
IoT will forever be in trouble, but there’s hope

Your coffee pot, refrigerator, thermostat, and in-home security system are all connected to the internet. Or, if they’re not now, they will be one day. Sadly, as the forgotten stepchildren of internet security, these Internet of Things devices are likely doomed to a future teeming with botnets and hackers.

But that doesn’t mean there isn’t hope for the ever-expanding IoT universe — even if it just so happens to be a thin one. While default passwords and poor update policies all contribute to vulnerable internet-connected devices, there are steps that both companies and consumers can take to make sure their security cameras don’t end up crashing Twitter (or worse). 

Whether those steps will ever truly secure IoT products is unclear, but they’re at least enough to provide the smallest glimmer of hope in an industry otherwise devoid of much positive news. And it’s a good thing, too, because without that hope the ecosystem is pretty much screwed. 

Bad news for IoT

Let’s take the big security news of the week: KRACK. The recently disclosed vulnerability in the WPA2 Wi-Fi protocol means that a determined hacker can both intercept and manipulate traffic between a Wi-Fi-connected device and the web. Even properly configured systems are currently at risk, and only switching to an ethernet cable hard line (or updating with a presumably forthcoming manufacturer-issued patch) can keep the bad guys out. While it’s true that an attacker needs some physical proximity to a device to pull this specific attack off — thus reducing the possibility that KRACK would be used to create botnets — there are, and always will be, vulnerabilities discovered in existing devices. 

And that’s a problem. It’s hard enough to convince people to update their computer and smartphone operating systems, let alone whatever firmware runs their smart toaster. That, plus the propensity for manufacturers to ship devices with default passwords, means that attackers can all too often find and exploit armies of devices for their every nefarious whim. That doesn’t even take into account all the products that are abandoned by bankrupt companies or manufacturers that simply decide they have better things to do than issue patches for years-old smart TVs.

When every IoT device is a potential weapon against a healthy internet, the devices themselves become a threat. And threats are to be eliminated. This very much risks being the permanent status of Internet of Things gadgets, and perhaps the smart consumer is right to be forever wary of camera-enabled refrigerators. However, that doesn’t bode well for the industry and suggests that IoT is structurally flawed. 

Some hope

Thankfully, there are straightforward steps that both consumers and device manufacturers can take to both mitigate the current risk posed by Internet of Things devices and make it so the IoT future isn’t a guaranteed security mess. 

The Department of Homeland Security laid out a series of measures that manufacturers can take that, if followed, would go a long way toward securing the world of IoT. Those suggestions include using “unique, hard to crack default user names and passwords,” “using the most recent operating system that is technically viable and economically feasible,” using “hardware that incorporates security features,” automatically applying security patches, and developing “an end-of-life strategy for IoT products.”

When it comes to some of these recommendations, consumers don’t have to wait for device manufacturers to act. Taking measures into your own hands is a surefire way to make sure they get done, after all. 

For starters, when it comes to the default passwords devices are frequently shipped with: One of the first things the new owner of a shiny IoT gizmo should do is set a unique password. This should be easy, and will help keep it out of botnets. It should also, in theory, be simple to update a device when patches for security vulnerabilities are released. Security-focused hardware is out there in the world, too. You can buy routers that are specifically designed to monitor for things like suspicious web traffic.  

Perhaps the hardest part, simply from a psychological standpoint, is knowing when to say goodbye. If the company that made your widget goes out of business or stops issuing updates for it, you and your camera-enabled vibrator may just have to part ways. We know it’s sad, but it’s also for the best. 

While, in the end, the smartest security move may be not to fill your home with IoT gadgets in the first place, that’s a hard sell for people who generally like and find value in their various internet-connected devices. And those people deserve device security just like the rest of us (besides, their unsecured stuff can gunk up the internet for everyone else). 

The IoT ecosystem has a long way to go before it’s not plagued by zombie coffee makers and easily hackable webcams, but with a serious concerted effort and pressure on manufacturers we may one day get there. Here’s hoping that we do, or the only place your favorite web-browsing toaster will belong is in the dumpster.

What the KRACK Wi-Fi vulnerability means for you and your devices

So it turns out your Wi-Fi is vulnerable to hackers. A newly released research paper dropped a pretty sizable security bomb: The security protocol protecting most Wi-Fi devices can essentially be bypassed, potentially allowing an attacker to intercept every password, credit-card number, or super-secret cat pic you send over the airwaves.

So what, if anything, can you do about all this — other than go back to the Ethernet cable-laden Dark Ages? While at present there is no all-encompassing way to protect your Wi-Fi, there are a few steps that you can take to mitigate your risk. And you definitely should. 

First, let’s take stock of just how bad things are. Researcher Mathy Vanhoef, who discovered the vulnerability, explains that it allows for an attack that “works against all modern protected Wi-Fi networks.” That means your home, office, and favorite cafe are all potentially at risk. 

At issue is WPA2 (the standard Wi-Fi security protocol) itself — not how it’s being implemented. Vanhoef realized that he could “[trick] a victim [device] into reinstalling an already-in-use key,” subsequently allowing transmitted information to “be replayed, decrypted, and/or forged.”

Vanhoef has dubbed this method the KRACK attack, which stands for “key reinstallation attacks.”

Importantly, the researcher makes no claim that bad actors are currently exploiting the flaw that he discovered. (That doesn’t necessarily mean they’re not, though.) 

“We are not in a position to determine if this vulnerability has been (or is being) actively exploited in the wild,” he writes on his website. So while no one may at present be using this method to snoop on your web browsing, it doesn’t mean someone hasn’t in the past or won’t in the future. In other words, it’s past time to take some precautionary measures. 

What to do

Unfortunately, our options right now aren’t great. You can make sure your router configuration is up to date, and you should, but even that may not protect you from KRACK. Oh, and changing your Wi-Fi password won’t do anything to help. However, there is some good news. Notably, the problem can be fixed. That means you shouldn’t have to actually replace your vulnerable devices. 

“[Luckily] implementations can be patched in a backwards-compatible manner,” writes Vanhoef.  “This means a patched client can still communicate with an unpatched access point, and vice versa. […] However, the security updates will assure a key is only installed once, preventing our attacks. So again, update all your devices once security updates are available.”
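The two passages above describe the flaw (a victim device is tricked into reinstalling a key it already uses, after which traffic can be replayed, decrypted or forged) and the fix (a patched client installs a key only once). The following toy model, added here as an illustration and not code from Vanhoef or any Wi-Fi implementation, shows why those two statements go together. It is deliberately simplified: the handshake is reduced to a single "message 3" that carries the session key, the real AES-CCMP cipher is replaced by a constructed HMAC-based keystream generator (only the property that matters is kept: keystream depends solely on the key and the packet number), and the names `Client`, `simulate` and `detect_nonce_reuse` are this example's own. Installing a key resets the packet number to zero, so a client that re-installs the same key on a retransmitted message encrypts its next packet with a nonce it has already used, and the two ciphertexts XOR to the XOR of the plaintexts. The patched client refuses the reinstall and the reuse never happens.

```python
"""Toy model of key reinstallation and of the "install a key only once" fix."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Constructed stand-in for a CCMP keystream: derived only from (key, packet number).

    Real WPA2 uses AES in CCM/GCM mode; HMAC-SHA256 is used here so the example
    runs on the standard library alone. The security-relevant property is shared:
    the same (key, packet number) pair always yields the same keystream bytes."""
    out = b""
    block = 0
    while len(out) < length:
        msg = packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Client:
    """Minimal supplicant state: the installed session key and its packet-number nonce."""
    patched: bool
    ptk: Optional[bytes] = None
    packet_number: int = 0  # reset to 0 whenever a key is installed

    def receive_msg3(self, ptk: bytes) -> None:
        """Handshake message 3 instructs the client to install the session key."""
        if self.patched and self.ptk == ptk:
            # The fix: a key already in use is never installed a second time,
            # so a retransmitted or replayed message 3 cannot reset the nonce.
            return
        self.ptk = ptk
        self.packet_number = 0

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Encrypt one frame; returns (packet number, ciphertext)."""
        if self.ptk is None:
            raise RuntimeError("no key installed")
        pn = self.packet_number
        self.packet_number += 1
        return pn, xor(plaintext, keystream(self.ptk, pn, len(plaintext)))


def detect_nonce_reuse(frames: List[Tuple[int, bytes]]) -> Set[int]:
    """Defender-side check: packet numbers that appear more than once under one key."""
    seen: Set[int] = set()
    reused: Set[int] = set()
    for pn, _ in frames:
        if pn in seen:
            reused.add(pn)
        seen.add(pn)
    return reused


def simulate(patched: bool) -> Dict[str, bool]:
    """Run the handshake, send a frame, replay message 3, send another frame."""
    session_key = hashlib.sha256(b"constructed session key for the example").digest()
    p1 = b"message one: 0001"  # constructed plaintexts of equal length
    p2 = b"message two: 0002"

    client = Client(patched=patched)
    client.receive_msg3(session_key)          # legitimate installation
    frame1 = client.encrypt(p1)               # uses packet number 0
    client.receive_msg3(session_key)          # retransmitted/replayed message 3
    frame2 = client.encrypt(p2)               # vulnerable client: packet number 0 again

    reused = detect_nonce_reuse([frame1, frame2])
    # With the same keystream, c1 XOR c2 == p1 XOR p2: the plaintexts' relationship leaks.
    leaked = xor(frame1[1], frame2[1]) == xor(p1, p2)
    return {"nonce_reused": bool(reused), "keystream_leaked": leaked}


if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "vulnerable", simulate(patched))
```

Run as-is, the vulnerable client reports both a reused packet number and a keystream leak, while the patched one reports neither. The `detect_nonce_reuse` check is the kind of sanity test a monitoring tool or a firmware test suite can apply to captured frames: under CCMP a repeated packet number for the same key should never occur, so its appearance is a strong signal that a key was reinstalled.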

Responsible device manufacturers around the world are scrambling to issue patches, and security researcher Kevin Beaumont notes a Linux patch already exists. Other companies are following suit, and Owen Williams of the Charged newsletter has compiled a list of which tech companies are on top of this mess. When patches do become available, you need to update your Wi-Fi-connected gadgets ASAP. 

But wait, there’s another reason you can take a deep breath. Beaumont argues that the level of sophistication required to pull off KRACK on certain devices means the average consumer doesn’t have to freak out right now. Unless they’re running Android, that is. 

“The attack realistically doesn’t work against Windows or iOS devices,” he explains. “The Group vuln is there, but it’s not near enough to actually do anything of interest. There is currently no publicly available code out there to attack this in the real world — you would need an incredibly high skill set and to be at the Wi-Fi base station to attack this. Android is the issue, which is why the research paper concentrates on it.”

So… we’re OK then?

The general consensus coming out of all this appears to be that yes, everything is screwed, but (for now) devices are vulnerable only to really skilled people, and most of those devices can also be protected. Basically, today is not the day that Wi-Fi died. If major providers scramble and release patches (some of which already have), and people actually update their devices, we’ll mostly be OK. 

Sure, some manufacturers won’t issue fixes, and some consumers won’t update, but that’s the ongoing story of online security. 

This is a good opportunity to make sure that your router’s settings are up to date (which, remember, at present still means it’s vulnerable to KRACK), and to set daily reminders to check if the manufacturer of your smartphone, laptop, desktop, tablet, router, smart TV, etc., has released a fix for KRACK. Because the responsible ones will, and when they do it will mean that you can go back to browsing the web one paranoid click at a time.

In the meantime, consider digging out that old Ethernet cable for any sensitive online transactions — your credit card number will thank you.

Huge security flaw leaves Wi-Fi devices wide open to hackers

There’s a hole in Wi-Fi security, and it affects the vast majority of Wi-Fi devices and networks. That very likely means your phone, your home wireless network, your wireless network at work — everything. 

Belgian security researcher Mathy Vanhoef from the imec-DistriNet research group at KU Leuven has discovered a vulnerability in the WPA2 security protocol, used by nearly every Wi-Fi device out there. It allows an attacker to remotely extract decrypted data from a protected Wi-Fi network without knowing the password.

Called KRACK, the attack does not actually recover the victim’s Wi-Fi password. It works by reinstalling the encryption key that’s already in use which, due to a flaw in WPA2, can be used to remotely decrypt traffic. 

Since this is a hole in the WPA2 protocol itself, all devices are affected in some way, no matter the software you’re running. Wi-Fi routers, Android phones, iOS devices, Apple computers, Windows computers, Linux computers — all of them. 

The flaw is also present in the earlier WPA security protocol, and with any encryption suite, including WPA-TKIP, AES-CCMP, and GCMP. 

The vulnerability is extremely dangerous. An attacker could use it to decrypt some or all traffic from a network, including your passwords, credit card numbers, metadata such as cookies, etc. In some cases, an attacker may be able to inject malicious data directly into the traffic, like adding malware to a (normally safe) website you’re visiting. 

Depending on the encryption protocols one uses, the attack can range from bad to worse; in some cases, an attacker will only be able to decrypt your traffic. In others, they’ll be able to essentially take over your connection, forging and injecting packets as they please. 

For example, 41% of Android devices currently in use and numerous Linux variants are vulnerable to a particularly nasty variant of the attack, which according to Vanhoef, “makes it trivial to intercept and manipulate traffic sent by these Linux and Android devices.”

On the other end of the spectrum are iOS, Windows 7, Windows 10 and OpenBSD, which are only vulnerable to the most basic of attacks.

How screwed are we all, really?

There’s a silver lining, however. Vanhoef claims that this hole can be patched on current devices in a way that doesn’t break compatibility. In other words, your patched device will still communicate with other, unpatched devices out there. It will take a long time for all vendors to update all devices out there, and some may never receive the update. But news of this vulnerability did not come overnight; it was anticipated and some vendors have already patched their devices. 

Furthermore, this is primarily an attack against clients (devices connected to a network), not routers. This means that, while routers may be vulnerable, the priority for users will be to update clients, such as laptops, smartphones, IoT devices and the like. And getting a macOS, Linux or Android update will likely be faster than getting an update for that old router you have in the basement. 

Another important bit of news is that some of the attacks described in Vanhoef’s paper are hard to do, meaning there won’t be kid hackers wardriving and stealing your data anytime soon. Generally, an attacker needs to be in the range of the victim’s Wi-Fi network, launch a man-in-the-middle attack against a client connected to that network, spoof its MAC address and change the Wi-Fi channel, all of which can be done today but requires a fair degree of technical knowledge. Then, the attacker would have to launch a script exploiting the KRACK security flaw in some way and collect the decrypted data or inject new data into the network. Very few people possess the technical knowledge to do all this. 

Vanhoef has built a script that exploits this vulnerability on certain Android and Linux devices (see demo video below), but he will only release it “once everyone had a reasonable chance to update their devices.” But given the nature of this security flaw, it likely won’t turn WPA2 into WEP, the earlier Wi-Fi encryption standard, which is thoroughly insecure in all implementations and easily crackable by anyone within minutes. 

In other words, there’s probably no need to turn off your router and disable Wi-Fi on all your devices, at least not yet. You should, however, use HTTPS whenever possible, and a VPN might be a good idea as well. 

[embedded content]

Still, it’s hard to overstate the importance of this news. WPA2 was long thought to be an extremely secure and robust protocol. As Vanhoef explains here, the math behind WPA2’s encryption is still solid; as it often happens, the problem is in the way the WPA2 protocol is implemented. 

But besides being an impressive technical achievement, this is the type of problem that will likely haunt us for many years to come. Once easy-to-use tools that exploit this vulnerability are developed — and they will be — all Wi-Fi capable devices that haven’t been updated with a fix will be at risk. And since a vast number of devices have Wi-Fi connectivity — from your gaming console to your phone to your baby monitor — it’ll be a long time till KRACK stops being a threat. 

Vanhoef’s research paper on KRACK is available here.

This is the most diabolical Android ransomware we’ve ever seen

Consider this yet another PSA on why you should never ever download Adobe Flash Player, or anything resembling it if you’re using an Android phone.

Security researchers at ESET have discovered a new kind of ransomware infecting Android phones on a level nobody’s ever seen before. Called DoubleLocker, the exploit encrypts the data on the infected device and then changes its PIN number so victims are locked out of their device unless they pay the ransom demanded by hackers.

The DoubleLocker hack is a threat to any Android device. It’s particularly worrying because it doesn’t require a “rooted” phone (which would give the attacker extra access to run its own code), yet the effect is severe: locking the user completely out of their own device.

ESET researchers say this is the first time on Android that any malware has been created that combines both data encryption and PIN changes.

The ransomware is distributed through fake Adobe Flash Player downloads shared on compromised websites and it installs itself once you give it accessibility access through the “Google Play Service.” You can see a video of how the ransomware is triggered in the video below.

[embedded content]

The malware installs itself as the default Android launcher, the piece of software that controls the look and feel of the device and how apps and widgets launch, and essentially creates an invisible shortcut that activates itself whenever the home button is pressed.

You’ll know your files are infected if you see a “.cryeye” extension at the end of the file.

DoubleLocker also changes your device’s PIN number to a random combination which isn’t sent to the hackers. With no digital trail, it’s virtually impossible to recover the PIN. The hackers can remotely reset the PIN when you pay the ransom.

Users with DoubleLocker-infected devices have 24 hours to pay 0.0130 Bitcoin (about $73.38 at the time of this writing) to un-encrypt their data. Fortunately, your files aren’t deleted if you don’t pay up. But still, this is ransomware and since your phone will be locked with an unknown passcode, you’re at the hackers’ mercy.

At this time the only way to remove DoubleLocker is to perform a factory reset, which will erase all of your files. 

However, if you have a phone that was rooted and in debug mode before DoubleLocker locked it up, you can bypass the malware’s randomized PIN code without a factory reset, according to WeLiveSecurity. If your device meets both of these parameters, you can access it with the Android Debug Bridge (adb) and remove the file system where the PIN code is stored. Once that’s done, you can switch your device to “safe mode” to disable the admin permissions for the malware and remove it. It’s not an easy process and you should definitely wipe the entire device once you’ve recovered your files, just to guarantee that DoubleLocker is completely removed.

In 2012, Adobe removed Flash from the Google Play Store, officially ending its development on mobile. While Flash was pivotal to the development of the interactive websites during the ’90s and early ’00s, it’s no longer relevant in mobile ecosystems.

Steve Jobs openly criticized Flash for being a huge battery hog and for its endless security exploits. 

While no longer crucial on mobile devices — developers have moved on to the faster and more secure HTML5 — DoubleLocker is a reminder that there are many people who aren’t informed on the dangers that come with installing Flash. 

It might take something as courageous as Adobe publicly denouncing Flash before people ingrain it in their brains that installing Flash anything is extremely insecure and not worth potentially compromising their devices.

Equifax may have been hacked again and it’s not even funny anymore

Equifax, the credit rating reporting agency that exposed personal data of nearly 150 million people, appears to have been hacked — again.

The (probable) hack was noticed by security researcher Randy Abrams and first covered by Ars Technica. While visiting Equifax’s website, Abrams noticed that some pages redirect to a site offering a fake, malware-bearing Flash update. 

Hijacking some pages on a hacked site to target visitors is a common tactic amongst malicious hackers. Often, you won’t see the malware-infested links on every page, and nothing else on the site will indicate that something’s wrong. But click on the link, and boom — your computer is infected. 

Abrams was able to reproduce the behavior several more times, and even took a video (below). 

[embedded content]

I was unable to reproduce this behavior in several browsers and from several IP addresses on my computer, and according to Ars Technica, Abrams, too, didn’t see it in recent visits to the site. It’s possible that Equifax took back control of the site, or that the hackers removed or changed the malicious code on the site. 

If Equifax’s site was really compromised by hackers, it’s just adding insult to injury for the thoroughly embarrassed company. The first breach, announced Sept. 7, allowed hackers to get away with personal information, including social security numbers, of 145.5 million Americans. “We continue to take numerous steps to review and enhance our cybersecurity practices,” interim CEO Paulino do Rego Barros, Jr. said in the original press release.

We’ve contacted Equifax for comment but haven’t yet heard from them.