Undocumented backdoor that covertly takes snapshots found in kids’ smartwatch

Undocumented backdoor that covertly takes snapshots found in kids’ smartwatch

A popular smartwatch designed exclusively for children contains an undocumented backdoor that makes it possible for someone to remotely capture camera snapshots, wiretap voice calls, and track locations in real time, a researcher said.

The X4 smartwatch is marketed by Xplora, a Norway-based seller of children’s watches. The device, which sells for about $200, runs on Android and offers a range of capabilities, including the ability to make and receive voice calls to parent-approved numbers and to send an SOS broadcast that alerts emergency contacts to the location of the watch. A separate app that runs on the smartphones of parents allows them to control how the watches are used and receive warnings when a child has strayed beyond a present geographic boundary.

But that’s not all

It turns out that the X4 contains something else: a backdoor that went undiscovered until some impressive digital sleuthing. The backdoor is activated by sending an encrypted text message. Harrison Sand, a researcher at Norwegian security company Mnemonic, said that commands exist for surreptitiously reporting the watch’s real-time location, taking a snapshot and sending it to an Xplora server, and making a phone call that transmits all sounds within earshot.

Sand also found that 19 of the apps that come pre-installed on the watch are developed by Qihoo 360, a security company and app maker located in China. A Qihoo 360 subsidiary, 360 Kids Guard, also jointly designed the X4 with Xplora and manufactures the watch hardware.

“I wouldn’t want that kind of functionality in a device produced by a company like that,” Sand said, referring to the backdoor and Qihoo 360.

In June, Qihoo 360 was placed on a US Commerce Department sanctions list. The rationale: ties to the Chinese government made the company likely to engage in “activities contrary to the national security or foreign policy interests of the United States.” Qihoo 360 declined to comment for this post.

Patch on the way

The existence of an undocumented backdoor in a watch from a country with known record for espionage hacks is concerning. At the same time, this particular backdoor has limited applicability. To make use of the functions, someone would need to know both the phone number assigned to the watch (it has a slot for a SIM card from a mobile phone carrier) and the unique encryption key hardwired into each device.

In a statement, Xplora said obtaining both the key and phone number for a given watch would be difficult. The company also said that even if the backdoor was activated, obtaining any collected data would be hard, too. The statement read:

We want to thank you for bringing a potential risk to our attention. Mnemonic is not providing any information beyond that they sent you the report. We take any potential security flaw extremely seriously.

It is important to note that the scenario the researchers created requires physical access to the X4 watch and specialized tools to secure the watch’s encryption key. It also requires the watch’s private phone number. The phone number for every Xplora watch is determined when it is activated by the parents with a carrier, so no one involved in the manufacturing process would have access to it to duplicate the scenario the researchers created.

As the researchers made clear, even if someone with physical access to the watch and the skill to send an encrypted SMS activates this potential flaw, the snapshot photo is only uploaded to Xplora’s server in Germany and is not accessible to third parties. The server is located in a highly-secure Amazon Web Services environment.

Only two Xplora employees have access to the secure database where customer information is stored and all access to that database is tracked and logged.

This issue the testers identified was based on a remote snapshot feature included in initial internal prototype watches for a potential feature that could be activated by parents after a child pushes an SOS emergency button. We removed the functionality for all commercial models due to privacy concerns. The researcher found some of the code was not completely eliminated from the firmware.

Since being alerted, we have developed a patch for the Xplora 4, which is not available for sale in the US, to address the issue and will push it out prior to 8:00 a.m. CET on October 9. We conducted an extensive audit since we were notified and have found no evidence of the security flaw being used outside of the Mnemonic testing.

The spokesman said the company has sold about 100,000 X4 smartwatches to date. The company is in the process of rolling out the X5. It’s not yet clear if it contains similar backdoor functionality.

Heroic measures

Sand discovered the backdoor through some impressive reverse engineering. He started with a modified USB cable that he soldered onto pins exposed on the back of the watch. Using an interface for updating the device firmware, he was able to download the existing firmware off the watch. This allowed him to inspect the insides of the watch, including the apps and other various code packages that were installed.

A modified USB cable attached to the back of an X4 watch.

Enlarge / A modified USB cable attached to the back of an X4 watch.
Mnemonic

One package that stood out was titled “Persistent Connection Service.” It starts as soon as the device is turned on and iterates through all the installed applications. As it queries each application, it builds a list of intents—or messaging frameworks—it can call to communicate with each app.

