This Week In Security: USB Cable Kia, Reddit, And Microsoft RCEs

There is vulnerability in many Hyundai and Kia vehicles, where the ignition switch can be bypassed with a USB cable. And it’s getting a patch rollout right now, but it’s not a USB vulnerability, in quite the way you might think. In most cars, the steering column is easily disassembled, but these vehicles have an extra-bad design problem. The ignition cylinder can be disassembled while locked, just by depressing a pin.

Physical security has some parallels to computer security, and one such parallel is that good security can often be bypassed by a simple mistake. When it comes to lock design, one such potential bypass is the ability to disassemble a lock while it’s still locked. And somehow, Kias after 2010, and Hyundais after 2015 were made with exactly this flaw. The lock could be disassembled, and the interface between the lock and the ignition switch just happens to be the right shape and size for USB A. Oh, and these cars don’t have an engine immobilizer — there isn’t a chip built into the keys for extra security.

The problem became widespread late last year when the flaw went viral on TikTok, and thousands of copycat crimes were inspired. Beyond the obvious problem, that teenagers were getting an early start on a life of crime with grand theft auto, there were at least 8 deaths directly attributed to the inane stunt. And this brings us back to this week’s news, that a software update is rolling out to address the issue.

Honestly, I have questions. A software update doesn’t add in-key security chips. At best, it could attempt to detect the key position, and sabotage the engine management control, in an ad-hoc immobilizer. That’s likely a paper clip-turned-jumper away from being bypassed. The other new feature, doubling the alarm time from 30 second to a minute, doesn’t inspire much confidence. Hopefully the changes are enough to kill the trend.

Reddit Gets Phished

On February 5th, a Reddit employee fell for a phishing attack, handing both credentials and a 2FA token over to an attacker. This exposed internal documentation, code, and dashboards. While falling for the initial phish, the unfortunate employee was sharp enough to realize what had happened, and inform Reddit security shortly after.

(Phishing happens. If it happens to you, call the right person as soon as you realize it. It’s not hard for security to backtrack the breach, and figure out who’s credentials were used. It’s far better for everyone to deal with the problem head on as soon as possible.)

It seems like the breach and lockdown were all pulled off within a day, and it doesn’t look like any private user data was accessed. While a breach is never a good thing, this looks to be a textbook good response to such a problem, including an Ask Me Anything by the CTO after the announcement. How very Reddit.

Word and PEAP

Microsoft just lifted the lid on a pair of high-severity vulnerabilities, CVE-2023-21689 and CVE-2023-21716. The first one is a Remote Code Execution (RCE) in PEAP, the Protected Extensible Authentication Protocol. That’s a WiFi technology, so each user can be authenticated upon connection to the wireless network. That’s both good news and bad news. The good news is that this isn’t a service generally exposed to the internet. The bad news is that it’s part of the authentication process for enterprise WiFi. It appears that an attacker with a working exploit would simply need to get close enough to attempt a wireless connection. Send the exploit as part of the authentication process, and it’s code execution on the authentication server.

The other problem is in Microsoft Word, in handling Rich Text Format documents. This also leads to code execution, and Microsoft’s guidance warns that the preview pane is enough to trigger the vulnerability. The real danger is an email containing RTF, with that code potentially getting auto-run when viewing the email. There are SharePoint patches available as well. Both of these vulnerabilities have the potential to be quite serious, particularly for enterprise networks.

GoAnywhere, TakeEverything

CVE-2023-0669 is a serious pre-auth vulnerability in the Fortra GoAnywhere Managed File Transfer solution. Version 7.1.2 has been released to fix the issue, but there are reports of active exploitation, with the Clop ransomware gang claiming to have compromised about 130 such endpoints.

The problem is deserialization. The GoAnywhere appliance is written in Java, and it’s the licensing endpoint with the vulnerability. Making this issue worse is that the endpoint is vulnerable to Cross-Site Request Forgery. So it doesn’t take an administrative panel exposed to the internet, just a browser redirect or link in a phishing email — given the attacker knows enough about the target network to craft the payload.

PLCs and Lateral Movement

Forescout has published yet another set of vulnerabilities in Programmable Logic Controllers. This is part of their earlier OT:ICEFALL research.

The new vulnerabilities are in Schneider Electric Modicon devices. CVE-2022-45788 is an arbitrary code execution, triggered by an undocumented Modbus command. And CVE-2022-45789 is a way to bypass authorization and run those Modbus commands. This allows for a really sneaky trick, what Forescout calls “deep lateral movement”, using the PLC devices themselves as a pivot point, and compromising devices that aren’t connected to the outside network. They use a new term I find quite clever, “network crawl space”, to describe the unexpected connection pathways used in the example attack. Tip of the hat to [Herr Brain] for pointing this story out on our Discord.

