This Week In Security: National Backdoors, Web3 Backdoors, And Nearest Neighbor WiFi

Maybe those backdoors weren’t such a great idea. Several US Telecom networks have been compromised by a foreign actor, likely China’s Salt Typhoon, and it looks like one of the vectors of compromise is the Communications Assistance for Law Enforcement Act (CALEA) systems that allow for automatic wiretapping at government request.

[Jeff Greene], a government official with the Cybersecurity and Infrastructure Security Agency (CISA), has advised that end-user encryption is the way to maintain safe communications. This moment should forever be the touchstone we call upon when discussing ideas like mandated encryption backdoors and even the entire idea of automated wiretapping systems like CALEA. He went on to make a rather startling statement:

I think it would be impossible for us to predict a time frame on when we’ll have full eviction

There are obviously lots of unanswered questions, but with statements like this from CISA, this seems to be an extremely serious compromise. CALEA has been extended to Internet data, and earlier reports suggest that attackers have access to Internet traffic as a result. This leaves the US telecom infrastructure in a precarious position where any given telephone call, text message, or data packet may be intercepted by an overseas attacker. And the FCC isn’t exactly inspiring us with confidence as to its “decisive steps” to fix things. Continue reading “This Week In Security: National Backdoors, Web3 Backdoors, And Nearest Neighbor WiFi”

This Week In Security: Linux VMs, Real AI CVEs, And Backscatter TOR DoS

Steve Ballmer famously called Linux “viral”, with some not-entirely coherent complaints about the OS. In a hilarious instance of life imitating art, Windows machines are now getting attacked through malicious Linux VM images distributed through phishing emails.

This approach seems to be intended to fool any anti-malware software that may be running. The VM includes the chisel tool, described as “a fast TCP/UDP tunnel, transported over HTTP, secured via SSH”. Now that’s an interesting protocol stack. It’s an obvious advantage for an attacker to have a Linux VM right on a target network. As this sort of virtualization does require hardware virtualization, it might be worth disabling the virtualization extensions in BIOS if they aren’t needed on a particular machine.

AI Finds Real CVE

We’ve talked about some rather unfortunate use of AI, where aspiring security researchers asked an LLM to find vulnerabilities in a project like curl, and then completely wasted a maintainer’s time on those bogus reports. We happened to interview Daniel Stenberg on FLOSS Weekly this week, and after he recounted this story, we mused that there might be a real opportunity to use LLMs to find vulnerabilities, when used as a way to direct fuzzing, and when combined with a good test suite.

And now, we have Google Project Zero bringing news of their Big Sleep LLM project finding a real-world vulnerability in SQLite. This tool was previously called Project Naptime, and while it’s not strictly a fuzzer, it does share some similarities. The main one being that both tools take their educated guesses and run that data through the real program code, to positively verify that there is a problem. With this proof of concept demonstrated, it’s sure to be replicated. It seems inevitable that someone will next try to get an LLM to not only find the vulnerability, but also find an appropriate fix. Continue reading “This Week In Security: Linux VMs, Real AI CVEs, And Backscatter TOR DoS”

This Week In Security: The Internet Archive, Glitching With A Lighter, And Firefox In-the-wild

The Internet Archive has been hacked. This is an ongoing story, but it looks like this started at least as early as September 28, while the site itself was showing a creative message on October 9th, telling visitors they should be watching for their email addresses to show up on Have I Been Pwnd.

There are questions still. The site defacement seems to have included either a subdomain takeover, or a long tail attack resulting from the polyfill takeover. So far my money is on something else as the initial vector, and the polyfill subdomain as essentially a red herring.

Troy Hunt has confirmed that he received 31 million records, loaded them into the HIBP database, and sent out notices to subscribers. The Internet Archive had email addresses, usernames, and bcrypt hashed passwords.

In addition, the Archive has been facing Distributed Denial of Service (DDoS) attacks off and on this week. It’s open question whether the same people are behind the breach, the message, and the DDoS. So far it looks like one group or individual is behind both the breach and vandalism, and another group, SN_BLACKMETA, is behind the DDoS.

Continue reading “This Week In Security: The Internet Archive, Glitching With A Lighter, And Firefox In-the-wild”

This Week In Security: Kaspersky Ban, Project Naptime, And More

The hot news this week is that Kaspersky is banned in the USA. More specifically, Kaspersky products will be banned from sale in the US starting on September 29. This ban will extend to blocking software updates, though it’s unclear how that will actually be accomplished. It’s reasonable to assume that payment processors will block payments to Kaspersky, but will ISPs be required to block traffic that could contain antivirus updates?

WordPress Plugin Backdoor

A Quartet of WordPress plugins have been found to have recently included backdoor code. It’s a collection of five Open Source plugins, seemingly developed by unrelated people. Malicious updates first showed up on June 21st, and it appears that all five plugins are shipping the same malicious code.

