
In the last issue, I wrote that Apple appears to be sending call-history information to iCloud by default, and that it can be disabled only by turning off cloud backup entirely. This week it was not the only news on the topic: Android device makers also made headlines. Researchers from Anubis Networks have discovered (news, research) a mechanism in Chinese smartphones built by the OEM Ragentek which, by a number of criteria, qualifies as a backdoor.
The issue is the firmware update scheme: a software module on this manufacturer's smartphones runs with root rights, periodically polls the manufacturer's servers, and can download and install updates from them. Nothing unusual so far, but there are two catches. First, all communication goes over plain HTTP, which leaves the phones open to man-in-the-middle attacks with the ability to execute arbitrary code. Second, of the three domains hard-coded into the module, two had simply never been registered by the developers; they would have been free for anyone to take if the Anubis researchers had not registered them themselves. Monitoring connections to those domains allowed the researchers to estimate the number of vulnerable devices: just under three million.
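To make the two design flaws concrete, here is an added example (not Ragentek's code, and not based on their protocol) contrasting an update client that trusts whatever arrives over plain HTTP with one that refuses non-TLS transport and verifies an Ed25519 signature over the payload against a vendor key baked into the firmware. The update payloads, URLs and the "man-in-the-middle" swap are all constructed for the example; the key pair is generated at run time rather than being a real vendor key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"net/url"
)

// updateResponse stands in for what the device's update module receives from
// the vendor server. Constructed for this example; it is not a real OTA format.
type updateResponse struct {
	url     string // where the module fetched from
	payload []byte // image or executable the module will install as root
	sig     []byte // detached signature over sha256(payload); absent in the insecure design
}

// applyInsecure is the pattern described in the article: plain HTTP, no
// integrity check, and the result is installed with root rights. Whoever sits
// on the path (or owns an unregistered update domain) gets code execution.
func applyInsecure(resp updateResponse) ([]byte, error) {
	return resp.payload, nil
}

// applyVerified is the hardened counterpart: refuse non-TLS transport, and only
// install a payload whose signature verifies against the vendor public key
// shipped in the firmware. The two checks are independent, so even a hijacked
// or squatted update domain cannot push code without the private key.
func applyVerified(vendorPub ed25519.PublicKey, resp updateResponse) ([]byte, error) {
	u, err := url.Parse(resp.url)
	if err != nil || u.Scheme != "https" {
		return nil, errors.New("update channel must be https")
	}
	digest := sha256.Sum256(resp.payload)
	if !ed25519.Verify(vendorPub, digest[:], resp.sig) {
		return nil, errors.New("update signature does not verify")
	}
	return resp.payload, nil
}

// signUpdate is the vendor's offline build step: sign sha256(payload) with a
// private key that never leaves the build infrastructure.
func signUpdate(vendorPriv ed25519.PrivateKey, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	return ed25519.Sign(vendorPriv, digest[:])
}

// mitmSwap models the man-in-the-middle: the attacker replaces the body but
// cannot forge a signature, so the original one (or none) rides along.
func mitmSwap(resp updateResponse, evil []byte) updateResponse {
	resp.payload = evil
	return resp
}

// Scenario runs both designs against genuine and tampered responses and reports
// whether the insecure path installed the attacker's payload, whether the
// verified path rejected it, and whether the verified path still accepts a
// genuine signed update.
func Scenario() (insecureInstalledEvil, verifiedRejectedEvil, verifiedAcceptedGenuine bool, err error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	genuine := []byte("constructed firmware image v1.2") // constructed sample data
	evil := []byte("constructed attacker payload")       // constructed sample data

	// Insecure design: HTTP, unsigned.
	httpResp := updateResponse{url: "http://update.example/fw.bin", payload: genuine}
	got, _ := applyInsecure(mitmSwap(httpResp, evil))
	insecureInstalledEvil = bytes.Equal(got, evil)

	// Hardened design: HTTPS, signed at build time.
	httpsResp := updateResponse{url: "https://update.example/fw.bin", payload: genuine}
	httpsResp.sig = signUpdate(vendorPriv, genuine)
	_, err = applyVerified(vendorPub, mitmSwap(httpsResp, evil))
	verifiedRejectedEvil = err != nil
	got, err = applyVerified(vendorPub, httpsResp)
	verifiedAcceptedGenuine = err == nil && bytes.Equal(got, genuine)
	return insecureInstalledEvil, verifiedRejectedEvil, verifiedAcceptedGenuine, nil
}

func main() {
	a, b, c, err := Scenario()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("insecure path installed attacker payload: %v\n", a)
	fmt.Printf("verified path rejected attacker payload:  %v\n", b)
	fmt.Printf("verified path accepted genuine payload:   %v\n", c)
}
```

The signature check is what actually closes the hole: TLS alone would still let anyone who registered one of the forgotten domains and obtained a certificate for it serve updates, whereas a signed manifest makes the update domain irrelevant to code integrity. Certificate pinning on top of that is a reasonable additional layer, but it is omitted here because it cannot be exercised offline.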
A little earlier, on November 15, the New York Times, citing the research group Kryptowire, reported that a number of Android devices from the manufacturer BLU Products shipped with a monitoring module from the advertising network Adups that sent detailed information about the user, including call history and message texts, "somewhere in China". At the time the manufacturer attributed the problem to an unfortunate mistake and released a patch. A week goes by, and it turns out that BLU smartphones are also affected by the update-loader problem.
It is likely that this really is a coincidence, and the point is that vendors only begin to think about privacy after a publication in the New York Times, and sometimes even that does not help. Today, by the way, Yevgeny Kaspersky published his thoughts on the same topic in his blog. Of course, some Chinese OEMs are genuinely bad at all of this, but that does not mean respectable vendors are fine. Absolutely everyone wants to collect a variety of telemetry about the user, and yes, sometimes it is genuinely necessary and benefits everyone. At a minimum, user data needs to be transmitted and stored securely, and this week's news is an example of how not to do it. At a maximum, it is desirable to take the wishes of the users themselves into account, communicating the reasons for and goals of data collection clearly and openly. Otherwise one gets the feeling that our gadgets are gradually slipping out of our control. And the matter is not limited to privacy: understanding exactly what your smartphone, tablet or laptop is doing is becoming harder over time.
Vulnerabilities found and closed in the NTP protocol
On Monday the NTP project maintainers released a patch covering a number of vulnerabilities in the network time synchronization system. One of them, discovered by researcher Magnus Stabman, allows an attacker to crash the ntpd server with a single crafted request. The other vulnerabilities do not necessarily lead to a denial of service, but they increase resource consumption and could potentially be used to carry out a DDoS attack. Since 2013 there have been quite a few cases of DDoS amplification through the exploitation of various problems in NTP servers. For the time being, however, the only proof of concept for the new vulnerabilities leads to nothing more than a denial of service.
A quarter of Wi-Fi hotspots worldwide are unprotected
According to Kaspersky Lab research, approximately 22% of access points around the world are not protected at all against unauthorized access and traffic interception. A little under 3% are protected by WEP, which has been known for many years to be insecure, so they can be equated with open hotspots. Notably, these figures concern not the access points theoretically available to a user, but those actually in use. The good news is that three-quarters of Wi-Fi hotspots are reasonably secure: WPA2 is used in 68% of cases and WPA in 7%. South Korea is among the leaders in the share of unsafe hotspots (48% open or WEP), while Germany turned out to be the best-protected country (85% of hotspots reliably protected).
Unsafe hotspots by country
Connection security is an important factor, but if you connect to someone else's access point, how the link itself is protected is not the main concern. My built-in paranoia reminds me that it is unwise to entrust important data to such a setup. I personally have for a long time used open Wi-Fi only in conjunction with a VPN: regularly reading information security news suggests there is no other option. Kaspersky Lab's statistics are based on an analysis of 32 million hotspots around the world.
What else happened:
Another Tesla hack, although not really: researchers showed how to seize control of the proprietary smartphone app used to control the car remotely.
The US Department of Defense has formulated rules for disclosing information about vulnerabilities. The recommendations build on the experience of the Bug Bounty program (known as Hack The Pentagon) and look very progressive, especially for a government agency. Interestingly, the rules explicitly prohibit pentesters from phishing Department of Defense employees. It remains only to prohibit the cybercriminals from doing the same.

Antiquities
"Form"
A very dangerous virus that infects the boot sector of floppy disks when they are accessed, and the boot sector of the hard drive when booting from a floppy disk. On the hard drive it is located in the last sectors of the disk; on a floppy disk, using the "Brain" method. It manifests itself on the 24th of every month: when a key is pressed, the virus runs an idle loop. Data loss is possible when working with the hard drive. Intercepts int 9 and int 13h. Contains the text "The FORM-Virus sends greetings to everyone who's reading this text. FORM doesn't destroy data! Don't panic! Fuckings go to Corinne."
Quote from the book "Computer viruses in MS-DOS" by Eugene Kaspersky, 1992, page 101.
Disclaimer: this column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. As luck would have it.