Thought Komodia/Superfish Bug Was Really, Really Bad? It's Much, Much Worse!
from the getting-worse-by-day dept
With each passing day, it appears that new revelations come out, detailing how the Komodia/Superfish malware is even worse than originally expected. If you don’t recall, last week it came out that Lenovo was installing a bit of software called “Superfish” as a default bloatware on a bunch of its “consumer” laptops. The software tried to pop up useful alternative shopping results for images. But in order to work on HTTPS-encrypted sites, Superfish made use of a nasty (and horribly implemented) “SSL hijacker” from Komodia, which installed a self-signed root certificate that basically allowed anyone to issue totally fake security certificates for any encrypted connection, enabling very easy man-in-the-middle attacks. Among the many, many, many stupid things about the way Komodia worked, was that it used the same certificate on each installation of Superfish, and it had an easily cracked password: “komodia” which was true on apparently every product that used Komodia. And researchers have discovered that a whole bunch of products use Komodia, putting a ton of people at risk. People have discovered at least 12 products that make use of Komodia.
But it gets worse. Filippo Valsorda has shown that you didn’t even need to crack Komodia’s weak-ass password to launch a man-in-the-middle attack, but its SSL validation is broken, such that even if Komodia’s proxy client sees an invalid certificate, it just makes it valid. Seriously.
At this point a legit doubt is: what will the Komodia proxy client do when it sees a invalid/untrusted/self-signed certificate? Because copying it, changing its public key and signing it would turn it into a valid one without warnings.
Turns out that if a certificate fails validation the Komodia proxy will still re-sign it (making it trusted), but change the domain name so that a warning is triggered in the browser.
Okay, but at least there’s a warning, right? Well, no, because… as Valsorda notes, there’s another horrible part of the implementation that gets around this: alternative names.
The Komodia proxy copies the server certificate almost entirely… What will it do with alternative names?
Alternative names are a X509 extension that allows to specify in a special field other domains for which the certificate is valid.
Boom. The Komodia proxy will take a self-signed certificate, leave the alternate names untouched and sign it with their root. The browser will think it’s a completely valid certificate.
So all you need to do to bypass verification is put the target domain in the alternate field, instead of in the main one that will be changed on failure.
An attacker can intercept any https connection, present a self-signed certificate to the client and browsers will show a green lock because Komodia will sign it for them.
As Valsorda points out, because of this, attackers don’t even need to know which Komodia-compromised software you’re running. They can just fuck with them all.
Thought we were done with how bad this is? Nope. Not yet.
Because another security researcher, going by the name @TheWack0lian, found that Komodia uses a rootkit to better hide itself and make it that much harder to remove.
Komodia appears to have implemented its system in the worst way possible, and a whole bunch of companies agreed to use its product without even the slightest recognition of the fact that they punched a massive vulnerability into the computers of everyone who used their products. What’s really stunning is that many of these products actually pitch themselves as “security” products to better “protect” your computer.
Filed Under: alternate domains, https, komodia, man in the middle, root certificate, rootkit, superfish
Companies: komodia, superfish
Comments on “Thought Komodia/Superfish Bug Was Really, Really Bad? It's Much, Much Worse!”
So, when is Lenovo issuing a public apology along with a fix and compensation for those that were ‘hacked’ because of their screw up?
Re: Re:
At this point this is far, far, far bigger than Lenovo, or Superfish. The company at the root of all this is Komodia, an entirely separate company from those two. Lenovo’s customers are actually only a fractions of the people involved at this point. For example, Lavasoft is one of those companies affected, and they have a nice rundown of their involvement:
https://www.facebook.com/lavasoft.adaware/posts/10153070107783361
Re: Re:
Except for the compensation, they are doing the rest.
At this point, I almost have to wonder if it’s not stupidity, but outright malice behind all of this. Seriously, to screw up this bad, they have got to be doing it intentionally.
Throwing together software that turns out to have a security hole is bad, but expected, as you can’t catch them all, but this? One security flaw hidden by another, this all but screams ‘This was done on purpose’.
Re: Re:
It was, forcing adverts on people is the highest purpose there is.
Re: Re:
Well, at the off all this is Komodia, an Israeli company. From their about page at the internet archive:
“Barak Weichselbaum founded Komodia, Inc. in 2000, following his military service as a programmer in the IDF’s Intelligence Core. A custom solution provider to customers worldwide, Komodia first released its open source TCP/IP library in 2001. Through numerous projects in the past ten years, the company has found a niche in multiple areas of programming with one common theme: scarce documentation and a lack of experts. Today the company is focused on marketing its flagship product: Komodia’s Redirector.”
