Komodia Certificate Compromise affects Superfish and other software

March 5, 2015

The private key used by the Komodia SDK, which ships pre-installed with some Lenovo laptops, has been compromised, and this represents a breakdown of trust between web browsers and secure websites. Komodia SDK-based software establishes what is essentially a Man-in-the-Middle (MitM) between your browser and the HTTPS/SSL sites you visit, such as your bank. It creates a public-private key pair and inserts the public key as a Root Certificate Authority (CA) certificate on your machine. This means that an attacker can use the cracked private key to create a spoofed SSL certificate for a spoofed site. The Komodia SDK-based software will trust the certificate that has been installed into your Root CA store and you will not notice a thing. The only thing you will notice, if you click on the lock icon in your browser address bar, is that the certificate from your bank shows "Issued by: Superfish, Inc.". Other software that uses the Komodia SDK includes PrivDog and others. PrivDog, for example, is advertised as a privacy and secure browsing program. Like Superfish, it creates a MitM between your browser and secure websites.
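The observable symptom described above is a root CA in the local store, or an issuer on a site's certificate, carrying a name such as "Superfish, Inc.". The script below is an added example, not part of this advisory or of any SonicWALL product: it audits certificate records in the dictionary form that Python's `ssl` module returns from `SSLContext.get_ca_certs()` and `SSLSocket.getpeercert()`, and flags any subject or issuer that matches the product names listed in this advisory. Only "Superfish, Inc." is a string the advisory itself reports; the other name fragments are assumptions derived from the product names, and the two certificate records at the bottom are constructed sample data.

```python
import ssl

# Name fragments associated with Komodia-based products named in this advisory.
# "Superfish, Inc." is the issuer string the advisory says the browser shows;
# the rest are assumed from product names and are not confirmed certificate CNs.
SUSPECT_NAME_FRAGMENTS = (
    "superfish", "privdog", "komodia", "arcadegiant", "cart crunch",
    "utiltool", "kurupira", "keep my family secure", "staff-cop",
    "qustodio", "webcompanion",
)


def name_to_dict(rdn_sequence):
    """Flatten ssl's nested-tuple Distinguished Name form, e.g.
    ((('commonName', 'X'),),) -> {'commonName': 'X'}."""
    out = {}
    for rdn in rdn_sequence:
        for attr, value in rdn:
            out[attr] = value
    return out


def is_self_signed(cert):
    """A root CA is self-signed: subject and issuer are identical."""
    return cert.get("subject") == cert.get("issuer")


def suspect_indicators(cert):
    """Return the suspect fragments found in the cert's subject or issuer."""
    values = []
    for field in ("subject", "issuer"):
        values.extend(str(v) for v in name_to_dict(cert.get(field, ())).values())
    blob = " | ".join(values).lower()
    return [frag for frag in SUSPECT_NAME_FRAGMENTS if frag in blob]


def audit_trust_store(certs):
    """Scan a list of cert dicts and report those that match an indicator.
    Works on both a CA store listing and a single server certificate."""
    findings = []
    for cert in certs:
        hits = suspect_indicators(cert)
        if not hits:
            continue
        subject = name_to_dict(cert.get("subject", ()))
        issuer = name_to_dict(cert.get("issuer", ()))
        findings.append({
            "subject": subject.get("commonName", "<none>"),
            "issuer": issuer.get("commonName", "<none>"),
            "serialNumber": cert.get("serialNumber", "<none>"),
            "self_signed": is_self_signed(cert),
            "indicators": hits,
        })
    return findings


# Constructed sample records in the shape ssl returns (not real certificates).
CONSTRUCTED_STORE = [
    {   # a benign, self-signed root
        "subject": ((("countryName", "US"),),
                    (("organizationName", "Example Trust Services"),),
                    (("commonName", "Example Trusted Root CA"),)),
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Example Trust Services"),),
                   (("commonName", "Example Trusted Root CA"),)),
        "serialNumber": "01",
    },
    {   # the kind of root the advisory describes; serial is a placeholder
        "subject": ((("countryName", "US"),),
                    (("organizationName", "Superfish, Inc."),),
                    (("commonName", "Superfish, Inc."),)),
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Superfish, Inc."),),
                   (("commonName", "Superfish, Inc."),)),
        "serialNumber": "PLACEHOLDER",
    },
]


if __name__ == "__main__":
    # Sample data first, then the certs this Python trusts on the local host.
    for finding in audit_trust_store(CONSTRUCTED_STORE):
        print("sample:", finding)
    live = ssl.create_default_context().get_ca_certs()
    for finding in audit_trust_store(live):
        print("local trust store:", finding)
```

On a machine where an HTTPS connection is available, the same `audit_trust_store` can be run over `[sock.getpeercert()]` after an `ssl` handshake to catch the "Issued by: Superfish, Inc." condition the advisory describes at the lock icon; the check is on names only, so removing the offending root from the store remains the actual remediation.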

The following image shows a browser with PrivDog installed:

This image shows the view from your browser:

This image shows the PrivDog Root Certificate Authority installed on your machine:

Dell SonicWALL UTM protects our customers with the following:

  • IPS:10756 Komodia SSL Certificate Superfish
  • IPS:10758 Komodia SSL Certificate PrivDog
  • IPS:10770 Komodia SSL Certificate ArcadeGiant
  • IPS:10769 Komodia SSL Certificate Cart Crunch
  • IPS:10790 Komodia SSL Certificate UtilTool Ltd
  • IPS:10789 Komodia SSL Certificate Kurupira Webfilter
  • IPS:10788 Komodia SSL Certificate Keep My Family Secure
  • IPS:10787 Komodia SSL Certificate Atom Security Staff-cop
  • IPS:10786 Komodia SSL Certificate Qustodio Technologies
  • IPS:10777 Komodia SSL Certificate Lavasoft WebCompanion
  • SPY:10758 Superfish
  • GAV:991 Superfish.LN
  • GAV:15018 SuperFish.AG
  • GAV:15017 SuperFish.OB
  • GAV:15016 SuperFish.CC
  • GAV:15013 SuperFish.WT
  • GAV:15012 SuperFish.CT
  • GAV:15011 SuperFish.CM
  • GAV:15010 SuperFish.OPT
  • GAV:15009 SuperFish.SM
  • GAV:18465 Superfish.JS
  • GAV:37070 Superfish.LN_3
  • GAV:37069 SuperFish.LN_2
  • GAV:739182 Superfish.JS_2

This vulnerability was not assigned a CVE.