
Security Bits – 27 August 2019

Followups

Security Medium 1 — Bad Cables

At this year’s DEF CON security conference a security researcher generated a lot of media buzz by re-implementing something we’ve known about for a long time — a malicious cable.

Using only relatively cheap components and working at home in his kitchen, the security researcher was able to take a legitimate Apple cable and seamlessly insert a malicious chip into it, allowing him to remotely trigger attacks on the Mac the cable was connected to. At all times the cable would function like a regular USB to Lightning cable, but it would also be listening over WiFi, waiting to be commanded to take action. When triggered, the implant would become active, interacting with the Mac over USB and allowing the attacker to run commands on the Mac, including opening a remote terminal into the Mac.

Fundamentally there is nothing new here. We’ve known about malicious cables for years. This caught the media’s eye because technology has progressed to the point that the implant can be seamlessly hidden in a legitimate Apple cable.

What should we learn from this? IMO, the key take-home is that every time you plug a cable into a device you are expressing trust in that cable. You should ask yourself, where did this cable come from? Is it yours? Does it belong to a trusted friend, colleague, or acquaintance? Or did a strange person or organisation provide it? If it is yours, did you buy it from a trusted source for a believable price, or did you grab it from some random reseller with no reputation for an unrealistically cheap price? This is yet another way in which something that looks too good to be true could well be too good to be true!

How much of a real-world risk this is for you will really depend on who you are, where you are, and what you are doing. If you’re a high-profile person with control over something of value you should probably be more suspicious than the average person. If you’re travelling in a foreign country with an authoritarian or police-state streak, you really should be extra suspicious. If you’re in a situation where industrial espionage could be a problem, be more suspicious! And of course, if you’re at a security conference like DEF CON or BlackHat, just say no to anything of any shape that plugs into anything electrical whatsoever 🙂

Links

Security Medium 2 — The Bluetooth KNOB Attack

Security researchers discovered a problem with the Bluetooth spec which they’ve dubbed KNOB, for Key Negotiation of Bluetooth. This vulnerability in the spec made it possible for fully compliant Bluetooth devices to be tricked into negotiating an encryption key with just one byte of entropy. Keys with so little entropy are trivial to brute-force, so the attack effectively allowed an attacker to silently disable encryption.

It’s important to note that the window of opportunity for this attack is very small — attacks can only be launched while devices are in the process of pairing, and only by an attacker within Bluetooth range of the victim devices.

The flaw has been acknowledged and the spec updated to address the problem. It’s now up to software and hardware vendors to update their drivers and firmware to abide by the improved spec.

An important silver lining here is that the attack only works if both devices are vulnerable, so OS updates will nip this problem in the bud even if many devices never get updated because the vendors don’t bother releasing updated firmware and/or users don’t bother installing the updates.

Apple have patched the vulnerability in their latest OS updates. I haven’t seen updates for any other OSes yet.
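As an added example (not from the show notes or from the KNOB researchers), here is one way a defender could check what key size a Bluetooth link actually ended up with, by parsing the controller's replies to the standard HCI Read Encryption Key Size command and flagging anything too short. It assumes H4-framed HCI event packets; the sample packets are constructed, and the 7-octet minimum is the Bluetooth SIG's post-KNOB recommendation rather than a figure from this page.

```python
import struct

# Opcode of HCI_Read_Encryption_Key_Size: OGF 0x05, OCF 0x0008.
READ_ENC_KEY_SIZE = (0x05 << 10) | 0x0008
EVT_CMD_COMPLETE = 0x0E
H4_EVENT = 0x04
MIN_KEY_OCTETS = 7  # assumption: SIG-recommended BR/EDR minimum after KNOB


def parse_key_size_event(pkt: bytes):
    """Return (handle, key_size) from an H4-framed Command Complete event
    answering Read Encryption Key Size, or None for any other packet."""
    if len(pkt) < 3 or pkt[0] != H4_EVENT or pkt[1] != EVT_CMD_COMPLETE:
        return None
    plen = pkt[2]
    params = pkt[3:3 + plen]
    if len(params) != plen or plen < 7:
        return None  # truncated capture or a shorter, unrelated reply
    # Num_HCI_Command_Packets, opcode, status, connection handle, key size
    _ncmd, opcode, status, handle, key_size = struct.unpack_from("<BHBHB", params)
    if opcode != READ_ENC_KEY_SIZE or status != 0x00:
        return None
    return handle & 0x0FFF, key_size  # connection handles are 12 bits


def audit(packets):
    """List (handle, key_size, candidate_keys) for links below the minimum."""
    weak = []
    for pkt in packets:
        parsed = parse_key_size_event(pkt)
        if parsed and parsed[1] < MIN_KEY_OCTETS:
            handle, size = parsed
            # candidate_keys is the whole key space an eavesdropper must try
            weak.append((handle, size, 256 ** size))
    return weak


# Constructed sample packets (not a real capture).
SAMPLE = [
    bytes.fromhex("040e0701081400010010"),  # handle 0x0001, 16-octet key
    bytes.fromhex("040e0701081400020001"),  # handle 0x0002, 1-octet key
    bytes.fromhex("040e0401030c00"),        # unrelated Command Complete (Reset)
    bytes.fromhex("040e07010814000300"),    # truncated reply
]

if __name__ == "__main__":
    for handle, size, space in audit(SAMPLE):
        print(f"handle 0x{handle:04x}: {size}-octet key, only {space} possible keys")
```

A one-octet key leaves just 256 possibilities, which is why the negotiated length matters more than whether the link reports itself as encrypted.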

Links

Security Medium 3 — Contrasting Visions for Tracking Protection

Both Apple and Google have recently shared their updated visions for tracking prevention, and the contrast could not be more stark!

Starting with Apple, they laid out their new policy on their website. It’s not long, and it’s written in human-friendly language. The bottom line is simple — Apple will treat tracking like malware, and will do everything in their power to prevent it, even if that breaks some things.

Apple explicitly acknowledged Mozilla’s policy, saying their new policy “was inspired by and derived from” Mozilla’s.

Google on the other hand took a very different tack. They released a blog post outlining an idea (not a product or feature, at least not yet) — a ‘privacy sandbox’ that will allow some tracking, but not too much. Websites will get a tracking budget which will let them insert only so much tracking data before Chrome will step in and block further tracking.

This sounds utterly un-workable to me, and seems to be a case of Google the ad company coming into direct conflict with Google the browser vendor. I’m far from alone in that view!

Links

Notable Security Updates

Notable News

  • The Better Business Bureau is warning that scammers are now using search result manipulation to trick voice assistants into giving customers the wrong customer support numbers — their advice, never use a voice assistant to get a customer support number, it can’t be done safely! — nakedsecurity.sophos.com/…
  • In a presentation at DEF CON Google Project Zero security researchers warn of the dangers of pre-installed malware on Android phones, particularly at the lower end of the market where manufacturers are not making much if any money from the sale of the devices themselves, and need other avenues for monetisation — nakedsecurity.sophos.com/…
  • Since 2015 Kaspersky AV has been injecting JavaScript into all web pages viewed by their users (even HTTPS pages) that contains an un-changing unique ID, creating an un-removable super tracking cookie. The software has been updated so the ID is now unique to the version of the product rather than the user, but that’s a security risk! (Editorial by Bart: this just confirms my opinion that 3rd-party AV does more harm than good these days. My advice remains to just use Windows Defender!) — arstechnica.com/…
  • Researchers at Kaspersky Labs have found an app in the Google Play Store with 100 million downloads that was updated to add a malicious payload — arstechnica.com/…
  • 🇮🇪 🇪🇸 🇰🇷 Facebook has started to roll out their data deletion tool in Ireland, Spain & South Korea. Unfortunately, it doesn’t actually delete anything! The tool allows all users to disassociate the data Google has collected on them from their accounts, but deletes nothing — nakedsecurity.sophos.com/…
  • 🇺🇸 Big Telecom, Every U.S. State Vow to End America’s Robocall Hell — gizmodo.com/…
  • 🇺🇸 AT&T and T-Mobile will now verify phone calls between their networks — www.engadget.com/…

Suggested Reading

Suggested Listening

Palate Cleansers

Note: When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
