This Week In Security: Pwn2own, Zoom Zero Day, Clubhouse Data, And An FBI Hacking Spree

Our first story this week comes courtesy of the Pwn2own contest. For anyone not familiar with it, this event is held twice a year, and features live demonstrations of exploits against up-to-date software. The one exception to this is when a researcher does a coordinated release with the vendor, and the update containing the fix drops just before the event. This time, the event was held virtually, and the attempts are all available on Youtube. There were 23 attacks attempted, and only two were outright failures. There were 5 partial successes and 16 full successes.

One of the interesting demonstrations was a zero-click RCE against Zoom. This was a trio of vulnerabilities chained into a single attack. The only caveat is that the attack must come from an accepted contact. Pwn2Own gives each exploit attempt twenty minutes total, and up to three attempts, each of which can last up to five minutes. Most complex exploits have an element of randomness, and exploits known to work sometimes don’t work every time. The Zoom demonstration didn’t work the first time, and the demonstration team took enough time to reset, they only had enough time for one more try.

BleedingTooth

We first covered BleedingTooth almost exactly six months ago. The details were sparse then, but enough time has gone by to get the full report. BleedingTooth is actually a trio of vulnerabilities, discovered by [Andy Nguyen]. The first is BadVibes, CVE-2020-24490. It’s a lack of a length check in the handling of incoming Bluetooth advertisement packets. This leads to a buffer overflow. The catch here is that the vulnerability is only possible over Bluetooth 5. Continue reading “This Week In Security: Pwn2own, Zoom Zero Day, Clubhouse Data, And An FBI Hacking Spree”

This Week In Security: Google Photos, Whatsapp, And Doom On Deskphones

Google Photos is handy. You take pictures and videos on your cell phone, and they automatically upload to the cloud. If you’re anything like me, however, every snap comes with a self-reminder that “the cloud” is a fancy name for someone else’s server. What could possibly go wrong? How about some of your videos randomly included in another user’s downloads?

Confirmed by Google themselves, this bug hit those using Google Takeout, the service that allows you to download all your data from a Google application, as a single archive. Google Photos archives downloaded between November 21 and November 25 may contain videos from other users, according to a notice sent to the users who downloaded said archives. It’s notable that those notices haven’t been sent to users who’s videos were exposed.
Continue reading “This Week In Security: Google Photos, Whatsapp, And Doom On Deskphones”

This Week In Security: Windows 10 Apocalypse, Paypal Problems, And Cablehaunt

Nicely timed to drop on the final day of Windows 7 support, Windows 10 received a fix to an extremely serious flaw in crypt32.dll. This flaw was reported by the good guys at the NSA. (We know it was the good guys, because they reported it rather than used it to spy on us.) It’s really bad. If you’re running Windows 10, go grab the update now. OK, you’re updated? Good, let’s talk about it now.

The flaw applies to X.509 keys that use elliptic curve cryptography. We’ve discussed ECC in the past, but let’s review. Public key encryption is based on the idea that some calculations are very easy to perform and verify, but extremely difficult to calculate the reverse operation.

The historic calculation is multiplying large primes, as it’s unreasonably difficult to factorize that result by a conventional computer. A true quantum computer with enough qubits will theoretically be able to factorize those numbers much quicker than a classical computer, so the crypto community has been searching for a replacement for years. The elliptic curve is the solution that has become the most popular. An agreed-upon curve and initial vector are all that is needed to perform the ECC calculation.

There are potential weaknesses in ECC. One such weakness is that not all curves are created equal. A well constructed curve results in good cryptography, but there are weak curves that result in breakable encryption.

With that foundation laid, the flaw itself is relatively easy to understand. An X.509 certificate can define its own curve. The Windows 10 implementation doesn’t properly check the curve that is specified. A malicious curve is specified that is similar to the expected curve — similar enough that the checks in crypt32 don’t catch it. Continue reading “This Week In Security: Windows 10 Apocalypse, Paypal Problems, And Cablehaunt”

Old Cisco WAN Card Turned FPGA Playground

Many of us think of FPGAs as some new cutting edge technology, but the fact of the matter is that they’ve been around for quite some time. They’ve just traditionally been used in hardware that’s too expensive for us lowly hackers. A case in point is the Cisco HWIC-3G-CDMA WAN card. A decade ago these would have been part of a router valued in the tens of thousands of dollars, but today they can be had for less than $10 USD on eBay. At that price, [Tom Verbeure] thought it would be worth finding out if they could be repurposed as generic FPGA experimentation devices.

So as not to keep you in suspense, the short answer is a resounding yes. In the end, all [Tom] had to do was figure out what voltages the HWIC-3G-CDMA was expecting on the edge connector, and solder a 2×5 connector onto the helpfully labeled JTAG header. Once powered up and connected to the computer, Intel’s Quartus Programmer software immediately picked up the board’s Cyclone II EP2C35F484C8 chip. The blinking LEDs seen in the video after the break serve as proof that these bargain bin gadgets are ripe for hacking.

