
Security Week 30: five paragraphs about Black Hat

Black Hat is an information security conference in the industry's traditional "unanswered questions" genre. Every year, experts gather in Las Vegas to share their latest findings, the kind that give hardware manufacturers and software developers insomnia and trembling hands. And that is not a bad thing. On the contrary, honing the art of finding problems while staying on the "bright side" is wonderful.

But Black Hat still has an internal conflict. You cannot insist forever that "security is bad, bad, bad" without offering anything in return. Yet as soon as you start talking about solutions, the complaints begin: the conference is not what it used to be, it is boring, the corporations have bought up every spot. Solutions really are boring: they require a culture of writing code, organizational measures, and the like. Problems are fun* and spectacular*! So today's story is about the fun* and spectacular* problems from the Black Hat conference.

* Actually: hard and sad. I hope you understand.


Perhaps the most exciting piece of research at Black Hat 2018 was presented by Christopher Domas, who dug up a full-fledged hardware backdoor in the old VIA C3 processors. The last processors in this series were released in 2003, which clearly helped the research: disclosing a backdoor in current hardware would be difficult for many reasons. So Domas has published on GitHub a detailed description, a proof of concept, and even a utility for closing the backdoor. The backdoor is a separate computing core built into the CPU that uses an architecture other than x86. Given a special "magic" instruction, it lets you execute code with maximum privileges (ring 0) even if you start at user level (ring 3) with no such rights. Normally the backdoor is disabled, but the author of the study managed to find several systems where it was activated by default.

This talk is best watched on video once it is posted, specifically for the audio track. Researchers John Seymour and Azeem Aqil from Salesforce questioned how reliable voice-based identification really is. More precisely, they set out to find out how easy it is to fake a voice. Fairly easy, it turned out. Voice is not planned as a primary means of identification, but services like Amazon Alexa and Siri are already learning to tell one person from another. And then there is, for example, the Microsoft Speaker Recognition API, which the researchers managed to fool given a recording of the victim's voice and machine learning algorithms. Initially they needed almost 24 hours of someone's recorded speech to recreate the voice convincingly. But since the interaction with the identification system is quite short, and the other side is also an algorithm rather than a living person, they ended up deceiving it with a voice sample only 10 minutes long. The final result sounds awful, yet it passes the identification system.


Black Hat 2018 saw two potential supply chain attacks at once. (That is when a device leaves the vendor intact and arrives at the customer already infected.) Researchers from Fleetsmith and Dropbox found a problem in Apple's mobile device management system. Large companies use such a system to configure laptops or smartphones automatically: install the required software, change the browser home page, and so on. On first connection to a WiFi network, a number of checks take place, both on Apple's side and on the side of the provider of the centralized device management service. During these negotiations the laptop receives a list of software to download. It turned out that the list's authenticity was not verified. So there was an opportunity to impersonate the contractor company and plant a prepared laptop on the victim. More precisely, there was: the vulnerability has been closed. Another vulnerability, found by Eclypsium in UEFI on Asus devices, is not closed yet. It is the classic problem: the automatic updater is built into the firmware itself and requests data over unprotected HTTP. Accordingly, anyone and anything can "respond" to such a request.
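Both stories above come down to the same missing check on the device side: a software list or update is fetched and acted on without verifying where it came from or who signed it. The following is an added illustration, not code from Apple, Asus or the researchers: a toy device-side installer with the weak behaviour beside a hardened one that refuses plaintext transport and unsigned or tampered manifests. A shared-secret HMAC (assumed, with a constructed key) stands in for the vendor's real asymmetric signature; the URLs and package names are constructed.

```python
import hashlib
import hmac
import json
from typing import List, Optional
from urllib.parse import urlparse

# Constructed stand-in for the vendor's signing key. Real MDM/firmware schemes
# use asymmetric signatures; a shared-secret HMAC keeps the example self-contained.
VENDOR_KEY = b"constructed-vendor-key"


def sign_manifest(manifest: bytes, key: bytes = VENDOR_KEY) -> str:
    """Produce the signature the vendor would attach to a software list."""
    return hmac.new(key, manifest, hashlib.sha256).hexdigest()


def install_list_weak(url: str, manifest: bytes, signature: Optional[str]) -> List[str]:
    """The failure mode from the text: whatever list arrives is trusted,
    regardless of transport (plain HTTP) or signature (absent or wrong)."""
    return json.loads(manifest)["packages"]


def install_list_hardened(url: str, manifest: bytes, signature: Optional[str],
                          key: bytes = VENDOR_KEY) -> List[str]:
    """Refuse plaintext transport and unsigned or tampered manifests before
    a single package name is trusted."""
    scheme = urlparse(url).scheme
    if scheme != "https":
        raise ValueError(f"refusing manifest fetched over {scheme!r}; TLS is required")
    if signature is None:
        raise ValueError("manifest carries no signature")
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        raise ValueError("manifest signature does not match contents")
    return json.loads(manifest)["packages"]


# Constructed sample traffic: the genuine list and a tampered copy with an extra entry.
GENUINE = json.dumps({"packages": ["corp-vpn", "endpoint-agent"]}).encode()
TAMPERED = json.dumps({"packages": ["corp-vpn", "endpoint-agent", "unexpected-tool"]}).encode()

if __name__ == "__main__":
    print("weak path installs:", install_list_weak("http://updates.example/list", TAMPERED, None))
    print("hardened path installs:",
          install_list_hardened("https://mdm.example/list", GENUINE, sign_manifest(GENUINE)))
    for url, body, sig in [("http://mdm.example/list", GENUINE, sign_manifest(GENUINE)),
                           ("https://mdm.example/list", TAMPERED, sign_manifest(GENUINE))]:
        try:
            install_list_hardened(url, body, sig)
        except ValueError as err:
            print("rejected:", err)
```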


This year Black Hat talked a lot about how, to improve security, developers need to think a bit like hackers. That is a rather controversial statement. But there was one interesting presentation that does not unveil anything special but shows how such a hacker motivates himself and what he can achieve with hacker methods. The role of the reference hacker was played by researcher Guillaume Valadon. About three years ago he had a simple photo frame that displayed photos from an SD card. He also had an inexpensive Toshiba FlashAir WiFi adapter, also in SD card form, plus the desire to combine the two. The presentation is the story of the journey from "I know nothing about this device" to "through vulnerabilities in the network stack, I replaced the WiFi adapter's firmware with my own, which downloads pictures from the network and pushes them into the photo frame". This pet project took Guillaume three years and included such iterations as visually identifying the chips in the WiFi module, googling the unique strings the module writes to its log, analyzing the atrociously documented real-time OS, and other "fun entertainment". In the dry language of a news item, the researcher "found a number of critical vulnerabilities in a wireless network adapter". But in truth this story is about healthy enthusiasm (and a little about obsessive tinkering).

It would have been impossible to skip the most fashionable topic of the year: side-channel attacks. In the previous issue we looked at how a variant of the Spectre attack can be carried out over the network. At Black Hat, researchers showed how to steal a data encryption key from 10 meters away from a running device. Unlike Spectre, this is a classic side-channel attack, where useful information leaks where nobody expects it. Researchers at Eurecom found that the "noise" from the operation of the electronics can make its way into the radio channel. They carried out a successful attack on a Bluetooth adapter, and in general this story is about devices that contain some kind of radio (that is, about a great many devices). The key point of the study is precisely the distance: attacks on hardware usually require direct access to the device. At best, something can be done from a meter away with a very large antenna. Here it is ten meters. And how to deal with it? There are ways: better isolate the computing part from the radio transmitter, or build a "noise curtain" in software. In plain language: make the device even more complex and more expensive. It is not certain to work out, but then again, as I keep saying, Black Hat is a conference that is not about solutions.

Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. The editors generally recommend treating any opinions with healthy skepticism.

Source: https://habr.com/ru/post/420097/
