Skip to content

Lenovo Superfish Komodia — Greed, Stupidity and Idiocy

Meanwhile you should have heard about the Lenovo hardware that had Superfish installed, an adware injecting software that uses an SSL hijacker SDK made by Komodia. If not then duck it.

I'd classify that as a Maximum Credible Accident (MCA) which was only possible due to greed, stupidity and idiocy.

  • Greed – Lenovo was greedy enough to deploy Superfish on its hardware, probably just for a few bugs revenue more per machine.
  • Stupidity – Superfish was stupid enough to use the Komodia SSL hijacker, just to be able to inject ads into https connections. Hopefully without knowing what they were doing, else it would had been double stupid stupidity. However, and of course they are greedy as well, because all ad sellers are.
  • Idiocy – Komodia was idiots enough to implement an SSL hijacker SDK and embed a root CA certificate in the software using it and super idiocy chose "komodia" as all private keys' password, making the certificate available to anyone and grandpa.

Extracting the certificate was fairly easy, see here for Superfish and here for other software developed with the SDK. The hit list is lead by parental control softwares.

Now, as if that wasn't enough, according to Forbes the loser behind founder of Komodia was once a programmer in Israel’s IDF’s Intelligence Core. Really? I'm not impressed.

Or wait, here's room for conspiracy theories! Let Superfish be a venture capital startup, financed by Israelis, which maybe is not that far fetched. What if the whole concept just serves the idea to spread an SSL hijacker to be able to intercept HTTPS connections and inject man-in-the-middle attacks? Sounds like a good plan? Yeah, well done, goal achieved, it couldn't be better ;-)

Lenovo shut down the servers that enable Superfish to function and provides a removal tool and instructions for the software and certificates. The list of affected models is quite extensive:

Superfish may have appeared on these models:
G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch 
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30
Hopefully this incident will teach Lenovo a lesson to not fiddle around with the customer too much..

Geez, how lame is that? and they serve an invalid certificate because it has expired.
Since 2013-09-14

Update 2014-01-03T22:01+0100
Ok ok, as a comment mentioned is now located at