St. Jude Medical heart devices come under attack in security lawsuit

St. Jude Medical is currently being targeted due to security vulnerabilities in implanted heart devices. Back in August, MedSec and Muddy Waters released a report about how St. Jude’s pacemakers and defibrillators were vulnerable to cyberattacks that could result in battery drain or manipulation of pacemaker beat rates. This could in turn put a patient’s life at risk.

Bishop Fox, an independent security firm, recently provided a testimony stating that the St. Jude cardiac devices ecosystem does not meet the security requirements of a system responsible for safeguarding life-sustaining equipment implanted in patients. In addition, the wireless protocol used by the devices to communicate also have vulnerabilities that allow attackers to take control of the device and deliver shocks to patients at a range up to 10 feet and possibly more with additional components.

-AJ Agena

http://www.zdnet.com/article/st-jude-heart-devices-come-under-attack-in-security-lawsuit/

Proxyham and its Disappearance

There are many different technologies to provide anonymous internet access.  While having a private access to the internet is good for many people, it can be critical for journalists and activists.  Tor, using onion routing, and VPNs providing encrypted tunnels for data, just to name a few.  But all these solutions have weaknesses.  With Tor you never know who is running the exit node you use.  There may also be defects in how legitimate exit nodes handle data.  VPN providers may keep logs that they must provide to the government under a court order.  The issue with all these technologies it that they are fully virtual.  There is still a direct network link, however well obfuscated, that leads directly to you.

DSCN0363

Photo Courtesy of Ben Caudill and Wired

Benjamin Caudill, the founder of Rhino Security Labs, came up with a solution.  It is called Proxyham.  He calls it a physical proxy, to be used as a compliment to traditional tools such as Tor.  Proxyham is a small device based on a raspberry pi, that contains a tradition 2.4Ghz or 5Ghz wifi radio, as well as a long range 900 Mhz transmitter.  The device can be left near a public hotspot.  It will then forward the wifi connection over 900Mhz, up to 2.5 miles to the real user.  The genius of this solution, is that even if a trace does manage to get through whatever other obfuscation methods you use, investigators will only find the ip address and location of the Proxyham.    “You can have it all the way across town, and worst case scenario the police go barge into the library across town,” Caudill said.  … The internet signal travelling back to the user is at such low frequency, Caudill added, that it’s really hard for anyone to track it down. At that frequency, “the spectrum is crowded with other devices,” such as baby monitors, walkie talkies, and cordless phones. – Wired

Caudill had planned to present at this year’s DefCon next month.  But last Friday, the Twitter feed of Rhino Security Labs posted that the presentation was no longer taking place.  DefCon has also confirmed that Caudill informed them that he was not going to present. Not only is he not presenting at DefCon, the entire project has been canceled, all prototypes destroyed, and research halted.  In a call from Wired, Caudill said he couldn’t say why he canceled the project. He is CEO of his own company, so it wasn’t his employer.  There was speculation that the FCC found fault with how the device used 900 MHz radio, but Caudill refuted this claim, stating that the device transmitted at under the 1 Watt limit.  So far the only explanation that makes any sense is that he is under a gag order by… somebody.  When asked if he had a run in with law enforcement he replied,”No comment.”

As stated by Wired,”Online anonymity tools certainly aren’t illegal. Tools like VPNs have allowed users to obscure their IP addresses for years. The anonymity software Tor is even funded by the U.S. government. But it’s possible that secretly planting a ProxyHam on someone else’s network might be interpreted as unauthorized access under America’s draconian and vague Computer Fraud and Abuse Act.”

So is the government now cracking down on the development of security technology they can’t crack?  Look at what is happening to Apple in relation to iMessage and full device encryption.  They are being punished for using this kind of security.  If it was simply a matter of conforming to the Computer Fraud and Abuse Act, why all the secrecy?

