Flipper Zeroes, The “Kia Boys”, RFID Tags for Amazon, & PCI Wizardry – PSW #792
In the Security News: Cisco hates patching stuff, they hacked a Peleton, so what?, Zenbleeding, stopping Kia Boys, Your BMC is showing, Hacking your toothbrush, Flipper Zero Smoking a Smart Meter was a fake, RFID Tags Inside Amazon Products, Backdoors in Encrypted Police Radios, The Death of Infosec Twitter, and just stop people from accessing the Internet! All that and more on this episode of Paul’s Security Weekly!
Hosts
- 1. MobileIrony backdoor allows complete takeover of mobile security product and endpoints.
"Because the entire API surface is opened without credential validation, it allows any of the MobileIron API to be used remotely. All you have to do is change the API path by a few characters. The API is publicly documented, the different endpoint path is all you need for exploitation. For example, this allows you run LDAP queries, list user information including potential PII, add administrative users, replace system configuration and change the config of managed mobile devices — including software deployment, device locks and wiping."
- 2. Peloton Bugs Expose Enterprise Networks to IoT Attacks
So tell me, when an attacker compromises a Peleton at someone's house, just how will they use it to gain access to the corporate/enterprise network? I think this is far-fetched.
- 3. EMBA
AI for firmware reversing? Something to check out.
- 4. Dragon863 – Rooting the Amazon Echo Dot
More Echo Dot "rewting".
- 5. Exploiting MikroTik RouterOS Hardware with CVE-2023-30799 – Blog – VulnCheck
This is a crazy story: "CVE-2023-30799 was first disclosed, without a CVE, in June 2022 at REcon by Margin Research employees, Ian Dupont and Harrison Green. At that time, they released an exploit called FOISted that can obtain a root shell on the RouterOS x86 virtual machine. A CVE was assigned last week (July 19, 2023) when VulnCheck researchers published new exploits that attacked a wider range of MikroTik hardware." And this: "In total, Shodan indexes approximately 500,000 and 900,000 RouterOS systems vulnerable to CVE-2023-30799 via their web and/or Winbox interfaces respectively." - You need credentials, but many people do not change the defaults, even newer versions make you change the default creds (which wasn't always the case), when they do it will not enforce any password rules for complexity or length. Which means you can still make it blank.
- 6. Zenbleed
Amazing work (as usual): "The bug works like this, first of all you need to trigger something called the XMM Register Merge Optimization2, followed by a register rename and a mispredicted vzeroupper. This all has to happen within a precise window to work. We now know that basic operations like strlen, memcpy and strcmp will use the vector registers - so we can effectively spy on those operations happening anywhere on the system! It doesn’t matter if they’re happening in other virtual machines, sandboxes, containers, processes, whatever!"
- 7. The Death of Infosec Twitter
If you're counting CVEs, there is evidence. There is, of course, many other pieces of evidence. Key people, like Kevin Beuamont, have left Twitter and moved to Mastodon and other alternatives.
- 8. The Complete List Of Hacker Video Games
- 9. Lenovo Update Your Privileges – Compass Security Blog
Key takeaway: "Whenever a privileged process performs operations on a user modifiable part of the filesystem, there is a potential for privilege escalation. Even if the operations performed are as small as a file deletion, the consequences may be significant."
- 10. xnl-h4ck3r/waymore: Find way more from the Wayback Machine!
This is new to me, many sites archive website responses and you can find stuff such as "even more links, developer comments, extra parameters".
- 11. James Kettle on Twitter
- 12. A surprisingly simple way to foil car thieves
So here's the method: "Battery Sleuth bypasses both the wireless communication that key fobs depend on and the standardized onboard communication network that’s used in today’s vehicles. Instead, it authenticates drivers by measuring voltage fluctuations in a vehicle’s electrical system. Drivers interact with it through a keypad device plugged into the auxiliary power outlet." - So regardless of how the car is started, you'd have to authenticate to this device first, with a keypad. The researchers, unfortunately for them, said this: “The great thing about the power outlet is its simplicity—it’s just a wire connected to the battery, so there’s nothing to hack,” - Uhm, except someone could guess or brute force the pin or somehow find a bypass by powering the battery some other way? it says it has some safeguards against this: "Battery Sleuth also has defenses to guard against hacking or physical attacks on the device itself, including a siren that sounds if illegitimate activity is detected and a resistor that shuts down the vehicle’s electrical system if an unauthorized power source is connected to the vehicle." - I am also curious how this would work with an electric car.
- 13. IoT Connected Devices Pose Significant Risk to Organizations
- 14. A Twist in the Code: OpenMeetings Vulnerabilities through Unexpected Application State
- 15. JQ: Another Tool We Thought We Knew – SANS Internet Storm Center
- 16. Google’s new security pilot program will ban employee Internet access
I'm not sure this is going to work.
- 17. Researchers Find ‘Backdoor’ in Encrypted Police and Military Radios
- 18. A Google Cloud Build Vulnerability Could Aid Supply-Chain Attacks
- 19. Cisco Disclosed Vulnerabilities In SPA500 Series IP Phones – Won’t Fix
"However, these flaws are important for the users because the firm has confirmed not to address these issues. That’s because the SPA500 IP Phones have reached their end-of-life. Consequently, no workarounds exist to mitigate the issues. Therefore, the only way for users to protect their networks from potential threats is to migrate to other devices." - But can't you just disable the web interface on the phones? Also, can't Cisco just fix the vulnerabilities? What's the big deal with fixing it?
