Thought Komodia/Superfish Bug Was Really, Really Bad? It's Much, Much Worse!
from the getting-worse-by-day dept
With each passing day, it appears that new revelations come out, detailing how the Komodia/Superfish malware is even worse than originally expected. If you don't recall, last week it came out that Lenovo was installing a bit of software called "Superfish" as a default bloatware on a bunch of its "consumer" laptops. The software tried to pop up useful alternative shopping results for images. But in order to work on HTTPS-encrypted sites, Superfish made use of a nasty (and horribly implemented) "SSL hijacker" from Komodia, which installed a self-signed root certificate that basically allowed anyone to issue totally fake security certificates for any encrypted connection, enabling very easy man-in-the-middle attacks. Among the many, many, many stupid things about the way Komodia worked, was that it used the same certificate on each installation of Superfish, and it had an easily cracked password: "komodia" which was true on apparently every product that used Komodia. And researchers have discovered that a whole bunch of products use Komodia, putting a ton of people at risk. People have discovered at least 12 products that make use of Komodia.But it gets worse. Filippo Valsorda has shown that you didn't even need to crack Komodia's weak-ass password to launch a man-in-the-middle attack, but its SSL validation is broken, such that even if Komodia's proxy client sees an invalid certificate, it just makes it valid. Seriously.
Okay, but at least there's a warning, right? Well, no, because... as Valsorda notes, there's another horrible part of the implementation that gets around this: alternative names.At this point a legit doubt is: what will the Komodia proxy client do when it sees a invalid/untrusted/self-signed certificate? Because copying it, changing its public key and signing it would turn it into a valid one without warnings.
Turns out that if a certificate fails validation the Komodia proxy will still re-sign it (making it trusted), but change the domain name so that a warning is triggered in the browser.
The Komodia proxy copies the server certificate almost entirely... What will it do with alternative names?As Valsorda points out, because of this, attackers don't even need to know which Komodia-compromised software you're running. They can just fuck with them all.
Alternative names are a X509 extension that allows to specify in a special field other domains for which the certificate is valid.
Boom. The Komodia proxy will take a self-signed certificate, leave the alternate names untouched and sign it with their root. The browser will think it's a completely valid certificate.
So all you need to do to bypass verification is put the target domain in the alternate field, instead of in the main one that will be changed on failure.
An attacker can intercept any https connection, present a self-signed certificate to the client and browsers will show a green lock because Komodia will sign it for them.
Thought we were done with how bad this is? Nope. Not yet.
Because another security researcher, going by the name @TheWack0lian, found that Komodia uses a rootkit to better hide itself and make it that much harder to remove.
Komodia appears to have implemented its system in the worst way possible, and a whole bunch of companies agreed to use its product without even the slightest recognition of the fact that they punched a massive vulnerability into the computers of everyone who used their products. What's really stunning is that many of these products actually pitch themselves as "security" products to better "protect" your computer.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: alternate domains, https, komodia, man in the middle, root certificate, rootkit, superfish
Companies: komodia, superfish
Reader Comments
The First Word
“It no longer matters if this was a boo-boo or not.
The outcome is horrific, and there is no excuse for this.
Sadly many people who have been hacked by this crapware still are unaware of the danger. This is one of those moments when they should moved to seize all of the records of this company and contact everyone they ever dealt with to alert them. The code should be dissected so that tools can be written to secure these victims systems and make everyone safer.
The creators need to pay the price for their hubris.
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
Re:
https://www.facebook.com/lavasoft.adaware/posts/10153070107783361
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Throwing together software that turns out to have a security hole is bad, but expected, as you can't catch them all, but this? One security flaw hidden by another, this all but screams 'This was done on purpose'.
[ link to this | view in chronology ]
Re:
It was, forcing adverts on people is the highest purpose there is.
[ link to this | view in chronology ]
Re:
"Barak Weichselbaum founded Komodia, Inc. in 2000, following his military service as a programmer in the IDF’s Intelligence Core. A custom solution provider to customers worldwide, Komodia first released its open source TCP/IP library in 2001. Through numerous projects in the past ten years, the company has found a niche in multiple areas of programming with one common theme: scarce documentation and a lack of experts. Today the company is focused on marketing its flagship product: Komodia’s Redirector."
I really hate to don a tinfoil hat, but a company founded by ex-Israeli IDF intelligence sounds for penetration by Israeli intelligence.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
yeesh.
[ link to this | view in chronology ]
Re: Re:
10 years ago this kind of activity would have been reserved for hackers and virus-manufacturers. Today hijacking and adware are par for the course. Backdoors are becoming more commonly used in more "legitimate" businesses.
I wonder how long it will take before hacking becomes kosher for hardware and software manufacturers?
