Maybe those backdoors weren’t such a great idea. Several US Telecom networks have been compromised by a foreign actor, likely China’s Salt Typhoon, and it looks like one of the vectors of compromise is the Communications Assistance for Law Enforcement Act (CALEA) systems that allow for automatic wiretapping at government request.
[Jeff Greene], a government official with the Cybersecurity and Infrastructure Security Agency (CISA), has advised that end-user encryption is the way to maintain safe communications. This moment should forever be the touchstone we call upon when discussing ideas like mandated encryption backdoors and even the entire idea of automated wiretapping systems like CALEA. He went on to make a rather startling statement:
I think it would be impossible for us to predict a time frame on when we’ll have full eviction
There are obviously lots of unanswered questions, but with statements like this from CISA, this seems to be an extremely serious compromise. CALEA has been extended to Internet data, and earlier reports suggest that attackers have access to Internet traffic as a result. This leaves the US telecom infrastructure in a precarious position where any given telephone call, text message, or data packet may be intercepted by an overseas attacker. And the FCC isn’t exactly inspiring us with confidence as to its “decisive steps” to fix things.
We are taking decisive steps to address vulnerabilities in telecommunications networks following the Salt Typhoon cyberattack. pic.twitter.com/FLGCe9pS1I
— The FCC (@FCC) December 5, 2024
In a sense, nothing has really changed: We’re each ultimately responsible for our own security, and if anything is truly sensitive, it needs auditable encryption that doesn’t have any backdoors. The Salt Typhoon national breach has just serves as a painful reminder of the fact.
AI Fuzzing
There’s yet another researcher thinking about LLM guided fuzzing. This time, it’s looking for HTTP/S endpoints on a public site. The idea here is that you can crawl a domain and collect every link to build a URL map of the site — but that list is likely incomplete. There may be an administrative page, undocumented API endpoints, or even unintended .git files. Finding those endpoints is a useful step to finding vulnerabilities. Brainstorm is a new tool Open Source tool that uses AI to find non-obvious URLs.
There are a couple of interesting metrics to measure how well endpoint discovery is done. The most straightforward is how many endpoints are found for a given site. The other is the ratio of requests to discovered. And while this is just a sample size of one on a test site, brainstorm found 10 hidden endpoints with only 328 requests. Impressive!
Fuzzing Android
And while we’re talking about fuzzing, let’s cover a part of Android that is sometimes forgotten about. Lots of apps are written for Java, but Android has a Native Development Kit, the NDK, that’s very useful for using existing C/C++ code in Android apps. And as the NDK is powerful, complicated, and not as widely used, it’s a prime target for finding issues.
This first article by Conviso doesn’t actually cover any vulnerabilities, though it’s fairly strongly hinted that there were bugs found. Instead, this is a great start on how to set up a fuzzing solution with the afl++ fuzzer, looking for issues in the NDK and native code. We’re looking forward to more posts in this series.
Breaking out of the VRChat Matrix
VRChat is an interesting experience. It’s nominally a game intended for VR interactions in virtual worlds. There’s a large element of the game that’s just wandering around the virtual worlds, many of them being homages to other games or movies. That fact was not lost on the creators behind VRChat, who created the Udon scripting engine to expose lots of functionality, including access to some APIs of Unity, the underlying game engine. And that’s interesting because little quirks in Unity APIs may not be vulnerabilities in themselves, but exposing those APIs to potentially untrusted code might become a problem.
The problem here is the Unity functions for applying textures to objects. Texture sizes are 64-bit unsigned integers, but internally, those values get mapped onto a 32-bit integer for an intermediary step. The value overflows, writing to the texture writes past the end of a buffer, and suddenly, we have a read/write primitive. Then, a slight detour through the Steam overlay library gets us arbitrary shellcode execution, and we’ve escaped the VR Matrix.
Nearest WiFi Neighbor
Modern WiFi security is split roughly between PSK and Enterprise, where PSK is a Pre-Shared Key, and Enterprise is a scheme using individual usernames and individual authentication. One form that authentication can take is a simple username/password pair. An advanced threat actor believed to be APT28 out of Russia, developed and deployed an impressive attack campaign that took advantage of the username/password authentication of WiFi networks in a very unique and creative way.
This was the Nearest Neighbor attack, and to understand it, we first have to talk about credential stuffing. It’s reasonably easy to generate a list of users’ email addresses at a target business. That list can be combined with a list of potential passwords from breaches and all the most promising combinations used to attempt to log in to public services. This is the basis of credential stuffing, and it’s been used in multiple breaches over the last few years. One of the sure-fire safeguards against stiffing is multi-factor authentication. Even if a password is correct, it still doesn’t get you into the service because 2FA.
The kicker is that Enterprise WiFi doesn’t do 2FA. If a single user account is used for both accounts, then verifying the user account gets you a valid WiFi sign-on. Then, part two of Nearest Neighbor is how hackers in Russia actually used those credentials against an unnamed US organization.
