Opengrep & Semgrep, Hacking Subarus, Hacking Synths, Stealing Cookies, and RANsacked – ASW #315
An open source security project forks in response to license changes (and an echo of how we've been here before), car hacking via spectacularly insecure web apps, hacking a synth via spectacularly cool MIDI messages, cookie parsing problems, the RANsacked paper of 100+ LTE/5G vulns found from fuzzing, and more!
Announcements
Security Weekly listeners save $100 on their RSA Conference 2025 Full Conference Pass! RSA Conference will take place April 28 to May 1 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac25 and use the code 5U5SECWEEKLY! We hope to see you there!
- 1. Opengrep – The open-source code security engine
A group of infosec companies has forked the open source semgrep tool in response to perceived impacts to the community due to license changes by Semgrep the company.
One of Semgrep's founders noted that the changes applied only to the rules. The rules are where most of the value is to users. But the Opengrep group is also pointing out that some desirable features in the engine are being kept in the proprietary SaaS offering instead of making their way into the open source project.
This situation reminded me of Nessus, which back in 2005 went from an open source license to a proprietary one with its version 3 release. That action triggered a GNessUs fork, with a clever inclusion of GNU into the name. That fork lasted just a short time before turning into OpenVAS, which still runs today.
For the Nessus project owners at the time, some of their reasons have echoes from today, particularly, "A number of companies are using the source code against us, by selling or renting appliances, thus exploiting a loophole in the GPL...". But they also pointed out one of the eternal struggles of open source projects, in which "Virtually nobody has ever contributed anything to improve the scanning engine over the last six years..."
The above quotes are from this article.
As a personal aside, over a decade ago I had written some OCaml for "pfff" to detect several insecure PHP patterns and configs. The pfff project became part of semgrep over three years ago. I think it's a cool project and -- once you get over the hurdle of learning OCaml -- very simple and expressive to use!
- 2. Predictions for Open Source Security in 2025: AI, State Actors, and Supply Chains
We covered some other predictions last week in episode 314.
This list looks superficially similar. It includes AI, LLMs, and supply chains, but takes some different angles. I agree with the theme of an erosion of trust due to more LLM-backed bots and supply chain attacks in the manner of XZ Utils.
But I don't see AI (largely meant as LLMs in the article) as adding a huge leap in capabilities in terms of finding vulns and making phishing more effective. LLMs haven't yet proven equivalent to, let alone better than, all the vuln discovery tools already available to attackers (and defenders!). And my stance is that if we're worried about phishing attacks having fewer misspellings and better grammar, then we're not missing the chance to adopt more fundamental controls like passkeys.
- 3. Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel
More car hacking! I wanted to broaden the types of vulns we cover and this article gives us a chance to talk more about car hacking (often still via web APIs) and the growing awareness of the privacy implications of always-connected cars.
- 4. Hidden Waymo feature let researcher customize robotaxi’s display | TechCrunch
Another car hacking article this week. The takeaway here is a reminder that people will always be reverse engineering client apps and that admin-only features or those otherwise reserved for a privileged group can't rely on being undocumented.
- 5. PARSING: Stealing HttpOnly cookies with the cookie sandwich technique | PortSwigger Research
I included this more as a long-term reference on the security implications of ambiguous specs, preserving vs. forgoing backwards compatibility, and problems with parsers.
It's also great research that serves as a nice reminder that "common" areas of tech like cookies can still have interesting attack surfaces.
- 6. Student bug bounty discovery supports picoCTF’s cybersecurity education efforts with $462,000 gift
An immensely generous act by this student. The slew of rewards comes from WebAssembly, which is a topic that I wished we'd seen more of in 2024. In particular, there were “Subtle design issues in the WebAssembly code, including optimizing compilers, [that] facilitated a series of bugs that led to fragile sites that could easily be exploited.”
It still doesn't point to large projects and interesting use cases for WebAssembly, but it reinforces how (relatively) new designs and new code can still have systemic flaws.
- 7. COOL: World’s First MIDI Shellcode :: portasynthinca3’s blog
RCE on a synth via MIDI messages. This is a fun read with lots of hardware hacking details, reverse engineering, and generally being a hacker who wants to do really cool things with hacking.
- 8. Product Security Bad Practices | CISA
The list of bad practices is now up to 13. Take that, OWASP Top 10.
Check out the PDF here.
- 9. Cellular Security | Florida Institute for Cybersecurity Research
Honestly, I'm just noting this as possibly the last named vuln of 2024 and maybe(?) the first named vuln to use genAI (DALLE-3) to create their logo. It speaks more to my love of cybersecurity archeology.
But don't let that take away from the research and a successful demonstration of fuzzing.
- 10. FYI: No, Siri’s “Learn from this app” Setting Is Not Sending Data From Your Apps to Third Parties – The Mac Security Blog
There's a product security challenge in here. How do you succinctly convey security and privacy properties? How do you provide resources to educate users on features that are old to the app, but new to the user?
I also included this to add more depth to discussions of app privacy controls and to avoid the superficial framing of this feature as something recently snuck in for AI.