Sand’s suspicions were further aroused when he found intents with the following names:

  • WIRETAP_INCOMING
  • WIRETAP_BY_CALL_BACK
  • COMMAND_LOG_UPLOAD
  • REMOTE_SNAPSHOT
  • SEND_SMS_LOCATION

After more poking around, Sand figured out the intents were activated using SMS text messages that were encrypted with the hardwired key. System logs showed him that the key was stored on a flash chip, so he dumped the contents and obtained it—“#hml;Fy/sQ9z5MDI=$” (quotation marks not included). Reverse engineering also allowed the researcher to figure out the syntax required to activate the remote snapshot function.

“Sending the SMS triggered a picture to be taken on the watch, and it was immediately uploaded to Xplora’s server,” Sand wrote. “There was zero indication on the watch that a photo was taken. The screen remained off the entire time.”

Sand said he didn’t activate the functions for wiretapping or reporting locations, but with additional time, he said, he’s confident he could have.

As both Sand and Xplora note, exploiting this backdoor would be difficult, since it requires knowledge of both the unique factory-set encryption key and the phone number assigned to the watch. For that reason, there’s no reason for people who own a vulnerable device to panic.

Still, it’s not beyond the realm of possibility that the key could be obtained by someone with ties to the manufacturer. And while phone numbers aren’t usually published, they’re not exactly private, either.

The backdoor underscores the kinds of risks posed by the increasing number of everyday devices that run on firmware that can’t be independently inspected without the kinds of heroic measures employed by Sand. While the chances of this particular backdoor being used are low, people who own an X4 would do well to ensure their device installs the patch as soon as practical.

HP expands its Bug Bounty Program to focus on office-class print cartridge security vulnerabilities

HP has expanded its Bug Bounty Program to focus specifically on office-class print cartridge security vulnerabilities. The program underscores HP’s commitment to delivering defense- in-depth across all aspects of printing—including supply chain, cartridge chip, cartridge packaging, firmware and printer hardware.

HP Bug Bounty Program

As part of this program, HP has engaged with Bugcrowd to conduct a three-month program in which four professional white hat hackers have been challenged to identify vulnerabilities in HP Original print cartridges. If any of the hackers are successful, HP will award an extra $10,000 per vulnerability in addition to their base fee.

“Today, bad actors aiming to exploit printers with sophisticated malware pose an ever-present and growing threat to businesses and individuals alike,” said Shivaun Albright, HP Chief Technologist for Print Security.

“HP is committed to staying ahead of these issues by proactively hiring some of the brightest cybersecurity experts to help us uncover potential risks so they can be fixed before any harm is done.”

Over the past few years, there’s been a rise in attacks of embedded system technologies, which are often shared across connected devices and include PC firmware/BIOS as well as printer firmware.

Quocirca’s Print Security 2019 report revealed that 59 percent of businesses reported a print-related data loss in the past year. COVID-19 has only added new complexities, as many employees increased their remote printing practices, triggering even more potential vulnerabilities for their employers.

HP had engaged in Bug Bounty programs over the years to complement and extend the company’s own rigorous penetration testing. While white hat hacking is a widespread practice throughout the technology industry, HP has been a pioneer in expanding this program to printers, an oftentimes overlooked attack vector. For example, in 2018, HP launched the industry’s first print security Bug Bounty Program.

“HP has been a leader in print security for many years now, establishing new industry cybersecurity standards and garnering praise from third-party security testing labs for having some of the most secure printers,” said Mark Vena, senior analyst, Moor Insights & Strategies.

“Leadership in this area, particularly focused on secure hardware features and a firmware-based approach with imaging devices, could not come at a better time.”

In our increasingly connected world, any connected device can become an avenue of attack for hackers. Keeping up requires continuous investment and dedicated research. That’s why HP is committed to pursuing focused and rigorous testing, both internally and with third parties, to better protect its customers and partners.

Hardware security: Emerging attacks and protection mechanisms

Maggie Jauregui’s introduction to hardware security is a fun story: she figured out how to spark, smoke, and permanently disable GFCI (Ground Fault Circuit Interrupter – the two button protections on plugs/sockets that prevent you from electrocuting yourself by accident with your hair dryer) wirelessly with a walkie talkie.

hardware security challenges

“I could also do this across walls with a directional antenna, and this also worked on AFCI’s (Arc Fault Circuit Interrupts – part of the circuit breaker box in your garage), which meant you could drive by someone’s home and potentially turn off their lights,” she told Help Net Security.

This first foray into hardware security resulted in her first technical presentation ever at DEF CON and a follow up presentation at CanSecWest about the effects of radio waves on modern platforms.

Jauregui says she’s always been interested in hardware. She started out as an electrical engineering major but switched to computer science halfway through university, and ultimately applied to be an Intel intern in Mexico.

“After attending my first hackathon — where I actually met my husband — I’ve continued to explore my love for all things hardware, firmware, and security to this day, and have been a part of various research teams at Intel ever since,” she added. (She’s currently a member of the corporation’s Platform Armoring and Resilience team.)

