Incident Response Readiness – Gerard Johansen – PSW #794

A team of security researchers from Berlin were able to use voltage fault injection attacks against the AMD CPU in Tesla vehicles allowing them to "Jailbreak" the device and access the underlying Linux operating system. This allows attackers to recover the RSA key unique to the vehicle (and used to authenticate to the Tesla backend network), enable paid features (such as heated seats) without paying for them. Telsa is still working on a fix. More background information below:

• Blackhat Briefings Summary: Jailbreaking an Electric Vehicle in 2023 or What It Means to Hotwire Tesla's x86-Based Seat Heater
• I believe this to be the previous research mentioned in the article: One Glitch to Rule Them All: Fault Injection Attacks Against AMD’s Secure Encrypted Virtualization
• Blackhat UE 2021 Presentation: One Glitch to Rule Them All: Fault Injection Attacks against AMD’s Secure Processor (Video Version)
• A Software Vulnerability in AMD's Chip Compromises Tesla's Paid Features

• Downfall and Zenbleed: Googlers helping secure the ecosystem
• Chips & Salsa Episode 56: Interview with Daniel Moghimi about Downfall
• New Downfall attacks on Intel CPUs steal encryption keys, data
• ‘Downfall’ vulnerability leaves billions of Intel CPUs at risk

• Inception: how a simple XOR can cause a Microarchitectural Stack Overflow
• Inception PoC (Github)
• New 'Inception' attack leaks secrets from all AMD Zen CPUs

This research used the leaked Intel BIOS source code to discover a vulnerability: "A remote attacker that is positioned within Bluetooth proximity to the victim device can corrupt BIOS memory by sending malformed HID Report structures." - However, exploitation is currently difficult: " Although I haven’t ruled out exploitation, I admit that it may be difficult to translate this out-of-bounds write into arbitrary code execution". However, I would still apply these patches (Ref: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00813.html)

"The most serious of the flaws, based on their CVSS score, are 18 high-severity issues allowing privilege escalation or, in a few cases, denial-of-service (DoS) attacks." - Please note these cover Downfall and the USB HID vulnerabilities from NCC Group.

Bram Moolenaar, the author of Vim, passed away last week. He released the first version of Vim in 1991 and was actively maintaining and developing it ever since. I thought it was important to remember Bram and his hard work and dedication. This article is a nice little how-to guide for Vim one-liners.

Pretty nice breakdown of the threats posed by malicious USB devices. I've not performed some of these attacks in a while, and the available options have increased dramatically. This is also still a valid attack once you have physical access to a system. As a test, I created a "Rubber Ducky" from a Raspberry PI Pico W. The "Rubber Ducky" and the "Bash Bunny" are Hak5 creations, and both support their script format called "Ducky Scripts." For the Pico (which you can pick up for just $8), I loaded Circuit Python (version 7.3.3) and Pico-ducky. Pico-ducky is a set of Python scripts that will interpret and run ducky scripts. I modified a ducky script to open a Terminal in Linux and then added an SSH key to the authorized_keys file. It works. However, if a Terminal was already open, the script failed (I have more research to do). You can find ducky scripts on GitHub by the hundreds, and creating/modifying your own is pretty easy. Resources for this example:

• https://circuitpython.org/board/raspberrypipico_w/
• https://github.com/dbisu/pico-ducky/tree/main
• https://python.plainenglish.io/upgrade-the-cheapest-usb-rubber-ducky-with-raspberry-pi-pico-circuitpython-22cb36b2344a
• https://github.com/cvbenur/ducky-scripts-and-payloads

Really great history and details of these attacks, break out the tweezers.

But its so much fun and entertaining! "You should not do this. I should not do this. This was a terrible idea. Any situation where you're binary patching your package manager to get it to let you do something is obviously a bad situation."

"The nearly $300 million fine was levied after the FCC found the enterprise executed a scheme to make more than five billion robocalls to more than 500 million phone numbers during a three-month span in 2021." - Multiple federal laws were violated. And this is funny: "In 2022, the FCC directed all U.S.-based voice service providers to cease carrying traffic associated with the enterprise. As a result, these illegal auto warranty robocalls dropped by 99%."

I found this to be really neat as many hackers are messing around with LoRa: "Next-gen USB LoRa debug tool. Runs mainline Linux on itself. Versatile JavaScript ES2015 interface allows access to every SX126x chip register easily. Up to 4GB flash storage allows long-time data collection. Works with any modern PC."