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
Your comment is anti-semitic so you better keep quiet or they will come for you.
[ link to this | view in chronology ]
Re: Re:
Komodia is dragged along with many ISV products, which is one heck of a stealth distribution system.
[ link to this | view in chronology ]
Re:
I'll be interested to see if Lenovo sue them; I certainly would if I were in their shoes, considering how expensive this is going to be for them in terms of mitigation & reputational costs.
[ link to this | view in chronology ]
Re:
Agreed. The Certificate mess *could* have been pushed out by Programming to meet a deadline, but to install a Rootkit? That's definitely deliberate.
Add to that all the screeching the NSA an GHCQ have been doing over people switching to HTTPS *only* recently, and they very well may have been TOLD to install these "bugs".
[ link to this | view in chronology ]
It no longer matters if this was a boo-boo or not.
The outcome is horrific, and there is no excuse for this.
Sadly many people who have been hacked by this crapware still are unaware of the danger. This is one of those moments when they should moved to seize all of the records of this company and contact everyone they ever dealt with to alert them. The code should be dissected so that tools can be written to secure these victims systems and make everyone safer.
The creators need to pay the price for their hubris.
[ link to this | view in chronology ]
Re:
Nope, better go after Kim Dotcom.
[ link to this | view in chronology ]
Re:
Lenovo simply pre-installed software on a computer, nothing illegal about that.
If it was illegal to install software that contains security flaws surely Billy Gates would be at Gitmo by now.
[ link to this | view in chronology ]
Re: Re:
Seriously?
CFAA dude. They hacked people's computers without their permission.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
(1) having knowingly accessed a computer without authorization Lenovo did not access anything so this is out
(2) intentionally accesses a computer without authorization Lenovo did not access peoples computers
(3) intentionally, without authorization to... Lenovo did not intentionally create a security problem
(4) knowingly and with intent to defraud, accesses a protected computer without authorization Lenovo did not access peoples computers
(5), (6) and (7) all require knowingly or intentionally and as stated before Lenovo did not knowingly or intentionally do any of the things listed in those sections
So no, Lenovo did not break the law, what they did was pre-install some software that turns out to have security flaws. Just installing Windows as provided by Microsoft would subject users to security flaws.
To conclude, it is not illegal to pre-install software unless you do it for some nefarious reason meeting the criteria listed in laws.
There may be some civil laws that apply, I think gross incompetence is the place to start there but nothing criminal.
[ link to this | view in chronology ]
Re: Re: Re: Re:
What about Komodia?
They created a certificate that signs basically ANY certificate it encounters and makes bad ones good in the process.
This is not a bug, this is defective and deceptive by design.
At no point did they disclose everything it did to their buyers, no one would purchase a piece of software that makes you more open to being hacked but this entire piece of software does just that.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
The CFAA is only used against people the government doesn't like, and I doubt they give a shit about this.
[ link to this | view in chronology ]
Re: Re:
Two question comes up
1) Did the end user give consent
2) Was the end user informed well enough to even be able to give consent
[ link to this | view in chronology ]
Re: Re: Re:
2) No, but since when does that count? EULAs are always having the user give consent for things that they don't really understand (by design).
[ link to this | view in chronology ]
Re: Re:
I don't think that any law was broken, especially not by Lenovo.
However, there may be a violation of the UCC "fitness for a particular purpose" clause. The machines that contained this software were certainly not fit to use for connecting to the internet.
[ link to this | view in chronology ]
Re:
Judges issue orders in court and there is a lack of followup - why should anyone expect your request will have meaning?
[ link to this | view in chronology ]
Re:
It will be...there was no law broken here.
That is actually good (in my opinion) because the backlash of customers not wanting to purchase lenovo equipment should be enough to keep this from happening again. Not every stupid, greedy, ignorant business decision needs to lead to jail time, a company out of business, some people losing investment money, and a bunch of customers going elsewhere is a really good free-market result.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
Just like it kept it from happening in the first place, huh?
[ link to this | view in chronology ]
Re:
You do realize that there are different laws for different people, don't you? The full extent of the law is much different for some people than it might be you or I.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Huh.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
NSA behind this?
*Puts tin foil hat on*
I suspect that the NSA is behind this, that they paid Komodia to put out a product with badly broken security. It makes hacking into companies like Gemalto so much easier.
Unfortunately, the same broken security can be used by anyone.
[ link to this | view in chronology ]
Re: NSA behind this?
My supposition, though, was that NSA knew about the flaw, but were using Lenovo as cover. No need for Lenovo, superfish, or Komodia to be coopted, they'd done it to themselves, a zero-day flaw just waiting for exploitation.
