BlueBorne

Ben Seri and Gregory Vishnepolsky from the company Armis recently disclosed eight vulnerabilities present in various Bluetooth stacks. Their paper “The dangers of Bluetooth implementations: Unveiling zero day vulnerabilities and security flaws in modern Bluetooth stacks” thoroughly describes these vulnerabilities and draws some interesting lessons.

Some vulnerabilities may allow taking control of the Bluetooth device. These exploits do not need the target to be in discoverable mode. They just need to know the Bluetooth MAC address (BDADDR). Contrary to common belief, it is guessable even for non-discoverable devices. If the target generates Bluetooth traffic, its BDADDR is exposed in the access code of the packets. If it is not generating traffic, the widespread convention of using the same (or an adjacent) MAC address for Wi-Fi and for Bluetooth may reveal it.

Once the attacker knows the BDADDR, he can use the exploits. One powerful vulnerability is due to a lack of implementation guidelines in the specification of the “Just Works” association model. On Android and Windows, if the attacker claims the “NoInputNoOutput” IO capability, no man-in-the-middle protection required and no bonding, the target stealthily accepts the connection with limited security capabilities for a short period of time (short because of the no bonding). Of course, any service that requires MITM protection or bonding, and verifies that requirement, will refuse to operate over such a connection. On Apple devices, the connection requires a validation by the user.

Once the attacker is linked to the unknowing target, he can try many attacks. My preferred ones are CVE-2017-0783 (Android) and CVE-2017-8628 (Windows). They use a flaw in the specification of the Personal Area Network (PAN) profile. This service has a low security requirement. This means that the previous attack grants access to the PAN without any authorization! The attacker can mount a Pineapple-style attack over Bluetooth without the target being aware. With a Wi-Fi Pineapple, the attacker impersonates an already known public Wi-Fi network and can act as a man in the middle. Here, the Bluetooth pineapple does not even need to be a known network. Formidable.
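To make the two steps above concrete (the silent “Just Works” pairing, then the profile-side check that a service must perform), here is an added example of mine; it is not code from the Armis paper nor from any Bluetooth stack. It encodes the BR/EDR Secure Simple Pairing IO-capability mapping as I recall it from the Bluetooth Core Specification (Vol 3, Part C, 5.2.2.6) and the security check a profile should apply to the resulting link. The profile requirements used in the demo (PAN requires neither MITM protection nor bonding, as described in the post; a keyboard profile requiring an authenticated link key) are assumptions for illustration.

```python
"""Added example: SSP association-model selection and the profile-side check.
The IO-capability table and the 'MITM not required' rule are reproduced from
memory of the Bluetooth Core Specification (BR/EDR); profile requirements below
are assumptions used only to illustrate the BlueBorne pairing trick."""

from enum import Enum


class IOCap(Enum):
    DISPLAY_ONLY = "DisplayOnly"
    DISPLAY_YES_NO = "DisplayYesNo"
    KEYBOARD_ONLY = "KeyboardOnly"
    NO_INPUT_NO_OUTPUT = "NoInputNoOutput"


JUST_WORKS = "Just Works"
NUMERIC_COMPARISON = "Numeric Comparison"
PASSKEY_ENTRY = "Passkey Entry"

# Initiator IO capability -> responder IO capability -> association model.
# Only Numeric Comparison and Passkey Entry yield an *authenticated* link key.
_MODEL = {
    IOCap.DISPLAY_ONLY: {
        IOCap.DISPLAY_ONLY: JUST_WORKS,
        IOCap.DISPLAY_YES_NO: JUST_WORKS,
        IOCap.KEYBOARD_ONLY: PASSKEY_ENTRY,
        IOCap.NO_INPUT_NO_OUTPUT: JUST_WORKS,
    },
    IOCap.DISPLAY_YES_NO: {
        IOCap.DISPLAY_ONLY: JUST_WORKS,
        IOCap.DISPLAY_YES_NO: NUMERIC_COMPARISON,
        IOCap.KEYBOARD_ONLY: PASSKEY_ENTRY,
        IOCap.NO_INPUT_NO_OUTPUT: JUST_WORKS,
    },
    IOCap.KEYBOARD_ONLY: {
        IOCap.DISPLAY_ONLY: PASSKEY_ENTRY,
        IOCap.DISPLAY_YES_NO: PASSKEY_ENTRY,
        IOCap.KEYBOARD_ONLY: PASSKEY_ENTRY,
        IOCap.NO_INPUT_NO_OUTPUT: JUST_WORKS,
    },
    IOCap.NO_INPUT_NO_OUTPUT: {cap: JUST_WORKS for cap in IOCap},
}


def association_model(init_io, resp_io, init_mitm, resp_mitm):
    """Return (model, authenticated). In BR/EDR SSP, if either side declares
    that MITM protection is not required, stage 1 runs as Just Works whatever
    the IO capabilities, and the resulting link key is unauthenticated."""
    if not (init_mitm and resp_mitm):
        return JUST_WORKS, False
    model = _MODEL[init_io][resp_io]
    return model, model != JUST_WORKS


def service_allows(link_authenticated, link_bonded, requires_mitm, requires_bonding):
    """The check every profile must make before serving a peer: a Just Works
    link from an unbonded peer passes only for services requiring neither."""
    if requires_mitm and not link_authenticated:
        return False
    if requires_bonding and not link_bonded:
        return False
    return True


def blueborne_style_pairing(target_io, target_wants_mitm):
    """Model the attacker's claim: NoInputNoOutput, no MITM protection, no bonding.
    Returns the properties of the link the target ends up with."""
    model, authenticated = association_model(
        IOCap.NO_INPUT_NO_OUTPUT, target_io, init_mitm=False, resp_mitm=target_wants_mitm
    )
    return {"model": model, "authenticated": authenticated, "bonded": False}


if __name__ == "__main__":
    # A phone with a display and yes/no buttons that *asks* for MITM protection
    # still ends up on a Just Works link, with no prompt shown to the user.
    link = blueborne_style_pairing(IOCap.DISPLAY_YES_NO, target_wants_mitm=True)
    print(link)
    # Assumed profile requirements: PAN demands nothing; a keyboard profile
    # (assumption) demands an authenticated link key and therefore refuses.
    print("PAN accepts:", service_allows(link["authenticated"], link["bonded"], False, False))
    print("HID accepts:", service_allows(link["authenticated"], link["bonded"], True, False))
```

The point of the demo is the asymmetry: the target's own wish for MITM protection is not enough, because the attacker's “not required” flag alone downgrades the exchange to Just Works, so the only effective defence is the per-service check in `service_allows`, which is exactly what the PAN profile does not require.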

The PAN profile specification dates from 2003 and has not been revised since. “Just Works” and the newer pairing protocols (Secure Simple Pairing) were specified later. They changed the trust model and the trust context. The older specifications were not re-analyzed to identify the potential impacts.

The other vulnerabilities are either buffer overflows or information leaks caused by reading beyond the bounds of the allocated buffers.

The disclosure was coordinated with Google, Microsoft, and the Linux kernel team.

Conclusion: verify that you installed the August and September 2017 security patches on your devices. They contain the fixes for these vulnerabilities.

 

Law 8 – If You Watch the Internet, the Internet Is Watching You

This post is the eighth in a series of ten posts. The previous post explored the seventh law: you are the weakest link. With our increasingly connected world, this law becomes more and more important. Most connections are bidirectional. The consequence is that information flows both ways. If you receive information from the Internet, the Internet may collect information from you. If your apparatus goes out to the Internet, the Internet may come back to your device. Some of these ingress connections may not be solicited.

Controlling what is exchanged, and monitoring who is using the connections, is the role of network security. Fortunately, network security is a rather mature discipline. Thus, the first rule should be the following one.

Do not connect directly to the Internet; access to the Internet should be carefully controlled. It should go through at least a firewall and anti-malware filtering. When possible, implement a demilitarized zone (DMZ) to create an isolation buffer between the Internet and your network that deters attackers from intruding into it. Not everybody needs to install a DMZ, or can install one, especially at home. However, everybody should install a firewall between his network and the Internet. In a consumer environment, the firewall should by default ban every ingress communication that was not solicited from the inside.

Many specialists claim (rightly) that the notion of perimeter defense is outdated. This does not mean that local networks should not be protected against intrusions or leaks. These network security mechanisms remain necessary but not sufficient.
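As an added illustration of the default-deny rule (mine, not part of the original post), here is a minimal nftables ruleset for a home gateway. The interface names wan0 and lan0 are assumptions; the comment in the input chain shows the weak setting the rule is meant to replace.

```nft
#!/usr/sbin/nft -f
# Added example: default-deny ingress on a home gateway. Interface names are assumed.
flush ruleset

table inet filter {
    chain input {
        # The weak setting is "policy accept;" plus a handful of drop rules:
        # any service you forgot about stays reachable from the Internet.
        # With "policy drop;" the safe outcome is the default.
        type filter hook input priority 0; policy drop;

        ct state established,related accept   # replies to connections opened from inside
        ct state invalid drop
        iifname "lo" accept
        iifname "lan0" accept                 # the LAN may talk to the gateway itself
        meta l4proto { icmp, ipv6-icmp } accept   # path MTU discovery, IPv6 neighbour discovery
        # Everything else arriving on wan0 falls through to the drop policy.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "lan0" oifname "wan0" accept  # egress from the LAN is allowed
        # No unsolicited wan0 -> lan0 traffic; a deliberate port forward is added here explicitly.
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` and check the result with `nft list ruleset`; the only way a packet from the Internet reaches the LAN is as a reply to something the LAN started, which is precisely the “solicited” half of the law.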

Thou wilt be traced: the digital world increasingly keeps records of all the activities of users. Many Web enterprises build their business model on monetizing the results of this data collection. This data collection may be known and announced, but sometimes it is also hidden. For instance, spying techniques such as canvas fingerprinting stealthily collect information when people visit web pages: a script draws text and shapes into an invisible canvas and reads the rendered pixels back, and the tiny differences in fonts, anti-aliasing and graphics hardware make the result nearly unique per machine. A recent study disclosed that more than 5% of the sites used canvas fingerprinting. This constant monitoring is a threat to privacy and also a potential mine of information for attackers. Some tools, such as the Tor Browser, help in preserving anonymity on the Internet.

If you find this post interesting, you may also be interested in my second book “Ten Laws for Security.” Chapter 9 explores this law in detail. The book is available for instance at Springer or Amazon.

Smart Bottle

Diageo and Thinfilm have recently demonstrated a smart bottle. The seal of the bottle contains an NFC tag. This tag not only carries the unique identity of the bottle, but it also detects whether the seal was opened or is still closed. This smart tag enables interesting features:

  • As with traditional RFID tags, it enables tracking the bottle along the delivery chain.
  • As it uses NFC, the seal allows a mobile phone app to identify the bottle, and thus to create a personalized experience (with interesting consequences for privacy: it is possible to track who purchased the bottle (at the point of sale, with the credit card) and to see who actually drinks it (was it a gift?)).
  • As it detects whether the seal has been broken, it is a way to detect tampering with the bottle during the distribution chain. This may thwart some forms of piracy and counterfeiting.
  • The tag is also a way to authenticate the origin of the product. It may have interesting applications for expensive rare bottles, to detect counterfeits.
  • It does not yet tell you if you drank too much. This will be the next application, associated with the smart glass that will detect what you drink and how much.

See Thinfilm's OpenSense brochure.

Does your TV set watch you?

Benjamin Michele and Andrew Karpow presented a scary proof of concept using two Samsung Smart TVs. They targeted the integrated media player of these Smart TV sets. For the most recent one, they discovered that the TV set used a 2011 version of the open source FFmpeg libavformat library. This library identifies the type of content to be played and demuxes it before the content is transmitted to Samsung’s proprietary media player. The libavformat library supports many containers. It is a complex piece of software, and as such has many newly discovered bugs. By scanning the bug-tracking database of this open source library, the researchers selected one vulnerability that was not patched in the version used by the TV set. This vulnerability allowed them to execute arbitrary code when playing a forged content file. As the player runs as root, the forged payload also runs as root. This means that the payload has full access to the platform. As the Smart TV had an integrated camera and microphone, they wrote an exploit that captured the video from the camera and the sound from the microphone. The captured information can then be sent to a remote server. As the payload is encapsulated in a real movie, the consumer is not aware that his TV set is being infected and that he is spied on. The researchers also found a way to flash the Smart TV set and thus make the infection permanent.

Of course, the payload could do other things. The researchers could perform a thorough analysis of the TV set because they succeeded in getting root access, and thus could explore the system and easily work on the exploit. The targets were Samsung TV sets. Most probably, any other smart TV of any brand could be attacked in a similar way, but using another vulnerability.
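The researchers' starting point was an old vendored library, which is something a firmware audit can find without any exploit. The following is an added example of mine (not from the paper, nor from Samsung's firmware): it reads the version macros that FFmpeg keeps in libavformat/version.h and compares them with the version in which a given fix landed. The header text is constructed to look like a 2011-era copy, and the “fixed in” version is an assumption used only to drive the comparison; for a real audit, take that value from the FFmpeg bug tracker or git history of the bug you care about.

```python
"""Added example: flag an extracted firmware's libavformat as older than a fix.
The sample header and ASSUMED_FIXED_IN are constructed for illustration."""

import re

# FFmpeg's libavformat/version.h defines these three macros.
_MACRO = re.compile(r"^#define\s+LIBAVFORMAT_VERSION_(MAJOR|MINOR|MICRO)\s+(\d+)", re.M)


def parse_libavformat_version(header_text):
    """Return (major, minor, micro) from the contents of libavformat/version.h."""
    found = {name: int(value) for name, value in _MACRO.findall(header_text)}
    missing = {"MAJOR", "MINOR", "MICRO"} - found.keys()
    if missing:
        raise ValueError(f"version.h lacks {sorted(missing)}")
    return found["MAJOR"], found["MINOR"], found["MICRO"]


def is_vulnerable(found, fixed_in):
    """A vendored copy strictly older than the fix is still exposed to the bug."""
    return tuple(found) < tuple(fixed_in)


# Constructed sample: a header as it might be found in a firmware image dumped
# from the TV (values chosen to look like a 2011 release, not taken from a real set).
SAMPLE_HEADER = """\
#ifndef AVFORMAT_VERSION_H
#define AVFORMAT_VERSION_H
#define LIBAVFORMAT_VERSION_MAJOR 53
#define LIBAVFORMAT_VERSION_MINOR  4
#define LIBAVFORMAT_VERSION_MICRO  0
#endif
"""

# Assumed version in which some demuxer bug was fixed (illustrative, not an advisory).
ASSUMED_FIXED_IN = (53, 21, 0)


def audit(header_text=SAMPLE_HEADER, fixed_in=ASSUMED_FIXED_IN):
    """Compare the vendored version with the fix version and report."""
    found = parse_libavformat_version(header_text)
    return {"found": found, "fixed_in": fixed_in, "vulnerable": is_vulnerable(found, fixed_in)}


if __name__ == "__main__":
    print(audit())
```

The same pattern applies to any vendored component: extract the image, locate the version header or the version string embedded in the binary, and compare against the fix version rather than trusting the vendor's release notes.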

This PoC highlights several interesting points:

  • This exploit highlights an important issue of IoT. Will devices in the field be upgraded and securely patched? There are two issues that are not yet solved:
    • Will manufacturers do the security maintenance for the lifetime of the product? Currently, the business model is to sell one device and not maintain it (unless there is a very serious bug that impacts the behaviour). How could the manufacturer finance this maintenance? In the software world, maintenance is financed either by new versions or by maintenance contracts for expensive professional applications. This is not the case in the consumer domain.
    • Will consumers apply the patch? The likelihood is low if we extrapolate from the computer world. Too many consumers’ computers are not patched.
  • The wide use of open source libraries has brought some benefits. It is less expensive for companies, and it is claimed to be more secure. Unfortunately, it also has its downside.
    • This last claim is only true if all systems are patched. If it is not the case, then the use of widely deployed open source libraries may be an advantage for the attackers. The attacker can experiment on his own system before trying on the targeted device.
    • Furthermore, the more a ‘common’ library is deployed, the more targets will be hit whenever a vulnerability is found in this library. Heartbleed is a good illustration.
  • The more features a device has, the higher the risk of having vulnerabilities.

Reference:

Michele, Benjamin, and Andrew Karpow. “Watch and Be Watched: Compromising All Smart TV Generations.” In Proc. of the 11th IEEE Consumer Communications and Networking Conference (CCNC). Las Vegas, NV, USA: IEEE, 2014.

IoT, Security and energy

Trappe, Howard and Moore, three researchers from Rutgers University, have published an interesting paper in the latest issue of IEEE Security & Privacy. The title is ‘Low-Energy Security: Limits and Opportunities in the Internet of Things’.

IoT will not only be connected phones, TVs, or fridges; it will also be myriads of tiny sensors (the famous concept of smart dust). Whereas the big devices have reasonable access to energy and computing power, these sensors have very little of either. They will have two constraints:

  • A very low energy consumption; you do not expect to charge a thermal sensor every day. You will rather install it and forget about it for many years.
  • As they are low cost and low energy, their computing capabilities will be drastically reduced.

Unfortunately, the collected data will serve major decisions by applications, or may leak private information. They will need to be protected in integrity and confidentiality. With the hardware constraints, conventional cryptography is out of reach. Moreover, poor security is not an option (it is useless). Hence there is a major challenge for the security of IoT.

They present some of the potential new methods to secure the communication. For instance, the receiver, which has serious computing power, could authenticate the sensor by fingerprinting the analog characteristics of its transmission. This would not put any burden on the sensor. To reduce the amount of encrypted data, which burns energy, they propose to encrypt only the major variations. This may open interesting side channels: the mere pattern of which samples are encrypted reveals when the measured value changed. For confidentiality, they propose to revisit the concept of the ‘wire-tap channel’ introduced by Wyner in 1975.
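To show that side channel concretely, here is an added example of mine, not taken from the Trappe, Howard and Moore paper: a toy model of “encrypt only the major variations” in which the eavesdropper never touches the ciphertext and still learns when the sensor reading moved. The sensor trace, the threshold and the fixed ciphertext length are constructed for the example.

```python
"""Added example: what an eavesdropper learns from selective encryption.
SAMPLE_TRACE, the threshold and CIPHERTEXT_LEN are constructed values."""

CIPHERTEXT_LEN = 16  # assumed: one cipher block per encrypted sample


def selective_encrypt(samples, threshold):
    """Energy-saving scheme: a sample is encrypted and sent only when it moved
    more than `threshold` away from the last value sent encrypted; otherwise a
    cheap, unencrypted 'unchanged' marker goes out. Returns the transcript as
    seen on the radio link: ('enc', length) or ('same',) per sample."""
    transcript = []
    last_sent = None
    for value in samples:
        if last_sent is None or abs(value - last_sent) > threshold:
            transcript.append(("enc", CIPHERTEXT_LEN))  # contents hidden, timing not
            last_sent = value
        else:
            transcript.append(("same",))
    return transcript


def encrypt_everything(samples):
    """The energy-hungry baseline: every sample goes out as ciphertext."""
    return [("enc", CIPHERTEXT_LEN) for _ in samples]


def eavesdropper_events(transcript):
    """Without breaking the cipher, the eavesdropper reads off the indices at
    which the measurement changed significantly."""
    return [i for i, msg in enumerate(transcript) if msg[0] == "enc"]


def energy_cost(transcript):
    """Number of encryption operations, the quantity the scheme minimises."""
    return sum(1 for msg in transcript if msg[0] == "enc")


# Constructed trace: room temperature that jumps when a heater is switched on
# (index 3) and drops when a window is opened (index 6).
SAMPLE_TRACE = [20, 20, 21, 25, 25, 26, 19, 19]

if __name__ == "__main__":
    t = selective_encrypt(SAMPLE_TRACE, threshold=2)
    print("eavesdropper sees events at", eavesdropper_events(t))
    print("encryptions:", energy_cost(t), "vs", energy_cost(encrypt_everything(SAMPLE_TRACE)))
```

With the constant-rate baseline every index is an “event” and the eavesdropper learns nothing from timing; the selective scheme cuts the encryption count from eight to three but hands over the heater and window events for free. That is the trade-off the post hints at: the saving in energy is paid in leaked metadata.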

The paper is worth reading as it clearly states the problems and highlights some potential research topics.

 

Who is monitoring your baby?

The UK data watchdog, the Information Commissioner’s Office (ICO), announced that a Russian website featured a database listing about 73,000 streaming IP webcams or CCTV cameras whose owners are not aware that their webcam is broadcasting its video. The webcams are located all over the world. They are used for offices, baby monitoring, shop surveillance, pubs, etc. All major manufacturers were present among the exposed webcams. The webcams were discovered by scanning the Internet and trying the default password. This is a good illustration of Law 8: If you watch the Internet, the Internet is watching you. The ICO recommends changing the default password of the camera and, when not needed, disabling remote access.

The site claims to operate for educational purposes; this is what it states when accessing it. It seems that it is effective, as there are fewer and fewer listed feeds.

Sometimes an administrator (possibly you too) forgets to set the default password on a security surveillance system, online camera or DVR. This site now contains access only to cameras without a password and it is fully legal. Such online cameras are available for all internet users. To browse cameras just select the country or camera type.

This site has been designed in order to show the importance of the security settings. To remove your public camera from this site and make it private the only thing you need to do is to change your camera default password.

Several interesting lessons:

  • As usual, default passwords are to blame. Users, and even professionals (as it seems that CCTV systems are also listed), do not change the default password. Manufacturers may not want to enforce the change of the default password, as it creates issues when users forget their password, but they should at least propose it the first time the user boots the device.
  • People are not good at security. With the Internet of Things (IoT), there will be more and more connected devices. This means that there will be more and more vulnerable devices on the Net. IoT may make the Internet more brittle.
  • Who will inform the owners of these spied-on webcams that they are spied on? The remedy is simple, but the victims should at least be aware that they should apply this remedy.

By the way, did you change the default password of all your devices? If not, I urge you to do so.