I really hate to don a tinfoil hat, but a company founded by ex-Israeli IDF intelligence sounds for penetration by Israeli intelligence.
Re: Re: Re:
*root of
Re: Re: Re: Re:
*sounds ripe for
yeesh.
Re: Re: Re:
Not to mention that redirectors and marketing are othwer words for hijacking and adware.
10 years ago this kind of activity would have been reserved for hackers and virus-manufacturers. Today hijacking and adware are par for the course. Backdoors are becoming more commonly used in more “legitimate” businesses.
I wonder how long it will take before hacking becomes kosher for hardware and software manufacturers?
Re: Re: Re:
How long will this take to get traced back to NSA through the Israeli intelligence?
Re: Re: Re:
And once again, Israel.
Your comment is anti-semitic so you better keep quiet or they will come for you.
Re: Re: Re:
No tinfoil required. Israel actively spies on the US (and other nations), even though their leadership promised to cease such activity after the Pollard case. Their activity is in the same category as China and France, which is to say very competent.
Komodia is dragged along with many ISV products, which is one heck of a stealth distribution system.
Re: Re:
I’m probably being paranoid, but I can’t help but wonder if a spook agency or criminal organisation (but I repeat myself) are behind Superfish.
I’ll be interested to see if Lenovo sue them; I certainly would if I were in their shoes, considering how expensive this is going to be for them in terms of mitigation & reputational costs.
Re: Re:
“At this point, I almost have to wonder if it’s not stupidity, but outright malice behind all of this. Seriously, to screw up this bad, they have got to be doing it intentionally. “
Agreed. The Certificate mess could have been pushed out by Programming to meet a deadline, but to install a Rootkit? That’s definitely deliberate.
Add to that all the screeching the NSA an GHCQ have been doing over people switching to HTTPS only recently, and they very well may have been TOLD to install these “bugs”.
This is should be punished by the full extend of the law. They are hacking peoples systems & making them vulnerable.
It no longer matters if this was a boo-boo or not.
The outcome is horrific, and there is no excuse for this.
Sadly many people who have been hacked by this crapware still are unaware of the danger. This is one of those moments when they should moved to seize all of the records of this company and contact everyone they ever dealt with to alert them. The code should be dissected so that tools can be written to secure these victims systems and make everyone safer.
The creators need to pay the price for their hubris.
Re: Re:
Legitimate critical security threat with widespread real-world consequences?
Nope, better go after Kim Dotcom.
Re: Re:
While I agree heads should be rolling the trouble is I cannot see what law was broken.
Lenovo simply pre-installed software on a computer, nothing illegal about that.
If it was illegal to install software that contains security flaws surely Billy Gates would be at Gitmo by now.
Re: Re: Re:
“While I agree heads should be rolling the trouble is I cannot see what law was broken.”
Seriously?
CFAA dude. They hacked people’s computers without their permission.
Re: Re: Re: Re:
The PCs security was compromised before you owned it. They compromised the security on their PCs.
Re: Re: Re: Re:
According to Wikipedia Criminal offences under the act include:
(1) having knowingly accessed a computer without authorization Lenovo did not access anything so this is out
(2) intentionally accesses a computer without authorization Lenovo did not access peoples computers
(3) intentionally, without authorization to… Lenovo did not intentionally create a security problem
(4) knowingly and with intent to defraud, accesses a protected computer without authorization Lenovo did not access peoples computers
(5), (6) and (7) all require knowingly or intentionally and as stated before Lenovo did not knowingly or intentionally do any of the things listed in those sections
So no, Lenovo did not break the law, what they did was pre-install some software that turns out to have security flaws. Just installing Windows as provided by Microsoft would subject users to security flaws.
To conclude, it is not illegal to pre-install software unless you do it for some nefarious reason meeting the criteria listed in laws.
There may be some civil laws that apply, I think gross incompetence is the place to start there but nothing criminal.
Re: Re: Re:2 Re:
Well how about Superfish did they do something wrong?
What about Komodia?
They created a certificate that signs basically ANY certificate it encounters and makes bad ones good in the process.
This is not a bug, this is defective and deceptive by design.
At no point did they disclose everything it did to their buyers, no one would purchase a piece of software that makes you more open to being hacked but this entire piece of software does just that.
Re: Re: Re:3 Re:
Why do I imagine a lawyer grinning and nonchalantly tossing off the phrase “Read the ToS”?
Re: Re: Re:4 Re:
while rubbing his hands?
Re: Re: Re:5 Re:
This is too evil to have a lawyer merely rub his hands.
