If you recall, we talked about Superfish recently and the fact that Lenovo was pre-installing spyware on low-end consumer computers they sold. Apparently, Komodia, the company behind Superfish, has other software that is just as bad if not worse. Several antivirus and parental-control products also use Komodia’s engine. Products like Qustodio, Kurupira, Infoweise and KeepMyFamilySecure are some of the ones that may cause problems. CERT and the U.S. Department of Homeland Security released a list of affected software late last month that you’ll want to check out.
Is Komodia Secure?
Marc Rogers, who is a security researcher at CloudFlare, had a great blog post about what he was able to discover while researching Superfish. Basically, the problem is a lot more widespread than at first thought. Believe it or not, the password to unlock the private key for the SSL root certificate installed by Komodia was… wait for it… “komodia.” Read the rest of his blog post for more discoveries. Rogers isn’t the only one writing about the problem.
Dan Goodin at Ars Technica wrote:
In fairness to Komodia and Superfish, many applications—some provided by Microsoft or trusted security companies—install custom root certificates on end user machines. In most cases, the programs do this because they have a legitimate need to monitor encrypted data passing between an end user and a website or mail server.
Antivirus software, for instance, requires this capability so that it can detect malicious code being pushed through HTTPS-protected connections. Most of the time, this process is safe since the software installs a unique digital root certificate on each end-user computer. That makes it impractical for attackers to use the certificate maliciously.
The Komodia keys used in the Lenovo Superfish debacle and the three cases analyzed by Rogers are altogether different. They use the same key for each group of customers. That is, the key for Lenovo Superfish is the same for each user, the key for the Komodia parental control software is the same for each user, etc. In all four cases, the private keys are protected by the password “komodia”.
What’s Up With the Komodia Website?
According to their website, “Barak Weichselbaum founded Komodia, Inc. in 2000, following his military service as a programmer in the IDF’s Intelligence Core. A custom solution provider to customers worldwide, Komodia first released its open source TCP/IP library in 2001.”
If you browse to the Komodia website, you’ll find this message today, which is really telling.
If you look really closely, it’s a notice that they ran out of bandwidth for displaying their video. We’re pretty sure it says “tuckered” out, but that T looks a lot like an F to us. Regardless, looking at the company’s homepage, it’s easy to see why so many people are worried.
Vulnerable to Superfish, Komodia, or PrivDog?
Luckily, you can check out this page, which is a Superfish, Komodia, and PrivDog vulnerability test set up by Cloudflare researcher Filippo Valsorda. It only takes a few seconds to check your web browser. You’ll want to do this test on all browsers that you use on your computer, obviously. The good news is that a lot of smart security people are staying vigilant when it comes to keeping us safe.
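The browser test above checks whether your browser trusts one of these roots. For readers who want to check a whole trust store themselves, here is an added example (written for this post, not code from Cloudflare, Komodia or any vendor named here) that scans a PEM bundle of trusted roots for the vendor names the post mentions (Superfish, Komodia, PrivDog) and prints each match together with the SHA-256 fingerprint of its public key. The fingerprint matters because of the distinction Ars Technica draws: an antivirus product that installs a unique root on each machine produces a different fingerprint everywhere, while a shared key like Komodia’s produces the same fingerprint on every affected machine, so comparing fingerprints across two computers tells you which case you are in. The bundle path (/etc/ssl/certs/ca-certificates.crt) is an assumption for Debian/Ubuntu-style systems; on Windows you would first export the store to PEM with certutil or certmgr. The sample certificates are constructed in the code and are not any vendor’s real certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"strings"
	"time"
)

// Watchlist holds the vendor names mentioned in the post. Matching is done
// case-insensitively against the certificate Subject's CN and O fields.
var Watchlist = []string{"Superfish", "Komodia", "PrivDog"}

// Finding describes one trusted root that matched the watchlist.
type Finding struct {
	Subject    string
	SPKISHA256 string // public-key fingerprint: identical across machines means a shared key
	IsCA       bool
}

// ScanPEMBundle parses every CERTIFICATE block in a PEM bundle and returns
// the certificates whose subject mentions a watchlisted vendor.
func ScanPEMBundle(bundle []byte, watchlist []string) []Finding {
	var findings []Finding
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			continue // skip malformed entries rather than abort the whole scan
		}
		if name, ok := matchSubject(cert.Subject, watchlist); ok {
			sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
			findings = append(findings, Finding{
				Subject:    name,
				SPKISHA256: hex.EncodeToString(sum[:]),
				IsCA:       cert.IsCA,
			})
		}
	}
	return findings
}

// matchSubject reports whether the CN or any O field contains a watchlisted name.
func matchSubject(subj pkix.Name, watchlist []string) (string, bool) {
	fields := append([]string{subj.CommonName}, subj.Organization...)
	for _, f := range fields {
		for _, w := range watchlist {
			if strings.Contains(strings.ToLower(f), strings.ToLower(w)) {
				return subj.String(), true
			}
		}
	}
	return "", false
}

// ConstructedRootPEM builds a self-signed CA certificate for the given
// organisation name. It exists only to give the scanner sample input and is
// not any vendor's real certificate.
func ConstructedRootPEM(org string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: org + " Root", Organization: []string{org}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	// Assumed default path for the system bundle; pass another path as argv[1].
	path := "/etc/ssl/certs/ca-certificates.crt"
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	bundle, err := os.ReadFile(path)
	if err != nil {
		// No bundle available: fall back to constructed sample input so the demo still runs.
		bundle = append(ConstructedRootPEM("Example Benign CA"), ConstructedRootPEM("Superfish Demo")...)
	}
	for _, f := range ScanPEMBundle(bundle, Watchlist) {
		fmt.Printf("MATCH subject=%q ca=%v spki_sha256=%s\n", f.Subject, f.IsCA, f.SPKISHA256)
	}
}
```

Run it against two machines and compare the printed fingerprints: a name match alone tells you a vendor root is installed, and an identical fingerprint on both machines tells you that the root's private key is shared rather than generated per install, which is the situation the post describes.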
The SSL Takeaway
Just when you thought it was safe to go back online with your computer, someone announces another exploit or vulnerability that can cause you trouble. This is why it’s crucial to stay on top of updating your software and operating system as well as keeping an eye open for potential security problems by watching the news.