This blog was based on two articles, one by Wired, detailing the disappearance of the project: http://www.wired.com/2015/07/online-anonymity-project-proxyham-mysteriously-vanishes/

And another by Motherboard cited in the Wired post with a more detailed explanation of the initial proposal by Rhino Security Labs:

http://motherboard.vice.com/read/with-this-device-you-can-connect-anonymously-to-wi-fi-25-miles-away

Edit:  Interesting speculation by hackaday:

Let’s Speculate Why The ProxyHam Talk Was Cancelled

It’s July. In a few weeks, the BlackHat security conference will commence in Las Vegas. A week after that, DEFCON will begin. This is the prime time for ‘security experts’ to sell themselves, tip off some tech reporters, exploit the Arab Spring, and make a name for themselves. It happens every single year.

The idea the ProxyHam was cancelled because of a National Security Letter is beyond absurd. This build uses off the shelf components in the manner they were designed. It is a violation of the Computer Fraud & Abuse Act, and using encryption over radio violates FCC regulations. That’s illegal, it will get you a few federal charges, but so will blowing up a mailbox with some firecrackers.

If you believe the FBI and other malevolent government forces are incompetent enough to take action against [Ben Caudill] and the ProxyHam, you need not worry about government surveillance. What you’re seeing is just the annual network security circus and it’s nothing but a show.

The ProxyHam is this year’s BlackHat and DEFCON pre-game. A marginally interesting security exploit is served up to the tech media and devoured. This becomes a bullet point on the researcher’s CV, and if the cards land right, they’re able to charge more per hour. There is an incentive for researchers to have the most newsworthy talk at DEFCON, which means some speakers aren’t playing the security game, they’re playing the PR game.

In all likelihood, [Ben Caudill] only figured out a way to guarantee he has the most talked-about researcher at DEFCON. All you need to do is cancel the talk and allow tech journos to speculate about National Security Letters and objections to the publication of ProxyHam from the highest echelons of government.

If you think about it, it’s actually somewhat impressive. [Ben Caudill] used some routers and a Raspberry Pi to hack the media. If that doesn’t deserve respect, nothing does.

Author- Mark White

http://hackaday.com/2015/07/14/how-to-build-a-proxyham-despite-a-cancelled-defcon-talk/

An Upcoming Threat To Encryption

The weakness to all encryption, to all security, is time.  What if the time that it took to crack an encryption was drastically cut down.  Quantum computers may be more than a decade away, but they not just may, but will, exponentially cut down the time it takes to crack an encryption.  This week there is going to be a computer security convention at Schloss Dagstuhl–Leibniz Center for Informatics in Wadern, Germany concentrating on quantum-resistant replacements the currently used encryption.  This convention is only one of the many convention that have recently been held or are about to be held.  Examples of other conventions include the workshop NIST, the US National Institute of Standards and Technology, in April, and the IQC team up with the European Telecommunications Standards Institute in October.  The NSA also revealed that it has plans to upgrade to quantum resistant protocols.  The Dutch Intelligence services also pointed out the threat of people/corporations/governments intercepting and storing information now to decrypt when the quantum computers are complete.

One of the most used encryptions as of now is called RSA encryption.  This is one of the encryptions that will be rendered obsolete when quantum computers are used.  “PQCRYPTO, a European consortium of quantum-cryptography researchers in academia and industry, released a preliminary report on 7 September recommending cryptographic techniques that are resistant to quantum computers.”  PQCRYPTO gave recommendations for four different types of encryption, symmetric encryption, symmetric authentication, public-key encryption, and public-key signatures.  A symmetric encryption is “the oldest and best-known technique. A secret key, which can be a number, a word, or just a string of random letters, is applied to the text of a message to change the content in a particular way. This might be as simple as shifting each letter by a number of places in the alphabet. As long as both sender and recipient know the secret key, they can encrypt and decrypt all messages that use this key.”1  For symmetric encryption, PQCRYPTO recommends AES-256, and Salsa20 with a 256-bit key.3  Symmetric authentication is when “the user shares a unique, secret key (usually embedded in a hard token) with an authentication server. The user is authenticated by sending to the authentication server his/her username together with a randomly generated message (the challenge) encrypted by the secret key. If the server can match the received encrypted message (the response) using its share secret key, the user is authenticated.”2  For Symmetric authentication, PQCRYPTO recommends GCM using a 96- bit nonce and a 128-bit authenticator, and Poly1305.3  Public-key encryption, also known as asymmetric-key encryption, is when “there are two related keys–a key pair. A public key is made freely available to anyone who might want to send you a message. A second, private key is kept secret, so that only you know it.   Any message (text, binary files, or documents) that are encrypted by using the public key can only be decrypted by applying the same algorithm, but by using the matching private key. Any message that is encrypted by using the private key can only be decrypted by using the matching public key.”1  For public-key encryption, PQCRYPTO recommends McEliece with binary Goppa codes using length n = 6960, dimension k = 5413 and adding t = 119 errors.  For public-key signatures, PQCRYPTO recommends XMSS, and SPHINCS-256.3

