This week in security news saw the world’s researchers discover a whole new range of Achilles Heels for PCs, the online privacy service Tor, and even ‘connected’ gadgets such as internet fridges – which, in an in-depth test of the most popular devices turned out, on average, to have 25 serious flaws each.
Such security news revelations are, of course, to be expected in the run-up to one of the biggest events in the security calendar – Black Hat USA 2014, scheduled for 2nd August in Las Vegas.
The story that probably worried the most people – a new technique for identifying individuals within the anonymizing service Tor – broke when researchers decided NOT to talk at Black Hat.
The talk, entitled “You Don’t Have to be the NSA to Break Tor” aimed to showcase a technique which could “uncloak” users of the anonymizing web service for less than $3,000. Tor (a privacy tool which conceals the identity of users by “bouncing” traffic around the web), is widely used by political activists – as well as criminals. At the last moment, Cornell University legal counsel cancelled the talk. A later blog post from the Tor Project said that an attack against the network, lasting five months, appeared to be associated with the researchers.
“Hidden service operators should consider changing the location of their hidden service,” the Project’s blog advised. The Tor Project also warned that the attack could pave the way for future attempts by other adversaries such as “large intelligence agencies.”
Even more spectacularly – given the sheer number of potential victims – another Black Hat speaker ‘uncloaked’ himself, and revealed that USB ports were not in fact a stable, reliable component – but a lethal back door by which malware could sneak into computers, with no current defense able to detect or stop it.
While current anti-malware services scan for malicious software on USB sticks, the devices also have firmware – to help the gadgets interact with PCs, for instance allowing a USB stick to download and upload files. Karsten Nohl of Berlin’s SR Labs says that this firmware can be spoofed – allowing devices to steal data, spy and control computers. Nohl said he would be “surprised” if the NSA were not aware of the technique.
Gizmodo reports that Nohl’s team wrote malware, titled BadUSB, specifically for the attack: “It can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic.”
ESET Senior Research Fellow David Harley says that computer mice and keyboards are probably safe – so far. “No cause for panic, as far as I can tell from the information I have so far,” Harley says. “It’s not as though your 10-year-old thumb drive will suddenly be infected by Stuxnet, at any rate via this vector.
While security-conscious gadget fans were still reeling from the news that USB ports were gateways through which malicious mice might attack, the rest of the “connnected home” was revealed to be a security house of horrors, too.
In the first in-depth survey of its kind, popular “Internet of Things” devices found that intelligence services almost certainly have access to critical data such as grocery listings, and thermostat settings. HP’s tests found gadgets revealed personal information, accepted weak passwords such as “1234” and failed to encrypt messages to the cloud, to apps, and to home networks.
HP found that 70% of the devices had critical vulnerabilities, and said that they seemed to combine all the weaknesses of networks, applications and mobile devices into something “new and even more insecure”. Early adopters are advised (by HP) to put the leaky devices on a separate network. Perhaps waiting a while before making a purchase may be equally effective.
Android users – no strangers to security scares – were teased with details of a truly terrifying vulnerability – which leaves up to 80% of devices vulnerable to “bad apps” impersonating good ones. “It is very, very easy for malware to use this attack— it is silent, transparent, with no notifications to users,” Jeff Forristal of Bluebox Security, which uncovered the bug said. The bug allows apps to use digital signatures for other publishers and thus perform actions such as stealing data. Forristal will present more details of his research at Black Hat 2014, saying, “This can lead to a malicious application having the ability to steal user data, recover passwords and secrets, or in certain cases, compromise the whole Android device.” Google has patched the bug, but only for handsets running Android 4.4 or later. Older Android owners will just have to wait, and hope Google’s beefed up defenses in Google Play are enough to prevent apocalypse.
Author Rob Waugh, We Live Security