Intercepting proxies reveal IoT defects
When I’m having trouble finding a topic for a blog post, I often look for articles about recent security failures in IoT (Internet of Things) products. I’m rarely disappointed. For example,
- A moderately complicated vulnerability in a digital signage product that consumers typically connect to the Internet without changing the default password. This is a privilege escalation vulnerability that gives the attacker full administrative access to the device. The vendor is apparently in the process of addressing the vulnerability, but it’s almost certainly up to the consumer to apply a firmware update. Many of the people who bought this device probably won’t apply, or even be aware of, the update.
- INTERNET-CONNECTED HOT TUBS. Yes, a company made what was probably a last-minute decision to add a remote control feature to their hot tubs. But, predictably, they didn’t secure the feature, so it’s possible for your neighbor to operate your hot tub via Wi-Fi. They could run it at full blast and leave you with an unwelcome electric bill, or they could make the temperature so low that you won’t want to use it. There’s even a way to do those things remotely through the tub’s internet connection to a cloud service (although the attacker wouldn’t know whose hot tub they’re controlling).
The one that was most interesting to me was about some GPS-enabled smartwatches for children, products that are supposed to give parents a sense of security. The researcher found a serious vulnerability by using software called an intercepting proxy. An intercepting proxy is software that you run on your computer, and if you configure your web browser to send its traffic through the proxy, you can use the proxy to alter any part of the web traffic. This is very useful for identifying vulnerabilities in web applications. ZAP and Burp Suite are great examples of intercepting proxies. I use both of them in my own work.
In the case of the smartwatches, the researcher used a proxy (it looks like he was using Burp) to inspect the requests to the web application a parent might use to control their child’s smartwatch. The researcher found that a parameter of a web request corresponded to the user’s access level. When he used the proxy to change that parameter from a 1 to a 0, the web application gave him administrative access, as though he were a high-ranking employee of the company that produces and markets the smartwatch. The researcher found that he could view and alter the data of tens of thousands of other consumers of the product. This vulnerability was especially troubling, because children were the potential victims. The vendor has since addressed this problem.
Exploiting this particular vulnerability wasn’t quite as easy as changing something in the URL visible in the address bar of the user’s browser, but it was close. The web application gave too much trust to the request coming from the browser without verifying that the user was authorized for that level of access. This kind of programming error is easy to make, and it is potentially devastating.
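The defect described above, as an added example that is not from the original post or from the smartwatch vendor's code: a request handler that believes a client-supplied access-level parameter, beside a hardened handler that takes the access level only from the server-side session and flags any mismatch. The parameter values, account names, watch data and request shape are all constructed for illustration.

```python
from copy import deepcopy

# Constructed values for this example: the post says a parent's request carried
# a "1" and changing it to "0" in the proxy unlocked administrative access.
ADMIN_LEVEL, PARENT_LEVEL = 0, 1

# Constructed back-end state: each parent's watch data, and the session table
# the server itself populated at login (the only trustworthy source of role).
WATCHES = {
    "parent-alice": {"watch-001": {"lat": 51.50, "lon": -0.12}},
    "parent-bob": {"watch-002": {"lat": 48.86, "lon": 2.35}},
}
SESSIONS = {"sess-alice": {"user": "parent-alice", "level": PARENT_LEVEL}}


def proxy_rewrite(request, **changes):
    """Model of what an intercepting proxy does for a tester: return a copy of
    the outgoing request with the chosen parameters altered."""
    altered = deepcopy(request)
    altered["params"].update(changes)
    return altered


def handle_vulnerable(request):
    """The defect the post describes: the server believes the 'level' field the
    client sent, so rewriting 1 -> 0 in transit returns every customer's data."""
    session = SESSIONS[request["cookie"]]
    if int(request["params"]["level"]) == ADMIN_LEVEL:
        return {"status": 200, "watches": WATCHES}
    return {"status": 200, "watches": {session["user"]: WATCHES[session["user"]]}}


def handle_fixed(request):
    """Hardened version: the access level is read only from the server-side
    session. A client-supplied level is never honored, and a mismatch between
    the claimed and real level is flagged for logging, since it is a strong
    signal that someone is probing the application."""
    session = SESSIONS.get(request.get("cookie"))
    if session is None:
        return {"status": 401, "watches": {}, "alert": False}
    claimed = request["params"].get("level")
    alert = claimed is not None and int(claimed) != session["level"]
    if session["level"] == ADMIN_LEVEL:
        visible = WATCHES
    else:
        visible = {session["user"]: WATCHES[session["user"]]}
    return {"status": 200, "watches": visible, "alert": alert}
```

The point of the fixed handler is that nothing the browser sends about its own privileges is consulted; the server re-derives authorization from state it created itself.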
If you’re looking for a believable bit of jargon for a story you’re writing about a security researcher, you could say that she used an intercepting proxy to discover an access control defect in a web application.
Naked Security has a great story about a couple whose real estate fraud was revealed by some document forensics. The couple produced documents as evidence of real estate deals in 1995 and 2004, but the documents used fonts that only became available in 2007.
This reminds me of the story of the NSA contractor who got caught leaking classified information, because invisible dots on pages she printed identified her printer.
Both stories are fascinating to me, because they show how much extra information shows up in our documents, and we don’t even realize it. These would make great twists in a story if a character needed to disprove a document or identify its owner.
Here are a few interesting items that have come through my news reader recently.
Universal Plug and Play (UPnP) is a feature that is enabled by default in most home routers. UPnP allows a network-enabled device on your home network, like a gaming console or a media server, to tell your router to allow external connections back to the device.
While this feature might be useful in some cases, it has a history of security-related problems. A recent example involves tricking Chromecast and other Google-friendly devices into playing a video promoting someone’s YouTube channel. You might enjoy reading that article if you want an idea of how a character in your story could get a victim’s TV to show a video of your character’s choice. Imagine getting someone’s TV to show a forged emergency broadcast system alert, for example.
You might also want to consider disabling UPnP on your home router.
Gizmodo has an article reminding us that sometimes you don’t need mad skills to crack a network. The FBI was able to acquire evidence against drug kingpin El Chapo by persuading his sysadmin to give them the keys to decrypt encrypted voice-over-IP conversations. If your story’s character needs to compromise an otherwise secure computer network, bribing or blackmailing an insider might be a good alternative.
Biometrics v. photography
Have you ever seen a movie where someone is only able to enter a lab or operations center after putting their palm on a handprint scanner? Apparently that’s a real thing: the scanner looks at how the user’s veins are arranged. It turns out that a photograph FROM SEVERAL METERS AWAY reveals enough detail to create a wax hand that will fool some of these scanners.
I recently watched Die Another Day (2002), and I think they used a severed hand to get through one of these things. So, that kind of messy unpleasantness isn’t even necessary any more!
And if you’re a Bond villain with a lair under a volcano that you access with a handprint scanner, think about wearing gloves in public.
I knew it had been a while since I’ve posted here, but I hadn’t realized that it’s been over ten months. Lately it’s been hard to prioritize this blog when the world seems like a burning clown car hurtling toward a sinkhole filled with angry, ravenous bears. I’ll try to do better in 2019. In the meantime, Naked Security is running a series of blog posts about securing social media accounts. So if, like me, you haven’t quite managed to lop off these gangrenous appendages, these might be worth your time:
If you use a Netgear router for your home network, please log on to your router and use the upgrade feature to apply an important security update. That feature is probably located under the Advanced and/or Administration sections of the router’s web-based menus.
This update addresses several vulnerabilities, some of which are remotely exploitable. The linked page indicates which vulnerabilities affect which routers, and I found that my router was affected by one of the vulnerabilities.
If a character in a story you’re writing needed to exploit this kind of thing against a target, it’s not a great stretch of the imagination. If your character sent her target an email with a link to a web page she controls, and if the target clicked the link while on a computer at home, she’d have the target’s IP address (she could get that from looking at server logs). Once she knew the target’s IP address, she could interrogate the address herself with readily available network tools, or she could use something like Shodan to try to identify the kind of router her target uses. If the target has remote administration enabled (which may be a default setting in some router models), she could use publicized vulnerabilities like the ones linked above to break into her target’s home network.
You should probably run updates on your home router even if it isn’t made by Netgear.
A zero-day vulnerability is a software defect that doesn’t yet have a patch from the vendor. One of these currently exists for Adobe Flash Player, and it is being actively targeted by a working exploit. This particular defect (CVE-2018-4878) is a use-after-free vulnerability which allows remote code execution. This means that Flash Player tries to read instructions from a memory address that is no longer valid, and that the exploit is able to put malicious code at that memory address, causing Flash Player to execute the malicious code introduced by the exploit.
South Korean security researchers say that North Korea developed this exploit and has embedded it in Microsoft Word documents in an effort to attack South Koreans doing security research on North Korea, and that this has been going on for two or three months.
This zero-day started making news on 1 February, and Adobe says it’ll release a patch the week of 5 February. As in this case, it can take the vendor a while to address a defect like this. So if your character needs to compromise someone’s computer, she might search Dark Web forums for a recent zero-day like this and send it to her target in a phishing email, especially if she knows that her target is not diligent about keeping their computer up-to-date.
And if you use Flash Player, make sure you apply the patch when Adobe releases it. Version 18.104.22.168 is the affected version.
This is a summary of three articles from the Sophos Naked Security blog that might be of interest to writers of stories involving cybercrime.
Break into a car in seconds
Many new cars come with an electronic fob on the keychain. The fob uses radio signals to tell the car to unlock. In a development which should surprise absolutely no one, criminals have found a way to abuse this feature. It looks like it takes two devices: one to record the fob’s signal and send it to a second device, which opens the car door. This appears to work even if the fob is inside the owner’s house.
Your story’s character may not want to steal a car, but she might want the laptop the owner left sitting in the trunk.
Smartwatches are dumb
Does your story have a villain who’s not above kidnapping? He might use an insecure smartwatch to locate his target.
Smart pumps are also dumb
Does your story’s villain need to deliver a lethal dose of morphine to a hospital patient? He could potentially do so from a safe distance if the patient is being treated with a device that regulates the IV drip. The vulnerabilities in the linked article are admittedly very difficult to exploit, but they’re indicative of the sloppy development of devices like this. The vendor says they’ll release an update this month to address the problem. It’s probably a firmware update. How many overworked hospital IT workers do you think will go around applying that update to every affected device?