What do we talk about when we talk about hardware security?

Computer systems – a category that these days includes everything from phones and laptops to wireless thermostats and other “smart” home appliances – are a combination of many hardware components (a processor, memory, i/o peripherals, etc.) that together with firmware and software are capable of delivering services and enabling the connected data centric world we live in.

Hardware-based security typically refers to the defenses that help protect against vulnerabilities targeting these devices, and it’s main focus it to make sure that the different hardware components working together are architected, implemented, and configured correctly.

“Hardware can sometimes be considered its own level of security because it often requires physical presence in order to access or modify specific fuses, jumpers, locks, etc,” Jauregui explained. This is why hardware is also used as a root of trust.

Hardware security challenges

But every hardware device has firmware – a tempting attack vector for many hackers. And though the industry has been making advancements in firmware security solutions, many organizations are still challenged by it and don’t know how to adequately protect their systems and data, she says.

She advises IT security specialists to be aware of firmware’s importance as an asset to their organization’s threat model, to make sure that the firmware on company devices is consistently updated, and to set up automated security validation tools that can scan for configuration anomalies within their platform and evaluate security-sensitive bits within their firmware.

“Additionally, Confidential Computing has emerged as a key strategy for helping to secure data in use,” she noted. “It uses hardware memory protections to better isolate sensitive data payloads. This represents a fundamental shift in how computation is done at the hardware level and will change how vendors can structure their application programs.”

Finally, the COVID-19 pandemic has somewhat disrupted the hardware supply chain and has brought to the fore another challenge.

“Because a computing system is typically composed of multiple components from different manufacturers, each with its own level of scrutiny in relation to potential supply chain attacks, it’s challenging to verify the integrity across all stages of its lifecycle,” Jauregui explained.

“This is why it is critical for companies to work together on a validation and attestation solution for hardware and firmware that can be conducted prior to integration into a larger system. If the industry as a whole comes together, we can create more measures to help protect a product through its entire lifecycle.”

Achieving security in low-end systems on chips

The proliferation of Internet of Things devices and embedded systems and our reliance on them should make the security of these systems extremely important.

As they commonly rely on systems on chips (SoCs) – integrated circuits that consolidate the components of a computer or other electronic system on a single microchip – securing these devices is a different proposition than securing “classic” computer systems, especially if they rely on low-end SoCs.

Jauregui says that there is no single blanket solution approach to implement security of embedded systems, and that while some of the general hardware security recommendations apply, many do not.

“I highly recommend readers to check out the book Demystifying Internet of Things Security written by Intel scientists and Principal Engineers. It’s an in depth look at the threat model, secure boot, chain of trust, and the SW stack leading up to defense-in-depth for embedded systems. It also examines the different security building blocks available in Intel Architecture (IA) based IoT platforms and breaks down some the misconceptions of the Internet of Things,” she added.

“This book explores the challenges to secure these devices and provides suggestions to make them more immune to different threats originating from within and outside the network.”

For those security professionals who are interested in specializing in hardware security, she advises being curious about how things work and doing research, following folks doing interesting things on Twitter and asking them things, and watching hardware security conference talks and trying to reproduce the issues.

“Learn by doing. And if you want someone to lead you through it, go take a class! I recommend hardware security classes by Joe FitzPatrick and Joe Grand, as they are brilliant hardware researchers and excellent teachers,” she concluded.

BadPower: Fast chargers can be modified to damage mobile devices

If you needed another reason not to use a charger made available at a coffeeshop or airport or by an acquaintance, here it is: maliciously modified fast chargers may damage your phone, tablet or laptop and set it on fire.

fast chargers damage

Researchers from Tencent‘s Xuanwu Lab have demonstrated how some fast chargers may be easily and quickly modified to deliver too much power at once and effectively “overwhelm” digital devices:

[embedded content]

How is this possible?

As out use of digital mobile devices increased, so did the need to be able to charge them quickly. Fast chargers and power banks are not a rarity anymore, and most digital devices now support fast charging.

The charging operation is performed after the power supply terminal and the power receiving device negotiate and agree on the amount of power both parties can support.

The set of programs that complete the power negotiation and control the charging process is usually stored in the firmware of the fast charge management chip at the power supply terminal and the power receiver terminal, the researchers explained.

Unfortunately, that code can be rewritten by malicious actors because “some manufacturers have designed interfaces that can read and write built-in firmware in the data channel, but they have not performed effective security verification of the read and write behavior, or there are problems in the verification process, or the implementation of the fast charge protocol has some memory corruption problems.”