This is where the name comes from. The approach was to first hack the nearest neighbor, move laterally until you find an Ethernet-connected machine that also has a WiFi card, and use the purloined credentials to hop the gap into the target’s network. Check the link for more details. The actual target has not been revealed, and it may be quite some time before we learn who exactly was breached by this new, creative technique.
$150,000+ Gone
Solana runs a blockchain platform, primarily doing web3 and smart contracts. To make those products work, Solana publishes solana-web3.js on npm. This week, that library was compromised, and a pair of malicious versions were uploaded. The exact timing was December 2, from 1520 and 2025 UTC.
The malicious package was a simple key stealer, obviously aimed at compromising wallets of any developers or other use cases where the code has access to those keys. The value of the stolen cryptocurrency currently sits between $150,000 and $200,000.
Bits and Bytes
Don’t trust the Webcam LED. Many webcams have a light to indicate when they are capturing images. This is your periodic reminder: that LED is just connected to a GPIO, and isn’t necessarily trustworthy. The Lights Out attack re-flashes the webcam’s firmware, giving arbitrary control over that LED.
Scareware has long been a problem, and it’s been around on mobile for quite a while now, but this was a new trick to me: a full screen image that mimics a broken screen. Now this one is really leaning into the scare element, and the prompt drawn over the “broken” screen quickly gives the trick away.
VPN appliances are built to keep unauthorized users out, but what happens when a user tries to connect to a malicious VPN? For many clients, the results aren’t pretty. And now, to better explore those potential issues, AmberWolf has released NachoVPN. (Love the pun.) The tool is open source, and available on Github.
And finally, if you want to brush up on your OAuth2 understanding, there’s a new project that may be for you: OAuth Labs. This is a series of simulated challenges where you can exploit vulnerable OAuth implementations. The challenges are self-hosted as Docker runners. Let us know if you decide to take on the challenge!
Heh, I’ve got an ancient but still working “Logitech QuickCam 3000 Pro” and at some point I added a DPST switch (double pole single throw) inside the spherical case to disconnect both USB data lines.
It works but after starting the cam’s LED stays lit until I connect the data lines at least once.
And since there’s no working driver for such an old cam anymore I had to fiddle with the QC 4000 driver to get the older variant working. Unfortunately only partially – the internal mic only works when the camera is not recording and vice versa for some reason (I guess some driver-comunication-control bits have flipped meanings between both versions or something).
“AmberWolf has released NachVPN. (Love the pun.)” … yah, didn’t get it either. NachoVPN, still don’t get it… sigh.
phonetically similar to “not your VPN”
Anyone ask Mitnick?
What for a tutorial on war dialing, or good word lists?
I feel cheated. All I get is nigerian royalty begging for me to keep their billions and the odd über-hacker who’s got nudes of me doing the nasty from gear without camera or mic.
“Maybe those backdoors weren’t such a great idea. ”
Security vs privacy. A debate as old as time.
I would be as concerned with how they got in, because until you know that they’re just going to do it again. But:
Some poor group of sods right now is going round reflashing routers and switches with known-to-be-good IOS or equivalent, because if the was a state actor, you just know they put something in the firmware and you can’t trust what it tells you unless you are plugged into the a the console port with a wire to your laptop.
AAA everywhere, people!
Are those not synonymous?
AIUI, the baddies can intercept speech and text between my wife’s iPhone and my Android, but not between my wife’s and daughter’s IPhones.
So, a VPN is needed to prevent interception between my wife’s phone and mine.
Sorry honey, I didn’t get your text about picking up milk. Must have been Chinese hackers.
Lot’s of poor infrastructure yawn and some non-competitive fuzzing yawn.. FYI cutting edge fuzzing is all happening around V8 and none of it is using neural nets..
Android NDK has no UI/UX it’s for frame-buffer and compression code. Android also has Rust so unless you’re doing 3D games why would you use NDK? Too many people who write horrid C think they are just the best C coder ever but can’t publish anything with remote data use without creating security problems.. Just use Rust or Python and assembly; at least with assembly you’ll be better at memory managment and IPC usage and you can use it for RE..
If CALEA is compromised is there a risk that not only would an attacker have “live” access to traffic but also access to the agency’s records / history etc. within the system?
This seems like a weapons-grade f*** up, totally mad. I bet China/Russia are pleased as hell with themselves.
Thankfully the HaD blurb has us thank China for the intrusion. Y’all on the shinzen media welfare program too now lol? jeebus…
At least feign some sort of ill will at this sort of attack.
man its almost like government overreach becomes dangerous to everyone. even the government at some point.
I have multiple Logitech C920 webcams and they come with official software that allows turning off the LEDs while recording, without needing to re-flash the firmware. This way I already learned not to trust the LEDs.