Security Weekly 8: Collisions in SHA-1, Practical Hacking of Routers, 85% of Android Devices Insecure
When you are in the epicenter of events, it is sometimes difficult to understand what really happened. Being in a traffic jam, you do not know that it happened because of an accident until you reach two padded pilots who occupied three lanes. Up to this point, you just do not have enough information to draw conclusions. In the IT Security field, it happens as well: the topic is complex, there are many nuances, and the result of some studies can be realistically assessed only after a few years.
- This week, the three most interesting news about security have nothing in common except a thick layer of subtext. If you do not deal with the topic all the time, the importance of some events can be judged incorrectly, or you can not see some important details.
- We will try to explain by examples as clear as possible. Although the subtext is a thing – everyone sees something of his own way.
Welcome to the 8th episode of SmartSpate Security Weeks. Traditional rules: every week the editorial board of the SmartSpate selects the three most significant news, to which we add a detailed overview.
The search for collisions for the SHA-1 algorithm seriously dropped
- Those who have advanced in the development of Linux a little further than the automatic installation of Ubuntu know that this system motivates to read the instructions. In the sense, at first I certainly try to google a dock where the sequence of commands is simply indicated, but in some cases, I will not have anything to start with, and then everything will break. This news from the same series: without even a minimal immersion in the match in it is difficult to understand. Despite the fact that this is perhaps the most difficult topic for the entire time of the series, we will try to tell you what the essence is, in simple words.
SHA-1 – algorithm of cryptographic hashing. Such an algorithm can be given at the input a sequence of data of almost unlimited length, and at the output, it is possible to obtain 160 bits of information, which allow us to identify the original data array. If, of course, you have it: it will not be possible to restore the information from the hash, it can not be turned back.
- More precisely, it should not be obtained, even if at the entrance, for example, there is a password for the hapless user of type 123456.
There are two requirements to any such algorithm:
- The impossibility of obtaining the original data, having only a message digest on hand and the inability to select such a pair of data sets so that their hash matched.
- More precisely, the opportunity to do both is almost always available. It just has to be connected with so much computing that there is nothing to even try. Well, that is, you buy the most powerful supercomputer, give it the task to break the cipher. After 240 years, it says that the answer is 42, but by the time you do not care.
But there is a nuance:
- First, the productivity of computers is constantly growing.
- Secondly, researchers are looking for workarounds that allow hacking cryptographic systems. For a hash algorithm, it is much easier to find a collision than to decipher the original data.
- Meanwhile, the same SHA-1 is used in various encryption and authorization systems, where its main task is to make sure that the data of two different subscribers coincide.
- If you can find two or more data sets that have the same hash, and do it cheaply and quickly – then the algorithm is no longer reliable.
Recently, a team of researchers from universities in the Netherlands, Singapore, and France published a report in which they shared new ideas for optimizing the collision search algorithm.
- Thanks to them, briefly, a real attack can cost “in Amazon prices” only 75 thousand dollars and will take approximately 49 days. Well, or more expensive and quickly, to whom it is convenient.
- A well-known expert in Cryptography, Bruce Schneier, commented this in the following way: the 2012 estimate took into account Moore’s law, but did not take into account the improvement of the attack algorithm and attack method (for example, the use of graphics processors for computations that perform the task faster and cheaper). It is really impossible to reliably predict the effect of such optimization.
And then we ask the traditional question: in practice, is this a new study and a new assessment is threatened by someone? Not so that very much.
And how in general such “vulnerabilities” can be exploited?
There is an example for a much less persistent MD5 algorithm:
- We take two different files (in this case we used photos of rock stars) and, subsequently modifying the data in one of them, we get the same hash for two completely different images.
And if more specifically?
- The Flame’s cyber-spy campaign used this technique to sign a malicious file with a valid (at that time) Microsoft certificate. More precisely, the signature was fake, but the hash of the fake signature and the real one coincided. According to an independent assessment, such a trick, even with a weaker algorithm, could cost between $ 200,000 and $ 2 million.
And what about SHA-1?
- The algorithm has been applied since 1995, and, in general, already in 2005, 10 years ago, it was clear that this is not the most reliable technology in the world. But even with new input data, it’s still far from the practical operation, while SHA-1 is gradually being taken out of use and replaced by more reliable hashing algorithms.
