Show of hands: how many of you have parked your car in the driveway, walked up to your house, and pressed your car’s key fob button thinking it would open the front door? We’ve probably all done it and felt a little dopey as a result, but when you think about it, it would be tremendously convenient, especially with grocery bags dangling off each arm and the mail clenched between your teeth. After all, we’re living in the future — shouldn’t your house be smart enough to know when you’re home?
Reverse engineer par excellence Samy Kamkar might think so, but given his recent experiences with cars smart enough to know when you’re standing outside them, he’d probably have some reservations. Samy dropped by the 2017 Hackaday Superconference in November to discuss the finer points of exploiting security flaws in passive car entry systems, and also sat down with our own Elliot Williams after his talk for a one-on-one interview. Samy has some interesting insights on vehicle cybersecurity, but the practical knowledge he’s gained while exploring the limits of these systems teach some powerful lessons about being a real-world reverse engineer.
Continue reading “Samy Kamkar: Reverse Engineering for a Secure Future”
The title reads like the name of a lecture in cryptography 101 or the first rule of Crypto Club. ‘DUHK‘ is in fact neither of those but the name of a recently disclosed vulnerability in a pseudorandom number generating algorithm (PNRG) that was until recently part of the federal standard X9.31.
Random numbers are essential to viable cryptography. They are also hard to obtain leading to solutions like using the physical properties of semiconductors or decaying matter, that are governed by quantum effects. The next best solution is to log events that are hard to predict like the timing of strokes on a keyboard. The weakest source of randomness is math, which makes sense, because one of maths most popular features is its predictability. Mathematical solutions have the one redeeming quality of being able to produce a lot of numbers that look random to a human in a short time.
PNRGs require a starting point from which they begin to produce their output. Once this seed is known the produced sequence becomes predictable.
The X9.31 PNRG is an algorithm that is used in various cryptographic algorithms and has been certified in the Federal Information Processing Standards for decades until it was dropped from the list of approved standards in 2016. The researchers behind DUHK found out that the standard allowed the seed to be stored in the source code of its implementation. The next step was to look for software that did this and they found X9.31 in an older version of FortiOS running on VPN gateways.
Should I be Worried?
Probably, maybe not. The analysis (PDF) published by the team behind DUHK notes that the vulnerability is limited to legacy implementations and doesn’t allow to takeover the device running them, only to eavesdrop on ‘secure’ connections. The scope of this is much more limited than exploits like remote code execution via bluetooth. It is on the other hand providing a strong case for handling standards and technical certifications with extreme scrutiny. The teams conduct also gives insight into the best practises for white-hat hacking which are frequently discussed around here. And they have a great theme song.
According to Russian security site [Dr.Web], there’s a new malware called Linux.MulDrop.14 striking Raspberry Pi computers. In a separate posting, the site examines two different Pi-based trojans including Linux.MulDrop.14. That trojan uses your Pi to mine
BitCoins some form of cryptocurrency. The other trojan sets up a proxy server.
According to the site:
Linux Trojan that is a bash script containing a mining program, which is compressed with gzip and encrypted with base64. Once launched, the script shuts down several processes and installs libraries required for its operation. It also installs zmap and sshpass.
It changes the password of the user “pi” to “\$6\$U1Nu9qCp\$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1”.
In addition, the malware searches for network machines with open port 22 and tries to log in using the default Raspberry Pi credentials to spread itself.
Embedded systems are a particularly inviting target for hackers. Sometimes it is for the value of the physical system they monitor or control. In others, it is just the compute power which can be used for denial of service attacks on others, spam, or — in the case —
BitCoin mining. We wonder how large does your Raspberry Pi botnet needs to be to compete in the mining realm?
We hope you haven’t kept the default passwords on your Pi. In fact, we hope you’ve taken our previous advice and set up two factor authentication. You can do other things too, like change the ssh port, run fail2ban, or implement port knocking. Of course, if you use Samba to share Windows files and printers, you ought to read about that vulnerability, as well.
