Security Week 27: Android encryption bypass, Conficker resurrection in medicine, IoT botnet

    Remember the vulnerability in Android Mediaserver? Anyone who follows the topic will first ask which vulnerability is meant. Indeed, there have been many vulnerabilities in Mediaserver, starting with the notorious Stagefright, a hole discovered last year that allows an attacker to take control of a phone by sending a single specially crafted MMS message. Today we'll talk about another vulnerability, discovered by Duo Labs in May. At the time it was reported that the vulnerability affects only smartphones on the Qualcomm hardware platform, which, however, amounts to 60% of all Android devices.

    Unlike Stagefright, this hole is harder to exploit: you still need to get a malicious application onto the device, which can then gain full access to the system by exploiting holes in Mediaserver and in the Qualcomm Secure Execution Environment module at the same time. The latter is responsible for key aspects of system and data protection, including encryption. Initially only the possibility of obtaining system privileges was shown, and that vulnerability was not related to encryption.

    Now it is. The same researchers found (news, study) that a similar set of vulnerabilities makes it possible to recover the key to encrypted data by brute force. As in iOS, Android has protection against password guessing: limits are set on the rate and on the number of attempts, but the researchers managed to get around them.
    All digest editions are available by tag.

    The potential consequences of such a discovery are broad and many-sided, and it is the combined software-and-hardware nature of the new vulnerability that is especially alarming. Setting aside the details of the technical implementation, it becomes possible to decrypt data on any smartphone based on Qualcomm hardware, even if the vulnerability is closed at the software level. Most likely a brute-force attack on an arbitrary device will not simply work out of the box, and cooperation with the manufacturer will be required, but law enforcement agencies will be able to arrange such cooperation. Whether that is good or bad is a subject for a separate discussion; the point here is that the implementation of data encryption on a significant share of Android devices is far from ideal.
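    The protection the digest refers to, a limit on the rate and number of PIN attempts placed in front of the key derivation, can be sketched in code. The block below is an added illustration, not code from Duo Labs, Android or Qualcomm; the names GuessThrottle, derive_key, try_unlock and exhaustive_search_seconds are this example's own, and PBKDF2 stands in for whatever key derivation a real device uses. It shows the two independent costs a guesser faces, the KDF time per guess and the attempt counter, and the last helper makes the point that with a short PIN the KDF alone is no barrier, so everything rests on where the counter is enforced.

```python
import hashlib
import hmac
import time

# Added illustration (not Android/Qualcomm code): a PIN gate that combines a
# slow KDF with an attempt counter and an escalating delay. All names here are
# this example's own assumptions.

KDF_ITERATIONS = 200_000   # cost per guess; real KDFs also bind a device secret
MAX_ATTEMPTS = 10          # hard limit after which no further guesses are accepted


def derive_key(pin: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Derive a 32-byte data key from the PIN with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations, dklen=32)


class GuessThrottle:
    """Attempt counter with a delay that doubles after every failure.

    A `clock` callable is injected so the logic can be tested without sleeping.
    The security point: this counter is only as strong as the component that
    stores and enforces it. If it lives in software the guesser controls, the
    KDF cost is the only thing left standing between the PIN and the key.
    """

    def __init__(self, max_attempts=MAX_ATTEMPTS, base_delay=1.0, clock=time.monotonic):
        self.failures = 0
        self.max_attempts = max_attempts
        self.base_delay = base_delay
        self.clock = clock
        self.next_allowed = 0.0   # earliest time the next attempt is accepted

    def locked_out(self) -> bool:
        return self.failures >= self.max_attempts

    def seconds_until_allowed(self) -> float:
        return max(0.0, self.next_allowed - self.clock())

    def record_failure(self) -> float:
        """Count a failure and return the delay imposed before the next try."""
        self.failures += 1
        delay = self.base_delay * (2 ** (self.failures - 1))
        self.next_allowed = self.clock() + delay
        return delay

    def record_success(self) -> None:
        self.failures = 0
        self.next_allowed = 0.0


def try_unlock(throttle, pin, salt, expected_key, iterations=KDF_ITERATIONS):
    """Check a PIN through the throttle; returns (unlocked, reason)."""
    if throttle.locked_out():
        return False, "locked out"
    if throttle.seconds_until_allowed() > 0:
        return False, "too soon"
    candidate = derive_key(pin, salt, iterations)
    if hmac.compare_digest(candidate, expected_key):   # constant-time compare
        throttle.record_success()
        return True, "ok"
    throttle.record_failure()
    return False, "wrong pin"


def exhaustive_search_seconds(pin_digits: int, seconds_per_guess: float) -> float:
    """Worst-case time to try every numeric PIN when only the KDF cost applies,
    i.e. when the attempt counter is absent or has been bypassed."""
    return (10 ** pin_digits) * seconds_per_guess


if __name__ == "__main__":
    salt = b"constructed-salt"
    stored = derive_key("1234", salt)
    throttle = GuessThrottle()
    print(try_unlock(throttle, "0000", salt, stored))   # wrong pin, delay starts
    print(try_unlock(throttle, "1234", salt, stored))   # too soon, even though correct
    # A 4-digit PIN at 0.1 s per guess: the whole space in under 17 minutes.
    print(exhaustive_search_seconds(4, 0.1))
```

    The clock is injected so the delays can be checked without sleeping. In a real design the counter and its clock have to live somewhere the attacker cannot reset or replay, which is exactly why a flaw anchored in the hardware-backed component is more worrying than a purely software one.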

    Ancient Conficker worm used to attack medical devices running outdated software
    News. Study by TrapX Labs.

    The IT industry, in software and hardware alike, moves forward driven by the carrot of profit in front and the whip of rapidly aging, insecure products behind. One of my Android devices runs OS version 4.4 and will keep running it; there are no updates. Knowing in advance how many bugs the system contains, I try not to store anything critical on the device. Who knows, maybe in time security will become the main motivation for an upgrade, more important than new features, performance gains and the rest. Once again I ask myself: wouldn't it be safer to use truly ancient devices like Nokia smartphones on Symbian? People have long since forgotten how to break into them, and there isn't much to break into anyway. But the "security through obscurity" approach has never saved anyone, and it's inconvenient.



    Of all the, ahem, IT-dependent sectors of the economy, medicine has long been considered one of the most vulnerable. Firstly, very sensitive information is stored and processed there. Secondly, updating IT in traditionally underfunded hospitals sits somewhere near the bottom of the priority list. Thirdly, computerized medical devices share the characteristics of industrial equipment: very expensive, very long-lived and rarely updated. And they are critical both to the work of medical institutions and to saving lives.

    It turns out that reviving seemingly long-forgotten methods of attacking outdated software is very simple: take old malicious code and repurpose it for new tasks. The TrapX study gives an example of exactly such a real attack. Medical devices with outdated software were attacked deliberately and used as an "entrance gate" into the organization's infrastructure. A key element of the attack was the 2008 Conficker worm (aka Kido), which once infected millions of vulnerable Windows XP systems. In the modern attack, Conficker is used for the initial infection; after that, more modern methods of spreading through the network and exfiltrating data come into play.

    And one can't even recommend "updating the system": nobody is going to roll patches onto some tomograph without the vendor's approval and with a high probability of breaking the device. You must either take the presence of such outdated systems on the network into account (Kaspersky Lab, for example, has a modern product that can run on a system with 256 MB of memory) or isolate them well away from everything else. The consequences of hacking medical institutions can be gauged by one of last week's headline stories: the leak of 655 thousand patient records from several clinics, put up for sale on the dark web.

    IoT botnet discovered, able to conduct DDoS attacks of up to 400 gigabits per second
    News. Study by Arbor Networks.

    In February, at the RSA conference, one of the most important industry events on information security, everyone was talking about protecting IoT. They talked about its importance and the need for protection, and hinted between the lines that this area of work for security specialists was somehow not very clearly defined. Indeed, what does IoT mean? Kettles? Fridges? Arduino? A smartwatch with Wi-Fi? Webcams? In fact all of these devices, and several dozen more categories, meet the IoT criteria. I'll try to summarize: everything that works autonomously, is a black box to the user or the network administrator, has not very clear capabilities, proprietary hardware and, often, one of hundreds of possible software variants. That means industrial equipment can well be included here. We can talk not only about webcams but also about traffic lights, smart water meters and solar panel controllers. And, by the way, about the same medical devices. The characteristics are the same, and new technologies for protecting critical infrastructure can be applied to a home network of a dozen smart devices.

    In general, back in February I wrote that protecting IoT was a matter, if not of the distant future, then still of the future. I mean, there was still time before cybercriminals began using the main advantage of the Internet of Things, namely the huge number of devices, for criminal purposes.
    But no, the future has already arrived. The first bell rang last week, when a botnet of 25 thousand cameras was discovered. Its scale, however, was modest; this week, researchers from Arbor Networks showed what the real size looks like.

    The operators of the LizardStresser botnet seem to have been in this criminal business for quite some time. Last year a botnet consisting mainly of home routers was seen. This year, standalone webcams came under attack. Their sometimes fatal insecurity has long been known: the firmware is outdated and very rarely updated, and users forget to change the default username and password. Breaking into them is easy (in this particular case, most devices were attacked by brute-forcing a telnet interface that had not been closed off from the outside); organizing a crowd of small devices is harder. This is achieved with a distributed network of dozens of command servers. The result is a structure capable of conducting DDoS attacks with a capacity of up to 400 gigabits per second. According to the researchers, the victims of such attacks have included several Brazilian companies and a couple of organizations from the United States.
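    The infection route described above, default credentials guessed over a telnet service reachable from the Internet, leaves a recognizable trace in a device's or gateway's logs. The following is an added example, not Arbor Networks' code or any vendor's tooling: it runs over a few constructed syslog-style lines (the format and the telnetd message text are assumed, and the addresses come from documentation ranges) and flags sources that fail repeatedly within a short window, plus any success from a source that had just been failing, which is what a guessed default password looks like from the defender's side.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example; the log format below is constructed for illustration and
# does not match any particular firmware's telnetd output.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) telnetd\[\d+\]: "
    r"login (?P<result>failed|succeeded) for '(?P<user>[^']*)' from (?P<src>[\d.]+)$"
)

# Constructed sample: one source hammering cam01 and finally getting in as
# 'admin', one source with a couple of typos, one clean administrative login.
SAMPLE_LOG = """\
Jun 28 10:00:01 cam01 telnetd[412]: login failed for 'root' from 203.0.113.7
Jun 28 10:00:03 cam01 telnetd[412]: login failed for 'admin' from 203.0.113.7
Jun 28 10:00:05 cam01 telnetd[412]: login failed for 'admin' from 203.0.113.7
Jun 28 10:00:07 cam01 telnetd[412]: login failed for 'root' from 203.0.113.7
Jun 28 10:00:09 cam01 telnetd[412]: login failed for 'admin' from 203.0.113.7
Jun 28 10:00:11 cam01 telnetd[412]: login failed for 'root' from 203.0.113.7
Jun 28 10:00:13 cam01 telnetd[412]: login succeeded for 'admin' from 203.0.113.7
Jun 28 10:05:00 cam01 telnetd[412]: login failed for 'admin' from 198.51.100.9
Jun 28 10:09:30 cam01 telnetd[412]: login failed for 'admin' from 198.51.100.9
Jun 28 11:00:00 cam01 telnetd[412]: login succeeded for 'admin' from 192.0.2.5
"""


def parse_line(line):
    """Return a dict with ts/host/result/user/src, or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; fine for windowing within one capture
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def analyze(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag brute-force sources and successes that follow failures.

    Returns {"brute_force": {src: total_failures},
             "success_after_failures": [(src, host, user), ...]}.
    """
    failures = defaultdict(list)       # src -> failure timestamps
    findings = {"brute_force": {}, "success_after_failures": []}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "failed":
            failures[ev["src"]].append(ev["ts"])
        elif ev["src"] in failures:
            # a login that succeeds right after a run of failures from the same
            # source is the footprint of a guessed (typically default) password
            findings["success_after_failures"].append((ev["src"], ev["host"], ev["user"]))
    for src, stamps in failures.items():
        stamps.sort()
        # any `threshold` consecutive failures inside `window` is enough to flag
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                findings["brute_force"][src] = len(stamps)
                break
    return findings


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for src, n in result["brute_force"].items():
        print(f"brute force from {src}: {n} failed logins")
    for src, host, user in result["success_after_failures"]:
        print(f"likely compromise: {src} logged into {host} as '{user}' after failures")
```

    On the sample, 203.0.113.7 is reported both as a brute-force source and as a likely compromise, while the two slow failures from 198.51.100.9 and the clean login from 192.0.2.5 stay quiet. The real lesson of the digest item is upstream of detection: a device whose telnet port is not reachable from the Internet and whose default password has been changed never produces these lines in the first place.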

    This is not quite real IoT crime yet, just as webcams are rather controversial representatives of this new category of devices. We are waiting for a botnet of billions of water meters and light sensors. Then it will be fun. That is, sad.

    Antiquities:
    "Wisconsin-815"

    A non-resident, very dangerous virus; it writes itself to the beginning of .COM files (except COMMAND.COM) in the current directory. The virus keeps a counter in the infected file; each time it tries to infect this file, it increments the counter by 1, and on the fourth infection attempt it displays the text "Death to Pascal" and deletes all .PAS files in the current directory. Before deleting each file, it displays a dot.

    Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992. Page 95.

    Disclaimer: This column reflects only the private opinion of its author. It may or may not coincide with the position of Kaspersky Lab. As luck would have it.