Even worse: the attack (dubbed BadPower) can be performed in a way that will not raise any suspicion: the attacker may rewrite the firmware by simply connecting a mobile device loaded with attack code to the charger.

Users’ mobile devices can also be implanted with malware with BadPower attack capabilities and be the infection agent for every fast charger that is connected to it.

Possible solutions

Tencent’s researchers tested 35 of the 234 fast charging devices currently available on the market, and found that at least 18 of them (by 8 different brands) are susceptible to BadPower attacks.

They also discovered that at least 18 fast-charging chip manufacturers produce chips with the ability to update firmware after the product is built.

End users are advised to keep their devices safe by not giving their own fast charger and power bank to others and by not using those belonging to other people or establishments.

Ultimately, though, this is a problem that has to be solved by the manufacturers.

They should make sure that fast chargers’ firmware is without common software vulnerabilities and make sure that firmware can’t be modified without authorization.

“At the same time, we also suggest adding technical requirements for safety verification during firmware update to the relevant national standards for fast charging technology,” the researchers added.

“It is recommended to add components such as chip fuses to non-fast charging and receiving equipment powered by the USB interface, or an overvoltage protection circuit that can withstand at least 20V. It is recommended that powered devices that support fast charging continue to check the input voltage and current after power negotiation to confirm that they meet the negotiated range.”

Microsoft is adding Linux, Android, and firmware protections to Windows

Screenshot of antivirus protection.

Microsoft is moving forward with its promise to extend enterprise security protections to non-Windows platforms with the general release of a Linux version and a preview of one for Android. The software maker is also beefing up Windows security protections to scan for malicious firmware.

The Linux and Android moves—detailed in posts published on Tuesday here, here, and here—follow a move last year to ship antivirus protections to macOS. Microsoft disclosed the firmware feature last week.

Premium pricing

All the new protections are available to users of Microsoft Advanced Threat Protection and require Windows 10 Enterprise Edition. Public pricing from Microsoft is either non-existent or difficult to find, but according to this site, costs range from $30 to $72 per machine per year to enterprise customers.

In February, when the Linux preview became available, Microsoft said it included antivirus alerts and “preventive capabilities.” Using a command line, admins can manage user machines, initiate and configure antivirus scans, monitor network events, and manage various threats.

“We are just at the beginning of our Linux journey and we are not stopping here!” Tuesday’s post announcing the Linux general availability said. “We are committed to continuous expansion of our capabilities for Linux and will be bringing you enhancements in the coming months.”

The Android preview, meanwhile, provides several protections, including:

  • The blocking of phishing sites and other high-risk domains and URLs accessed through SMS/text, WhatsApp, email, browsers, and other apps. The features use the same Microsoft Defender SmartScreen services that are already available for Windows so that decisions to block suspicious sites will apply across all devices on a network.
  • Proactive scanning for malicious or potentially unwanted applications and files that may be downloaded to a mobile device.
  • Measures to block access to network resources when devices show signs of being compromised with malicious apps or malware.
  • Integration to the same Microsoft Defender Security Center that’s already available for Windows, macOS, and Linux.

Last week, Microsoft said it had added firmware protection to the premium Microsoft Defender. The new offering scans Unified Extensible Firmware Interface, which is the successor to the traditional BIOS that most computers used during the boot process to locate and enumerate hardware installed.

The firmware scanner uses a new component added to virus protection already built into Defender. Hacks that infect firmware are particularly pernicious because they survive reinstallations of the operating system and other security measures. And because firmware runs before Windows starts, it has the ability to burrow deep into an infected system. Until now, there have been only limited ways to detect such attacks on large fleets of machines.

It makes sense that the extensions to non-Windows platforms are available only to enterprises and cost extra. I was surprised, however, that Microsoft is charging a premium for the firmware protection and only offering it to enterprises. Plenty of journalists, attorneys, and activists are equally if not more threatened by so-called evil maid attacks, in which a housekeeper or other stranger has the ability to tamper with firmware during brief physical access to a computer.

Microsoft has a strong financial incentive to make Windows secure for all users. Company representatives didn’t respond to an email asking if the firmware scanner will become more widely available.

Three firmware blind spots impacting security

Built into virtually every hardware device, firmware is lower-level software that is programmed to ensure that hardware functions properly.

firmware blind spots

As software security has been significantly hardened over the past two decades, hackers have responded by moving down the stack to focus on firmware entry points. Firmware offers a target that basic security controls can’t access or scan as easily as software, while allowing them to persist and continue leveraging many of their tried and true attack techniques.

The industry has reacted to this shift in attackers’ focus by making advancements in firmware security solutions and best practices over the past decade. That said, many organizations are still suffering from firmware security blind spots that prevent them from adequately protecting systems and data.