We all know that what we mean by hacker around here and what the world at large thinks of as a hacker are often two different things. But as our systems get more and more connected to each other and the public Internet, you can’t afford to ignore the other hackers — the black-hats and the criminals. Even if you think your data isn’t valuable, sometimes your computing resources are, as evidenced by the recent attack launched from unprotected cameras connected to the Internet.
As [Elliot Williams] reported earlier, Trustwave (a cybersecurity company) recently announced they had found a backdoor in some Chinese voice over IP gateways. Apparently, they left themselves an undocumented root password on the device and — to make things worse — they use a proprietary challenge/response system for passwords that is insufficiently secure. Our point isn’t really about this particular device, but if you are interested in the details of the algorithm, there is a tool on GitHub, created by [JacobMisirian] using the Trustwave data. Our interest is in the practice of leaving intentional backdoors in products. A backdoor like this — once discovered — could be used by anyone else, not just the company that put it there.
Continue reading “Shut the Backdoor! More IoT Cybersecurity Problems”
Cyber security is on everyone’s minds these days. Embedded devices like cameras have been used by bad guys to launch attacks on the Internet. People worry about data leaking from voice command devices or home automation systems. And this goes for the roll-your-own systems we build and deploy.
Many network-aware systems use Linux somewhere — one big example is pretty much every Raspberry Pi based project. How much do you think about security when you deploy a Pi? There is a superior security system available for Linux (including most versions you’d use on the Pi) called SELinux. The added letters on the front are for “Security-Enhanced” and this project was originally started by the NSA and RedHat. RedHat actually has — no kidding — a coloring book that helps explain some of the basic concepts.
We aren’t so sure the coloring book format is really the right approach here, but it is a light and informative read (we didn’t stay in the lines very well, though). Our one complaint is that it doesn’t really show you anything in practice, it just explains the ideas behind the different kind of protections available in SELinux. If you want to actually set it up on Pi, there’s a page on the Pi site that will help. If you have an hour, you can get a good overview of using SELinux in the video below.
Continue reading “Better Linux Through Coloring”
Researchers in the past have exfiltrated information through air gaps by blinking all sorts of lights from LEDs in keyboards to the main display itself. However, all of these methods all have one problem in common: they are extremely noticeable. If you worked in a high-security lab and your computer screen started to blink at a rapid pace, you might be a little concerned. But fret not, a group of researchers has found a new light to blink (PDF warning). Conveniently, this light blinks “randomly” even without the help of a virus: it’s the hard drive activity indication light.
All jokes aside, this is a massive improvement over previous methods in more ways than one. Since the hard drive light can be activated without kernel access, this exploit can be enacted without root access. Moreover, the group’s experiments show that “sensitive data can be successfully leaked from air-gapped computers via the HDD LED at a maximum bit rate of 4000 bit/s (bits per second), depending on the type of receiver and its distance from the transmitter.” Notably, this speed is “10 times faster than the existing optical covert channels for air-gapped computers.”
We weren’t born last night, and this is not the first time we’ve seen information transmission over air gaps. From cooling fans to practical uses, we’ve seen air gaps overcome. However, there are also plenty of “air gaps” that contain more copper than air, and require correspondingly less effort.
Continue reading “Do you trust your hard drive indication light?”
[Gerardo Iglesias Galván] decided he wanted to try his hand at bug-bounty hunting — where companies offer to pay hackers for finding vulnerabilities. Usually, this involves getting a device or accessing a device on the network, attacking it as a black box, and finding a way in. [Gerrado] realized that some vendors now supply virtual images of their appliances for testing, so instead of attacking a device on the network, he put the software in a virtual machine and attempted to gain access to the device. Understanding the steps he took can help you shore up your defenses against criminals, who might be after more than just a manufacturer’s debugging bounty.
Continue reading “Hacking a Device That Lives Inside the Matrix”