This Week In Security: Simjacker, Microsoft Updates, Apple Vs Google, Audio DeepFakes, And NetCAT

We often think of SIM cards as simple data storage devices, but in reality a SIM card is a miniature Universal integrated circuit card, or smart card. Subscriber data isn’t a simple text string, but a program running on the smart cards tiny processor, acting as a hardware cryptographic token. The presence of this tiny processor in everyone’s cell phone was eventually put to use in the form of the Sim application ToolKit (STK), which allowed cell phone networks to add services to very basic cell phones, such as mobile banking and account management.

Legacy software running in a place most of us have forgotten about? Sounds like it’s ripe for exploitation. The researchers at Adaptive Mobile Security discovered that exploitation of SMS messages has been happening for quite some time. In an era of complicated and sophisticated attacks, Simjacker seems almost refreshingly simple. An execution environment included on many sim cards, the S@T Browser, can request data from the cell phone’s OS, and even send SMS messages. The attacker simply sends an SMS to this environment containing instructions to request the phones unique identifier and current GPS location, and send that information back in another SMS message.

It’s questionable whether there is actually an exploit here, as it seems the S@T Browser is just insecure by design. Either way, the fact that essentially anyone can track a cell phone simply by sending a special SMS message to that phone is quite a severe problem.

Windows Update Woes

It seems like Microsoft can’t catch a break. In the past month, Windows 10 updates have broken VB6 programs, broken RDP (the black screen bug), caused abnormally high CPU usage by Cortana, and now slowly turn screens red. If I didn’t know how easy buggy code is to write, I’d suspect the good folks at Redmond were toying with us. I’ve been the cause of bizarre bugs myself, so no judgement on that front.

Windows 10 does have an unfortunate feature — cumulative updates. It’s not that I miss the old days of installing hundreds of updates after re-installing Windows, I just miss being able to uninstall the one update causing problems, rather than uninstalling the entire month’s worth of updates.

This month’s Patch Tuesday update includes 80 security fixes, two of which being zero-day privilege elevation vulnerabilities. Go forth and update, and hope nothing else is broken.

Apple Vs Google

Last week we reported on the iOS attack chains reported by Google’s Project Zero. Apple took notice of the Project Zero blog and press coverage, and released their own statement. Apple’s response notably disputes the claim that this was an “en masse” attack, emphasizing that fewer than 12 niche websites were serving the malware. Apple also disputes the timeline, claiming that the websites in question were actively serving malware for only 2 months. Many have called Apple out for their response, disappointed in the defensive stance they chose to take.

Audio Deepfakes

Or neural-network powered text to speech engines. Whatever you prefer to call them, computer generated audio and video has come a long way since Tron and Wargames. While video deepfakes are still not perfect, triggering the uncanny valley reaction for many, the audio only variety are apparently much more convincing. It seems that a new criminal enterprise has been born — using audio deepfakes to perfect the old “boss scam”. In this case, €200,000 was lost before the scam was discovered.

It’s only a matter of time before this technology impacts other arenas. Just recently a certain Canadian psychologist made quite a stir when he discovered a website that allowed anyone to put words into his mouth. At this point it’s a toss-up as to which will happen first, a public figure being disgraced by a faked recording, or claiming “Deepfake!” to cover up a legitimate one.

NetCAT

Look, don’t name your vulnerabilities after Unix command line utilities. We get the joke, but it’s just confusing. NetCAT is a cache timing attack that takes advantage of hardware vulnerabilities. It’s a bit different from the speculative execution attacks, though. This attack specifically targets Intel’s Direct Data I/O (DDIO) technology.

You may be familiar with Direct Memory Access. What could be faster than a network card writing directly to RAM? Writing directly to cache, of course. DDIO allows a connected PCIe device to access level 3 cache directly, rather than pass data through the system RAM first. As that cache fills, data is sent off to RAM, and the researchers at VU Amsterdam realized there was a detectable latency cost when accessing data that had been flushed out of the cache. In short, the timing of data reads leaks information about the state of the system’s L3 cache.

How in the world is that useful? Their PoC used Infiniband PCIe cards and Remote Direct Memory Access (RDMA). RDMA is a protocol managed by the network card itself, where one machine on the network can bypass the CPU and write directly to the RAM of a connected machine. In their demo, they sent multiple packets of RDMA data, enough to fill the DDIO cache, and then probed to see if any of that data had fallen off the cache. This information leak revealed the timing of other incoming packets, specifically an SSH connection. Since SSH sends a packet per keystroke, this gave detailed timing information on the SSH connection. From there, existing timing attack techniques are enough to discern the keystrokes of the SSH session. While it’s a novel attack, the real world ramifications seem quite limited so far. Because it’s all hardware based, however, the only mitigation is to disable DDIO altogether.

20 thoughts on “This Week In Security: Simjacker, Microsoft Updates, Apple Vs Google, Audio DeepFakes, And NetCAT

  1. Microsoft pushing updates down people’s throats with little eror checking like normal. One major reason I don’t use Windows 10 for anything.

    Text to speech becoming better over the years to mimic actual people. Well, this is indeed a problem. Though, mainly due to people being abhorrent at fact checking their sources of information.