This can be caused by a variety of factors, from simple platform misconfigurations or reluctance about installing new updates to a general lack of awareness about the imperative need for firmware security.

In short, many don’t know what firmware security hazards exist today. To help readers stay more informed, here are three firmware security blind spots every organization should consider addressing to improve its overall security stance:

1. Firmware security awareness

The security of firmware running on the devices we use every day has been a novel focus point for researchers across the security community. With multiple components running a variety of different firmware, it might be overwhelming to know where to start. A good first step is recognizing firmware as an asset in your organization’s threat model and establishing the security objectives towards confidentiality, integrity, and availability (CIA). Here are some examples of how CIA applies to firmware security:

  • Confidentiality: There may be secrets in firmware that require protection. The BIOS password, for instance, might grant attackers authentication bypass if they were able to access firmware contents.
  • Integrity: This means ensuring the firmware running on a system is the firmware intended to be running and hasn’t been corrupted or modified. Features such as secure boot and hardware roots of trust support the measurement and verification of the firmware you’re running.
  • Availability: In most cases, ensuring devices have access to their firmware in order to operate normally is the top priority for an organization as far as firmware is concerned. A potential breach of this security objective would come in the form of a permanent denial of service (PDoS) attack, which would require manual re-flashing of system components (a sometimes costly and cumbersome solution).

The first step toward firmware security is awareness of its importance as an asset to an organization’s threat model, along with the definition of CIA objectives.

2. Firmware updates

The increase in low-level security research has led to an equivalent increase in findings and fixes provided by vendors, contributing to the gradual improvement of platform resilience. Vendors often work with researchers through their bug bounty programs, their in-house research teams, and with researchers presenting their work in conferences around the world, in order to conduct coordinated disclosure of firmware security vulnerabilities. The industry has come a long way enabling collaboration, enabling processes and accelerating response times towards a common goal: improving the overall health and resilience of computer systems.

The firmware update process can be complex and time consuming, and involves a variety of parties: researchers, device manufacturers, OEM’s, etc. For example, once UEFI’s EDK II source code has been updated with a new fix, vendors must adopt it and push the changes out to end customers. Vendors issue firmware updates for a variety of reasons, but some of the most important patches are designed explicitly to address newly discovered security vulnerabilities.

Regular firmware updates are vital to a strong security posture, but many organizations are hesitant to introduce new patches due to a range of factors. Whether it’s concerns over the potential time or cost involved, or fear of platform bricking potential, there are a variety of reasons why updates are left uninstalled. Delaying or forgoing available fixes, however, increases the amount of time your organization may be at risk.

A good example of this is WannaCry. Although Microsoft had previously released updates to address the exploit, the WannaCry ransomware wreaked havoc on hundreds of thousands of unpatched computers throughout the spring of 2017, affecting hundreds of countries and causing billions of dollars in damages. While this outbreak wasn’t the result of a firmware vulnerability specifically, it offers a stark illustration of what can happen when organizations choose not to apply patches for known threats.

Installing firmware updates regularly is arguably one of the most simple and powerful steps you can take toward better security today. Without them, your organization will be at greater risk of sustaining a security incident, unaware of fixes for known vulnerabilities.

If you’re concerned that installing firmware updates might inadvertently break your organization’s systems, consider conducting field tests on a small batch of systems before rolling them out company-wide and remember to always have a backup of the current image of your platform to revert back to as a precautionary measure. Be sure to establish a firmware update cadence that works for your organization in order to keep your systems up to date with current firmware protections at minimal risk.

3. Platform misconfigurations

Another issue that can cause firmware security risks is platform misconfigurations. Once powered on, a platform follows a complex set of steps to properly configure the computer for runtime operations. There are many time- and sequence-based elements and expectations for how firmware and hardware interact during this process, and security assumptions can be broken if the platform isn’t set up properly.

Disabled security features such as secure boot, VT-d, port protections (like Thunderbolt), execution prevention, and more are examples of potentially costly platform misconfigurations. All sorts of firmware security risks can arise if an engineer forgets a key configuration step or fails to properly configure one of the hundreds of bits involved.

Most platform misconfigurations are difficult to detect without automated security validation tools because different generations of platforms may have registers defined differently, there are a long list of things to check for, and there might be dependencies between the settings. It can quickly become cumbersome to keep track of proper platform configurations in a cumulative way.

Fortunately, tools like the Intel-led, open-source Chipsec project can scan for configuration anomalies within your platform and evaluate security-sensitive bits within your firmware to identify misconfigurations automatically. As a truly cumulative, open-source tool, Chipsec is updated regularly with the most recent threat insights so organizations everywhere can benefit from an ever-growing body of industry research. Chipsec also has the ability to automatically detect the platform being run in order to set register definitions. On top of scanning, it also offers several firmware security tools including fuzzing, manual testing, and forensic analysis.

