Lenovo made the headlines this week with the alleged malware Superfish. Lenovo delivered some PCs loaded with the "bloatware" Superfish. Superfish provides a visual search solution. Apparently, Superfish designed software that places contextual ads into the web browsing experience. To perform this hijacking, Superfish uses a software stack from Komodia: SSL Digestor. According to Komodia's site:
Our advanced SSL hijacker SDK is a brand new technology that allows you to access data that was encrypted using SSL and perform on the fly SSL decryption. The hijacker uses Komodia’s Redirector platform to allow you easy access to the data and the ability to modify, redirect, block, and record the data without triggering the target browser’s certification warning.
How does Komodia perform the decryption without triggering the browser's certificate validation? CERT disclosed the trick on Thursday in its vulnerability note VU#529496:
Komodia Redirector with SSL Digestor installs non-unique root CA certificates and private keys, making systems broadly vulnerable to HTTPS spoofing
Komodia stealthily installs its own root certificate in the browsers' CA repository, and the software stack holds the corresponding private key. With that key it can sign a certificate for any site and forge the SSL connection, performing a classic Man-in-the-Middle. Although the private key was encrypted, some of the corresponding private keys could be extracted because the password was easy to guess (komodia). This means that as long as the root certificate is not erased from the browsers' repository, an attacker may use the corresponding private key: to sign malware that the machine would accept, and to generate phony certificates for phishing. In other words, principals other than Superfish may use this hack to infect Lenovo computers.
Lenovo provided a patch that removes the Superfish application. Unfortunately, the patch does not erase the malicious certificate. Microsoft has provided such a patch, and Mozilla should soon revoke the certificate.
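Since the vendor patch left the certificate in place, an administrator has to inspect the trust stores directly. The following PowerShell script is an added example, not code from the post or from Lenovo, Superfish or Komodia; it assumes the certificate's subject carries the vendor name (Superfish or Komodia) and that the machine exposes the Cert: drive.

```powershell
# Added example: report (and optionally remove) a Superfish/Komodia root
# certificate from the Windows root stores. Run elevated to reach LocalMachine.
param(
    [switch]$Remove   # without this switch the script only reports findings
)

# Assumption: the rogue root's subject contains the vendor name.
$suspectPattern = 'Superfish|Komodia'

# A trusted root may sit in the machine-wide or in the per-user store.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $suspectPattern } |
        ForEach-Object {
            [PSCustomObject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # A root whose private key is present on the box is the real
                # red flag: anyone holding that key can mint certificates
                # this machine will trust.
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

if (-not $findings) {
    Write-Output 'No Superfish/Komodia root certificate found in the Windows root stores.'
} else {
    $findings | Format-Table -AutoSize
    if ($Remove) {
        foreach ($f in $findings) {
            # -DeleteKey also discards the associated private key, if any.
            Remove-Item -Path (Join-Path $f.Store $f.Thumbprint) -DeleteKey -Confirm
        }
    }
}

# Note: Firefox keeps its own certificate database per profile (cert8.db/cert9.db)
# rather than the Windows store, so a root removed here may still be trusted there
# until Mozilla's own revocation lands or the profile is cleaned separately.
```

Run it once without `-Remove` to confirm the thumbprint against a trusted advisory before deleting anything.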
This is a perfect example of a supply chain attack. The main difference is that the supplier voluntarily infected its own product. Never forget law 4: Trust No One.
PS: at the time of writing, the Komodia site was down, allegedly due to a DoS. It may also be that too many people were trying to visit the site.