Security Weekly 15: Riot of Industrial Robots, Cleanup of Google Play From Malware, An Ancient Vulnerability in OS X
In the era of IoT, machines whose brains have gone awry can be a great nuisance to their owners. They can, say, stop a large-scale production line or leave the owner to sleep on the doorstep of a smart house.
Researchers from IOActive counted almost 50 vulnerabilities in industrial robots manufactured by Rethink Robotics (Baxter/Sawyer) and Universal Robots. If the published document is to be believed, many models can be reprogrammed remotely and made to spy on or even harass a person (ambush them from around a corner or upset their favorite seals). After all, these are not just stationary manipulators: the robots are smarter, move independently, and are equipped with cameras, microphones and other attachments, so adding malicious code to taste would not be difficult.
The researchers dug thoroughly into publicly available firmware and other embedded software to find out how the machines work, how they connect to local networks and other robots, and how they interact with vendor services (for example, to get updates). As a result, they found holes in authentication systems, cryptographic vulnerabilities and other things dear to the heart of every hacker. Some of these vulnerabilities proved fairly easy to exploit.
However, many of the holes in these machines can be closed by properly configuring the safety-related parameters. In addition, designers often play it safe and build in various limits, for example on impact force or speed. On the whole, it will not be so easy to turn such robots into agents of doomsday.
Still, the problem exists, because vendors do not yet give much thought to security, and that may backfire when the ranks of smart devices living among people swell. The IOActive experts confirm this: they contacted six major solution providers, and only a few acknowledged the existence of the vulnerabilities and promised to fix them. In addition, there are many different studies in this field whose results (including code) are publicly available, and these eventually make their way into commercial products without a security audit, which again simplifies the task for hackers. And although we are still far from Skynet, it seems that somewhere in the Taiwan factories, router-insurgents are already flashing
Chinese SDK as a tool for downloading malicious code in Android
More than 500 applications created using malicious versions of the Chinese Igexin SDK have been removed from Google Play. It was found that this software makes it possible to install spyware on mobile devices.
The Igexin SDK is often used by developers to connect to ad networks. The most interesting part of this news, however, is that the applications are not infected initially, and developers know nothing about the extra "features" of their products. The malicious code is downloaded to the device later, while the application is running. Suspicious activity was detected when the programs tried to access servers used to deliver malware, or downloaded large encrypted files after making REST API requests.
According to researchers from Lookout, the potentially vulnerable programs have been downloaded from Google's online store more than 100 million times. Although not all of them have been used for illegal purposes, the problem is serious, because games, weather informers, Internet radio, photo editors, educational applications, sports programs and many other apps have turned out to be suspicious. However, Android users are no strangers to such surprises: this is not the first large-scale sweep of Google Play, and the amount of malware for this mobile OS grows every year.
The zeal of our Chinese comrades also deserves a mention: this is not the first time that programs built with infected versions of an SDK from the Middle Kingdom have made it into official stores. Suffice it to recall the third-party advertising SDK Youmi, because of which Apple had to remove more than 250 programs from the App Store two years ago: they collected confidential user data, including the Apple ID and the serial number of the device.
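The two signals described above for the Igexin-based apps (contact with malware-delivery servers, and large encrypted downloads that follow REST API requests) can be turned into a simple detection rule. The sketch below is an added example, not code from Lookout or from the original article; the flow-record fields, thresholds, app names and hosts are all assumptions constructed for illustration.

```python
import math
from collections import Counter

# Thresholds are assumptions for this sketch, not figures from the Lookout research.
MIN_SIZE = 1_000_000   # bytes: what counts as a "large" download
MIN_ENTROPY = 7.5      # bits/byte: near 8.0 means encrypted (or compressed) data
WINDOW = 60            # seconds allowed between the API call and the download

def entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def suspicious_apps(flows, blocklist):
    """Return {app: [reasons]} for apps showing either behaviour."""
    findings, last_api = {}, {}   # last_api: app -> time of its latest REST call
    for f in sorted(flows, key=lambda f: f["ts"]):
        app = f["app"]
        if f["host"] in blocklist:
            findings.setdefault(app, []).append("contacted " + f["host"])
        if f["kind"] == "api":
            last_api[app] = f["ts"]
        elif (f["kind"] == "download" and app in last_api
              and f["ts"] - last_api[app] <= WINDOW
              and f["size"] >= MIN_SIZE and entropy(f["sample"]) >= MIN_ENTROPY):
            findings.setdefault(app, []).append(
                "large encrypted download from " + f["host"])
    return findings

def flow(app, ts, kind, host, size, sample):
    return dict(app=app, ts=ts, kind=kind, host=host, size=size, sample=sample)

# Constructed records (not real traffic); all names use reserved example domains.
UNIFORM = bytes(range(256)) * 16              # every byte value equally often
HTML = b"<html><body>forecast</body></html>" * 100
BLOCKLIST = {"drop.badhost.example"}
FLOWS = [
    flow("com.example.weather", 100, "api", "api.sdk.example", 512, b"{}"),
    flow("com.example.weather", 110, "download", "cdn.sdk.example", 2_500_000, UNIFORM),
    flow("com.example.radio", 200, "api", "api.sdk.example", 512, b"{}"),
    flow("com.example.radio", 205, "download", "cdn.sdk.example", 3_000_000, HTML),
    flow("com.example.photo", 300, "api", "drop.badhost.example", 256, b"{}"),
    flow("com.example.game", 400, "download", "cdn.sdk.example", 4_000_000, UNIFORM),
]

if __name__ == "__main__":
    for app, reasons in suspicious_apps(FLOWS, BLOCKLIST).items():
        print(app, "->", "; ".join(reasons))
```

High entropy alone also matches ordinary compressed media, which is why the rule requires the download to follow an API call within a short window before it fires.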
Apple installer can download malicious code in OS X with root rights
The last item in this digest is not news at all: the problem has been around for years, but it was discussed again at the latest DEF CON. To install and update third-party software on OS X, the legacy AuthorizationExecuteWithPrivileges API is often used, which lets an attacker get root privileges with a little help from the computer's owner.
At first glance, there is nothing serious about this: so what if a villain can swap out an installer, you just need to watch what you launch on your machine and not drag in software from just anywhere. Interestingly, the installers of a huge number of popular products for OS X (Slack, Google Chrome, Google-owned Dropcam, VMware Fusion, etc.) use the unsafe method instead of the long-established Apple alternative. Since 2013, the company has recommended using SMJobBless, which allows the authenticity of the executable code to be verified. However, developers, including software giants, are in no hurry to move to the new method, which requires a paid certificate to sign their products. The fact is that, in addition to money, you have to spend a lot of time to make such a safe solution work, while the obsolete API is literally three lines of code.
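To see which installed applications still reference the legacy API rather than SMJobBless, a defender can search their Mach-O executables for the two API names. This is an added example, not code from the original article or from Apple; the function names are hypothetical, and it only inventories references to the names, it does not prove the call is reached.

```python
import os

# First four bytes of Mach-O and universal ("fat") binaries, as stored on disk.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit, big/little endian
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # 64-bit, big/little endian
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",   # universal binary
}
LEGACY = b"AuthorizationExecuteWithPrivileges"
MODERN = b"SMJobBless"

def symbols_in(path, chunk=1 << 16):
    """Return the subset of {LEGACY, MODERN} that occurs in a Mach-O file."""
    found = set()
    with open(path, "rb") as fh:
        if fh.read(4) not in MACHO_MAGICS:
            return found                      # not an executable: skip it
        tail = b""
        while True:
            block = fh.read(chunk)
            if not block:
                return found
            data = tail + block
            found.update(s for s in (LEGACY, MODERN) if s in data)
            # Keep an overlap so a name split across two chunks is still seen.
            tail = data[-(len(LEGACY) - 1):]

def audit(root):
    """Map each file under root that references the legacy API to a verdict."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            try:
                found = symbols_in(path)
            except OSError:
                continue                      # unreadable file: ignore
            if LEGACY in found:
                report[os.path.relpath(path, root)] = (
                    "legacy+SMJobBless" if MODERN in found else "legacy only")
    return report

if __name__ == "__main__":
    for path, verdict in sorted(audit("/Applications").items()):
        print(verdict, path)
```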