Security Week 27: Android encryption bypass, medical Conficker resurrection, IoT botnet

Remember the vulnerability in Android Mediaserver? Those who are in the subject will first be asked to clarify - what kind of vulnerability is meant. Indeed, there were many vulnerabilities in the Mediaserver, starting with the memorable Stagefright, a hole discovered last year, which allows you to take control of the phone after sending the only prepared MMS message. Today we will talk about another vulnerability discovered in May by Duo Labs. Then it was reported that the vulnerability affects only smartphones on the Qualcomm hardware platform, which, however, is equivalent to 60% of all Android devices.

Unlike Stagefright, this hole is more difficult to exploit: you still need to download a malicious offer to your device that can get full access to the system, using the holes simultaneously in the Mediaserver and the Qualcomm Secure Execution Environment module. The latter is responsible for key aspects of system and data protection, including encryption. Initially, the possibility of obtaining system privileges was shown, but this vulnerability did not concern encryption.

Now - concerns. The same experts found out ( news , research ) that a similar set of vulnerabilities makes it possible to find the key to the encrypted data using the brute-force attack. As in iOS, Android provides protection against brute force, restrictions on the frequency of attempts and their number, but just managed to get around them.
All editions of the digest are available by tag .

The potential consequences of such a finding are broad and multifaceted, and the software-hardware essence of the new vulnerability is especially alarming. If we ignore the intricacies of the technical implementation, it is possible to decrypt data on any smartphone based on Qualcomm hardware, even if the vulnerability is closed at the software level. Most likely, it will not be possible to simply arrange a brute force attack on any device; cooperation with the manufacturer will be required, but law enforcement agencies will be able to organize such cooperation. Good or bad is a subject for a separate discussion, but now it’s about the fact that the implementation of the data encryption system on a noticeable part of Android devices is far from ideal.
')
The ancient Conficker worm is used to attack the outdated software of medical devices.
News TrapX Labs Study .

The IT industry, both in its software and iron parts, is moving forward under the influence of the earning carrot and the risk of insecurity of rapidly aging obsolete products. One of my Android devices works on OS 4.4, and it will continue to work on it - there are no updates. Knowing in advance about the number of bugs in the system, I try not to store anything critical on the device. Who knows, maybe security will eventually become the main motivation for the upgrade, more important than new features, performance gains, and so on. Once again, I’m wondering - is it not safer to use very ancient devices like Nokia smartphones on Symbian: they have long forgotten how to break them, and there’s really nothing to break. However, the “security through obscurity” approach has never saved anyone, and it is inconvenient.



Of all, ahem, IT-dependent sectors of the national economy, medicine has long been considered one of the most vulnerable. First, very sensitive information is stored and processed there. Secondly, the IT update in traditionally poorly funded hospitals is somewhere in the penultimate place on the list of priorities. Thirdly, computerized medical devices have characteristics similar to equipment in production: very expensive, very long-lived and not very frequently updated. Well, and critically important for the work of medical institutions, and to save lives.

It turned out that it would be very easy to recall the seemingly long-forgotten methods of attacking outdated software. It is enough to take the old malicious code and re-qualify it for solving new problems. The TrapX study provides an example of just such a real attack. Outdated (software) medical devices were attacked purposefully, used as an “entrance gate” to the organization's infrastructure. The key element of the attack was the 2008 Conficker worm (aka Kido), which hit millions of vulnerable systems on Windows XP . In a modern attack, Conficker is used for initial infection. Further, more modern methods of network distribution and data exfiltration are used.

And it’s not even possible to recommend “updating the system” - rolling patches on some tomograph without the approval of the vendor, but with a high probability that the device will fail, no one will. It is necessary either to take into account the presence of such outdated systems in the network (in the Laboratory, for example, there is a modern product capable of working on a system with 256 MB of memory), or to isolate them from sin away from everything else. The consequences of the hacking of medical institutions can be assessed by the example of one of the resonant news last week - about the leakage of 655 thousand patient records from several clinics offered for sale in darkweb.

A botnet detected from IoT devices capable of conducting a DDoS attack with a capacity of up to 400 gigabits per second
News Arbor Networks research .

In February, at the RSA conference, one of the important industry events on the topic of information security, everyone spoke about protecting IoT. They talked about the importance, the need for protection, and between the lines they hinted that this line of work of the security men was somehow not very clearly defined. Indeed, what is meant by IoT? Teapots? Refrigerators? Arduino? Smart watch with wifi? Webcams? Actually, all these devices fall under the criteria of IoT, and a few dozen more categories. I will try to summarize: everything that works autonomously is a black box for a user or network administrator, with not very clear features, proprietary hardware and often software of one of the hundreds of possible modifications. That is, it is possible to include industrial equipment here. We can talk not only about webcams, but also about traffic lights, smart water meters, solar panel controllers. Yes, about the same medical devices, by the way. The characteristics are the same, and new technologies for protecting critical infrastructure facilities may well be applied to the home network of a dozen smart devices.

In general, in February I wrote that the protection of IoT is a matter of the future, if not very remote. In a sense, there is still time until the moment when cybercriminals start using the main advantage of the Internet of things - namely, a huge number of devices - for criminal purposes.
And here and there, the future has already come . The first bell rang last week - when they discovered a botnet of 25 thousand video cameras. The scale, however, was too small, but this week, researchers from Arbor Networks showed the correct size.

The organizers of the botnet Lizardstresser, apparently, have long been engaged in this criminal business. Last year, a botnet was seen , consisting mainly of home routers. This year autonomous webcams came under attack. Their sometimes irreparable insecurity has long been known. Firmware is outdated and very rarely updated, and users forget to change the default username and password. It’s easy to break them down (to attack most devices in a particular case, use a brute force attack on an unclosed telnet interface), it’s more difficult to organize a bunch of small devices. This is achieved using a distributed network of dozens of command servers. The result was a structure capable of conducting DDoS attacks with a capacity of up to 400 gigabits per second. According to the researchers, several Brazilian companies and a couple of organizations from the USA became victims of such attacks.

This is not quite a real IoT-crime, like webcams - quite controversial representatives of this new category of devices. We are waiting for a botnet of billions of water meters and light sensors. Then it will be fun. That is sad.

Antiquities:
"Wisconsin-815"

Non-resident very dangerous virus is written to the beginning of .COM-files (except COMMAND.COM) of the current directory. In the infected file, the virus starts a counter, each time it attempts to infect this file, it increases it by 1, on the fourth infection, it displays the text “Death to Pascal” and deletes all .PAS files in the current directory. Before deleting each file displays a point.

Quote from the book "Computer viruses in MS-DOS" Eugene Kaspersky. 1992 Page 95.

Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not coincide. Then how lucky.