New zero-day vendor opens up shop, and more in infosec this week
Roundup This week, the infosec world descended on Las Vegas for BlackHat and DEF CON to share stories of bug hunting, malware neural nets, hefty payout offers, and more.
Meanwhile, outside of the desert…
Snapchat source sourced
Photo-slinging biz Snapchat had a pretty rough week, as a mystery code dump on GitHub turned out to be a chunk of the source for its iOS mobile app. The internal source code stayed up for a few days, and some users speculated as to whether it was genuine.
That question was answered when Snapchat filed a DMCA takedown notice to get it scrubbed from the site. While this got the code promptly yanked from GitHub, it also confirmed to everyone that the plundered source was, in fact, actual code from Snapchat’s mobile app.
The code snippet was reportedly taken from a buggy update issued for the iOS app back in May.
Web hosting biz GoDaddy accidentally left an Amazon Webb Servers S3 bucket open to the world that exposed details of 31,000 of its servers, such as their specifications and storage capacity. This was, apparently, due to a misconfiguration caused by an AWS salesperson.
Pacemakers, insulin pumps ‘hackable’
Medical device maker MedTronic is under fire for declining to fix some security weaknesses discovered in its pacemakers and insulin pump equipment.
Infosec bods Billy Rios and Jonathan Butts reported the flaws over a year ago to the manufacturer, and this week spoke about their experiences in dealing with the biz, and the slow rate of progress in getting things fixed, at Black Hat USA 2018.
We’re told miscreants can, over the air, stop vulnerable pumps from delivering insulin, or inject unexpected doses. Hackers can also insert malware into the firmware of a vulnerable pacemaker to disrupt its operation. Such attacks in the real world would be rather debilitating for a patient.
The insulin pumps can be screwed around by someone within wireless range. The pacemaker was infected by reprogramming it using a terminal doctors use to monitor and configure patients’ devices. The software on the terminal had to be altered to achieve this, which required physical access. Alternatively, someone on the local network could intercept and tamper with the firmware as it was downloaded to the programmer via the internet.
MedTronic said the insulin pump in question, apart from not being generally available at least in the US anymore, does not accept over-the-air commands by default, requires replaying radio signals to exploit, and will alert the user of the change in dosage. Rios and Butts argued that the equipment should in any case implement stronger authorization mechanisms for wireless-issued orders.
Similarly, the duo said the pacemakers should only accept firmware cryptographically signed by MedTronic, rather than any old code, when being updated by their reprogramming terminal. MedTronic dismissed malicious reprogramming as an impractical attack, and “low risk,” adding that patients should be safe if they and their doctors ensure the reprogramming terminals remain unhacked. Tell that to the hospitals hit by ransomeware.
The manufacturer has emitted a bunch of advisories lately for its products regarding the pair’s discoveries:
- MyCareLink Patient Monitor 24950 and 24952: “Successful exploitation of these vulnerabilities may allow an attacker with physical access to obtain per-product credentials that are utilized to authenticate data uploads and encrypt data at rest. Additionally, an attacker with access to a set of these credentials and additional identifiers can upload invalid data to the Medtronic CareLink network.” Changes have been made server-side to mitigate this. (CVE-2018-10626 and CVE-2018-10622)
- MiniMed 508 Insulin Pump: “Successful exploitation of these vulnerabilities may allow an attacker to replay captured wireless communications and cause an insulin (bolus) delivery. This is only possible when non-default options are configured. Additionally, the pump will annunciate this by providing a physical alert, and the user has the capability to suspend the bolus delivery.” No mitigations planned. (CVE-2018-10634 and CVE-2018-14781)
- N’Vision Clinician Programmer: “The 8840 Clinician Programmer executes the application program from the 8870 Application Card. An attacker with physical access to an 8870 Application Card and sufficient technical capability can modify the contents of this card, including the binary executables. If modified to bypass protection mechanisms, this malicious code will be run when the card is inserted into an 8840 Clinician Programmer.” No mitigations planned. (CVE-2018-10631 plus CVE-2018-8849)
- 2090 Carelink Programmer: “Successful exploitation of these vulnerabilities may allow an attacker with physical access to a 2090 Programmer to obtain per-product credentials to the software deployment network. These credentials grant access to the software deployment network, but access is limited to read-only versions of device software applications.” That means a miscreant could download copies of the software using hardcoded login details.”Additionally, successful exploitation of these vulnerabilities may allow an attacker with local network access to influence communications between the Programmer and the software deployment network.” That means it’s possible for someone on the local network to tamper with pacemaker firmware as it is downloaded to the programmer. Changes were made server-side to thwart this meddling. (CVE-2018-5446, CVE-2018-544, and CVE-2018-10596)
Whether exploiting these is easier or harder than just stabbing, shooting, or poisoning a victim is an exercise we’ll leave to, er, well, hopefully no one.