- Until 2017, developers of major browsers plan to abandon the use of SHA-1. Perhaps it is worth hurrying, because if in three years the estimated price of the attack has fallen from $ 2.77 million to $ 100,000, then what can happen in a year? On the other hand, all vulnerability studies of SHA-1 are of purely scientific value.
- In the Netgear N300 routers found a vulnerability. Well, yes, another hole in the routers, and somehow it turns out that they are all different but at the same time. In one of the last series, we already discussed a pack of holes in Belkin devices. At Netgear and all somehow quite insulting. Open the web interface of the router. We enter the password, incorrect because the router is a stranger and the password we do not know. We are sent to the page where they write Access Denied. But if you try to open a page named BRS_netgear_success.html, then … we, too, will not be allowed anywhere. But if you try to do this several times in a row, then – you will be given an access.
- Naturally, while it is desirable to be already inside the local network, which somewhat complicates the task. Although if a router, for example, distributes WiFi in a cafe, then getting inside is not a problem. And if the owner for some reason included access to the web interface from the Internet, then everything is simple.
By the way, can anyone say why in principle you need access to the web interface from the outside?
- It is to the web interface of the router, and not to any pieces on the local network. I think there are no reasons to do this at all, and there are plenty of reasons not to do it, as you can see.
In general, everything went well enough:
The vendor was notified, two months later he made a beta version of the firmware. Still a little bit and it turned out, but no, it turned out that the vulnerability is exploited, as they say, “in the fields.”
- The Swiss company Compass Security discovered such a router with changed settings: as a DNS server, it was not the provider’s address that was registered, as it usually does, but do not understand that. Accordingly, through this have passed all DNS-requests. Investigation of the server of attackers showed that it “serves” more than 10 thousand hacked routers.
Fun fact: Compass Security for a long time could not get any response from NetGear. Then the dialogue did happen, and they were even sent a beta version of the firmware for testing. But then (from nowhere), the Shellshock Labs company appeared and published its study of the same vulnerability in general without agreeing with anyone (which is not very good). Of course, to name the company in honor of the bug in bash is cool, but the principle of “do no harm” has not been canceled. But from the study of “shakers,” it becomes clear where the vulnerability in the web interface came from. The firmware code allows you to enter the web interface without a password once, the first time you start it. To continue this did not work, a flag was provided, which was simply forgotten. Yes, the firmware was finally updated.
- We are talking about another scientific study, although certainly not such a giver like in the history of SHA-1. Researchers from Cambridge University have done an interesting thing. They collected data on 32 serious vulnerabilities in Android, because they chose the 13 most serious of them, and checked at once many phones from different manufacturers for the presence of this vulnerability.
It was checked as follows:
- The Device Analyzer application was made, through which various anonymous telemetry was openly collected from the participants of the experiment, including such parameters as OS version and build number. Total managed to collect information from more than 20 thousand smartphones.
Next, comparing the version number of Android with information about the vulnerabilities, were able to roughly assess the scale of the disaster. The result is this
- The average of the indicators for the whole period of research and gave the same figure in 85% – on average at any time this is the proportion of devices on Android subject to one of the known and potentially dangerous vulnerabilities. Or not one. As usual, the stress should be made on “potentially” – the Stagefright example makes it clear that even the most dangerous vulnerability is subject to severe restrictions on practical implementation.
- But on this the researchers did not stop and made a rating of the “danger” of devices by manufacturers, calling it the FUM Score. It takes into account the reaction time of the vendor to information about the new vulnerability – how quickly the patch appears in the devices of a particular manufacturer.
- The winner was, predictably, a series of smartphones Nexus: it fixes bugs as quickly as possible.
- In the second place, LG, on the third – Motorola. However, there are no “winners” here, some are losers.
- The calculation takes into account the share of the updated devices, that is, not only the vendor should release the patch, but also the owner – do not be too lazy to update. The older the device, the worse: in a separate ranking of models of smartphones, not the oldest devices two or three years ago, very dismal performance. Why? Without update. But still in use.
In general, there are quite a few loose assumptions in the research methodology, and it proves that everyone knows. According to the researchers, one of the goals of their work is an additional motivation for manufacturers to fix the system of patching holes in their devices. But what is really important is that in the picture above we see an example of an ecosystem that in principle can not be 100% safe. Although Android with its fragmentation is the most revealing example, there are many such ecosystems. You can say that IOS is safer, but as the first digest history shows, there is no absolutely reliable system, there are budget limitations.
And this is such a very important time when choosing a defense strategy.