BlueBorne, a Bluetooth Vulnerability

Armis has identified a new threat to almost every device we own: eight vulnerabilities, four of them critical, affecting over 5 billion Android, Windows, iOS, and Linux devices. Together they are known as BlueBorne.

What makes this vulnerability different from most cyber attacks is that there is no link the user has to click on and no malicious file the user has to download to become a victim. The user doesn’t even have to be connected to the internet. Instead, BlueBorne spreads through a device’s Bluetooth connection. The attack doesn’t require the targeted device to be paired with the attacker’s device, or even to be set to discoverable mode.

This all contributes to BlueBorne being able to spread to devices at a possibly unprecedented rate. Bluetooth processes have high privileges on all operating systems, which allows this exploit to completely take over the device. Android devices are vulnerable to remote code execution, information leaks, and Man-in-the-Middle attacks. Windows devices are vulnerable to the Man-in-the-Middle attack. Linux devices running BlueZ are affected by the information leak vulnerability, and Linux devices from version 3.3-rc1 (released in October 2011) onward are affected by the remote code execution vulnerability (this includes many smart watches, smart TVs, and smart refrigerators). iPhone, iPad and iPod touch devices with iOS 9.3.5 and lower, and Apple TV devices with version 7.2.2 and lower, are affected by the remote code execution vulnerability, but it was already patched for users running iOS 10. Even “air gapped” networks are at risk of this attack, which includes industrial systems, government agencies, and critical infrastructure.

Examples of attacks:

  • Taking a picture on a phone and sending it to the hacker
  • Listening to a conversation through a wearable device
  • Redirecting a user to a fake login page to steal their login information
  • Cyber espionage
  • Data theft
  • Ransomware
  • Creating large botnets out of IoT devices

Many companies are pushing out updates for their users, but for some it is too late, and others have older devices that will not receive the updates.

As of 9/13/17:

  • Apple users with iOS 10 are safe
  • Google has released a patch for this vulnerability for Android Marshmallow and Nougat, but it might be weeks before the patch is available to some Android users
  • Microsoft patched the vulnerabilities in July
  • A patch for Linux is expected to be released soon

The problem is that even with these patches, there are many users who are unaware of this exploit and/or do not update their devices regularly. For users who haven’t updated their devices or do not have an update for their device, the safest thing to do is to turn Bluetooth off on your phone and leave it off until there is a patch for your device.

Source: https://www.armis.com/blueborne/

-Matthew Smith

Canadian Point of Sale company data breach

The point of sale company Lightspeed has suffered a data breach. The email above was posted on Twitter by Australian security expert Troy Hunt and was sent by Lightspeed to its customers. The hackers gained access to systems related to its retail offering. Lightspeed confirmed the attackers accessed a central database containing information on sales, products, and customers. The database included encrypted passwords, electronic signatures, and API keys. Even though the database was accessed by hackers, Lightspeed said there was no evidence that information was stolen.

The company said that passwords created after January 2015 were the safest, having been stored with advanced encryption technology. It also said that the system the hackers accessed did not hold any private information such as credit card numbers. The company has informed customers that a third party security firm has been hired to investigate and that its systems should only be accessible by authorized users.

http://www.securityweek.com/pos-vendor-lightspeed-suffers-data-breach

-Gavin Millikan

Proxyham and its Disappearance

There are many different technologies that provide anonymous internet access. While private access to the internet is good for many people, it can be critical for journalists and activists. Tor, which uses onion routing, and VPNs, which provide encrypted tunnels for data, are two examples. But all these solutions have weaknesses. With Tor you never know who is running the exit node you use, and there may be defects in how legitimate exit nodes handle data. VPN providers may keep logs that they must hand over to the government under a court order. The issue with all these technologies is that they are fully virtual: there is still a direct network link, however well obfuscated, that leads directly to you.

Photo Courtesy of Ben Caudill and Wired

Benjamin Caudill, the founder of Rhino Security Labs, came up with a solution called Proxyham. He calls it a physical proxy, to be used as a complement to traditional tools such as Tor. Proxyham is a small device based on a Raspberry Pi that contains a traditional 2.4 GHz or 5 GHz Wi-Fi radio as well as a long-range 900 MHz transmitter. The device can be left near a public hotspot; it then forwards the Wi-Fi connection over 900 MHz, up to 2.5 miles, to the real user. The genius of this solution is that even if a trace does manage to get through whatever other obfuscation methods you use, investigators will only find the IP address and location of the Proxyham. “You can have it all the way across town, and worst case scenario the police go barge into the library across town,” Caudill said. … The internet signal travelling back to the user is at such low frequency, Caudill added, that it’s really hard for anyone to track it down. At that frequency, “the spectrum is crowded with other devices,” such as baby monitors, walkie talkies, and cordless phones. – Wired

Caudill had planned to present at this year’s DefCon next month. But last Friday, the Twitter feed of Rhino Security Labs posted that the presentation was no longer taking place, and DefCon has confirmed that Caudill informed them he was not going to present. Not only is he not presenting at DefCon, the entire project has been canceled, all prototypes destroyed, and research halted. In a call from Wired, Caudill said he couldn’t say why he canceled the project. He is CEO of his own company, so it wasn’t his employer. There was speculation that the FCC found fault with how the device used 900 MHz radio, but Caudill refuted this claim, stating that the device transmitted under the 1 Watt limit. So far the only explanation that makes any sense is that he is under a gag order by… somebody. When asked if he had a run-in with law enforcement he replied, “No comment.”

As stated by Wired, “Online anonymity tools certainly aren’t illegal. Tools like VPNs have allowed users to obscure their IP addresses for years. The anonymity software Tor is even funded by the U.S. government. But it’s possible that secretly planting a ProxyHam on someone else’s network might be interpreted as unauthorized access under America’s draconian and vague Computer Fraud and Abuse Act.”

So is the government now cracking down on the development of security technology they can’t crack?  Look at what is happening to Apple in relation to iMessage and full device encryption.  They are being punished for using this kind of security.  If it was simply a matter of conforming to the Computer Fraud and Abuse Act, why all the secrecy?

This blog was based on two articles, one by Wired, detailing the disappearance of the project: http://www.wired.com/2015/07/online-anonymity-project-proxyham-mysteriously-vanishes/

And another by Motherboard cited in the Wired post with a more detailed explanation of the initial proposal by Rhino Security Labs:

http://motherboard.vice.com/read/with-this-device-you-can-connect-anonymously-to-wi-fi-25-miles-away

Edit: Interesting speculation by hackaday:

Let’s Speculate Why The ProxyHam Talk Was Cancelled

It’s July. In a few weeks, the BlackHat security conference will commence in Las Vegas. A week after that, DEFCON will begin. This is the prime time for ‘security experts’ to sell themselves, tip off some tech reporters, exploit the Arab Spring, and make a name for themselves. It happens every single year.

The idea the ProxyHam was cancelled because of a National Security Letter is beyond absurd. This build uses off the shelf components in the manner they were designed. It is a violation of the Computer Fraud & Abuse Act, and using encryption over radio violates FCC regulations. That’s illegal, it will get you a few federal charges, but so will blowing up a mailbox with some firecrackers.

If you believe the FBI and other malevolent government forces are incompetent enough to take action against [Ben Caudill] and the ProxyHam, you need not worry about government surveillance. What you’re seeing is just the annual network security circus and it’s nothing but a show.

The ProxyHam is this year’s BlackHat and DEFCON pre-game. A marginally interesting security exploit is served up to the tech media and devoured. This becomes a bullet point on the researcher’s CV, and if the cards land right, they’re able to charge more per hour. There is an incentive for researchers to have the most newsworthy talk at DEFCON, which means some speakers aren’t playing the security game, they’re playing the PR game.

In all likelihood, [Ben Caudill] only figured out a way to guarantee he is the most talked-about researcher at DEFCON. All you need to do is cancel the talk and allow tech journos to speculate about National Security Letters and objections to the publication of ProxyHam from the highest echelons of government.

If you think about it, it’s actually somewhat impressive. [Ben Caudill] used some routers and a Raspberry Pi to hack the media. If that doesn’t deserve respect, nothing does.

-Mark White

http://hackaday.com/2015/07/14/how-to-build-a-proxyham-despite-a-cancelled-defcon-talk/

Pineapples Are Yummy

The WiFi Pineapple is a unique rogue access point. It can use a variety of tools to trick users into connecting to it instead of other access points. It can then piggyback its connection off of any other network connection and effectively make itself the man in the middle.

One such tool is Karma. Karma listens for probe requests from your computer asking whether any of its known networks are nearby, and conveniently lies and says yes. The computer then connects to the Pineapple by mistake, and the Pineapple effectively becomes the man in the middle.

Some operating system manufacturers have discovered that sending open probes looking for access points is not a good idea, and their devices won’t get tricked by Karma anymore. To combat this, the Pineapple imitates all access points in the area as well as those that have been probed for by other devices. It then aggressively sends out beacons claiming that it is those access points, which can trick some devices into connecting to it.

Alongside these beacons it can also scan the network and deauth clients that aren’t connected to it from their current networks, forcing them to connect to it instead. This can be done manually through a web interface or automatically by writing a startup script.
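From the defender’s side, the two behaviours just described are visible in a packet capture: one BSSID advertising or answering probes for many unrelated networks, and a burst of deauthentication frames. The detector below is an added example, not code from the Pineapple project or from the original post; the frame summaries, MAC addresses, SSIDs and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed summaries of captured 802.11 management frames as
# (frame type, source BSSID, SSID or destination, time in seconds).
# MAC addresses and network names are made up for this example.
SAMPLE_FRAMES = [
    ("beacon", "02:aa:aa:aa:aa:01", "CoffeeShop", 0.00),
    ("beacon", "02:aa:aa:aa:aa:01", "CoffeeShop", 0.10),
    ("probe_resp", "02:bb:bb:bb:bb:02", "CoffeeShop", 0.20),
    ("probe_resp", "02:bb:bb:bb:bb:02", "HomeWiFi", 0.30),
    ("probe_resp", "02:bb:bb:bb:bb:02", "Airport_Free", 0.40),
    ("beacon", "02:bb:bb:bb:bb:02", "HomeWiFi", 0.50),
    ("beacon", "02:bb:bb:bb:bb:02", "attwifi", 0.60),
    ("deauth", "02:aa:aa:aa:aa:01", "ff:ff:ff:ff:ff:ff", 0.80),
]
# A burst of broadcast deauths carrying the legitimate AP's address, which is
# what a spoofed deauth flood looks like on the air (constructed).
SAMPLE_FRAMES += [("deauth", "02:aa:aa:aa:aa:01", "ff:ff:ff:ff:ff:ff", 1.0 + i * 0.01)
                  for i in range(20)]

def detect_rogue_ap(frames, ssid_threshold=3, deauth_threshold=10, window=1.0):
    """Return findings as (bssid, kind, count).

    'multi-ssid': one BSSID beaconing or answering probes for many unrelated
    networks, the Karma / beacon-spam behaviour described above.
    'deauth-flood': at least deauth_threshold deauth frames from one address
    within any `window` seconds."""
    ssids = defaultdict(set)
    deauth_times = defaultdict(list)
    for kind, bssid, target, ts in frames:
        if kind in ("beacon", "probe_resp"):
            ssids[bssid].add(target)
        elif kind == "deauth":
            deauth_times[bssid].append(ts)
    findings = []
    for bssid, names in ssids.items():
        if len(names) >= ssid_threshold:
            findings.append((bssid, "multi-ssid", len(names)))
    for bssid, times in deauth_times.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= deauth_threshold:
                findings.append((bssid, "deauth-flood", end - start + 1))
                break
    return findings
```

A real deployment would feed this from a monitor-mode capture and tune the thresholds to the site, since a legitimate multi-SSID AP will trip the first rule at low thresholds.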

More info at https://www.wifipineapple.com/

Want one? https://hakshop.myshopify.com/collections/wifi-pineapple-kits/products/wifi-pineapple?variant=81044992

Dylan Vuz

Car Manufacturers need to beef up their security

Cars have improved drastically in a short period of time to assist drivers in dozens of areas and to add conveniences. As more functions were added, electronic systems were developed to control them and to run diagnostics. The system adopted by most manufacturers is called CAN (Controller Area Network). Just about every car built after 2008 has it installed, some with upward of 30 controllers controlling everything from anti-lock braking systems to windows. It was developed because it is very cheap but still has features of more advanced protocols such as Ethernet. Of course, with new technology come new dangers. The network created in cars is a trusted network, meaning that if you can get connected to it, you have complete access to all the CAN traffic.

CAN operates on packets like any other network protocol. A packet is set up as follows: an 11- or 29-bit identifier, 4 bits of data length information, and a maximum of 8 bytes of data. This simple format can be decoded using CAN databases to intercept and decipher packet contents, which is helpful for diagnosing a car’s systems but can also be used to send messages of your own. This is where the problem arises: being able to send your own messages could be extremely dangerous. In the video above, the annoyances are demonstrated, such as making the car believe it is in a crash and tightening the seatbelts, honking the horn, making the fuel gauge read empty or full, changing the odometer speed, or turning on the “service soon” light. It could also be used more dangerously, such as making the car believe it is stationary and turning on automatic parallel parking, which will suddenly jerk the car at high speed, or disabling the brakes.
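Because the bus trusts every node, the only way to notice injected traffic is to check the frames themselves against what the CAN database says is normal. The code below is an added example, not the speaker’s tool or anything from the page’s sources: it parses the frame format just described from constructed candump-style `ID#DATA` log lines, enforces the 11/29-bit identifier and 8-byte limits, and audits the stream against a hypothetical database of expected lengths and periods. The identifiers, periods and burst threshold are assumptions.

```python
import re
# Constructed candump-style log lines ("(timestamp) iface ID#DATA");
# ids and payloads are made up and do not come from any real vehicle.
SAMPLE_LOG = """\
(1506000000.000000) can0 0C1#1A2B0000
(1506000000.010000) can0 0C1#1A2C0000
(1506000000.011000) can0 0C1#FFFF0000
(1506000000.020000) can0 1A3#0102030405060708
(1506000000.030000) can0 7E8#00
(1506000000.045000) can0 1A3#0102
(1506000000.100000) can0 18DAF110#0102030405060708
"""
# Hypothetical CAN database excerpt: id -> (expected data length, nominal period in s).
CAN_DB = {
    0x0C1: (4, 0.010),       # 11-bit id (constructed)
    0x1A3: (8, 0.020),       # 11-bit id (constructed)
    0x18DAF110: (8, 0.100),  # 29-bit extended id (constructed)
}
# 3 hex digits = 11-bit id, 8 hex digits = 29-bit id, then '#' and 0..8 data bytes.
LINE_RE = re.compile(r"^\(([\d.]+)\) \S+ ([0-9A-Fa-f]{3}|[0-9A-Fa-f]{8})#([0-9A-Fa-f]*)$")

def parse_frame(line):
    """Return (timestamp, id, extended, data); reject ids or payloads outside the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed line: {line!r}")
    ts, raw, hexdata = m.groups()
    can_id, extended = int(raw, 16), len(raw) == 8
    if can_id > (0x1FFFFFFF if extended else 0x7FF):
        raise ValueError(f"identifier {raw} out of range")
    data = bytes.fromhex(hexdata)
    if len(data) > 8:
        raise ValueError("classic CAN frames carry at most 8 data bytes")
    return float(ts), can_id, extended, data

def audit(log, db=CAN_DB, burst_factor=4.0):
    """Flag unknown ids, wrong lengths, and frames arriving far faster than their nominal period."""
    findings, last_seen = [], {}
    for line in log.splitlines():
        ts, can_id, _, data = parse_frame(line)
        if can_id not in db:
            findings.append((can_id, "unknown id"))
            continue
        dlc, period = db[can_id]
        if len(data) != dlc:
            findings.append((can_id, f"dlc {len(data)} != {dlc}"))
        if can_id in last_seen and ts - last_seen[can_id] < period / burst_factor:
            findings.append((can_id, "burst"))   # a second node talking over the real ECU
        last_seen[can_id] = ts
    return findings
```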

The video with the speaker above was published in 2014, but just recently he developed an open source $60 piece of equipment that can be plugged into the CAN network and send messages.

As of right now, the risk is low because the network is strictly wired, meaning the attacker would have to be inside your car, but we should take caution with security now, as the future may hold more open networks. Insurance companies currently want to put dongles in cars to see how safely or unsafely their customers are driving and adjust their rates accordingly. This dongle could communicate via satellite or other wireless means to report the driver’s driving style to the insurance company.

Another note: autonomous cars are in the near future, as Tesla is about to release a car capable of driving on interstate highways by itself. This raises a huge security concern: will these cars talk to other cars? Will the CAN systems now have wireless components, and if so, will they be secured? The speaker has worked for Tesla and mentioned that all of Tesla’s firmware was created in house under surveillance by a security team, but will that be enough?

-Steven Masley

Sources: these include a presentation on CAN, a demo of the attacks, and the cheap device created by the speaker.

http://www.forbes.com/sites/thomasbrewster/2015/03/25/hack-a-car-for-60-dollars/

Presentation: https://www.youtube.com/watch?v=qPIscmaIt8U

Demo: https://www.youtube.com/watch?v=oqe6S6m73Zw

http://www.huffingtonpost.com/2015/03/28/tesla-self-driving-cars_n_6961922.html