Although there are a few solutions with the capability to inspect a systems’ configuration, running a Chipsec scan is a free and quick way to ensure a particular system’s settings are set to recommended values.

Your organization runs on numerous hardware devices, each with its own collection of firmware. As attackers continue to set their sights further down the stack in 2020 and beyond, firmware security will be an important focus for every organization. Ensure your organization properly prioritizes defenses for this growing threat vector, install firmware updates regularly, commit to continuously detect potential platform misconfigurations, and enable available security features and their respective policies in order to harden firmware resiliency towards confidentiality, integrity and availability.

Honware: IoT honeypot for detecting zero-day exploits

Two researchers have created a solution that could help security researchers and IoT manufacturers with detecting zero-day exploits targeting internet-connected devices more speedily than ever before.

detecting zero-day IoT exploits

It’s called honware, and it’s a virtual honeypot framework that can emulate Linux-based Customer Premise Equipment (CPE) and IoT devices by using devices’ firmware image.

“Honware automatically processes a standard firmware image (as is commonly provided for updates), customises the filesystem and runs the system with a special pre-built Linux kernel. It then logs attacker traffic and records which of their actions led to a compromise,” Alexander Vetterl and Richard Clayton, with the University of Cambridge’s Computer Laboratory, explained.

Solving a long-standing problem

There are several IoT honeypot systems available for researchers out there, but they all have one or more crucial limitations: they are based on physical devices (meaning: the researchers need to buy them), cannot monitor a large number of attackers, or are just a generic representation of a vulnerable platform and, thus, generally fail to detect and capture new attack patterns.

Honware, on the other hand:

  • Does not require physical devices to work
  • Can easily be made to emulate hundreds and thousands of different devices with different firmware versions
  • Allows attackers full control of a machine (i.e., it’s high-interaction), meaning the operators can see and understand how the exploit works.
  • Is more fingerprint resistant. It prevents fingerprinting attacks based on protocol deviations or those that identify configurations specific to honeypots and is not susceptible to trivial fingerprinting based on timing attacks.

Vetterl and Clayton have tested honware by rapidly deploying multiple honeypots on the Internet including four brands of ADSL modems, TP-Link, D-Link, Eminent and ipTIME, and detected both known and previously unknown attacks.

“In particular, whilst emulating a router from ipTIME, we observed an unknown attack in which the default DNS setting in the router is changed to a rogue IP address – which we subsequently found to affect not only ipTIME, but also other brands,” they noted.

What’s next?

“The current problem is that attackers exploit a growing number of vulnerable devices and we see that in the growth of IoT-based botnets. However, we often do not know how these devices are actually exploited,” Vetterl told Help Net Security.

“At the moment, we run generic honeypots for various protocols, but they do often not return the appropriate payloads to learn the later parts of an attack. This is not only a problem for us, but it also became apparent in 2018 when Netlab360 was tracking UPnPHunter. They said that they had ‘to tweak and customize our honeypot quite a few times’. This obviously puts us on the backfoot and as we now have fast-stateless scanning (and Shodan, Censys.io, Thingful, etc.) and so vulnerable devices are swept up into a botnet really fast. The only substantive cost for the attackers is detecting the vulnerability itself, but finding vulnerable devices is now trivial and fast.”

Honware has the potential to make life easier for defenders and harder for attackers: a faster discovery of exact attack vectors and procurement of copies of malware means that manufacturers can deploy countermeasures faster and with more precision.

One downside of the framework is that it can’t work without firmware images, and manufacturers often do not make it easy for third parties to get hold of their firmware or get access to the files/binaries inside the devices.

Honware is currently limited to Linux-based devices for ARM and MIPS architectures and, according to Vetterl, they don’t have any plans to add additional architectures for the moment. Still, as other architectures become more prevalent, recompiling the Linux kernel should not be difficult.

“We definitely need to look into further fingerprinting issues, i.e., how would attackers detect our honeypots if we would deploy them at scale,” he noted.

They also won’t be open-sourcing honware (for now), as that would make it substantially easier for the bad guys to detect honeypots that are using the solution and potentially avoid them all together.

“We are, however, definitely interested to work with manufacturers and other researchers to get a better understanding how devices are attacked and running them at scale. It would also be interesting to see if there are areas in which we could improve honware so it works better for certain devices/manufacturers (something the manufacturers should also be interested in). Working with manufacturers would have the additional benefit to get access to firmware images and manufacturers resources (e.g., monitor potential abuses and help to better understand the observed attacks),” he added.

