Security Week 34: Riot of industrial robots, clearing Google Play of malware and an ancient vulnerability in OS X

“Prove that you are not a robot: harm a person, or through inaction allow a person to come to harm” - this could be a captcha in the worlds of Isaac Asimov with an admixture of late cyberpunk. Meanwhile, the makers of robots that work side by side with humans (collaborative robots, or “cobots”) give no thought to the Three Laws. And that is a pity: in the IoT era, smart machines can do real harm to their owners, for example by halting the conveyor of a large production line or locking the owner out of a smart home for the night.

Researchers from IOActive have found almost 50 vulnerabilities in industrial robots from the manufacturers Rethink Robotics (Baxter / Sawyer) and Universal Robots. If the published document is to be believed, many models can be reprogrammed remotely, forcing them to spy on or even harm people (attack from around the corner, or hurt their beloved cats). After all, these are not just stationary manipulators: the robots are smarter, they move independently, they are equipped with cameras, microphones and other peripherals, and malicious code can easily be added to taste.

The researchers dug through publicly available firmware and other embedded software to find out how the machines work, how they connect to local networks and to other robots, and how they interact with the manufacturers' services (for example, to fetch updates). As a result, they were able to find holes in authentication systems, cryptographic vulnerabilities and other things dear to the heart of every hacker. Some of these vulnerabilities turned out to be fairly easy to exploit.

However, many holes in cobots can be closed by correctly setting security-related parameters. In addition, designers often build in safeguards, such as limits on impact force or speed. All in all, turning such bots into doomsday operators would not be that easy.
Still, the problem exists, because vendors do not think much about security, and this may backfire once regiments of smart devices arrive in human environments. The IOActive experts confirm this: they contacted the six main solution providers, and only a few acknowledged the vulnerabilities and promised to fix them. In addition, many different studies are being conducted in this area, and their results (including code) are publicly available; over time they find their way into commercial products without any security audit, which again simplifies the task for hackers. And although SkyNet is still a long way off, it seems that in some Taiwanese factories rebellious robots have already exchanged a wink...

Chinese SDK as a tool for loading malicious code into Android

More than 500 applications built with malicious versions of the Chinese Igexin SDK have been removed from Google Play. It turned out that these apps allowed spyware to be installed on mobile devices.

The Igexin SDK is often used by developers to connect to ad networks. The most interesting part of this story is this: initially the applications are not infected, and their developers know nothing about the extra features of their products. The malicious code is downloaded to the device later, while the app is in use. Specifically, suspicious activity was detected when the programs contacted servers used to deliver malware, or downloaded large encrypted files after making REST API requests.

According to researchers from Lookout, potentially vulnerable programs have been downloaded from Google's online store more than 100 million times. And although not all of them were used for illegal purposes, the problem is serious, because games aimed at teenagers, weather apps, Internet radio, photo editors, educational applications, sports programs and many other apps came under suspicion. Android users, however, are no strangers to such surprises: large-scale purges of Google Play are not happening for the first time, and the number of malicious programs for this mobile OS grows from year to year.

The shock work of our Chinese comrades is also worth noting: this is not the first time that apps built with infected SDKs from the Celestial Empire have made it into official stores. Suffice it to recall the third-party advertising SDK Youmi, because of which Apple had to remove more than 250 programs from the App Store two years ago; they collected confidential user data, including the Apple ID and the device serial number.

Installers can load malicious code with root privileges on OS X

The last item in the digest is not news at all: the problem is more than a year old, but it was raised again at the recent DEF CON. On OS X, third-party software is often installed and updated through the outdated AuthorizationExecuteWithPrivileges API, which lets an attacker obtain superuser rights with a little help from the computer's owner.

At first glance there is nothing serious here: so a villain can swap out the installer, you might think; just watch what you launch on your machine and don't pull software from just anywhere. What is interesting is something else: the installers of a huge number of popular products (Slack, Google Chrome, Google-owned Dropcam, VMware Fusion, etc.) for OS X use the insecure method instead of Apple's long-established alternative. Since 2013, the company has recommended using SMJobBless, which allows the authenticity of the executable code to be verified. Yet developers, software giants included, are in no hurry to switch to the new method, which requires a paid certificate to sign their products. The catch is that, besides money, making such a secure solution work takes a lot of time, whereas the outdated API is literally three lines of code.

Antiquities


Stone-Dinamo

Saves the old boot sector of floppy disks to the last sector of the root directory, regardless of the disk size. If an error occurs while the virus is installing itself, it decrypts and displays the text "Dinamo (Kiev) -champion !!!".

Quote from the book "Computer viruses in MS-DOS" by Eugene Kaspersky, 1992, page 97.

Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It's a matter of luck.

Source: https://habr.com/ru/post/336428/