Sources:

http://www.nature.com/news/online-security-braces-for-quantum-revolution-1.18332

1: https://support.microsoft.com/en-us/kb/246071

2: http://www.e-authentication.gov.hk/en/professional/skey.htm

3: http://pqcrypto.eu.org/docs/initial-recommendations.pdf

By Eric Weitzman

Are baby monitors the new targets for hackers?

Rapid 7 released reports the beginning of this month describing newfound vulnerabilities in baby monitors. Theses faulty monitors, from several different manufactures, were found to leak predictable information, backdoor credentials and privilege escalation. Hackers have the ability to tap into these baby monitors since little security measures are taken to protect the content stored or tied to them.

According to this article by Richard Adhikari “Backdoor credentials — the vulnerability most frequently found — showed up in five products from different manufacturers.” This finding tells me that manufactures do not have proper restrictions on encrypting information on these monitors.

So what’s the big deal if hackers have access to the baby monitors in your house, it’s not like a great deal of financial or personal information is tied to it right? No, it’s not like they are accessing that type of information but what can be leaked by hacking into these monitors include: video and audio from the device; from a live stream or previously recorded clips, according to Mark Stanislav, senior security consultant for global services at Rapid7. No parent aware of these capability cyber intruders have would allow for a device in their home in which a stranger could watch their child.

“In the race to market and bring products to consumers, inattention to security is likely to be an issue”, said Craig Spiezle, executive director of the Online Trust Alliance. It is morally wrong for companies to make production of their product more important that the security of the device. Manufacturers “need to look at the risk and vulnerability and areas for abuse…. they need to design in the ability to patch or remediate once the product leaves their factory”, alleged Craig Spiezle. The problem only gets worse if you consider other uses of these defective products in the business sphere, compromised devices could be used to spy on people in their offices.

Source: http://www.technewsworld.com/story/82449.html

Author: Richard Adhikari has written about high-tech for leading industry publications since the 1990s and wonders where it’s all leading.

By: Lisa Hornak

Anti-iPhone WiFi

A new zero day vulnerability in iOS gives anyone with a router the ability to shutdown any iOS powered device.  Security researchers have just recently discovered this bug in Apple’s SSL library which can apparently crash all applications on the device and even trigger an endless reboot cycle to render the device inoperable.  This bug could also be coupled with another bug uncovered two years ago that forces iOS devices to connect to WiFi hotspots as soon as they get into range.  In this way, an iOS user would be unable to use their device when within the radius of any WiFi hotspot configured in this manner.

The good news about this – if there is any – is that the researchers at Skycure that discovered this vulnerability haven’t released the details on exactly how to do it in the hopes that Apple will solve the issues before anyone takes advantage of this issue in the wild.

– Keegan Parrotte

Sources

http://appleinsider.com/articles/15/04/22/researchers-leverage-ssl-bug-to-crash-apple-devices-over-wi-fi-in-no-ios-zone-attack

http://arstechnica.com/security/2015/04/22/ios-bug-sends-iphones-into-endless-crash-cycle-when-exposed-to-rogue-wi-fi/

http://www.theregister.co.uk/2015/04/22/apple_no_ios_zone_bug/