- 20. Firmware vulnerabilities in millions of computers could give hackers superuser status
"When combined with the No Auth option as described in CVE-2023-34329, any attacker on the host machine where the BMC chip resides, can POST arbitrary code (effectively achieving code execution). Without the No Auth option enabled, the attacker would also need BMC credentials. When combined with prior CVE-2023-34329 vulnerability, an attacker can POST arbitrary code remotely...When both of these vulnerabilities are chained together, even a remote attacker with network access to BMC management interface and no BMC credentials, can achieve remote code execution by tricking BMC into believing that the http request is coming from the internal interface. As a result the attacker can remotely upload and execute arbitrary code, possibly from the Internet, if the interface is exposed to it." - It should be noted that the advice many are giving is correct: Isolate the BMC network. Note I did not say "Do not expose it to the Internet". What I mean is: DO NOT EXPOSE IT TO ANYTHING. Of course, an attacker on this network can compromise all of your BMCs. You have to patch to really get rid of this vulnerability.
- 21. (Pwn2Own) Lexmark MC3224i Unprotected API Remote Code Execution…
- 1. Hacking my “smart” toothbrush
- 2. Video showing Flipper Zero Smoking a Smart Meter may be Fake
- 3. RFID TAGS INSIDE AMAZON PRODUCTS
- 4. NETGEAR Routers: A Playground for Hackers?
- 5. US government launches the Cyber Trust Mark, its long-awaited IoT security labeling program
- 6. Researchers Find ‘Backdoor’ in Encrypted Police and Military Radios
- 7. How Are OT Hackers Getting IN today
- 8. The Death of Infosec Twitter
- 9. NSA, CISA Release Guidance on Security Considerations for 5G Network Slicing
- 1. Australia fines Facebook owner Meta $14 mln for undisclosed data collection
Meta (Facebook) continues to receive fines over data privacy violations. Notable examples include a $5 billion payout to the FTC in 2019, $277 million to Ireland in 2022, $414 million to the EU in Jan 2023 and $1.3 billion to the EU in May 2023. Australia has now fined the company $14 million via a civil lawsuit.
- 2. SEC approves new cyber reporting regulations for public companies
The Securities and Exchange Commission voted 3-2 to adopt new regulations that would require publicly traded companies to notify the government when their IT systems are hacked and periodically disclose details around their cybersecurity risk governance in public filings.
- 3. MIT’s ‘PhotoGuard’ protects your images from malicious AI edits
New AI-empowered capabilities come familiar pitfalls, like the unauthorized manipulation of, or outright theft of, existing online artwork and images. Watermarking techniques can help mitigate the latter, while the new "PhotoGuard" technique developed by MIT CSAIL could help prevent the former.
PhotoGuard works by altering select pixels in an image such that they will disrupt an AI's ability to understand what the image is.
- 4. North Korean hackers targeting JumpCloud mistakenly exposed their IP address, researchers say
One of the country’s newest hacking groups (UNC4899) attacked a Colorado-based software company- JumpCloud (and screwed up). Many hackers use VPN services to mask their identity – but this time they exposed their real world TCP/IP address.
- 5. Super Admin elevation bug puts 900,000 MikroTik devices at risk
A critical severity 'Super Admin' privilege elevation flaw puts over 900,000 MikroTik RouterOS routers at risk, potentially enabling attackers to take full control over a device and remain undetected.
The flaw, CVE-2023-30799, allows remote attackers with an existing admin account to elevate their privileges to "super-admin" via the device's Winbox or HTTP interface.
- 6. Zyxel users still getting hacked by DDoS botnet emerge as public nuisance No. 1
In late April, Zyxel released a security advisory for a critical OS command injection vulnerability in its network devices and urged users to apply patches. Five weeks after the fixes were released, Shadowserver said that if devices had not been patched, users/owners should assume compromise.
- 7. 7 tech companies agree to White House’s new trustworthy AI commitments
Seven technology companies – Amazon, Anthropic, Google, Inflection, Meta, Microsoft, and OpenAI – have voluntarily committed to the Biden administration’s trustworthy AI principles. The companies have committed to ensuring products are safe before bringing them to market, prioritizing security in the development process, and being clear about which content is in its original form and which has been altered by AI.
We also need to be fully aware that other AI projects, such as WormGPT, are making no such commitment, and are focused on empowering cyber criminals.
- 8. Apple Updates Everything (again) – SANS Internet Storm Center
July 24, Apple released updates for tvOS, watchOS, and multiple versions of macOS , iPadOS, and iOS. The update includes a fix for the WebKit vulnerability addressed in a recent Rapid Security Response (RSR) update. The updates address a total of 46 CVEs; of those, six are rated critical.
- 9. Healthcare Sector Breach Costs Top the List in IBM’s Cost of a Data Breach Report 2023
The average cost associated with a data breach in the healthcare sector was $11 million, up 10 percent over last year. The average cost of a data breach globally was $4.45 million. The report is based on data breaches reported by 553 organizations between March 2022 and March 2023.
- 10. Code Kept Secret for Years Reveals Its Flaw—a Backdoor
The encryption behind TETRA radios has been discovered to have a flaw where those communications can be decrypted. The question - implementation flaw or deliberate weakness?
- 11. Zenbleed Flaw Allows Data Theft from AMD CPUs
A vulnerability in AMD Ryzen and Epyc Zen 2 CPUs could be exploited to steal sensitive data at a rate of 30KB/sec per core. Dubbed Zenbleed, the flaw was discovered and reported to AMD in May by Google Project Zero’s Tavis Ormandy. AMD has provided firmware updates to address the vulnerability.
Per AMD: under specific microarchitectural circumstances, a register in “Zen 2” CPUs may not be written to 0 correctly. This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information.