Rabbit AI API

The Rabbit R1 was released to less than thunderous applause. The idea is a personal AI device, but the execution has been disappointing, to the point of reviewers suggesting some of the earlier claims were fabricated. Now it seems there’s a serious security issue, in the form of exposed API keys that have *way* too many privileges.

The research seems to be done by the rabbitude group, who found the keys back in May. Of the things allowed by access to the API keys, the most worrying for user privacy was access to every text-to-speech call. Rabbitude states in their June 25 post, that “rabbit inc has known that we have had their elevenlabs (tts) api key for a month, but they have taken no action to rotate the api keys.” On the other hand, rabbit pushed a statement on the 26th, claiming they were just then made aware of the issue, and made the needed key rotations right away.

Continue reading “This Week In Security: Kaspersky Ban, Project Naptime, And More”

the Logitech receiver in question next to the mouse it's paired to

Uncovering Secrets Of Logitech M185’s Dongle

[endes0] has been hacking with USB HID recently, and a Logitech M185 mouse’s USB receiver has fallen into their hands. Unlike many Logitech mice, this one doesn’t include a Unifying receiver, though it’s capable of pairing to one. Instead, it comes with a pre-paired CU0019 receiver that, it turns out, is based on a fairly obscure TC32 chipset by Telink, the kind we’ve seen in cheap smart wristbands. If you’re dealing with a similarly obscure MCU, how do you even proceed?

In this case, GitHub had a good few tools developed by other hackers earlier — a Ghidra integration, and a tool for working with the MCU using a USB-UART and a single resistor. Unfortunately, dumping memory through the MCU’s interface was unreliable and frustrating. So it was time to celebrate when fuzzing the HID endpoints uncovered a memory dump exploit, with the memory dumper code helpfully shared in the blog post.

From a memory dump, the exploration truly began — [endes0] uncovers a fair bit of dongle’s inner workings, including a guess on which project it was based on, and even a command putting the dongle into a debug mode where a TC32-compatible debugger puts this dongle fully under your control.

Yet another hands-on course on Ghidra, and a wonderful primer on mouse dongle hacking – after all, if you treat your mouse’s dongle as a development platform, you can easily do things like controlling a small quadcopter, or pair the dongle with a SNES gamepad, or build a nifty wearable.

We thank [adistuder] for sharing this with us!

Displays We Like Hacking: HDMI

I don’t like HDMI. Despite it being a pretty popular interface, I find crucial parts of it to be alien to what hackers stand for. The way I see it, it manages to be proprietary while bringing a lot of the old cruft in. It doesn’t have a native alternative like DisplayPort, so portable implementations tend to suffer power-wise; the connector situation is interesting, and the HDMI Foundation has been doing some weird stuff; in particular, they are pretty hostile to open-source technology.

This article is not the place for such feelings, however, especially since I’ve expressed them enough in the DisplayPort article. We the hackers deserve to be able to handle the interfaces we stumble upon, and I firmly believe in that way more than in my right to animosity towards HDMI.

The HDMI interface is seriously prominent wherever you look, in part because it’s the interface created by the multimedia-involved companies for the multimedia-involved companies. Over the years we’ve had it, it’s been more than sufficient for basically everything we do video-wise, save for the highest resolutions.

It’s also reasonably simple to wire up, hack on, and even bitbang. Let’s go through what makes it tick.

The Core

HDMI is, at its core, three differential pairs for data, plus one pair to clock them and in the darkness bind them. It’s a digital interface, though it is a fun one. This makes it way more suitable for higher-distance video transmissions than interfaces like VGA, and as long as you stick to relatively low resolutions, HDMI won’t have as many asks in terms of PCB layout as DisplayPort might, thanks to HDMI link speeds scaling proportionally with the display resolution.

Continue reading “Displays We Like Hacking: HDMI”

This Week In Security: Default Passwords, Lock Slapping, And Mastodown

The UK has the answer to all our IoT problems: banning bad default passwords. Additionally, the new UK law requires device makers to provide contact info for vulnerability disclosures, as well as a requirement to advertise vulnerability fix schedules. Is this going to help the security of routers, cameras, and other devices? Maybe a bit.

I would argue that default passwords are in themselves the problem, and complexity requirements only nominally help security. Why? Because a good default password becomes worthless once the password, or algorithm leaks. Let’s lay out some scenarios here. First is the static default password. Manufacturer X makes device Y, and sets the devices to username/password admin/new_Complex_P@ssword1!. Those credentials make it onto a default password list, and any extra security is lost.

What about those devices that have a different, random-looking password for each device? Those use an algorithm to derive that password from the MAC address and/or serial number. That may help the situation, but the algorithm can be retrieved from the firmware, and most serial numbers are predictable in one way or another. This approach is better, but not a silver bullet.

So what would a real solution to the password problem look like? How about no default password at all, but no device functionality until the new password passes a cracklib complexity and uniqueness check. I have seen a few devices that do exactly this. The requirement for a disclosure address is a great idea, which we’ve talked about before regarding the similar EU legislation.

Continue reading “This Week In Security: Default Passwords, Lock Slapping, And Mastodown”