As you probably heard, last week PC maker Lenovo was at the center of a firestorm for pre-installing a piece of software called Superfish on its laptops that acted a lot like malware.
Superfish basically broke the security on a computer in a way that allowed it to read any encrypted messages sent by the PC, like passwords or banking details. It did this through what experts call a man-in-the-middle attack, where the software sits between the PC and the website and can intercept the messages.
Websites are supposed to present what’s known as a security certificate that verifies the website you are visiting is who it says it is. Think of it as the website’s equivalent of using your driver’s license as ID.
Superfish got around this by presenting a fake security certificate to trick the computer into thinking it was talking to the actual website.
That fake certificate came from a company called Komodia, Komodia confirmed to Ars Technica.
Here’s a screengrab from Twitter of Superfish allegedly impersonating Bank Of America:
And the more some computer security professionals looked at what Komodia did with this certificate, and what it was doing in general, the more it worried them.
Komodia was in the business of selling software that created such fake certificates and claimed it had more than 100 clients, including Fortune 500 companies.
As Ars reported, the company boasted:
“With a simple-to-control interface, you can intercept website traffic and network applications from any program language,” a promotional video boasts. The company’s website brazenly refers to one of its software development kits as an “SSL hijacker.”
It advertised some legit uses for this kind of software, like parental control apps or apps that let you surf the ‘net anonymously.
The problem is, Komodia took an awful shortcut when it created this technology, Errata Security CEO Rob Graham discovered.
The safe way to do such a thing is to have every individual PC use its own unique password with the fake certificate. That way it wouldn’t be an attractive target for hackers: if they wanted to use the fake certificate to gather data from millions of PCs, they would have to crack the password on each individual PC. Not practical.
What Komodia did was use a single password for its certificate software and an easily guessable one at that: “komodia.” It took Graham all of three hours to crack the password.
And shortly after, Marc Rogers, a principal security researcher at CloudFlare, published his report noting that Komodia used “the same framework for many, many products.” He wrote:
This means that those dodgy certificates aren’t limited to Lenovo laptops sold over a specific date range. It means that anyone who has come into contact with a Komodia product, or who has had some sort of Parental Control software installed on their computer should probably check to see if they are affected.
This problem is MUCH bigger than we thought it was.
No one knows how many hackers have been snooping on PCs through Komodia’s software, but if the security good guys could figure it out in a matter of hours, the hacker bad guys could, too.
After Komodia’s involvement came to light, its website was taken down by some sort of denial-of-service attack, the company says, and it was still down as we wrote this.
The company isn’t commenting on whether this was a hacker attack or if too many people are visiting the site thanks to all the media attention focused on the company.
Naturally, some people have speculated that Komodia has voluntarily taken its site down and is in hiding.
We reached out to Komodia founder Barak Weichselbaum who politely declined comment. He told Forbes that the attack on his website was for real, “We had to decide if we focus on it, or on other things, we are busy as you can imagine. I saw on forums people say we’re hiding, the site can be seen from the internet archive, so no point trying to hide anything.”
And now for some good news: Cloudflare security engineer Filippo Valsorda has created a webpage where you can check whether any Komodia software is intercepting traffic on your computer.
Microsoft and McAfee are working with Lenovo to help Lenovo owners identify and remove Superfish from infected PCs, and Lenovo has posted an automatic removal tool to help PC users weed it out as well.
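For readers who want to check their own Windows PC directly, the following PowerShell script is an added example (it is not Lenovo’s removal tool, Cloudflare’s web check, or any Komodia code). It lists any trusted root certificate whose name mentions Superfish or Komodia; it assumes the injected root CA names itself with one of those words, and it only reports, it does not delete anything.

```powershell
# Added example: find Superfish/Komodia-style root certificates in the Windows trust stores.
# Assumption: the interception root CA's subject or issuer contains "Superfish" or "Komodia".
$Pattern = 'Superfish|Komodia'
$Stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
           'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\AuthRoot'

$Hits = foreach ($Store in $Stores) {
    Get-ChildItem -Path $Store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $Store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # A trusted root whose private key lives on this very machine is the
                # hallmark of a local interception proxy, not of a real certificate authority.
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

if ($Hits) {
    $Hits | Format-Table -AutoSize
    Write-Warning "Suspicious root certificate(s) found. Run Lenovo's removal tool, then re-run this check."
} else {
    Write-Host "No Superfish/Komodia root certificates found in the Windows certificate stores."
}
```

This only inspects the Windows certificate stores; Firefox keeps its own trust store and must be checked separately in its certificate manager.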