Re: Re: Re: Re:
“CFAA dude.”
The CFAA is only used against people the government doesn’t like, and I doubt they give a shit about this.
Re: Re: Re:
Intercepting and modifying secure data is against the law, unless it’s for your own computers, like a company.
Two question comes up
1) Did the end user give consent
2) Was the end user informed well enough to even be able to give consent
Re: Re: Re: Re:
1) Yes, in the clickwrap that came up on first boot.
2) No, but since when does that count? EULAs are always having the user give consent for things that they don’t really understand (by design).
Re: Re: Re:
“I cannot see what law was broken.”
I don’t think that any law was broken, especially not by Lenovo.
However, there may be a violation of the UCC “fitness for a particular purpose” clause. The machines that contained this software were certainly not fit to use for connecting to the internet.
Re: Re:
This is should be punished by the full extend of the law
Judges issue orders in court and there is a lack of followup – why should anyone expect your request will have meaning?
Re: Re:
This is should be punished by the full extend of the law
It will be…there was no law broken here.
That is actually good (in my opinion) because the backlash of customers not wanting to purchase lenovo equipment should be enough to keep this from happening again. Not every stupid, greedy, ignorant business decision needs to lead to jail time, a company out of business, some people losing investment money, and a bunch of customers going elsewhere is a really good free-market result.
Re: Re: Re:
The CFAA was broken. They did far more than they said upon installation, against the will of the user of the computer (“unauthorized”).
Re: Re: Re: Re:
Go read the TOS and End User agreements for your lenovo laptop (if you have made that unfortunate choice) and you will probably find that everything they have done was clearly authorized.
Re: Re: Re:
“That is actually good (in my opinion) because the backlash of customers not wanting to purchase lenovo equipment should be enough to keep this from happening again.”
Just like it kept it from happening in the first place, huh?
Re: Re:
“This is should be punished by the full extend of the law.”
You do realize that there are different laws for different people, don’t you? The full extent of the law is much different for some people than it might be you or I.
Re: Re:
Not to worry. I’m sure they will be punished as much as Sony was punished for Sony’s widespread rootkit distribution on CDs; which required large numbers of people to have their OSes reinstalled at their own expense back in 2005.
Huh.
If a consortium of blackhats would have pooled a lot of money in order to get best value for their buck, would the outcome have been much different from Komodia?
Commode-ia sure picked the right name. their app should have been flushed before it ever came out.
NSA behind this?
The way that Komodia is broken is so bad, it’s hard to believe that it is not deliberate.
*Puts tin foil hat on*
I suspect that the NSA is behind this, that they paid Komodia to put out a product with badly broken security. It makes hacking into companies like Gemalto so much easier.
Unfortunately, the same broken security can be used by anyone.
Re: NSA behind this?
You’ve stolen my tin foil hat there, Whoever. I made a similar comment on the earlier story.
My supposition, though, was that NSA knew about the flaw, but were using Lenovo as cover. No need for Lenovo, superfish, or Komodia to be coopted, they’d done it to themselves, a zero-day flaw just waiting for exploitation.
But it’s a bit of a stretch to posit corruption of Komodia alone for the Lenovo issue. Lenovo used Superfish used Komodia, making three separate points of contact. Too complex, to many points of failure.
Taking advantage of Komodia’s flaws, on the other hand, that’s easy.
And tinfoil hat aside, once the story broke, you can bet that the NSA added this to its armament package within the day.
Re: Re: NSA behind this?
I don’t posit that Lenovo was the NSA’s target, rather a bonus. My suggestion is that Komodia was subsidized by the NSA to the point that adoption would be fairly widespread. That’s all the NSA needed. Lenovo pre-installing it (via Superfish) was a bonus.
Attaches tinfoil really tightly
It’s possible that the NSA subsidized both Komodia and Superfish. Superfish’s logs would be very revealing about an individual. Again, all the NSA needed was widespread adoption. Enabling these companies to offer their products at a very low price would achieve this.
Re: NSA behind this?
I don’t think this would be much use to the NSA since the attacker has to be on the same Wi-Fi network as the target. They like to capture huge quantities of data from central locations.
Re: Re: NSA behind this?
Au contraire. The man-in-the-middle attacks need not be on the same WiFi network–they’re just easier.
I’m pretty sure, though, this would require compromising one or more routers in the network–which is well within the capability of semicompetent black hats, not to mention NSA or Israel’s Unit 8200.
