Thought Komodia/Superfish Bug Was Really, Really Bad? It's Much, Much Worse!

from the getting-worse-by-day dept

With each passing day, new revelations come out detailing how the Komodia/Superfish malware is even worse than originally expected. If you don't recall, last week it came out that Lenovo was installing a bit of software called "Superfish" as default bloatware on a bunch of its "consumer" laptops. The software tried to pop up "useful" alternative shopping results for images. But in order to work on HTTPS-encrypted sites, Superfish made use of a nasty (and horribly implemented) "SSL hijacker" from Komodia, which installed a self-signed root certificate that basically allowed anyone to issue totally fake security certificates for any encrypted connection, enabling very easy man-in-the-middle attacks. Among the many, many, many stupid things about the way Komodia worked: it used the same certificate on every installation of Superfish, and that certificate was protected by an easily cracked password, "komodia", which was apparently the same on every product that used Komodia. And researchers have discovered that a whole bunch of products use Komodia, putting a ton of people at risk. People have discovered at least 12 products that make use of Komodia.

But it gets worse. Filippo Valsorda has shown that you didn't even need to crack Komodia's weak-ass password to launch a man-in-the-middle attack, because its SSL validation is broken: even if Komodia's proxy client sees an invalid certificate, it just makes it valid. Seriously.

At this point a legit doubt is: what will the Komodia proxy client do when it sees an invalid/untrusted/self-signed certificate? Because copying it, changing its public key and signing it would turn it into a valid one without warnings.

Turns out that if a certificate fails validation the Komodia proxy will still re-sign it (making it trusted), but change the domain name so that a warning is triggered in the browser.

Okay, but at least there's a warning, right? Well, no, because... as Valsorda notes, there's another horrible part of the implementation that gets around this: alternative names.
The Komodia proxy copies the server certificate almost entirely... What will it do with alternative names?

Alternative names are an X.509 extension that allows specifying, in a special field, other domains for which the certificate is valid.

Boom. The Komodia proxy will take a self-signed certificate, leave the alternate names untouched and sign it with their root. The browser will think it's a completely valid certificate.

So all you need to do to bypass verification is put the target domain in the alternate field, instead of in the main one that will be changed on failure.

An attacker can intercept any https connection, present a self-signed certificate to the client and browsers will show a green lock because Komodia will sign it for them.

As Valsorda points out, because of this, attackers don't even need to know which Komodia-compromised software you're running. They can just fuck with them all.
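To make concrete why renaming only the CN is no mitigation, here is an added Python model (not Komodia's code, and not from Valsorda's post) of the two behaviours described above: the proxy's re-signing rule, and the browser's hostname check, which prefers subjectAltName over the CN. The root label and the rename prefix are placeholders, since the article only says the name is changed.

```python
"""Model of the re-signing flaw described above (added illustration, not
Komodia's code). Certificates are plain records; "signing" is a label."""
from dataclasses import dataclass, field

INTERCEPTOR_ROOT = "interceptor-root"   # stands in for the injected root CA
RENAME_PREFIX = "untrusted-"            # placeholder: the article only says the CN is changed


@dataclass
class Cert:
    common_name: str
    san_dns: list[str] = field(default_factory=list)  # subjectAltName DNS entries
    signed_by: str = "self"                            # "self" or a root label


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style: exact match, or a wildcard covering one leading label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "." in host:
        return host.split(".", 1)[1] == pattern[2:]
    return False


def browser_accepts(cert: Cert, host: str, trusted_roots: set[str]) -> bool:
    """Chain must end in a trusted root; names come from the SAN, with the CN
    used only as a fallback when the certificate carries no SAN at all."""
    if cert.signed_by not in trusted_roots:
        return False
    names = cert.san_dns if cert.san_dns else [cert.common_name]
    return any(hostname_matches(n, host) for n in names)


def flawed_resign(cert: Cert, upstream_valid: bool) -> Cert:
    """The behaviour the article describes: re-sign with the interceptor's
    root regardless, and on upstream validation failure only rename the CN."""
    cn = cert.common_name if upstream_valid else RENAME_PREFIX + cert.common_name
    return Cert(common_name=cn, san_dns=list(cert.san_dns), signed_by=INTERCEPTOR_ROOT)


def sound_resign(cert: Cert, upstream_valid: bool):
    """What an interceptor must do instead: never vouch for a certificate
    that failed validation; return None so the client sees the failure."""
    if not upstream_valid:
        return None
    return Cert(cert.common_name, list(cert.san_dns), INTERCEPTOR_ROOT)


def demo(host: str = "bank.example") -> dict[str, bool]:
    """Constructed inputs: two self-signed certs for the same host, one with
    the host only in the CN, one with it also in the subjectAltName."""
    trusted = {INTERCEPTOR_ROOT}
    cn_only = Cert(common_name=host)
    with_san = Cert(common_name=host, san_dns=[host])
    return {
        # renaming the CN does trigger a browser warning...
        "cn_only_after_flawed_resign": browser_accepts(flawed_resign(cn_only, False), host, trusted),
        # ...unless the untouched SAN still names the host
        "with_san_after_flawed_resign": browser_accepts(flawed_resign(with_san, False), host, trusted),
        # a sound interceptor produces nothing the browser could accept
        "with_san_after_sound_resign": sound_resign(with_san, False) is None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```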

Thought we were done with how bad this is? Nope. Not yet.

Because another security researcher, going by the name @TheWack0lian, found that Komodia uses a rootkit to better hide itself and make it that much harder to remove.

Komodia appears to have implemented its system in the worst way possible, and a whole bunch of companies agreed to use its product without even the slightest recognition of the fact that they punched a massive vulnerability into the computers of everyone who used their products. What's really stunning is that many of these products actually pitch themselves as "security" products to better "protect" your computer.

Reader Comments

  • Ninja (profile), 23 Feb 2015 @ 10:14am

    So, when is Lenovo issuing a public apology along with a fix and compensation for those that were 'hacked' because of their screw up?

  • That One Guy (profile), 23 Feb 2015 @ 10:36am

    At this point, I almost have to wonder if it's not stupidity, but outright malice behind all of this. Seriously, to screw up this bad, they have got to be doing it intentionally.

    Throwing together software that turns out to have a security hole is bad, but expected, as you can't catch them all, but this? One security flaw hidden by another, this all but screams 'This was done on purpose'.

    • Anonymous Coward, 23 Feb 2015 @ 10:42am

      Re:

      'This was done on purpose'.

      It was, forcing adverts on people is the highest purpose there is.

    • Anonymous Coward, 23 Feb 2015 @ 11:18am

      Re:

      Well, at the off all this is Komodia, an Israeli company. From their about page at the internet archive:

      "Barak Weichselbaum founded Komodia, Inc. in 2000, following his military service as a programmer in the IDF’s Intelligence Core. A custom solution provider to customers worldwide, Komodia first released its open source TCP/IP library in 2001. Through numerous projects in the past ten years, the company has found a niche in multiple areas of programming with one common theme: scarce documentation and a lack of experts. Today the company is focused on marketing its flagship product: Komodia’s Redirector."

      I really hate to don a tinfoil hat, but a company founded by ex-Israeli IDF intelligence sounds for penetration by Israeli intelligence.

      • Anonymous Coward, 23 Feb 2015 @ 11:18am

        Re: Re:

        *root of

      • Anonymous Coward, 23 Feb 2015 @ 11:54am

        Re: Re:

        Not to mention that redirectors and marketing are other words for hijacking and adware.

        10 years ago this kind of activity would have been reserved for hackers and virus-manufacturers. Today hijacking and adware are par for the course. Backdoors are becoming more commonly used in more "legitimate" businesses.

        I wonder how long it will take before hacking becomes kosher for hardware and software manufacturers?

      • Anonymous Coward, 23 Feb 2015 @ 6:26pm

        Re: Re:

        How long will this take to get traced back to NSA through the Israeli intelligence?

      • Anonymous Coward, 24 Feb 2015 @ 12:13am

        Re: Re:

        And once again, Israel.
        Your comment is anti-semitic so you better keep quiet or they will come for you.

      • Fred Garvin (profile), 24 Feb 2015 @ 9:55pm

        Re: Re:

        No tinfoil required. Israel actively spies on the US (and other nations), even though their leadership promised to cease such activity after the Pollard case. Their activity is in the same category as China and France, which is to say very competent.
        Komodia is dragged along with many ISV products, which is one heck of a stealth distribution system.

    • Nop (profile), 24 Feb 2015 @ 2:28am

      Re:

      I'm probably being paranoid, but I can't help but wonder if a spook agency or criminal organisation (but I repeat myself) are behind Superfish.
      I'll be interested to see if Lenovo sue them; I certainly would if I were in their shoes, considering how expensive this is going to be for them in terms of mitigation & reputational costs.

    • Bamboo Harvester (profile), 24 Feb 2015 @ 5:32am

      Re:

      "At this point, I almost have to wonder if it's not stupidity, but outright malice behind all of this. Seriously, to screw up this bad, they have got to be doing it intentionally. "

      Agreed. The Certificate mess *could* have been pushed out by Programming to meet a deadline, but to install a Rootkit? That's definitely deliberate.

      Add to that all the screeching the NSA and GCHQ have been doing over people switching to HTTPS *only* recently, and they very well may have been TOLD to install these "bugs".

  • That Anonymous Coward (profile), 23 Feb 2015 @ 10:51am

    This should be punished to the full extent of the law. They are hacking people's systems & making them vulnerable.
    It no longer matters if this was a boo-boo or not.

    The outcome is horrific, and there is no excuse for this.
    Sadly, many people who have been hacked by this crapware are still unaware of the danger. This is one of those moments when they should move to seize all of the records of this company and contact everyone they ever dealt with to alert them. The code should be dissected so that tools can be written to secure these victims' systems and make everyone safer.

    The creators need to pay the price for their hubris.

    • Anonymous Coward, 23 Feb 2015 @ 11:05am

      Re:

      Legitimate critical security threat with widespread real-world consequences?
      Nope, better go after Kim Dotcom.

    • Anonymous Coward, 23 Feb 2015 @ 11:08am

      Re:

      While I agree heads should be rolling the trouble is I cannot see what law was broken.

      Lenovo simply pre-installed software on a computer, nothing illegal about that.

      If it was illegal to install software that contains security flaws surely Billy Gates would be at Gitmo by now.

      • PRMan, 23 Feb 2015 @ 11:34am

        Re: Re:

        "While I agree heads should be rolling the trouble is I cannot see what law was broken."

        Seriously?

        CFAA dude. They hacked people's computers without their permission.

        • Chronno S. Trigger (profile), 23 Feb 2015 @ 12:07pm

          Re: Re: Re:

          The PC's security was compromised before you owned it. They compromised the security on their PCs.

        • Anonymous Coward, 23 Feb 2015 @ 1:06pm

          Re: Re: Re:

          According to Wikipedia, criminal offences under the act include:

          (1) "having knowingly accessed a computer without authorization" - Lenovo did not access anything, so this is out
          (2) "intentionally accesses a computer without authorization" - Lenovo did not access people's computers
          (3) "intentionally, without authorization to..." - Lenovo did not intentionally create a security problem
          (4) "knowingly and with intent to defraud, accesses a protected computer without authorization" - Lenovo did not access people's computers
          (5), (6) and (7) all require "knowingly" or "intentionally", and as stated before Lenovo did not knowingly or intentionally do any of the things listed in those sections

          So no, Lenovo did not break the law, what they did was pre-install some software that turns out to have security flaws. Just installing Windows as provided by Microsoft would subject users to security flaws.

          To conclude, it is not illegal to pre-install software unless you do it for some nefarious reason meeting the criteria listed in laws.

          There may be some civil laws that apply, I think gross incompetence is the place to start there but nothing criminal.

          • That Anonymous Coward (profile), 23 Feb 2015 @ 3:07pm

            Re: Re: Re: Re:

            Well how about Superfish did they do something wrong?
            What about Komodia?

            They created a certificate that signs basically ANY certificate it encounters and makes bad ones good in the process.

            This is not a bug, this is defective and deceptive by design.
            At no point did they disclose everything it did to their buyers, no one would purchase a piece of software that makes you more open to being hacked but this entire piece of software does just that.

        • JMT (profile), 23 Feb 2015 @ 3:57pm

          Re: Re: Re:

          "CFAA dude."

          The CFAA is only used against people the government doesn't like, and I doubt they give a shit about this.

      • Bengie, 23 Feb 2015 @ 12:19pm

        Re: Re:

        Intercepting and modifying secure data is against the law, unless it's for your own computers, like a company.

        Two questions come up:
        1) Did the end user give consent?
        2) Was the end user informed well enough to even be able to give consent?

        • John Fenderson (profile), 23 Feb 2015 @ 2:21pm

          Re: Re: Re:

          1) Yes, in the clickwrap that came up on first boot.
          2) No, but since when does that count? EULAs are always having the user give consent for things that they don't really understand (by design).

      • John Fenderson (profile), 23 Feb 2015 @ 2:19pm

        Re: Re:

        "I cannot see what law was broken."

        I don't think that any law was broken, especially not by Lenovo.

        However, there may be a violation of the UCC "fitness for a particular purpose" clause. The machines that contained this software were certainly not fit to use for connecting to the internet.

    • Anonymous Coward, 23 Feb 2015 @ 11:30am

      Re:

      This should be punished to the full extent of the law

      Judges issue orders in court and there is a lack of followup - why should anyone expect your request will have meaning?

    • Michael, 23 Feb 2015 @ 11:30am

      Re:

      This should be punished to the full extent of the law

      It will be...there was no law broken here.

      That is actually good (in my opinion) because the backlash of customers not wanting to purchase Lenovo equipment should be enough to keep this from happening again. Not every stupid, greedy, ignorant business decision needs to lead to jail time; a company out of business, some people losing investment money, and a bunch of customers going elsewhere is a really good free-market result.

      • PRMan, 23 Feb 2015 @ 11:35am

        Re: Re:

        The CFAA was broken. They did far more than they said upon installation, against the will of the user of the computer ("unauthorized").

        • Michael, 23 Feb 2015 @ 11:49am

          Re: Re: Re:

          Go read the TOS and End User agreements for your Lenovo laptop (if you have made that unfortunate choice) and you will probably find that everything they have done was clearly authorized.

      • Anonymous Coward, 23 Feb 2015 @ 4:42pm

        Re: Re:

        "That is actually good (in my opinion) because the backlash of customers not wanting to purchase lenovo equipment should be enough to keep this from happening again."

        Just like it kept it from happening in the first place, huh?

    • Anonymous Coward, 23 Feb 2015 @ 4:40pm

      Re:

      "This should be punished to the full extent of the law."

      You do realize that there are different laws for different people, don't you? The full extent of the law is much different for some people than it might be for you or me.

    • DannyB (profile), 24 Feb 2015 @ 5:56am

      Re:

      Not to worry. I'm sure they will be punished as much as Sony was punished for Sony's widespread rootkit distribution on CDs, which required large numbers of people to have their OSes reinstalled at their own expense back in 2005.

  • David, 23 Feb 2015 @ 11:08am

    Huh.

    If a consortium of blackhats would have pooled a lot of money in order to get best value for their buck, would the outcome have been much different from Komodia?

  • Anonymous Coward, 23 Feb 2015 @ 11:10am

    Commode-ia sure picked the right name. Their app should have been flushed before it ever came out.

  • Whoever, 23 Feb 2015 @ 11:30am

    NSA behind this?

    The way that Komodia is broken is so bad, it's hard to believe that it is not deliberate.

    *Puts tin foil hat on*
    I suspect that the NSA is behind this, that they paid Komodia to put out a product with badly broken security. It makes hacking into companies like Gemalto so much easier.

    Unfortunately, the same broken security can be used by anyone.

    • Anonymous Coward, 23 Feb 2015 @ 12:43pm

      Re: NSA behind this?

      You've stolen my tin foil hat there, Whoever. I made a similar comment on the earlier story.

      My supposition, though, was that NSA knew about the flaw, but were using Lenovo as cover. No need for Lenovo, superfish, or Komodia to be coopted, they'd done it to themselves, a zero-day flaw just waiting for exploitation.

      But it's a bit of a stretch to posit corruption of Komodia alone for the Lenovo issue. Lenovo used Superfish, which used Komodia, making three separate points of contact. Too complex, too many points of failure.

      Taking advantage of Komodia's flaws, on the other hand, that's easy.

      And tinfoil hat aside, once the story broke, you can bet that the NSA added this to its armament package within the day.

      • Whoever, 23 Feb 2015 @ 1:06pm

        Re: Re: NSA behind this?

        But it's a bit of a stretch to posit corruption of Komodia alone for the Lenovo issue.


        I don't posit that Lenovo was the NSA's target, rather a bonus. My suggestion is that Komodia was subsidized by the NSA to the point that adoption would be fairly widespread. That's all the NSA needed. Lenovo pre-installing it (via Superfish) was a bonus.

        *Attaches tinfoil really tightly*
        It's possible that the NSA subsidized *both* Komodia and Superfish. Superfish's logs would be very revealing about an individual. Again, all the NSA needed was widespread adoption. Enabling these companies to offer their products at a very low price would achieve this.

    • nasch (profile), 25 Feb 2015 @ 10:38am

      Re: NSA behind this?

      I don't think this would be much use to the NSA since the attacker has to be on the same Wi-Fi network as the target. They like to capture huge quantities of data from central locations.

      • Fred Garvin (profile), 25 Feb 2015 @ 1:02pm

        Re: NSA behind this?

        Au contraire. The man-in-the-middle attacks need not be on the same WiFi network--they're just easier.
        I'm pretty sure, though, this would require compromising one or more routers in the network, which is well within the capability of semi-competent black hats, not to mention the NSA or Israel's Unit 8200.

  • Rich Kulawiec, 23 Feb 2015 @ 11:39am

    Oh, come now, this isn't so bad

    It's not like they did something really bad, something so destructive and damaging to the privacy and security of millions of people that it required immediate attention from federal law enforcement agencies combined with the threat of aggressive prosecution that could result in decades in prison...something like, oh, I don't know, downloading scientific research papers?

  • JustShutUpAndObey, 23 Feb 2015 @ 11:41am

    Of course it's all deliberate.

    It required some level of effort to implement this, so it was definitely done with malice and forethought.

    It gets even better/worse: Now that everyone knows about this, lots of other companies will start implementing this. After all, they'll only get sued if they get caught, and no one ever expects to be caught.

    By now, it ought to be obvious from all the evidence that everyone wants to spy on you without limit and restraint.

    • Michael, 23 Feb 2015 @ 11:52am

      Re: Of course it's all deliberate.

      It required some level of effort to implement this, so it was definitely done with malice and forethought.

      As always, never attribute to malice that which is adequately explained by stupidity.

      This is most likely the work of someone that did not make the connection that this security hole they were creating would ever get exploited by someone with intent other than their own.

      • John Fenderson (profile), 23 Feb 2015 @ 2:24pm

        Re: Re: Of course it's all deliberate.

        "never attribute to malice that which is adequately explained by stupidity."

        Why not? In the end, it doesn't matter if it was malice or stupidity, and in this case malice (on the part of Komodia and Superfish) seems MUCH more likely than stupidity.

      • David, 24 Feb 2015 @ 12:35am

        Re: Re: Of course it's all deliberate.

        You don't get to compromise all SSL traffic by mere stupidity.

        This is clearly malice at work here. It may be leveraging itself over some pivoting points of stupidity, but the driving force is cunning, reckless and premeditated malice.

  • Anonymous Coward, 23 Feb 2015 @ 12:03pm

    I have to question whether this is just about ads. That's too convenient and pat an excuse. Myself, I think they just put a hole in one of the backdoors for the spy agencies.

  • Hans, 23 Feb 2015 @ 12:44pm

    Root Certificates

    This whole thing is possible largely because they can insert a root certificate in the trust store, and you and I have very little idea what certificates are in the trust store.

    This isn't too different from the various CA hacks (think DigiNotar). You're trusting everyone with a certificate in your trust store and you don't even know who they are....

  • DB (profile), 23 Feb 2015 @ 12:58pm

    Don't confuse malice and avarice.

    If they intended to take over your machine, they wouldn't have taken this approach. They would do what virus makers do -- exploit the hole, and then harden security so that they retain control of the machine.

    Instead they were sociopaths. They solely cared about the advertising money, not the negative effects of their actions.

    It's not that they didn't understand the vulnerabilities they were creating. The implementation indicates they fully understood the architecture of certificate based authentication, and where they would need to insert the man-in-the-middle attack to substitute advertisements.

    Normal people don't think this way. Even if you hate someone enough to murder them, normal people don't bring down a plane full of people or poison a whole town. Or create a public panic so that they can profit from shorting a drug company stock. Sociopaths can't see the difference, they don't empathize with the innocent victims or see the systemic damage. They don't care about the results beyond their own benefit.

    • Rich Kulawiec, 23 Feb 2015 @ 1:40pm

      Re:

      Normal people don't think this way.

      Precisely so. We only see this behavior in sociopaths, as in this case or with mass murderers/serial killers, serial rapists, spammers, and other similarly evil people. They don't stop because they can't stop -- and it's rarely, if ever, possible to cure them.

      Mark my words: they'll do this again. It'll be subtler and hidden behind layers of misdirection, but they'll do it again.

    • John Fenderson (profile), 23 Feb 2015 @ 2:26pm

      Re:

      "Don't confuse malice and avarice."

      Avarice always has malice standing by its side. Always.

    • David, 24 Feb 2015 @ 3:18am

      Re:

      If they intended to take over your machine, they wouldn't have taken this approach.

      Why not? Machine wide open, and slightly plausible deniability. "Your honor! We did it for advertising! Free market! Thwart communism!"

  • Anonymous Coward, 23 Feb 2015 @ 1:23pm

    Who wants to play a game of Spot the Differences?

    http://eccentric-authentication.org/blog/2014/11/30/spot-the-differences.html

    It's more appropriate to this story than it looks at first.

  • the threat to peace is the USA, 24 Feb 2015 @ 12:03am

    @43

    Ummm, they don't need to; you forget the NSA is building a large lab in Israel.

  • Anonymous Coward, 24 Feb 2015 @ 12:09am

    Oh ffs, there are only so many things they can fuck up before it becomes suspicious.
    They obviously are being paid by the NSA.

  • Nyarlathotep, 24 Feb 2015 @ 5:22am

    Just In Case

    I didn't have time to read every response but here's a website to detect if you possibly have problems with SuperFish or Komodia.

    https://filippo.io/Badfish/

  • Tara Li, 24 Feb 2015 @ 10:26am

    The list of "programs" at Ars Technica

    Actually only seems to be a list of companies involved, and doesn't actually name the packages/programs. I'm a bit worried about what *actually* uses this library, and if there are other libraries that do the same thing.

  • Uriel-238 (profile), 24 Feb 2015 @ 11:16am

    This is what a "golden key" looks like.

    For those needing an example of what backdoor-enabled (Golden Key, Pixie Dust, whatever) encryption looks like: it looks like this.

    And it looks like a whole lot of people being super vulnerable in the inevitable moment that the backdoor is revealed.

  • GEMont (profile), 24 Feb 2015 @ 7:40pm

    Never attribute to incompetence, that which can be attributed to double profits.

    Yep. Sounds to me like they're NSA Crew Companies - doing the NSA's legitimate dirty-tricks work and getting paid twice for the effort.

    If they suffer absolutely not one iota of consequence for any of their actions, I'd say their federal affiliation is obvious.

    ---

  • Anonymous Coward, 25 Feb 2015 @ 12:30am

    Another reason to use GNU/Linux.