    Apple trying to downplay security issues isn’t unsurprising. Though, regardless, a security issue is an issue in need of fixing. Pointing fingers at people exploiting it doesn’t really do much towards fixing the issue.

    PCIe’s obsession with DMA is fairly interesting, pushing the data into L3 cache has some logical advantages, downside is that cache is an open playing field for everyone to “enjoy” and “share”. From a security standpoint, that is abhorrently stupid.

    If one could lock off a portion of L3 and dedicate it to PCIe only, or for other applications. (Ie, reserve allocations of cache) Then this could fix a fair few cache related side channel attacks. Since one isn’t sharing cache anymore, downside, it will mean that you need to have a rough idea of how much cache a given application would need. So the system would become less dynamic. But for security centered applications, being dynamic can be a fairly uninteresting advantage if it means lower security. And for applications where security isn’t important, then feel free to share cache between them.

    1. A simple trick that MS can’t take away from you is telling them you’re on a metered connection. They got burned pretty badly over Red Cross employees in Africa being force-fed gigabytes of updates over a satellite link that cost them a bunch.

      As long as you say you’re metered, the updates don’t come.

      1. And this is f::ing annoying. I have found myself way too often in a situation where I’m forced to find a public wifi or use a free 2mbit connection when I would have a perfectly well working unlimited 100mbit connection through 4g. You Americans should understand that the rest of the world isn’t a 3rd world shithole like USA without unlimited mobile data.

  2. My old PC went through various OS upgrades from win2K to Win7 and finally to Win 10 without a clean install. Yet it is the most stable win 10 system I have.

    My new machine on the other hand had a few major issues since the Aug update. It wouldn’t even accept the update without a refresh from 1903. USB and a few things went offline every few days right after logon screen. I had screens turning green on switching my KVM. It was a mess. I had to reinstall win10 from scratch a couple of days ago. It seems to be stable now. I wonder how many updates it would last.

    State of windows updates reminds me of an old Amiga jokes about “bug fixes and enhancements”. Wow they enhance the bugs too!?

  3. “t this point it’s a toss-up as to which will happen first, a public figure being disgraced by a faked recording, or claiming “Deepfake!” to cover up a legitimate one.”

    We live in interesting times…

    1. There’s already people who can mimic voices convincingly – for a profession. All you have to do is hire an actor – which is why some random record of someone saying something doesn’t really count for anything.

      A video of the person with their face and their voice inserted would be something else, but deepfake videos are relatively easy to spot – there’s noise and compression artifacts in every video, and if you do noise analysis on the frames you can see where it was altered because the probability distribution changes. Likewise, you can point out that the video -wasn’t- faked by the same fact.

      The whole thing is a lot of noise over nothing.

      1. My understanding is that the voice fakes work best with hours of training data. Where did they get this for the boss?

        I’m waiting to see if the employee transferring the money gets suddenly rich, and the whole thing was a clever alibi. It’s a little too much like drone sightings. (Or UFOs in the 1950s…)

    1. This feature is not used for anything nowadays. A SIM with it disabled will work like any other. Normally the source of the sms needs to be whitelisted, but I assume they spoofed the sender address?

  4. The simjacker writeup talks about this as if the attack was novel and took a lot of sophistication to figure out. What is so novel about it?

    I recently was viewing a bunch of Defcon talks on Youtube, one of them from Defcon 21
    was
    Defcon 21 – The Secret Life of SIM Cards (from 2013)

    My thought on it was – hey, another computer outdated running inside of people’s phones,
    which most people don’t think much about, I wonder what sort of attacks this would enable.
    Admittedly I don’t think they talked about the details of the S@T browser, but what is so novel/sophisticated about this attack? (vs. just being obvious follow-up to something like the Defcon talk.)

  5. I’m waiting for Apple to open up their own security dept that looks for holes in other firms’ software and publicizes them widely.

    Ever notice how few of Google’s Project Zero bugs are their own? Either they’re writing perfect software, or they’re handling the bugs in-house before they get any publicity.

    Don’t get me wrong. Finding/fixing bugs is universally good.

    But finding the bugs of your corporate enemies is surely even better.

    1. Google’s hands aren’t completely clean WRT the Apple bugs they announced.

      The Google team reported the bugs to Apple in February, and Apple rolled out an update that closed the holes six days later. The announcement several months later, right before an Apple iPhone event, smells like PR spin more than security consciousness.

      Google’s initial press release also failed to mention that the same websites were exploiting vulnerabilities in Android. AFAIK, Google has made no statement about whether those security holes in Android have been closed, or how effectively those patches have been deployed.

      Security holes are bad, and any company that has them should fix them. Public disclosure is generally a good thing, and pushes vendors to fix problems instead of hoping no one will notice them. But let’s grade everyone on the same curve.

  6. I’m with Apple on this one. Google definitely tried to fling mud and give the impressing that governments were listening to us all on our iPhones, which is very ironic given google’s own privacy practices.
    Yes, it was certainly serious and needed fixing, but let’s not overplay security issues in competitor’s products. Something about people who live in glass houses…

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.