Security has always been an issue with IoT devices. Off the shelf devices often have terrible security while DIY solutions can be complicated, needing recompilation every time a website’s fingerprint changes. [Johannes] wrote in to let us know he’s been working on a way to make HTTPS requests easier to do on ESP devices.
The normal ways to do HTTPS with an ESP8266 is to either use Fingerprints, or to use client.setInsecure(). Fingerprints require the user to know exactly which pages the ESP will connect to and extract the Fingerprints from each of those websites. Since the fingerprints change yearly, this means the fingerprint will have to be re-extracted and the code recompiled each time a fingerprint changes. The use of client.setInsecure() is, obviously, insecure. This may not be an issue for your project, but it might be for others.
[Johannes’] solution is to extract the trusted root certificates and store them in PROGMEM. This allows access to any web page, but the root certificates do expire as well. As opposed to the fingerprints, though, they expire after 20 years, rather than every year, so the program can run for a long time before needing recompilation. This solution also doesn’t require any manual steps – the build process runs a script that grabs the certificates and stores them as files that can be uploaded to the SPIFFS to be used during HTTPS requests.
He’s come up with a fairly straightforward way to have your IoT device connect to whichever web page you want, without having to recompile every once in a while. Hopefully, this will lead to better security for your IoT devices. Take a look at his previous work in this area.
Many in the community are skeptical about the security of commercial smart home devices, and for good reason. It’s not like you have to look far to find examples of poorly implemented systems, or products that are abandoned by their manufacturers and left without critical security updates. But the design flaw in this video doorbell really drives home how little thought some companies give to their customer’s security.
As explained by [Savvas], and demonstrated in the video after the break, all you need to do if you want to get into a home equipped with one of these vulnerable door bells is pop the unit off the wall and hit it with 12 volts DC.
Incredibly, the terminals that connect to the electronic lock inside the house are completely accessible on the back of the unit. They even labeled them, on the off-chance the robber forgets which wire is which. It’s not even as though the thing is held on with some kind of weird security screws, it’s just a garden variety Phillips.
In the video, [Savvas] even shows he used a little gadget attached to a QuickCharge USB battery bank to get a portable 12 VDC source suitable for tripping these locks. Which, interestingly enough, is based on a trick he read about in the Hackaday comments. Something to consider while penning your next comment on these storied pages.
[Savvas] says he’s reached out to the company to get their side of the story, but so far, hasn’t received a response. We aren’t surprised, this is a fundamental flaw in the product’s execution. Clearly they wanted to make an easy to install device that doesn’t require any additional electronics in the house, and this is the inevitable end result of that oversimplification. All the more reason to roll your own smart doorbell.
[Wladimir Palant] seems to be on a one man crusade against security problems in security software. The name may not be immediately recognizable, but among his other infamies is originating Adblock Plus, which we have a love-hate relationship with. (Look, surf the net with an adblocker, but disable it for sites you trust and want to support, like HaD).
This week, he announced a rather serious flaw in the Bitdefender. The disclosure starts off with high praise for the Bitdefender: “security-wise Bitdefender Antivirus is one of the best antivirus products I’ve seen so far….” Even with that said, the vulnerability he found is a serious one. A malicious website can trigger the execution of arbitrary applications. The problem was fixed in an update released on the 22nd.
The vulnerability is interesting. First, Bitdefender uses an API that was added to web browsers specifically to enable security software to work without performing man-in-the-middle decryption of HTTPS connections. When a problem is detected, Bitdefender replaces the potentially malicious page with it’s own error message.
Because of the way this is implemented, the browser sees this error message as being the legitimate contents of the requested site. Were this a static page, it wouldn’t be a problem. However, Bitdefender provides an option to load the requested page anyway, and does this by embedding tokens in that error page. When a user pushes the button to load the page, Bitdefender sees the matching tokens in the outgoing request, and allows the page. Continue reading “This Week In Security: Bitdefender, Ripple20, Starbucks, And Pwned Passwords”→
In the connected age, every day it appears privacy is becoming more and more of an idealistic fantasy as opposed to a basic human right. In our latest privacy debate per [TechCrunch], apparently the FBI is taking some shots at Apple.
You may find it somewhat interesting that the author of the news piece appears to be more upset with the FBI for cracking the phone than at Apple (and by extension other tech companies) for making phones that are crackable to begin with.
We’re fans of haveibeenpwned.com around here, but a weird story came across my proverbial desk this week — [Troy Hunt] wrote a malicious SQL injection into one of their emails! That attack string was a simple ';--
Wait, doesn’t that look familiar? You remember the header on the haveibeenpwned web page? Yeah, it’s ';--have i been pwned?. It’s a clever in-joke about SQL injection that’s part of the company’s brand. An automated announcement was sent out to a company that happened to use the GLPI service desk software. That company, which shall not be named for reasons that are about to become obvious, was running a slightly out-of-date install of GLPI. That email generated an automated support ticket, which started out with the magic collection of symbols. When a tech self-assigned the ticket, the SQL injection bug was triggered, and their entire ticket database was wiped out. The story ends happily, thanks to a good backup, and the company learned a valuable lesson. Continue reading “This Week In Security: HaveIBeenPwned And Facebook Attack Their Customers”→
Back when Windows NT was king, Microsoft was able to claim that it met the strict “Orange Book” C2 security certification. The catch? Don’t install networking and remove the floppy drives. Turns out most of the things you want to do with your computer are the very things that are a security risk. Even copy and paste.
[Michal Benkowki] has a good summary of his research which boils down to the following attack scenario:
Visit a malicious site.
Copy something to the clipboard which allows the site to put in a dangerous payload.
Visit another site with a browser-based visual editor (e.g., Gmail or WordPress)
First, a brief refresher: The ME is completely removable on some computers built before 2008, and can be partially disabled or deactivated on some computers built before around 2013. This doesn’t allow for many options for those of us who want modern hardware, but thanks to a small “exploit” of sorts, some modern chipsets are capable of turning the ME off. This is due to the US Government’s requirement that the ME be disabled for computers in sensitive applications, so Intel allows a certain undocumented bit, called the HAP bit, to be set which disables the ME. Researchers have been able to locate and manipulate this bit on this specific motherboard to disable the ME.
While this doesn’t completely remove the firmware, it does halt all execution of code in a way that is acceptable for a large governmental organization, so if you require both security and modern hardware this is one of the few ways to achieve that goal. There are other very limited options as well, but if you want to completely remove the ME even on old hardware the process itself is not as straightforward as you might imagine.