It's always a busy month in the field of security. This month has seen its share of ugly stories, including the growing amount of state tax fraud, massive bank heists, and another depressing breach of our personal privacy by a major business. Those stories are all big, but the one that really captivated the attention of our community has been the one about Lenovo and Superfish.
That story has all the requisite narrative pieces to be a big tale that riles the enthusiast: a large PC maker pushing crapware onto untold numbers of users, that crapware being adware afflicted with a major security flaw, and the players involved doubling down on a large dose of stupid. Add the spicy dash of conspiracy that this is covert government espionage to the mix, and I think we're well on our way to a Tom Clancy novel.
It's not hard to lay some of the blame for this mess on the general decline of the broader PC industry. The PC market has long been one of low margins and low costs, and that's still the case today. The need to find additional revenue sources has undoubtedly helped foster the rise of crapware. Of the major PC makers navigating the changing seas of this market, Lenovo has arguably done well for itself.
We saw some bang-up coverage of the Lenovo-Superfish story last week. Ars Technica has been solidly on top of it, and Geoff and Cyril here at TR have done a phenomenal job of detailing the saga, too. The passing of time has helped flesh out more of the details, and I figured now was a good time to sum everything up.
Superfish is an advertising company that developed a product called Visual Discovery. Visual Discovery takes a different approach to serving targeted ads. The software isn't interested in keywords; instead, it processes the images of pages you visit in order to learn your interests. That capability can be implemented through something like a browser extension, but browser support would potentially limit the software's reach. Another approach is to use a Layered Service Provider (LSP) or Windows Filtering Platform (WFP) driver injected into the OS network stack. Such an approach enables support across any browser, but it does have one tiny downside: because SSL/TLS encryption is implemented within the browser, encrypted traffic passing through the filter would be opaque to Visual Discovery. What Superfish needed was not only a filter in the stack, but also a proxy that could negotiate the SSL/TLS encryption with both the outside resource and the local browser.
Superfish apparently lacked either the skillset or the desire to build the necessary software to carry out a man-in-the-middle attack. So they went looking for an all-in-one solution to their problem. Komodia sells a development kit called an "SSL hijacker," which implements the proxy functionality needed to enable the attack. To be fair, this sort of interception is a tool, and like all tools, it can be used for good or for ill. Many anti-virus solutions and host intrusion detection and prevention systems use these filter drivers and proxy capabilities to identify malicious traffic before your system can process a malicious application's payload. Of course, Superfish isn't an anti-malware program. It's an adware program, and it has no business being integrated into the TCP/IP stack.
As terrible as what I've already described is, the situation is only going to get worse. Over the course of a few days, security researchers have plumbed the depths of the Komodia engine and found numerous implementation problems. More concerning is the fact that this flawed engine is integrated into not just Superfish Visual Discovery, but also numerous other products. Komodia claims to have more than 100 clients using their product. The list of programs found to use the Komodia engine keeps growing. In short, Lenovo is just the tip of the iceberg.
The Komodia engine's poor security design includes blunders like:
- The root private key is identical on all machines.
- The root private key is password protected by a trivial word: komodia.
- The installed Komodia proxy is the one that negotiates with outside resources (like TR). It is willing to accept any symmetric encryption, including RC4 and DES. Those ciphers are far too old and weak to be used today.
- The Komodia proxy will also accept any certificate that has the domain name in the alternates field, and it will digitally sign that certificate with the private root certificate it has installed on the machine.
Jumping onto a public Wi-Fi hotspot and using a tool like PwnStar against a machine sporting one of these certificates would be devastating to the victim.
In other words, the entire Komodia engine is a hopelessly broken implementation of public key infrastructure.
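Two of the blunders above can be checked for from the client side: a TLS client can refuse the weak ciphers (RC4, DES) the proxy is willing to negotiate, and it can inspect who issued the certificate it was handed, since a server certificate signed by a locally installed interception root is the tell-tale sign of this kind of proxy. The following Python script is an added example written for this write-up; it is not code from Lenovo, Superfish, or Komodia. It uses only the standard `ssl` module, the root name it flags ("Superfish, Inc.") is a sample entry in a caller-supplied list, and the two peer-certificate dicts are constructed to mirror the shape `SSLSocket.getpeercert()` returns, so the script runs offline.

```python
"""Client-side checks against the Komodia proxy blunders described above:
accepting weak symmetric ciphers (RC4, DES) and presenting certificates signed
by a locally installed interception root. Example code added to this write-up,
not code from Lenovo, Superfish, or Komodia."""
import ssl
from typing import Iterable, Optional

# Cipher policy: forward-secret AEAD suites only; RC4, DES and 3DES are
# explicitly excluded. TLS 1.3 suites are enabled separately by OpenSSL.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES"

# Names of root certificates that should never sign a certificate for a public
# site. This is a sample list; a real deployment would keep its own inventory.
KNOWN_INTERCEPTION_ROOTS = ("Superfish, Inc.",)

# Constructed samples in the shape returned by SSLSocket.getpeercert():
# 'issuer' is a tuple of RDNs, each a tuple of (attribute, value) pairs.
SAMPLE_INTERCEPTED_PEERCERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Superfish, Inc."),),
        (("commonName", "Superfish, Inc."),),
    ),
    "subjectAltName": (("DNS", "www.example.com"),),
}

SAMPLE_CLEAN_PEERCERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Public CA"),),
        (("commonName", "Example Public CA R1"),),
    ),
    "subjectAltName": (("DNS", "www.example.com"),),
}


def hardened_context() -> ssl.SSLContext:
    """Build a client context that refuses the weak ciphers the Komodia proxy accepts."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_CIPHERS)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_ciphers_in(ctx: ssl.SSLContext) -> list:
    """Return names of enabled cipher suites that use RC4, DES or 3DES."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(tag in c["name"] for tag in ("RC4", "DES"))]


def issuer_attributes(peercert: dict) -> dict:
    """Flatten the issuer RDN sequence from getpeercert() into attribute -> value."""
    return {attr: value for rdn in peercert.get("issuer", ()) for attr, value in rdn}


def flagged_issuer(peercert: dict, bad_roots: Iterable[str]) -> Optional[str]:
    """Return the matching interception-root name if the certificate was signed by one, else None."""
    attrs = issuer_attributes(peercert)
    for name in bad_roots:
        if name in (attrs.get("organizationName"), attrs.get("commonName")):
            return name
    return None


if __name__ == "__main__":
    ctx = hardened_context()
    print("weak ciphers enabled:", weak_ciphers_in(ctx))
    print("intercepted sample flagged as:",
          flagged_issuer(SAMPLE_INTERCEPTED_PEERCERT, KNOWN_INTERCEPTION_ROOTS))
    print("clean sample flagged as:",
          flagged_issuer(SAMPLE_CLEAN_PEERCERT, KNOWN_INTERCEPTION_ROOTS))
```

In a real client you would wrap a socket with `hardened_context()`, call `getpeercert()` on the resulting connection, and pass that dict to `flagged_issuer()`. Note what this check can and cannot do: it catches the case where the interception root sits in the local trust store and re-signs the server's certificate, which is exactly the Komodia behaviour; it does nothing about the proxy's own upstream connection, whose cipher and certificate choices happen on the other side of the proxy and are invisible to the browser.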
So, what can you do about it?
- You can check if you're impacted by one of the many Komodia engine products here.
- You can manually uninstall and check for Superfish Visual Discovery here.
- You can take off and nuke it from orbit. It's the only way to be sure.
- Windows Defender has started cleaning up the Superfish Visual Discovery mess. We may see the other anti-malware vendors follow suit.
- Make sure to check and watch this CERT listing for known software beyond Visual Discovery that uses the Komodia engine.
Perhaps in some backhanded way, Lenovo has done us a favor. One wonders how much longer Komodia's poorly built product would have escaped notice without their pursuit of profits at the expense of the end user. Thanks, Lenovo!