This Week In Security: License Plates, TP-Link, And Attacking Devs

We’re covering two weeks of news today, which is handy, because the week between Christmas and New Year’s is always a bit slow.

And up first is the inevitable problem with digital license plates. Unless very carefully designed to be bulletproof, they can be jailbroken, and the displayed number can be changed. And the Reviver plates were definitely not bulletproof, exposing a physical programming port on the back of the plate. While it’s not explicitly stated, we’re guessing that’s a JTAG port, given that the issue is considered unpatchable, and the port allows overwriting the firmware. That sort of attack can be hardened against with signed firmware, and using an MCU that enforces it.

This does invite comparisons to the James Bond revolving license plate — and that comparison does put the issue into context. It’s always been possible to swap license plates. If someone really wants to cause mischief, traditional plates can be stolen, or even faked. What a digital plate adds to the equation is the ability to switch plate numbers on the fly, without stopping or turning a screwdriver. Regardless, this seems like it will be an ongoing problem, as so many manufacturers struggle to create secure hardware.

Malicious RDP

There’s a clever attack that uses Microsoft’s Remote Desktop Protocol (RDP) to give away far too much control over a desktop. It’s accomplished by sending the target a .rdp file configured to share local resources like the clipboard and filesystem with the remote host; once the victim opens it, those resources are available to whoever controls that host. What’s new is that this once-theoretical attack has now shown up in the wild.

The attack campaign has been attributed to APT29, CozyBear, a threat actor believed to be associated with Russia’s Foreign Intelligence Service. This attribution tracks with the victims of choice: government, research, and Ukrainian targets in particular. To escape detection, the malicious RDP endpoints are set up behind RDP proxies running on services like AWS, and the proxies and endpoints are accessed through Tor and other anonymizing proxies. The .rdp files were spread via spear-phishing emails sent through compromised mail servers. The big push, with about 200 targets, was triggered on October 22nd. Researchers at Trend Micro believe this was the end of a targeted campaign: once a campaign is wrapping up, it no longer matters if the infrastructure and methods get discovered, so the attacker aims for maximum impact.
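Because the whole attack rides on the settings inside the .rdp file, the thing a defender most wants is a quick way to triage one before anyone double-clicks it. The following is an added example (not code from the column, Trend Micro, or Microsoft): it parses the plain `name:type:value` line format that .rdp files use and flags the settings that redirect local drives, devices, printers, smart cards or the clipboard to the remote host. The sample file is constructed for the example, and the `.invalid` hostname is a placeholder.

```python
"""Triage an .rdp file for settings that hand local resources to the remote host.

Added example, not from the Hackaday column or any vendor tool. The sample .rdp
content below is constructed; the setting names are the standard ones mstsc writes.
"""
from typing import Callable, Dict, List, Tuple

# Setting name -> predicate over its string value that is true when the setting
# exposes something local to the remote session.
RISKY_SETTINGS: Dict[str, Callable[[str], bool]] = {
    "drivestoredirect": lambda v: v != "",     # "*" or a list of drive letters
    "devicestoredirect": lambda v: v != "",    # plug-and-play devices
    "redirectclipboard": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",  # the remote side can use your card
    "redirectcomports": lambda v: v == "1",
}

def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse `name:type:value` lines into {name: (type, value)}.

    Values can contain ':' themselves (IPv6 addresses, URLs), so split at most
    twice. Blank, commented and malformed lines are skipped, as mstsc skips them.
    """
    settings: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        name, typ, value = parts
        settings[name.strip().lower()] = (typ.strip(), value.strip())
    return settings

def risky_redirections(settings: Dict[str, Tuple[str, str]]) -> List[str]:
    """Names of the settings that share local resources, sorted for stable output."""
    return sorted(
        name for name, (_, value) in settings.items()
        if name in RISKY_SETTINGS and RISKY_SETTINGS[name](value)
    )

def assess(text: str) -> dict:
    """Summarize one .rdp file: where it connects and what it would expose."""
    settings = parse_rdp(text)
    flagged = risky_redirections(settings)
    target = settings.get("full address", ("", ""))[1]
    return {
        "target": target,
        "flagged": flagged,
        "verdict": "suspicious" if flagged else "ok",
    }

# Constructed sample in the shape of a phishing attachment: it points at an
# attacker-controlled proxy and shares every drive plus the clipboard.
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:rdp-proxy.example.invalid
username:s:guest
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
authentication level:i:0
"""

# A file that only opens a session and shares nothing local.
BENIGN_RDP = """\
full address:s:rdp-proxy.example.invalid
drivestoredirect:s:
redirectclipboard:i:0
"""

if __name__ == "__main__":
    print(assess(SAMPLE_RDP))
    print(assess(BENIGN_RDP))
```

On a mail gateway this is the kind of check you would run on every `.rdp` attachment; a file that both connects to an unfamiliar host and sets any of the flagged keys is worth quarantining rather than delivering.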

Free* McDonald’s?

Here we learn that while McDonald’s USA doesn’t have a bug bounty program, McDonald’s India does — and that’s why researcher [Eaton Zveare] looked there. He found a series of Broken Object Level Authorization (BOLA) bugs. That’s a new term to this column, but a concept we’ve talked about before. BOLA vulnerabilities happen when a service validates a user’s authentication token, but doesn’t properly check that the user is authorized to access the specific resource requested.

In the McDonald’s case, any user of the web app is issued a guest JWT, and that token is then valid to access any Order ID in the system. That allows some interesting fun, like leaving reviews on other users’ orders, accessing delivery maps, and getting copies of receipts. But things got really interesting when creating an account and then ordering food. A hidden, incomplete password login page allowed breaking the normal user verification flow and creating an account. Then, after food is added to the cart, the cart can be updated to have a total price of a single rupee, about the value of a penny.
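The two bugs above are the same mistake seen from two angles: the server checks that a request is authenticated but not that it is authorized for the object it names, and it trusts a client-supplied value it should have computed itself. The block below is an added example, not code from McDonald’s India or from [Eaton]’s write-up. It models a guest session token (HMAC-signed rather than a real JWT, to stay dependency-free), an order lookup in its vulnerable and hardened forms, and a cart update in both forms. The order store, session ids and prices are all constructed.

```python
"""Broken object level authorization: the vulnerable pattern next to the fix.

Added example, not from the column or the McDonald's India app. Tokens are HMAC-signed
blobs standing in for JWTs; orders, sessions and prices are constructed.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict

SECRET = b"example-signing-key"  # constructed; real services load this from config

# Constructed order store: order id -> owning session and line items.
ORDERS: Dict[str, dict] = {
    "1001": {"owner": "guest-aaa", "items": {"burger": 2, "fries": 1}},
    "1002": {"owner": "user-bob", "items": {"nuggets": 1}},
}
PRICES = {"burger": 150, "fries": 90, "nuggets": 200}  # constructed, in rupees

def issue_token(subject: str) -> str:
    """Mint a signed session token. Guests get one exactly like registered users."""
    payload = base64.urlsafe_b64encode(json.dumps({"sub": subject}).encode()).decode()
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"

def verify_token(token: str) -> str:
    """Authentication only: return the subject if the signature checks out."""
    payload, _, sig = token.rpartition(".")
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad signature")
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]

def get_order_vulnerable(token: str, order_id: str) -> dict:
    """BOLA: any valid token, including a guest's, can read any order id."""
    verify_token(token)
    return ORDERS[order_id]

def get_order_secure(token: str, order_id: str) -> dict:
    """Object-level check: the caller must own the order it asks for."""
    subject = verify_token(token)
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != subject:
        # One answer for "not yours" and "does not exist", so ids can't be enumerated.
        raise PermissionError("order not found")
    return order

def is_readable(token: str, order_id: str) -> bool:
    """Convenience wrapper: does the hardened endpoint let this token see this order?"""
    try:
        get_order_secure(token, order_id)
        return True
    except PermissionError:
        return False

def update_cart_vulnerable(cart: dict, client_total: int) -> int:
    """Trusts the total the client sends; this is where a one-rupee order comes from."""
    cart["total"] = client_total
    return cart["total"]

def update_cart_secure(cart: dict) -> int:
    """Recompute the total from server-side prices; any client-sent total is ignored."""
    cart["total"] = sum(PRICES[item] * qty for item, qty in cart["items"].items())
    return cart["total"]

if __name__ == "__main__":
    guest = issue_token("guest-aaa")
    print("vulnerable:", get_order_vulnerable(guest, "1002")["owner"])  # someone else's order
    print("secure:", is_readable(guest, "1002"))                          # False
    cart = {"items": {"burger": 2, "fries": 1}}
    print("client-priced:", update_cart_vulnerable(cart, 1), "server-priced:", update_cart_secure(cart))
```

The fix is not a smarter token. The guest token was never the problem; the lookup simply never compared the token’s subject against the order’s owner, and the cart endpoint never recomputed the price. Both checks belong in the handler, per object, on every request.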

This research earned [Eaton] a $240 Amazon gift card, which seems a little stingy, but the intent behind the gesture is appreciated. The fixes landed just over two months after being reported, and while [Eaton] notes that this is slower than some companies, it’s significantly faster than some of the less responsive vendors that we’ve seen.

Banning TP-Link

The US Government has recently begun discussing a plan to ban TP-Link device purchases in the United States. The reported reason is that TP-Link devices have shipped with security problems. One notable example is a botnet that Microsoft has been tracking, which primarily consists of TP-Link devices.

This explanation rings rather hollow, particularly given the consistent security failings from multiple vendors that we’ve covered in this very column over the years. Where it begins to make more sense is when considered in light of the Chinese policy that all new vulnerabilities must first be reported to the Chinese government, and only then can fixes be rolled out. It suggests that the US Commerce Department suspects that TP-Link is still following this policy, even though it’s technically now a US company.

I’m no stranger to hacking TP-Link devices. Many years ago I wrote a simple attack to put the HTTPD daemon on TP-Link routers into debug mode, by setting the wifi network name. Because the name was used to build a command run with bash, it was possible to do command injection, build a script in the device’s /tmp space, and then execute that script. Getting to debug mode allowed upgrading to OpenWRT on the device. And that just happens to be my advice for anyone still using TP-Link hardware: install OpenWRT on it.
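The SSID bug described above is a textbook command injection: a value the user controls is pasted into a string that a shell then parses. The block below is an added example, not the router firmware and not the author’s original attack. It shows that pattern beside two defenses, never invoking a shell at all, and validating the SSID before it reaches a privileged command. `wifi-apply` is a stand-in name for whatever helper a firmware would actually call, and the character-set policy in `validate_ssid` is an assumption of the example, not an 802.11 requirement.

```python
"""Building a command from the Wi-Fi network name: vulnerable and hardened forms.

Added example, not from the column or any router firmware. `wifi-apply` is a
placeholder program name; the SSID character policy is this example's assumption.
"""
import re
import shlex
import subprocess
from typing import List

def build_command_vulnerable(ssid: str) -> str:
    """String interpolation into a line that will be handed to /bin/sh.
    Every shell metacharacter in `ssid` becomes part of the command."""
    return f"wifi-apply --ssid {ssid} --restart"

def run_vulnerable(ssid: str) -> None:
    subprocess.run(build_command_vulnerable(ssid), shell=True)  # the bug: shell=True

def validate_ssid(ssid: str) -> bool:
    """IEEE 802.11 allows SSIDs of 1 to 32 octets. On top of that length rule this
    example restricts the character set to letters, digits, space, dot, underscore
    and hyphen, so the value is harmless to every consumer downstream, not just
    the shell. That extra restriction is a policy choice, not a protocol rule."""
    encoded = ssid.encode("utf-8")
    return 1 <= len(encoded) <= 32 and re.fullmatch(r"[A-Za-z0-9 ._-]+", ssid) is not None

def build_command_safe(ssid: str) -> List[str]:
    """Return an argv list. Each element reaches the program as exactly one
    argument and no shell ever parses it, so `;`, `$(...)` and backticks are inert."""
    if not validate_ssid(ssid):
        raise ValueError("invalid SSID")
    return ["wifi-apply", "--ssid", ssid, "--restart"]

def run_safe(ssid: str) -> None:
    # shell=False is the default; spelled out here because it is the point.
    subprocess.run(build_command_safe(ssid), shell=False, check=True)

def quoted_fallback(ssid: str) -> str:
    """If a shell is unavoidable (a legacy init script, say), quote the value.
    This is second best: it protects the command line, not whatever the script
    does with the value once it has it."""
    return f"wifi-apply --ssid {shlex.quote(ssid)} --restart"

if __name__ == "__main__":
    hostile = "Home; id"          # constructed: a name with a shell separator in it
    print(build_command_vulnerable(hostile))   # two commands, not one argument
    print(quoted_fallback(hostile))            # one quoted argument
    print(validate_ssid(hostile), build_command_safe("Home Net"))
```

The order of preference is the order of the functions: no shell at all, then validation, then quoting. Validation also gives you a place to log and alert when something that is clearly not a network name shows up in that field.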

Developers Beware

We have two separate instances of malware campaigns directly targeting developers. The first is malicious VSCode extensions being uploaded to the marketplace. These fakes are really compelling, too, with lots of installs, reviews, and links back to the real pages. These packages seem to be droppers for malware payloads, and seem to be targeting cryptocurrency users.

If malware in your VSCode extensions isn’t bad enough, OtterCookie is a campaign believed to come from North Korea, spreading via fake job interviews. The interview asks a candidate to run a Node.js project, or install an npm package as part of prep. Those are malicious packages, and data stealers are deployed upon launch. Stay frosty, even on the job hunt.

Bits and Bytes

PHP has evolved over the years, but there are still a few quirks that might trip you up. One of the dangerous ones is tied up in $_SERVER['argv'], which is often used as a quick way to test whether PHP is being run from the command line or on a server. Except that test only works when register_argc_argv is set to off; otherwise a query string is enough to populate argv and fool a naive application into thinking it’s running on the command line. That’s exactly the footgun that caught Craft CMS with CVE-2024-56145.

Australia may know something we don’t, setting 2030 as the target for retiring cryptographic primitives that aren’t quantum resistant. That’s RSA, elliptic-curve cryptography, and even SHA-256. It’s a bit impractical to think that those algorithms will be completely phased out by then, but it’s an interesting development to watch.

Fuzzing is a deep subject, and the discovery of 29 new vulnerabilities in GStreamer is evidence that there’s still plenty to discover. This wasn’t coverage-guided fuzzing, where the fuzzer mutates its input to maximize code coverage. Instead, this work uses a custom corpus generator that is aware of how valid MP4 files are structured.
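The difference between random input and a structure-aware generator is easiest to see on the MP4 container itself, which is a tree of length-prefixed boxes. The block below is an added example, not the tooling from the GStreamer research: it contains a minimal reference box parser, a generator that emits well-formed box trees from a fixed seed, and a mutator that keeps the tree valid except for one size field, which is the kind of inconsistency length-handling bugs care about. The box types and payload contents are constructed and deliberately simplified (payloads are random bytes, not real `mvhd` or `stsd` fields).

```python
"""Structure-aware corpus generation for an MP4 (ISO BMFF) box parser.

Added example, not from the GStreamer fuzzing work. Every box is
`size:uint32 BE | type:4 bytes | payload`; containers hold more boxes.
Seeds are fixed so the corpus is reproducible. All inputs are constructed.
"""
import random
import struct
from typing import List, Optional, Tuple

CONTAINER_BOXES = {b"moov", b"trak", b"mdia", b"minf", b"stbl"}   # hold child boxes
LEAF_BOXES = [b"mvhd", b"tkhd", b"mdhd", b"hdlr", b"stsd", b"stts", b"stsz", b"free"]

def walk(data: bytes, start: int = 0, end: Optional[int] = None) -> List[Tuple[int, bytes, int]]:
    """Reference parser: (offset, type, size) for every box, recursing into known
    containers. Raises ValueError on a size that does not fit its parent."""
    end = len(data) if end is None else end
    out: List[Tuple[int, bytes, int]] = []
    pos = start
    while pos < end:
        if end - pos < 8:
            raise ValueError(f"truncated header at {pos}")
        size = struct.unpack(">I", data[pos:pos + 4])[0]
        kind = data[pos + 4:pos + 8]
        if size < 8 or pos + size > end:
            raise ValueError(f"bad size {size} for {kind!r} at {pos}")
        out.append((pos, kind, size))
        if kind in CONTAINER_BOXES:
            out.extend(walk(data, pos + 8, pos + size))
        pos += size
    return out

def parses(data: bytes) -> bool:
    """True if the reference parser accepts the whole file."""
    try:
        walk(data)
        return True
    except ValueError:
        return False

def box(kind: bytes, payload: bytes) -> bytes:
    """Serialize one box: header-inclusive size, type, payload."""
    return struct.pack(">I", 8 + len(payload)) + kind + payload

def _container(rng: random.Random, kind: bytes, depth: int) -> bytes:
    """A container with one to three children, nesting at most three levels deep."""
    children = b""
    for _ in range(rng.randint(1, 3)):
        if depth < 3 and rng.random() < 0.5:
            child_kind = rng.choice(sorted(CONTAINER_BOXES - {b"moov"}))
            children += _container(rng, child_kind, depth + 1)
        else:
            payload = bytes(rng.getrandbits(8) for _ in range(rng.randint(0, 24)))
            children += box(rng.choice(LEAF_BOXES), payload)
    return box(kind, children)

def generate_file(rng: random.Random) -> bytes:
    """An 'ftyp' box (brand isom, compatible with isom/mp41) followed by a 'moov' tree."""
    ftyp = box(b"ftyp", b"isom" + struct.pack(">I", 0) + b"isom" + b"mp41")
    return ftyp + _container(rng, b"moov", 0)

def build_corpus(seed: int, n: int) -> List[bytes]:
    """n well-formed files from one seed; the same seed always yields the same corpus."""
    rng = random.Random(seed)
    return [generate_file(rng) for _ in range(n)]

def mutate_size(rng: random.Random, data: bytes) -> bytes:
    """Structure-aware mutation: pick one box anywhere in the tree and replace its
    size with a value that is too small, too large, or wraps around."""
    offsets = [off for off, _, _ in walk(data)]
    off = rng.choice(offsets)
    bad = rng.choice([0, 1, 7, 0xFFFFFFFF, len(data) + 1])
    return data[:off] + struct.pack(">I", bad) + data[off + 4:]

if __name__ == "__main__":
    corpus = build_corpus(seed=1, n=5)
    print([len(f) for f in corpus], all(parses(f) for f in corpus))
    print(parses(mutate_size(random.Random(2), corpus[0])))   # False: one bad size field
```

Random bytes almost never survive the first header check, so a coverage-blind random corpus exercises only the error path. The generated files pass the reference parser and then get mutated one field at a time, which is how a structure-aware corpus drives a real demuxer into the code that actually handles nested boxes, sample tables and sizes.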

22 thoughts on “This Week In Security: License Plates, TP-Link, And Attacking Devs”

  1. “The US Government has recently begun discussing a plan to ban TP-Link device purchases in the United States.” And yet Cisco, which has more CVEs than anything else, is OK?

    1. I don’t think raw numbers of CVEs are useful to compare.

      Cisco probably makes more stuff and supports it for longer? We’d therefore expect them to have more CVEs, everything else equal.

      Also, given Cisco is historically at least preferred for enterprise type stuff, and TP-Link for consumer, we might expect more scrutiny of Cisco kit.

  2. The TPLink thing is rank protectionism, if companies like Fortinet, Cisco, and Netgear can continue to be allowed. TPLink produces great switches and APs for far cheaper than a lot of the alternatives.

    1. Protectionism? They aren’t even targeting the same buyers, except maybe Netgear. Your comment is naive as this is a national security issue. The US knows because they’ve done this kind of thing to other countries.

    2. Protection against companies in receipt of state funds purposely to disrupt a market segment by the method of dumping product on it at below reasonable cost?

      Seems like a good idea to combat such activity.

      1. Come to think of it, I remember using Turbo Pascal in… the late 1980’s, it would have been. Maybe the very early 90’s. It was how high school-aged me learned procedural coding, as I recall.

        It was plenty usable, for its time, but not nearly a patch on VS Code. In fact, one could probably make something vastly better using VS Code and a language server for GNU Pascal, if one wanted. If Python didn’t exist as a far, far better teaching language, I’d be tempted to recommend it.

  3. I really can’t see what problem digital licence plates solve. Seems like throwing tech somewhere for no good (at least if you stick to good must be legal) reason. Are you going to have to start worrying that instead of doing minor damage popping a light to get at the CAN bus and steal the car they can just unscrew the licence plate for the same level of access? Seriously, what possible benefit then exists when you are not actively trying to push your bad driving off on others!?!?!

    On the TPlink stuff I’m far less bothered – there must be other layers to it beyond just one bad botnet and some security flaws, as that does seem to be the rule not the exception. But whatever those reasons are, if it puts just a little bit of fear into the company producing these things, then just maybe they stick to and even actively support open source firmware over trying to lock down their stuff, as then the security problem isn’t something they actually have to fix… That would be a good thing for us all!

  4. If, and it is a big if, quantum reduces SHA-256 to effectively SHA-128 (as most of the papers say), it is still going to be very difficult to ‘break’. You can’t brute force the other 128 bits in any meaningful time.

    And digital license plates are just silly…

  5. I cannot think of a single reason to have a digital license plate. I am not keen to break the law by changing my number, nor am I keen to have electronics placed on my vehicle while I foot the bill.

    The only upsides are I can link my license plate to an app, and then pay my registration. Well I can always pay my registration online, and wait for stickers. On the off chance I am hassled about that I can explain my case and show my receipt.

    I guess it would prevent my plate being stolen, because if it’s stolen it deactivates? But it hasn’t happened in 30 years, so 🤷🏼‍♂️.

    Am I allowed to put an E-Ink tablet in place of my plate? And if not, why not? How do law enforcement officers know it is legit? Can I make my own, and would they know? So many questions. I feel like I would react similarly to hearing of banana peel tire technology. Even if it ‘works’, why?

    1. I came up with a reason to jailbreak it: Hook it up to a push-button to display a message to the guy behind you (“back off!”) for a couple seconds before going back to legit license plate display… very grey area that I feel like you’d never get in trouble for.

      But yeah, not something I’ll ever do.

    2. Here in the UK a licence plate usually just stays on the car for its entire life, the car is registered to a keeper (usually the owner), and road tax is paid online – we used to get a physical paper tax disc that had to be displayed in the windscreen* but these days they just look it up online, police cars, cities, and many other places have ANPR cameras that can spot un-taxed and uninsured cars/drivers as well as stolen vehicles.

      I can’t imagine why you’d need anything as complex as a digital licence plate, that feels like answering the wrong question.

      Unless you’re driving a yellow Reliant Regal van around Peckham

  6. In a world where digital license plates are legal, jailbreaking is not the problem. Anyone can simply rig up any appropriately sized screen to say anything they want it to. Buy an official one and replace the brains. No doubt Chinese variants will also be released that do not attempt to lock down the screens at all. The whole idea of a digital plate invites abuse. Of course physical plates are counterfeitable, but there is hard evidence and they can’t be swapped back and forth in milliseconds with no real evidence.

  7. Regarding TP-Link story: Something isn’t being told..

    Name a TP-Link CVE that NetGear, ASUS, and Linksys haven’t got in recent years. It gets even worse with Wi-Fi cameras and IoT, and no bans there.

    US Gov. is playing fast and loose with their broad scale lying..

    1. UPDATE: I’ve never seen a post stay on the main-page slider this long.. We get it.. US Gov., and evidently HaD, doesn’t like TP-Link..

      P.S. I’m buying more TP-Link now until some disproportion in CVE backs this narrative..

      1. You have to ask yourself why these devices cost less than it costs to make/market them. And that is before they are imported, so add the landed costs. It seems like China is trying to flood our market with cheap exploitable routers. You can’t really say that about the other manufacturers.
