Security Weekly 53: Five Paragraphs About Black Hat
Black Hat is an information security conference that works in the genre traditional for this industry: “questions without answers.” Every year in Las Vegas, experts gather to share their latest findings, which give hardware manufacturers and software developers insomnia and shaky hands. Not that this is a bad thing. On the contrary, honing the art of finding problems while staying on the “bright side” is wonderful!
But there is still an internal conflict at Black Hat. You cannot repeat indefinitely that “everything about security is bad, bad, bad” without offering anything in return. And as soon as people start talking about solutions, the complaints begin: the conference isn’t what it used to be, it’s boring, the corporations have bought everything up. Solutions really are boring: there is a culture of writing secure code to adopt, organizational measures to introduce, and so on. Problems, on the other hand, are *fun* and *spectacular*! So today, a story about the *fun* and *spectacular* problems from the Black Hat conference.
Perhaps the most astounding research at Black Hat 2018 was presented by Christopher Domas, who dug up a full-fledged hardware backdoor in the old VIA C3 processors. The newest processors in this series were released in 2003, which clearly helped the research: it would be difficult … to uncover information about a backdoor in current hardware … for many reasons.
On GitHub, Domas has published a detailed description, a proof of concept, and even a utility for disabling the backdoor. The backdoor is a separate computational core built into the CPU that uses an architecture other than x86. Given a special “magic” sequence, it allows code to be executed with maximum privileges (ring 0), even if you started at the unprivileged user level of ring 3 without such rights. The backdoor is normally disabled, but the author of the study managed to find several systems where it was enabled by default.
This presentation is best watched on video (once it is posted), because the soundtrack is the interesting part. Researchers John Seymour and Azeem Aqil of Salesforce questioned the reliability of identifying people by voice. More precisely, they set out to investigate how easy it is to forge a voice. It turned out to be quite simple. Not that voice is planned to be the primary means of identification, but services like Amazon Alexa and Siri are now learning to tell one person from another.
There is, for example, the Microsoft Speaker Recognition API, which the researchers managed to fool given a voice recording of the victim and machine-learning algorithms. Initially, recreating a voice convincingly took almost 24 hours of recordings of the target’s voice. But because the interaction with the identification system is short, and the other side is also an algorithm rather than a living person, in the end a successful deception was possible with a voice sample only 10 minutes long. The final result sounds awful, but it successfully bypasses the identification system.
Two potential supply-chain attacks were shown at Black Hat 2018. (This is when the device leaves the vendor intact and arrives at the customer already infected.) Researchers from Fleetsmith and Dropbox found a problem in Apple’s mobile device management system. Large companies use such a system to automatically configure laptops or smartphones: install the necessary software, change the browser’s start page, and so on.
When the device first connects to a WiFi network, a series of checks takes place both on Apple’s side and on the side of the centralized device management service provider. During these negotiations, the laptop receives a list of software to download. It turned out that the authenticity of this list is not verified. This made it possible to impersonate the contractor company and hand the victim a prepared laptop. More precisely, it is no longer possible: the vulnerability has been closed.
Another vulnerability, found by Eclypsium in the UEFI firmware of Asus devices, has not yet been closed. It is a classic problem: the firmware has its own automatic update mechanism, which requests data over unprotected HTTP. Accordingly, anyone can answer that request with anything.
At this year’s Black Hat there was a lot of talk about the idea that, to improve security, developers should think a little like hackers. That is a controversial statement. But there was one interesting presentation that does not reveal any great secrets, yet shows how such a hacker motivates himself and what he can achieve with his hacking methods. The reference hacker was researcher Guillaume Valadon. About three years ago he had a simple photo frame that showed photos from an SD card. He also had an inexpensive Toshiba FlashAir WiFi adapter, also in SD card format, plus the desire to combine the one with the other.
The presentation is the story of a journey from “I know nothing at all about this device” to “through vulnerabilities in the network stack, I replaced the WiFi adapter’s firmware with my own, which downloads images from the network and feeds them to the photo frame.” This pet project took Guillaume three years and included such steps as visually identifying the chips in the WiFi module, googling the unique strings the module writes to its log, analyzing a dreadfully documented real-time OS, and other “fun entertainment.” In the dry language of a news release, the researcher “found a number of critical vulnerabilities in a wireless network adapter.” But in fact, this story is about healthy enthusiasm (and a bit about stubborn persistence).
It was impossible to do without the most fashionable topic of the year: side-channel attacks. In the previous issue we looked at how a variant of the Spectre attack can be carried out over the network. Black Hat showed how a data encryption key can be stolen from 10 meters away from a working device. Unlike Spectre, this is a classic side-channel attack, where useful information leaks from a place where nobody expects it.
Researchers from the company Eurecom found that “noise” from the operation of electronics can leak into the radio channel. They were able to successfully attack a Bluetooth adapter, and in general this story applies to any device that contains some kind of radio (that is, a great many devices). The key point of the research is precisely the distance: usually, hardware attacks require direct access to the device; at most, something can be done from a meter away with a truly enormous antenna. Here it is ten meters. And how do you deal with this? There are ways: better isolation of the computational part from the radio transmitter, or building a “noise curtain” in software. In plain language: devices need to become even more complex and even more expensive. It is not certain that this will work, but then, as I said, Black Hat is not a conference about solutions.