Oh, come now, this isn't so bad
It’s not like they did something really bad, something so destructive and damaging to the privacy and security of millions of people that it required immediate attention from federal law enforcement agencies combined with the threat of aggressive prosecution that could result in decades in prison…something like, oh, I don’t know, downloading scientific research papers?
Of course it's all deliberate.
It required some level of effort to implement this, so it was definitely done with malice and forethought.
It gets even better/worse: Now that everyone knows about this, lots of other companies will start implementing this. After all, they’ll only get sued if they get caught, and no one ever expects to be caught.
By now, it ought to be obvious from all the evidence that everyone wants to spy on you without limit and restraint.
Re: Of course it's all deliberate.
It required some level of effort to implement this, so it was definitely done with malice and forethought.
As always, never attribute to malice that which is adequately explained by stupidity.
This is most likely the work of someone that did not make the connection that this security hole they were creating would ever get exploited by someone with intent other than their own.
Re: Re: Of course it's all deliberate.
“never attribute to malice that which is adequately explained by stupidity.”
Why not? In the end, it doesn’t matter if it was malice or stupidity, and in this case malice (on the part of Komodia and Superfish) seems MUCH more likely than stupidity.
Re: Re: Of course it's all deliberate.
You don’t get to compromise all SSL traffic by mere stupidity.
This is clearly malice at work here. It may be leveraging itself over some pivoting points of stupidity, but the driving force is cunning, reckless and premeditated malice.
I have to question this is just about ads. That’s too convenient and pat excuse. Myself, I think they just put a hole in one of the backdoors for the spy agencies.
Root Certificates
This whole thing is possible largely because they can insert a root certificate in the trust store, and you and I have very little idea what certificates are in the trust store.
This isn’t too different from the various CA hacks (think DigiNotar). You’re trusting everyone everyone with a certificate in your trust store and you don’t even know who they are….
Don’t confuse malice and avarice.
If they intended to take over your machine, they wouldn’t have taken this approach. They would do what virus makers do — exploit the hole, and then harden security so that they retain control of the machine.
Instead they were sociopaths. They solely cared about the advertising money, not the negative effects of their actions.
It’s not that they didn’t understand the vulnerabilities they were creating. The implementation indicates they fully understood the architecture of certificate based authentication, and where they would need to insert the man-in-the-middle attack to substitute advertisements.
Normal people don’t think this way. Even if you hate someone enough to murder them, normal people don’t bring down a plane full of people or poison a whole town. Or create a public panic so that they can profit from shorting a drug company stock. Sociopaths can’t see the difference, they don’t empathize with the innocent victims or see the systemic damage. They don’t care about the results beyond their own benefit.
Re: Re:
Normal people don’t think this way.
Precisely so. We only see this behavior in sociopaths, as in this case or with mass murderers/serial killers, serial rapists, spammers, and other similarly evil people. They don’t stop because they can’t stop — and it’s rarely, if ever, possible to cure them.
Mark my words: they’ll do this again. It’ll be subtler and hidden behind layers of misdirection, but they’ll do it again.
Re: Re:
“Don’t confuse malice and avarice.”
Avarice always has malice standing by its side. Always.
Re: Re:
Why not? Machine wide open, and slightly plausible deniability. “Your honor! We did it for advertising! Free market! Thwart communism!”
Who wants to play a game of Spot the Differences?
Who wants to play a game of Spot the Differences?
http://eccentric-authentication.org/blog/2014/11/30/spot-the-differences.html
It’s more appropriate to this story than it looks at first.
@43
ummm they dont need ot you forget the nsa is building a large lab in israel
Oh ffs, there is only so many things they can fuck up before it becomes suspicious.
They obviously are being paid by the NSA.
Just In Case
I didn’t have time to read every response but here’s a website to detect if you possibly have problems with SuperFish or Komodia.
https://filippo.io/Badfish/
The list of "programs" at Ars Technica
Actually only seems to be a list of companies involved, and doesn’t actually name the packages/programs. I’m a bit worried about what *actually* uses this library, and if there are other libraries that do the same thing.
This is what a "golden key" looks like.
Maybe those needing an example of what backdoor-enabled (Golden Key, Pixie Dust, whatever) encryption looks like, it looks like this.
And it looks like a whole lot of people being super vulnerable in the inevitable moment that the backdoor is revealed.
Never attribute to incompetence, that which can be attributed to double profits.
Yep. Sounds to me like they’re NSA Crew Companies – doing the NSA’s legitimate dirty-tricks work and getting paid twice for the effort.
If they suffer absolutely not one iota of consequence for any of their actions, I’d say their federal affiliation is obvious.
—
Another reason to use GNU/Linux.