ll do it again.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...