Bits and Bytes

Ever wish there was a single tool to search for security presentations? That’s exactly what we have this week with Hack Dojo. Doing research on PLC hacks? There are six presentations on file on that topic. Trying to remember who ran doom on a tractor? There’s one presentation that comes up when searching for “tractor”. There are over 1500 presentations with video available to peruse.

Researchers at Phylum have discovered yet another malware campaign pushing malicious packages onto the PyPI repository. It’s typosquatting on more than 450 packages, many mimicking cryptocurrency and finance-related packages. The malware payload is obscured with an interesting technique, which installs a browser extension on any machine where it runs. That extension watches for cryptocurrency wallet addresses in the clipboard, and replaces the address with one controlled by the malware authors.

The TerraMaster NAS platform had a pair of vulnerabilities that together allowed remote code execution over the network. The first is an information leak — the mobile/webNasIPS endpoint doesn’t require any authentication, and returns way too much information. One of those information fields is actually a hash of the system’s admin password. Guess what some of the other endpoints use to authorize requests? Yep, that exact hashed password, along with some other discoverable bits of information. Patches are available.

While the researchers at Trail of Bits were auditing curl, somebody jokingly asked if they had tried curl AAAAAAAAA... yet. They say that the best humor has some truth to it, and it turns out that applies to security research, too. Fuzzing the curl command line interface turned up a handful of vulnerabilities, many of which had their root in the libcurl library itself. The writeup is a good overview of fuzzing techniques, and the full audit report is linked there as well. Enjoy!

14 thoughts on “This Week In Security: USB Cable Kia, Reddit, And Microsoft RCEs

    1. This is easily mitigated, install a locking mechanism to prevent removal of the lock cylinder, and/or an immobilizer.

      They are cheap, really really cheap. Engines failing, plastic falling apart at a prodigious rate.

      I liked the 2001 Hyundai we had with the licensed mitsubishi motor. But they are getting old even on a fairly robust drivetrain.

      If you are considering KIA, just get a Yaris or Daiwoo/Chevy I hear the build quality is pretty good. (Always makes me laugh when I think of how the ‘starter’ Chevy has better reliability, ergonomics, price and fuel economy than any of the products Chevy actually designs, KIS principle in action.)

      If you are near California and don’t mind replacing a Catalytic converter you can get cheap cars all day long. Converters here start at $800, go to 2,000, or are No longer available.

  1. The Kia “USB cable” subject needs better terminology.
    To wit: the mechanical slot can be turned with the end of a USB cable.

    Many folks are led to believe it’s some kind of “high tech hack” using
    a USB cable connected to some sort of hollywood’ish device. When
    in fact, you can just as easily use pliers to turn the mechanical slot and
    there’s nothing ‘high tech’ about it at all (as reported by some “journalists”
    who fail to investigate – which seems to be the norm nowadays).

    1. Yeah, we were going to run a post about “Kias getting hotwired with USB cables” back when it first started becoming a trend, but then when we looked into it, it was not nearly as interesting a story as the headlines made it seem so we passed on it. Suppose in hindsight, might not have been a bad idea to run a piece explaining the poor mechanical design though…

      At any rate, a supposed software update that can fix a serious mechanical deficiency sounds pretty interesting, so we’re looking forward to hearing more.

        1. And if it does actually work how much it drains the battery on either the Car or Keyfob being an unintended kludgey patch…

          I’m with you though, I can’t see how the fix can really work. At best it seems like a shift the goalpost a tiny bit without actually changing the difficulty to take it, and probably make the owners life more annoying in the process.

      1. My guess is they will only allow engine start if the doors have been unlocked by remote recently. It was a common way to increase security before real rfid immobilizers were introduced.
        For example the old Smart fortwo used this method.

  2. I can’t believe these vehicles don’t have immobilizers, meaning they can still be hotwired easily. My neighbor’s Kia was stolen and I thought they must have towed it or left the fob in the car because how could a vehicle from 2020 not have an immobilizer, and also, who would steal a Kia. Now we know why.

    1. I follow the William Shatner school of dramatic pause. Lol, no, I actually write in complex sentences, and I try to use commas correctly. There may be one or two that aren’t strictly necessary, but I think all my commas are at least acceptable. Introductory propositional phrases get set aside with commas, lists of three or members are separated with commas, and a complex sentence is separated into clauses with commas.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.