Finally, for those who end up using honware, close monitoring of outgoing traffic and connections is a must.

“Honware emulates the devices as is, meaning that any vulnerability present in the firmware version will also be present in the emulation. Without close monitoring, it could be used as a proxy, serving malware, mining cryptocurrency or ‘attacking’ other systems.”

Touch panels deployed in critical infrastructure vulnerable to remote attacks

Manufacturing facilities and processing centers using AutomationDirect C-more Touch Panels are advised to upgrade their firmware ASAP, as older versions contain a high-risk vulnerability (CVE-2020-6969) that may allow attackers to get account information such as usernames and passwords, obscure or manipulate process data, and lock out access to the device.

CVE-2020-6969

What are AutomationDirect C-more Touch Panels?

Manufactured by US-based AutomationDirect, the vulnerable C-more Touch Panels EA9 series are human-machine interfaces (HMIs) capable of communicating with a wide variety of programmable logic controllers (PLCs).

According to the recently published ICS-CERT advisory, they are deployed by commercial, critical manufacturing, energy, water and wastewater facilities around the world.

About the vulnerability (CVE-2020-6969)

CVE-2020-6969, reported by Joel Langill of Amentum Mission Engineering & Resilience, is a vulnerability that could allow attackers “to unmask credentials and other sensitive information on ‘unprotected’ project files, which may allow them to remotely access the system and manipulate system configurations.”

The vulnerability can be exploited remotely without authentication or user interaction, may affect confidentiality, integrity and availability of the system, and requires a low skill level to exploit.

The good news is that there are no known public exploits specifically target this vulnerability and that it has been fixed.

AutomationDirect advises users to upgrade to firmware version 6.53. Prior versions (v5.x and 6.x) are all vulnerable.

Control system devices and/or systems should, in general, not be accessible from the internet, CISA recommends, and control system networks and remote devices should be located behind firewalls and isolated from the business network.

Make your own security key with Google’s OpenSK

Google has open-sourced OpenSK, firmware that, combined with an affordable chip dongle, allows you to make your own security key to use for authentication purposes.

make security key

About OpenSK

OpenSK isan open-source implementation for security keys that supports both FIDO U2F and FIDO2 standards.

“Under the hood, OpenSK is written in Rust and runs on TockOS to provide better isolation and cleaner OS abstractions in support of security,” Elie Bursztein, Google’s Security & Anti-abuse Research Lead, and Jean-Michel Picod, Software Engineer, Google, explained.

“Rust’s strong memory safety and zero-cost abstractions makes the code less vulnerable to logical attacks. TockOS, with its sandboxed architecture, offers the isolation between the security key applet, the drivers, and kernel that is needed to build defense-in-depth. Our TockOS contributions, including our flash-friendly storage system and patches, have all been upstreamed to the TockOS repository. We’ve done this to encourage everyone to build upon the work.”

Google successfully tested OpenSK on a board and USB dongle by Nordic Semiconductor, chosen because they support all major transport protocols mentioned by the FIDO2 specification. Still, they made sure to note that their implementation was not officially tested and isn’t FIDO Certified.

“By opening up OpenSK as a research platform, our hope is that it will be used by researchers, security key manufacturers, and enthusiasts to help develop innovative features and accelerate security key adoption,” they said.

make security key

More information and instructions on how to make a personal security key with OpenSK are available on the project’s GitHub repository.

Google has also worked with a designer to provide a custom enclosure for this security key, which is made to fit a Nordic nRF52840 dongle.

All the necessary files for printing it with a 3D printer are available here, and they can be additionally customized.

Cable Haunt: Unknown millions of Broadcom-based cable modems open to hijacking

A vulnerability (CVE-2019-19494) in Broadcom‘s cable modem firmware can open unknown millions of broadband modems by various manufacturers to attackers, a group of Danish researchers has warned.

CVE-2019-19494

About CVE-2019-19494

CVE-2019-19494, also dubbed Cable Haunt, is present in the spectrum analyzer, a standard component of Broadcom chips that identifies potential problems with the connection through the modem’s coaxial cable.

“The cable modems are vulnerable to remote code execution through a web-socket connection, bypassing normal CORS and SOC rules, and then subsequently by overflowing the registers and executing malicious functionality. The exploit is possible due to lack of protection proper authorization of the web-socket client, default credentials and a programming error in the spectrum analyzer,” the researchers explained.

“These vulnerabilities can give an attacker full remote control over the entire unit, and all the traffic that flows through it, while being invisible for both the user and ISP and able to ignore remote system updates.”

The attacker must trick the victim into opening a web page containing malicious JavaScript that establishes a connection directly to the modem’s web server and overwrites the CPU registers to execute the malicious payload delivered through the request.