Unfortunately, there’s a catch. After studying the rest of the components on the board, [Tom] eventually came to the conclusion that the HWIC-3G-CDMA has no means of actually storing the FPGA’s bitstream. Presumably it was provided by the router itself during startup. If you just want to keep the board tethered to your computer for experimenting, that’s not really a big deal. But if you want to use it in some kind of project, you’ll need to include a microcontroller capable of pushing the roughly 1 MB bitstream into the FPGA to kick things off.

It might not be as easy to get up and running as the 2019 Hackaday Superconference badge, but it’s certainly a lot easier to get your hands on.

Continue reading “Old Cisco WAN Card Turned FPGA Playground”

Introducing The First Cisco Certified Mixologist

You’d be hard pressed to find an IT back office that doesn’t have a few Cisco routers or switches laying around and collecting dust. We’d even bet there are a decent number of people reading this post right now that have a stack of them within arm’s reach. They’re the kind of thing most of us have no practical application for, but we still can’t bear to throw away. But it looks like [Sven Tantau] has found an ideal middle ground: rather than junk his Cisco Catalyst switches, he turned them into automatic bartenders.

Inspired by all those perfect little square openings on the front, [Sven] loaded each switch with a whopping 24 peristaltic pumps, one for each Ethernet port. To fit all his plumbing inside, the switches were naturally gutted to the point of being hollow shells of their former selves, although he does mention that their original power supplies proved useful for keeping two dozen power-hungry motors well fed.

The motors are connected to banks of relays, which in turn are thrown by an ESP32 and an Arduino Nano. [Sven] explains that he wasn’t sure if the ESP32 could fire off the relays with its 3 V output, so he decided to just use an Arduino which he already knew could handle the task. The two microcontrollers work in conjunction, with a web interface on the ESP32 ultimately sending I2C commands to the Arduino when it’s time to get the pumps spinning.

[Sven] mentions his robotic bartenders were a hit at the 2019 Chaos Communication Camp, where we know for a fact the computer-controlled alcohol was flowing freely. Of course, if you don’t intend on carrying your barbot around to hacker camps, you can afford to make it look a bit swankier.

Continue reading “Introducing The First Cisco Certified Mixologist”

BSD Breathes New Life Into Obsolete Equipment

An old laptop or desktop computer that’s seen better days might still have a little bit of use left in it for a dedicated task. Grabbing a lightweight flavor of Linux and running a web server, firewall, or Super Nintendo emulator might get a few more years out of it. You can also get pretty creative repurposing obsolete single purpose  machines, as [Kristjan] did with some old Cisco server equipment.

The computer in question isn’t something commonly found, either. It’s an intrusion detection system meant to mount in a server rack and protect the server itself from malicious activity. While [Kristjan] mentions that Cisco equipment seems to be the definition of planned obsolescence, we think that this Intel Celeron machine with an IDE hard drive may have gone around the bend quite some time ago. Regardless, it’s modern enough to put back to work in some other capacity.

To that end, a general purpose operating system was installed, and rather than use Linux he reached for BSD to get the system up and running. There’s one other catch, though, besides some cooling issues. Since the machine was meant to be used in a server, there’s no ACPI which means no software shutdown capability. Despite all the quirks, you can still use it to re-implement a network security system if you wanted to bring it full-circle.

Becoming Your Own ISP, Just For Fun

When moving into a new house, it’s important to arrange for the connection of basic utilities. Electricity, water, and gas are simple enough, and then it’s generally fairly easy to set up a connection to an ISP for your internet connection. A router plugs into a phone line, or maybe a fiber connection and lovely packets start flowing out of the wall. But if you’re connected to the internet through an ISP, how is the ISP connected? [Kenneth] answers this in the form of an amusing tale.

It was during the purchase of data centre rack space that [Kenneth]’s challenge was laid down by a friend. Rather then simply rely on the connection provided by the data centre, they would instead rely on forging their own connection to the ‘net, essentially becoming their own Internet Service Provider.

This is known as creating an Autonomous System. To do this involves several challenges, the first of which is understanding just how things work at this level of networking. [Kenneth] explains the vagaries of the Border Gateway Protocol, and why its neccessary to secure your own address space. There’s also an amusing discussion on the routing hardware required for such a feat and why [Kenneth]’s setup may fall over within the next two years or so.

It’s not for the faint hearted, and takes a fair bit of paperwork, but [Kenneth] has provided an excellent guide to the process if you really, really just need to own your own corner of the internet. That said, there are other networking tricks to cut your teeth on if you’d like a simpler challenge, like tunneling IP over ICMP.