Ionescu unveils low-level Windows 10 debug kit
Shortly before everyone headed off to catch their Vegas flights, an interesting new security and debugging tool was dropped for Windows 10.
Alex Ionescu’s r0ak utility lets users with an admin-level account get past all of Microsoft’s pesky security controls and execute code in ring 0, kernel-mode.
Ionescu, who has made something of a habit of cracking open Windows protections, says the tool is designed to help admins get a better handle on system-level events.
“For advanced troubleshooting, IT experts will typically use tools such as the Windows Debugger (WinDbg), SysInternals Tools, or write their own,” the guru explained. “Unfortunately, usage of these tools is getting increasingly hard, and they are themselves limited by their own access to Windows APIs and exposed features.”
Speaking of Windows, a desktop sandboxing feature may have been spotted in a public Insider beta this week.
There’s a new bug market in town
Researchers looking to make a living from bug discoveries will have one more place to do business this fall.
Exploit-brokers Crowdfense announced plans to launch a new service called the Vulnerability Research Platform. The program will look to streamline the process of testing, building, and selling proof of concepts for both individual and chained exploits.
“Through the VRP, Crowdfense experts work in real time with researchers to evaluate, test, document and refine their findings,” said Crowdfense director Andrea Zapparoli Manzoni.
“The findings can be both within the scope of Crowdfense public Bug Bounty Program or freely proposed by researchers (for a specific set of key targets).”
From the sound of things, Crowdfense wants to make it easier for researchers to report and get top dollar for their discoveries. While this might bring to mind images of covert government exchanges, more likely the buyers will be the companies themselves or security firms looking to tout protection from the latest high-profile security holes.
Comcast (again) irks customers (again), this time with a data leak
Stop us if you’ve heard this one: Comcast has done something else to piss off customers who will have little recourse.
This time, the cable giant has managed to let slip portions of customers’ home addresses or the last four digits of their social security numbers thanks to flaws in both its customer and dealer web log-in portals.
Apparently the holes have both been patched, and even when open an attacker would have been unable to get anything more than partial data for either the address or the social security number. But this is going to be yet another bit of bad press for a company that already has an awful reputation with customers.
The Pentagon’s latest security menace: fitness trackers
If you’re stationed abroad, you may no longer be able to post humblebrags about your daily workouts.
That’s because the Department of Defense has issued a directive that troops and department personnel in sensitive areas (i.e. any place where you won’t want to be tracked) quit sharing their fitness data.
The reason is easy enough to understand: Trackers and exercise apps will often share GPS coordinates and other location that would possibly allow a hostile party to track, in some cases even pinpoint, a person’s location at any given time.
The Pentagon says discretion on the ban will be given to military commanders and department heads, who will get to determine just how much info about the day’s workout their subordinates can safely share.
Que malo! MongoDB screw-up by Mexican health provider exposes patient data
This week in “forgot to set any sort of security on the cloud database”, we have Hova Health, a medical provider and unwitting records dealer from Mexico.
According to researcher Bob Diachenko, someone at Hova neglected to restrict access to the company’s MongoDB records database, leaving the entire collection exposed to the open internet (Diachenko discovered the cache via Shodan).
Diachenko estimates that, in total, around 2.3 million people in Mexico had their name, gender, national ID number, insurance details, date of birth, and home address left sitting out in the open. Diachenko said he notified the company and it is reviewing the incident. Hopefully that includes learning how to set access policies on its databases.