But it's a bit of a stretch to posit corruption of Komodia alone for the Lenovo issue. Lenovo used Superfish used Komodia, making three separate points of contact. Too complex, to many points of failure.
Taking advantage of Komodia's flaws, on the other hand, that's easy.
And tinfoil hat aside, once the story broke, you can bet that the NSA added this to its armament package within the day.
[ link to this | view in chronology ]
Re: Re: NSA behind this?
I don't posit that Lenovo was the NSA's target, rather a bonus. My suggestion is that Komodia was subsidized by the NSA to the point that adoption would be fairly widespread. That's all the NSA needed. Lenovo pre-installing it (via Superfish) was a bonus.
*Attaches tinfoil really tightly*
It's possible that the NSA subsidized *both* Komodia and Superfish. Superfish's logs would be very revealing about an individual. Again, all the NSA needed was widespread adoption. Enabling these companies to offer their products at a very low price would achieve this.
[ link to this | view in chronology ]
Re: NSA behind this?
[ link to this | view in chronology ]
Re: NSA behind this?
I'm pretty sure, though, this would require compromising one or more routers in the network--which is well within the capability of semicompetent black hats, not to mention NSA or Israel's Unit 8200.
[ link to this | view in chronology ]
Oh, come now, this isn't so bad
[ link to this | view in chronology ]
Of course it's all deliberate.
It gets even better/worse: Now that everyone knows about this, lots of other companies will start implementing this. After all, they'll only get sued if they get caught, and no one ever expects to be caught.
By now, it ought to be obvious from all the evidence that everyone wants to spy on you without limit and restraint.
[ link to this | view in chronology ]
Re: Of course it's all deliberate.
As always, never attribute to malice that which is adequately explained by stupidity.
This is most likely the work of someone that did not make the connection that this security hole they were creating would ever get exploited by someone with intent other than their own.
[ link to this | view in chronology ]
Re: Re: Of course it's all deliberate.
Why not? In the end, it doesn't matter if it was malice or stupidity, and in this case malice (on the part of Komodia and Superfish) seems MUCH more likely than stupidity.
[ link to this | view in chronology ]
Re: Re: Of course it's all deliberate.
This is clearly malice at work here. It may be leveraging itself over some pivoting points of stupidity, but the driving force is cunning, reckless and premeditated malice.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Root Certificates
This isn't too different from the various CA hacks (think DigiNotar). You're trusting everyone everyone with a certificate in your trust store and you don't even know who they are....
[ link to this | view in chronology ]
If they intended to take over your machine, they wouldn't have taken this approach. They would do what virus makers do -- exploit the hole, and then harden security so that they retain control of the machine.
Instead they were sociopaths. They solely cared about the advertising money, not the negative effects of their actions.
It's not that they didn't understand the vulnerabilities they were creating. The implementation indicates they fully understood the architecture of certificate based authentication, and where they would need to insert the man-in-the-middle attack to substitute advertisements.
Normal people don't think this way. Even if you hate someone enough to murder them, normal people don't bring down a plane full of people or poison a whole town. Or create a public panic so that they can profit from shorting a drug company stock. Sociopaths can't see the difference, they don't empathize with the innocent victims or see the systemic damage. They don't care about the results beyond their own benefit.
[ link to this | view in chronology ]
Re:
Precisely so. We only see this behavior in sociopaths, as in this case or with mass murderers/serial killers, serial rapists, spammers, and other similarly evil people. They don't stop because they can't stop -- and it's rarely, if ever, possible to cure them.
Mark my words: they'll do this again. It'll be subtler and hidden behind layers of misdirection, but they'll do it again.
[ link to this | view in chronology ]
Re:
Avarice always has malice standing by its side. Always.
[ link to this | view in chronology ]
Re:
Why not? Machine wide open, and slightly plausible deniability. "Your honor! We did it for advertising! Free market! Thwart communism!"
[ link to this | view in chronology ]
Who wants to play a game of Spot the Differences?
http://eccentric-authentication.org/blog/2014/11/30/spot-the-differences.html
It's more appropriate to this story than it looks at first.
[ link to this | view in chronology ]
@43
[ link to this | view in chronology ]
They obviously are being paid by the NSA.
[ link to this | view in chronology ]
Just In Case
https://filippo.io/Badfish/
[ link to this | view in chronology ]
The list of "programs" at Ars Technica
[ link to this | view in chronology ]
This is what a "golden key" looks like.
And it looks like a whole lot of people being super vulnerable in the inevitable moment that the backdoor is revealed.
[ link to this | view in chronology ]
Never attribute to incompetence, that which can be attributed to double profits.
If they suffer absolutely not one iota of consequence for any of their actions, I'd say their federal affiliation is obvious.
---
[ link to this | view in chronology ]
[ link to this | view in chronology ]