
Hack Brief: Mobile Manager’s Security Hole Would Let Hackers Wipe Phones


REMOTE MANAGEMENT SYSTEMS for mobile phones are supposed to make it easy for companies to wipe a device clean if it gets lost or stolen. But a vulnerability discovered in a popular remote management system used by thousands of businesses to manage employee mobile phones would allow an attacker to wipe a CEO’s phone clean, steal the phone’s activity log, or determine the executive’s location, researchers say.

The Hack

The hack involves an authentication bypass vulnerability in SAP AG’s Afaria mobile device management system, which is used by more than 6,300 companies. Ordinarily, system administrators send a signed SMS from an Afaria server to lock or unlock a phone, wipe it, request an activity log, block the user, disable Wi-Fi, or obtain location data. But researchers at ERPScan found that the signature can be forged.

The signature is a SHA-256 hash over three values: the mobile device ID, or IMEI; a transmitter ID; and a LastAdminSession value. None of the three is secret. An attacker can obtain the transmitter ID simply by sending a connection request to the Afaria server over the Internet, and the LastAdminSession, a timestamp indicating the last time the phone communicated with the Afaria server, is not checked, so any timestamp will do. The only things the attacker needs to direct the attack, then, are the target’s phone number and IMEI (International Mobile Station Equipment Identity). Phone numbers can be obtained from websites or business cards, and an attacker can determine the IMEI of devices by sniffing phone traffic at a conference or outside a company’s office using a home-made stingray-like device. Since IMEIs are often sequential for corporations that purchase phones in bulk, an attacker who knows one IMEI can guess the IMEIs of other phones belonging to the company.
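Why the scheme fails, as an added illustration (not ERPScan’s or SAP’s code): a SHA-256 hash over values the attacker can obtain is not a signature, because nothing in it is secret. The block below builds such a hash from the three fields the article names, shows that a party holding no key produces the same value, and contrasts it with a keyed HMAC bound to the command and a fresh nonce. The field concatenation format, the command name and the keyed scheme are assumptions for the example; the IMEI is the well-known example value, not a real device. The Luhn helper covers the caveat behind the article’s “sequential IMEI” remark: the 15th digit is a checksum, so a neighbouring IMEI is the 14-digit body plus a recomputed check digit.

```python
"""Unkeyed hash versus keyed MAC for remote-management commands.

Added example, not ERPScan's or SAP's code. Field names follow the article;
the "|" join, the command names and the HMAC design are assumptions.
"""
import hashlib
import hmac
import secrets


def weak_signature(imei: str, transmitter_id: str, last_admin_session: str) -> str:
    """Unkeyed SHA-256 over three attacker-obtainable fields (assumed format).
    No secret enters the hash, so anyone who knows the fields can compute it."""
    msg = "|".join((imei, transmitter_id, last_admin_session)).encode()
    return hashlib.sha256(msg).hexdigest()


def weak_verify(sig: str, imei: str, transmitter_id: str, last_admin_session: str) -> bool:
    """What a device that trusts the unkeyed hash would do."""
    return hmac.compare_digest(sig, weak_signature(imei, transmitter_id, last_admin_session))


def strong_signature(server_key: bytes, imei: str, command: str, nonce: str) -> str:
    """Assumed replacement: HMAC-SHA256 under a server-held key, bound to the
    command being authorised and to a fresh nonce. Without server_key the
    value cannot be computed, whatever else the attacker knows."""
    msg = "|".join((imei, command, nonce)).encode()
    return hmac.new(server_key, msg, hashlib.sha256).hexdigest()


def strong_verify(server_key: bytes, sig: str, imei: str, command: str,
                  nonce: str, seen_nonces: set) -> bool:
    """Constant-time comparison plus replay rejection of reused nonces."""
    if nonce in seen_nonces:
        return False
    ok = hmac.compare_digest(sig, strong_signature(server_key, imei, command, nonce))
    if ok:
        seen_nonces.add(nonce)
    return ok


def imei_check_digit(first14: str) -> str:
    """Luhn check digit over the first 14 IMEI digits: double every second
    digit from the right, subtract 9 from doubled values above 9, sum."""
    total = 0
    for i, ch in enumerate(reversed(first14)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def neighbouring_imeis(known: str, span: int) -> list:
    """Candidate IMEIs within +/- span of a known one (the sequential bulk
    purchase the article describes), each with a valid check digit; a
    neighbour that keeps the original check digit would simply be rejected."""
    base = int(known[:14])
    out = []
    for delta in range(-span, span + 1):
        if delta == 0:
            continue
        body = f"{base + delta:014d}"
        out.append(body + imei_check_digit(body))
    return out


def demo() -> tuple:
    """Returns (weak forgery accepted, genuine MAC accepted, replay accepted,
    keyless forgery of the MAC accepted). All inputs are constructed."""
    imei = "490154203237518"          # well-known example IMEI, not a real device
    transmitter_id = "AFARIA-TX-01"   # constructed; obtainable via a connection request
    arbitrary_ts = "2015-10-01T00:00:00Z"
    forged = weak_signature(imei, transmitter_id, arbitrary_ts)
    forged_ok = weak_verify(forged, imei, transmitter_id, arbitrary_ts)

    key = secrets.token_bytes(32)      # held by the server only
    seen = set()
    nonce = secrets.token_hex(16)
    genuine = strong_signature(key, imei, "WIPE", nonce)
    first_ok = strong_verify(key, genuine, imei, "WIPE", nonce, seen)
    replay_ok = strong_verify(key, genuine, imei, "WIPE", nonce, seen)
    attacker_key = secrets.token_bytes(32)   # attacker guessing a key
    forged_mac = strong_signature(attacker_key, imei, "WIPE", "n2")
    forged_mac_ok = strong_verify(key, forged_mac, imei, "WIPE", "n2", seen)
    return forged_ok, first_ok, replay_ok, forged_mac_ok


if __name__ == "__main__":
    print(demo())
    print(neighbouring_imeis("490154203237518", 2))
```

The point of `strong_verify` is not the hash function but the key: swapping SHA-256 for SHA-512 in `weak_signature` changes nothing, because the device cannot distinguish the server from anyone else who knows the same public fields.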


Who’s Affected?

Because the vulnerability is in the management system, not a phone’s operating system, it affects all mobile operating systems used with the Afaria server—Windows Phone, Android, iOS, BlackBerry and others. Afaria is considered one of the top mobile device management platforms on the market, and ERPScan estimates that more than 130 million phones would be affected by the vulnerability. The ERPScan researchers presented their findings last week at the Hacker Halted conference in Atlanta, but say many companies who use the Afaria system did not get the message.

SAP AG, a German company, has issued a patch for the vulnerability, but Alexander Polyakov, CTO of ERPScan, says his company, which specializes in SAP (Systems, Applications and Products) security, often finds businesses with years-old vulnerabilities unpatched in their SAP systems.

“The administrators usually don’t apply patches especially with SAP [systems] because it can affect usability,” he notes. “So what we see in the real environment is, we see vulnerabilities that were published three years ago but are still in the system [unpatched]. They really need to implement these patches.”

How Severe Is This?

The vulnerability is somewhat similar to the recent Stagefright security hole that hit Android in that both attacks involve sending a text message to a phone. But Stagefright, which would allow an attacker to execute remote code on a phone to steal data from it, affects only Android phones, whereas the SAP Afaria vulnerability affects a broader range of mobile phones and devices. Although wiping data from a phone isn’t catastrophic—if there is a backup from which the phone can be restored—not all employees and businesses back up phone data. And even if phones are backed up, it can take days to restore them if an attacker wipes numerous phones at a company.

The authentication bypass vulnerability wasn’t the only flaw ERPScan researchers discovered in the SAP Afaria system. They also found hard-coded encryption keys as well as a cross-site scripting vulnerability that would allow an attacker to inject malicious code into the Afaria administrative console and potentially use it to deliver malware to employee phones. SAP has patched these flaws as well.

Source:http://www.wired.com/

“Funtenna” software hack turns a laser printer into a covert radio


LAS VEGAS—During the Cold War, Soviet spies were able to monitor the US Embassy in Moscow by using a radio retroreflector bug—a device powered, like modern RFID tags, by a directed radio signal. But that was too old school for Ang Cui, chief scientist at Red Balloon Security and a recent PhD graduate of Columbia University. He wanted to see if he could do all of that with software.

Building on a long history of research into TEMPEST emanations—the accidental radio signals given off by computing systems’ electrical components—Cui set out to create intentional radio signals that could be used as a carrier to broadcast data to an attacker even in situations where networks were “air-gapped” from the outside world. The result of the work of his research team is Funtenna, a software exploit he demonstrated at Black Hat today that can turn a device with embedded computing power into a radio-based backchannel to broadcast data to an attacker without using Wi-Fi, Bluetooth, or other known (and monitored) wireless communications channels.

It turns out that embedded computing devices can be used to broadcast data covertly in all sorts of ways, as demonstrated in this video from Ang Cui’s Funtenna project.

Cui has previously demonstrated a number of ways to exploit embedded systems, including printers and voice-over-IP phones. In 2012, he demonstrated an exploit of Cisco phones that turned on the microphone and transformed phones into a remote listening device. Michael Ossmann of Great Scott Gadgets, a hardware hacker who has done some development of exploits based on concepts from the NSA’s surveillance “playset,” suggested to Cui that he could turn the handset cord of the phone into a “funtenna”—an improvised broadcast antenna generating radio frequency signals programmatically.

With just seven lines of code injected into the embedded computer of an otherwise unmodified laser printer, Cui was able to turn the printer into a radio transmitter simply by leveraging the electrical properties of the printer’s existing input and output ports. By rapidly flipping the power state of general purpose input/output (GPIO) pins, Pulse Width Modulation (PWM) outputs, and UART (serial) outputs on a Pantum P2502W laser printer—“the cheapest laser printer we could find,” Cui said—the Funtenna hack drove rapidly changing currents through the wires attached to those pins. The changing current radiates an electromagnetic wave, and controlling the toggling pattern from software modulates that wave into a signal carrying data.

The hack couldn’t generate signals strong enough using the relatively short wires of the GPIO connections on the printer. Despite flipping every GPIO output available, he only got an effective range of transmission of a few meters. Instead, the UART output with a 10-foot cable generated a signal that could be picked up from outside a building—even through reinforced concrete based on Cui’s research.
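To make the modulation in the two paragraphs above concrete, here is an added example (not Red Balloon Security’s or Ang Cui’s code, and not the seven lines used on the printer) of the simplest scheme that matches the description: on-off keying, where a ‘1’ bit is a burst of pin toggling at the carrier rate and a ‘0’ bit is silence. The pin is simulated as a log of output levels so the block runs on a PC, and a matching receiver recovers the bytes from the recorded toggle pattern. The two-byte payload and the 16-half-period bit length are constructed values; on real hardware each write would be a GPIO or UART register access followed by a delay of half the carrier period.

```c
/* On-off keying over a bit-banged output pin: the principle behind Funtenna.
 * Added example, not Red Balloon Security's or Ang Cui's code. The pin is
 * simulated (one recorded sample per carrier half-period) so the modulator
 * and a matching receiver can run on a PC. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SAMPLES 4096

/* Simulated pin: a log of output levels, one entry per carrier half-period. */
typedef struct {
    uint8_t level[MAX_SAMPLES];
    size_t n;
} sim_pin_t;

static void pin_write(sim_pin_t *p, int level) {
    /* On the printer: write the GPIO/UART register, then delay half a period. */
    if (p->n < MAX_SAMPLES) p->level[p->n++] = (uint8_t)level;
}

/* Send one byte, MSB first. A '1' bit is a burst of carrier (the pin toggles
 * every half-period for toggles_per_bit half-periods); a '0' bit is silence
 * (pin held low for the same time). Each bit therefore lasts
 * toggles_per_bit / 2 carrier cycles. */
static void ook_send_byte(sim_pin_t *pin, uint8_t byte, int toggles_per_bit) {
    for (int b = 7; b >= 0; b--) {
        int bit = (byte >> b) & 1;
        for (int t = 0; t < toggles_per_bit; t++)
            pin_write(pin, bit ? (t & 1) : 0);
    }
}

/* Modulate a whole buffer; returns the number of half-period samples emitted. */
size_t ook_send(sim_pin_t *pin, const uint8_t *data, size_t len, int toggles_per_bit) {
    pin->n = 0;
    for (size_t i = 0; i < len; i++)
        ook_send_byte(pin, data[i], toggles_per_bit);
    return pin->n;
}

/* Receiver: count level transitions inside each bit window. A window that
 * carries the burst has toggles_per_bit - 1 transitions, a silent one has
 * none, so a threshold at half the window length separates them.
 * Returns the number of bytes decoded. */
size_t ook_recv(const sim_pin_t *pin, int toggles_per_bit, uint8_t *out, size_t out_len) {
    size_t nbytes = pin->n / (size_t)toggles_per_bit / 8;
    if (nbytes > out_len) nbytes = out_len;
    memset(out, 0, nbytes);
    for (size_t bit = 0; bit < nbytes * 8; bit++) {
        size_t start = bit * (size_t)toggles_per_bit;
        int transitions = 0;
        for (size_t s = start + 1; s < start + (size_t)toggles_per_bit; s++)
            if (pin->level[s] != pin->level[s - 1]) transitions++;
        if (transitions > toggles_per_bit / 2)
            out[bit / 8] |= (uint8_t)(0x80u >> (bit % 8));
    }
    return nbytes;
}

/* Round trip over the simulated pin with a constructed two-byte payload.
 * Returns 1 when the receiver recovers exactly what was sent. */
int ook_roundtrip_ok(void) {
    static sim_pin_t pin;
    const uint8_t msg[2] = { 'h', 'i' };
    uint8_t out[2] = { 0, 0 };
    ook_send(&pin, msg, sizeof msg, 16);
    return ook_recv(&pin, 16, out, sizeof out) == 2 && out[0] == 'h' && out[1] == 'i';
}

int main(void) {
    int ok = ook_roundtrip_ok();
    printf("OOK round trip %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The carrier frequency is whatever toggle rate the pin can sustain, which is why the article’s longer UART cable mattered more than the pin choice: the code sets the frequency, but the wire is the antenna, and a longer wire radiates a given toggle pattern much more efficiently.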

The demonstration, Cui said, shows that embedded devices need their own built-in defenses to truly be secure. And printers are merely a starting point for Cui’s work. The same sort of attack could conceivably be launched from any “internet of things” device or other system with onboard computing power—including network routers and firewalls.

“A network [intrusion detection system] is no substitute for host-based defense,” he said. “You could monitor every known spectrum, but it would be very expensive and may not work. The best way is to have host-based defense baked into every embedded device.”

Source:http://arstechnica.com/

The USB condom keeps your phone from catching diseases from strange charging ports


Mobile devices are becoming an important part of our daily lives, but battery life often falls short of expectations. This has led many people to see an open charging port as an oasis in the desert. Free power? What could go wrong? Well, for a start, the charging socket on a smartphone is also a data transfer port, so there is at least some risk of your bits being grabbed. This is called juice-jacking, but now there is a handy prophylactic defense: the USB condom.

This is almost certainly not the product that came to mind when you heard the name. The USB condom is a circuit board that plugs into your phone’s USB port and is designed to stop any and all data transfers. With the USB condom between your device and an anonymous socket, you can supposedly plug in with peace of mind.

The condom is a USB dongle that works by sitting between the phone and the power source and controlling which pins are actually connected to the random charging port. Take a look at the connector on the nearest USB cable. You’ll see it is not a single monolithic contact but a row of four pins. There are two data pins, one for power, and one for ground. The USB condom simply passes through the power and ground pins and leaves the data pins disconnected.

The device is not yet available for purchase, but it will be sometime next week. All we have to go on is a simple board diagram. It will be a stripped-down component, perhaps even a bare board, but it should be complete and functional as delivered. Yes, it will be one more thing to carry everywhere, but anyone paranoid about data security will be happy to have one.

Security researchers have been speculating for years that a charging kiosk could be used to push malware to mobile devices, or even pull data straight off the device. In many cases this would require an exploit to bypass the basic security measures built into the phone, but some users have rooted or jailbroken devices, which necessarily lowers the system’s level of protection.

In the wrong hands, the data on your phone is worth more than the phone itself, so the bad guys have plenty of motivation to pursue juice-jacking. May the USB gods have mercy on your data if you plug into a public USB port within 50 miles of the annual DefCon security conference in Las Vegas. That is a place where even using public WiFi or ATMs is very risky. If any juice-jacking is going to happen, it is there.

If the makers of the USB condom have any sense, they will set up shop at next year’s DefCon and make a pile of money selling their smartphone prophylactics. It will come in mini and micro USB flavors. No price is listed on the USB condom’s page yet, but can you really put a price on that kind of peace of mind?

Instituto Internacional de Seguridad Cibernética
International Institute of Cyber Security
www.iicybersecurity.com