Once control has been achieved by an attacker, the researchers say, he or she can do things like change the device’s default DNS server, conduct remote man-in-the-middle attacks, swap the firmware, disable firmware upgrade by the ISP, and more.

Which devices are vulnerable?

“There are an estimated 200 million cable modems in Europe alone. With almost no cable modem tested being secure without a firmware update, the number of modems initially vulnerable in Europe is estimated to be close to this number,” the researchers shared.

“However, it is tough to give a precise estimate of the reach of Cable Haunt. The reason for this is that the vulnerability originated in reference software, which has seemingly been copied by different cable modems manufacturers when creating their cable modem firmware. This means that we have not been able to track the exact spread of the vulnerability and that it might present itself in slightly different ways for different manufacturers.”

They have provided a list of (confirmed) vulnerable modems by Sagemcom, Technicolor, NetGear, Compal, and Arris, and are asking the broader research community to help by checking other devices for the flaw.

What to do about it?

They have been trying to contact ISPs and modem manufacturers for a while now to share their findings, but they have had limited success. Some Scandinavian ISPs have already deployed patches to their customers.

They went public with CVE-2019-19494 to spread awareness and hopefully push modem manufacturers and other ISPs to do the same. They urged users to contact their ISP and ask if their modem is or ever was vulnerable to Cable Haunt.

“Check with the manufacturer of your modem if the latest firmware prevents Cable Haunt, and if the modem were ever vulnerable. If you suspect that your modem has been compromised, update the firmware to a version not vulnerable to Cable Haunt. Then you should consider if your past non-encrypted internet traffic contains sensitive information, such as passwords or personal emails, and take precautions accordingly,” they added.

ISPs should contact their modem manufacturer and ask them to create a new firmware that is not vulnerable, so they can roll it out as quickly as possible, they advised. They also urged them to get in touch for mitigation strategies they can employ in the meantime.

But while the vulnerability is widespread, exploitation is not simple.

“Even though the vulnerability allows arbitrary code to be executed, it requires a lot of work from the attacker to find the needed commands and craft the package, for exploiting full control. For your average Joe, as long as ‘easy-to-use’ exploit packages for specific modems have not been crafted, they are not the target,” the researchers noted.

They did, however, publish a proof of concept exploit for the sagemcom [email protected] 3890 modem.

Intel releases updates to plug TPM-FAIL flaws, foil ZombieLoad v2 attacks

Intel’s Patch Tuesday releases are rarely so salient as those pushed out this month: the semiconductor chip manufacturer has patched a slew of high-profile vulnerabilities in their chips and drivers. TPM-FAIL TPM-FAIL is a name given to vulnerabilities found in some Intel’s firmware-based TPM (fTPM) and STMicroelectronics’ TPM chipsets, discovered by Ahmad “Daniel” Moghimi and Berk Sunar from Worcester Polytechnic Institute, Thomas Eisenbarth from University of Lübeck and Nadia Heninger from University of California at … More

The post Intel releases updates to plug TPM-FAIL flaws, foil ZombieLoad v2 attacks appeared first on Help Net Security.

Self-driving car service open sources new tool for securing firmware

Self-driving car service open sources new tool for securing firmware

Collin Mulliner

Developing and maintaining secure firmware for tablets, cars, and IoT devices is hard. Often, the firmware is initially developed by a third party rather than in-house. And it can be tough as projects move from inception and prototyping to full-force engineering and finally to deployment and production.

Now, an engineer at self-driving car service Cruise is easing the pain with the release of FwAnalyzer, a tool he and his Cruise colleagues developed themselves. Collin Mulliner spent more than a decade scouring firmware found in phones and other devices before becoming Cruise’s principal security engineer. He helped write FWAnalyzer to provide continuous automated firmware analysis that could aid engineers at any phase of the code’s lifecycle.

“It’s peace of mind that there’s constant analysis,” Mulliner said of the tool, which he’ll be discussing at a panel on Wednesday at the Black Hat security conference in Las Vegas. “At any step in development… it runs checks.”

The tool has a menu of configuration rules engineers can select to tailor the analysis. The options include rules that are applied to file metadata such as permissions, type and ownership, rules that target the content of a file, and rules that analyze file system metadata. They can be used to detect SETUID files to help identify potentially dangerous executables. They can also be used to identify any debugging code that was mistakenly left behind. That can help prevent hackers from later misusing that code. The full capabilities go well beyond that.

“Armed with these capabilities, you now have the ability to detect and prevent a wide variety of security issues,” Mulliner wrote in a post accompanying Wednesday’s talk. “Using an external script that we provide, you can detect any non-stripped binaries, preventing leaking potentially valuable debug information.”