A member of the Facebook security team has recently uncovered an extra ten sub-species of Superfish. It now seems that the cert-jacking Komodia library is far more widespread than was initially believed, which presents significant security concerns.
The security problem was initially discovered in Lenovo machines, which had shipped with advertising software installed. It now seems, however, that it is not confined to Lenovo. Between September and December 2014, dozens of laptops that had been sent to customers were exposed to the problem, meaning their machines could easily be hijacked.
Superfish was previously included on some consumer notebook products shipped between September 2014 and February 2015 to assist customers with discovering products similar to what they are viewing. However, user feedback was not positive, and we responded quickly and decisively. Vulnerabilities have been identified with the software, which include installation of a self-signed root certificate in the local trusted CA store. The application can be uninstalled; however, the current uninstaller does not remove the Superfish root certificate.
It now seems, however, that the same flaw extends beyond Superfish to other adware programs and parental control software. Very simply put, it exposes users to "man in the middle" attacks even on encrypted connections, because Superfish installs a self-signed root certificate that lets it insert adverts into secure websites and search results.
Through what is known as "SSL hijacking," software from a company called Komodia is able to intercept encrypted traffic on other people's machines. Matt Richard of Facebook and independent researcher Marc Rogers have found that the SSL Decoder offered by Komodia is also built into a variety of other products, including IP cloaking technology and parental control software. They also found that various adware vendors, often presenting themselves as search or games assistants, issue such certificates too. This is a significant issue, and Marc Rogers has issued an official warning.
If you are a parent that has installed parental control software… I would check to see if your computer has been affected by this, as a matter of urgency.
Filippo Valsorda has created a free online check in order to find out whether or not your machine is at risk. The test can be accessed through the https://filippo.io/Badfish/ website.
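The mechanism described above (a self-signed root in the trust store letting a proxy impersonate any secure site) and one way a check like the one linked above can work, as an added Go example that is not code from the page, from Lenovo, Komodia or Filippo Valsorda. The "Constructed Interception CA" root, its key and the hostname bank.example are constructed stand-ins; a real check would hold the actual injected CA's key, which this page does not contain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a certificate for cn: a self-signed CA when parent is nil, otherwise a server leaf.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true}
	if parent == nil { // a root able to sign for any site, like the one the adware installs
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // a leaf impersonating the site the SSL proxy sits in front of
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

var InterceptionRoot, interceptionKey = issue("Constructed Interception CA", nil, nil) // constructed stand-in, not the real Superfish cert

// StoreIsAffected forges a leaf for host with the interception key and reports whether store accepts it (true = proxy can read the traffic).
func StoreIsAffected(store *x509.CertPool, host string) bool {
	leaf, _ := issue(host, InterceptionRoot, interceptionKey)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: store})
	return err == nil
}

func main() {
	public, _ := issue("Constructed Public Root CA", nil, nil) // the only root a clean store holds here
	clean, dirty := x509.NewCertPool(), x509.NewCertPool()
	clean.AddCert(public)
	dirty.AddCert(public)
	dirty.AddCert(InterceptionRoot) // what the vendor uninstaller leaves behind
	fmt.Println("clean store affected:", StoreIsAffected(clean, "bank.example")) // false
	fmt.Println("dirty store affected:", StoreIsAffected(dirty, "bank.example")) // true
}
```

Removing the leftover root from the store, which the uninstaller mentioned above does not do, is what turns the second result back to false.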
Facebook’s Matt Richard has also made an official statement in relation to the issue.
What all of these applications have in common is that they make people less secure through their use of an easily obtained root CA, they provide little information about the risks of the technology, and in some cases they are difficult to remove.
He added that the SSL proxies are unlikely to keep up with the various HTTPS features found in browsers, so private data could be exposed to network attackers. Anti-virus products could detect these issues, but research has shown that only very few actually do.
The vulnerability itself was discovered by Facebook, which started work on a wide-ranging security project in 2012 with the goal of measuring the prevalence of man-in-the-middle attacks. Working with Carnegie Mellon University, the social media giant has so far found that 0.2% of all SSL certificates had been tampered with, meaning that 6,000 people in Facebook's sample believed they were surfing the web securely but were actually vulnerable to attack.
Komodia's website is now experiencing outages, which the company attributes to a concerted DDoS (Distributed Denial of Service) campaign launched against it by various online hacking communities. It has not commented on the allegations made by Richard or Rogers.