Coolest Raspberry PI hack!

Oh, just like the printers: "In at least eight of the 13 devices used in the study, WiFi PSK access credentials were discovered, offering attackers potential access to health organization networks."

"Police departments in major cities have been put on alert over the Flipper Zero hacking tool and expressed concern over its potential use by racially motivated extremists" - There will be a rant. I'm ranting. So silly that they make it about the "Weapon" and not the actual crime.

"BeyondTrust has apparently found and is fixing a CVSS 10.0 flaw that allows an unauthenticated attacker to inject commands that run as the site user. The notice about this is hidden behind a customer portal" - I hate this

"BusKill is a laptop kill-cord. It's a USB cable with a magnetic breakaway that you attach to your body and connect to your computer."

So, we should all complain loudly and publically to Microsoft?

A team of researchers from British universities has trained a deep learning model that can steal data from keyboard keystrokes recorded using a microphone with an accuracy of 95%. When Zoom was used for training the sound classification algorithm, the prediction accuracy dropped to 93%, which is still dangerously high, and a record for that medium.

This article first describes how autistic people are often incorrectly regarded as lacking intelligence simply because they cannot speak, but revealed to have high intelligence when they use a computer tablet with specialized software (called AAC, for ‘Augmentative/Alternative Communication’). Then it describes the reverse situation with Large Language Models, which can use language, but are in fact utterly unintelligent, with no comprehension of the meaning of their statements.

In this paper, we propose a novel compilation scheme called “GPU First” that automatically compiles legacy CPU applications directly for GPUs without any modification of the application source. Apps can run 14 times faster this way.

Going forward, any organization selling software to the US government will be required to self-attest that it conforms with the secure software development practices outlined by the government in the NIST Secure Software Development Framework.

Organizations must not simply attest that they follow these practices, but also that the open source components they pull into their applications follow these practices as well. This seems to forbid most or all open-source code.

It uses as its knowledge base the entirety of the Dark Web itself.

Nationwide, only one in five people with opioid use disorder receive the medications considered the gold standard for opioid treatment, such as methadone, buprenorphine or extended-release naltrexone. Experts say stigma about addiction and lack of training among physicians and other medical workers often limits use of these drugs. This latest study points to one possible solution: It found people with opioid addiction who receive medical support via telehealth – through on-line or telephone consultations – were roughly 38 times more likely to be prescribed proper medications.

Large Language Models (LLMs) operate on fragments of words called tokens, and express each token as a list of 300 numbers called a "word vector." Each word vector represents a point in an imaginary “word space,” and words with more similar meanings are placed closer together. Google’s word vectors had another intriguing property: You could “reason” about words using vector arithmetic. For example, Google researchers took the vector for "biggest," subtracted "big," and added "small." The word closest to the resulting vector was "smallest." The layers of neurons transform the word sequences, finding verbs and nouns, context, and the larger-scale structure of sentences and paragraphs. For example, the most powerful version of GPT-3 uses word vectors with 12,288 dimensions—that is, each word is represented by a list of 12,288 numbers. That’s 20 times larger than Google’s 2013 word2vec scheme.

In two incidents, a CLEAR employee escorted passengers through TSA security checkpoints who had not displayed any ID, and who were not enrolled in CLEAR’s identity-vetting service. Lawmakers have called for TSA to begin requiring all CLEAR passengers to present their IDs to a TSA agent.

Cruise is expanding its self-driving taxi operation to Los Angeles amid a year of huge growth for autonomous driving. It’s increasing its autonomous rides by 49 percent per month and already doing more than 10,000 rides per week. In L.A., Cruise will begin testing soon and then expand to self-driving ride-hailing. It will be the company’s eighth city of operation, up from one at the start of this year. And it won’t be the last.

Poland-based spyware LetMeSpy is no longer operational and said it will shut down after a June data breach wiped out its servers, including its huge trove of data stolen from thousands of victims’ phones. LetMeSpy was an Android phone monitoring app that was purposefully designed to stay hidden on a victim’s phone home screen, making the app difficult to detect and remove. When planted on a person’s phone — often by someone with knowledge of their phone passcode — apps like LetMeSpy continually steal that person’s messages, call logs and real-time location data