Threat Research

Recent Security Research News

By Axelle Apvrille | June 28, 2018

This blog post is a summary of some recent research work that caught my attention in May 2018.

Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels

D. Poddebniak et al.

This attack received quite a lot of publicity in May 2018. The paper will be presented at the USENIX Security Symposium in August.

The attack consisted of tricking mail clients into decrypting PGP-encrypted messages and then sending the plaintext content to the attacker.

There are two different variants, but both more or less rely on the same trick: the encrypted content that the attacker wants to decrypt is mixed inside a truncated message that redirects to a URL controlled by the attacker. The idea is to get the mail client to automatically decrypt the encrypted part, and then have it append to the URL and therefore leak the plaintext by going to http://controlled-by-attacker[.]com/plaintext-is-over-here

This attack is not a vulnerability of OpenPGP or S/MIME. It is not a vulnerability of GPG software. It exploits a useful but dangerous feature of mail clients. It affects mail clients that 1) automatically decrypt encrypted emails, and 2) support HTML emails.

It is a clever attack, but IMHO, it should not affect too many people in reality. That’s because mostly geeks or privacy-aware people use GPG, and when they do they usually disable viewing HTML emails (or use mail clients that do not support it altogether.) Nevertheless, if you fall into this category of GPG users, make sure to disable the feature.


Smart Car Forensics and Vehicle Weaponization

S. Tanase, G. Cirlig — PhDays, May 2018

In this talk, the authors come back to an interesting car hack they found in November 2017. They start by explaining that there are different levels of autonomous cars. We are only at the beginning of this evolution, where cars only have some automated functions (level 2). By comparison, a fully autonomous car is level 5.

The development of their hack was triggered when they spotted a hack posted in a forum that was designed to provide SSH access for root on a car. They put that hack on a USB key with autorun enabled, and plugged it into a car's infotainment system. Success: they got root on the infotainment system. Investigating records on the car, they found that when they had plugged a smartphone into the infotainment system the car had crawled its entire address book, emails, SMS, and visited locations—and all of this was stored in plaintext in the system.

They also showed they could use the hack for war-driving:

  • The car would report its geographic location all the time
  • While driving, it would constantly look for open wi-fis and report them

This hack affects the infotainment system. It would be an error to underestimate its security. I personally predict the first car malware will affect a car's infotainment system because that is where most of the interactions / interfaces with the external world occur.

The authors also investigated one hack which affects automatic braking. The car’s braking system constantly sends a 40kHz pulse of sound and then uses the echo to detect an obstacle. This function can be abused to create fake obstacles.


Things Attack

Tan Kean Siong — PhDays, May 2018

The author set up three different IoT honeypots based on some of the most used protocols for IoT:

  • The author configured Dionaea as a Samsung TV to create a Dionaea-based honeypot that acted as an MQTT broker. Attacks on this honeypot peaked in January-February 2018 with over 400 connections from an unknown attacker using an  MQTT client.
  • Another Dionaea honeypot was also configured to support UPnP to fake a SuperMicro, Samsung TV, or Xbox 360. This honeypot recorded several attack peaks during 2016-2018, with a total of over 9.3 million connections detected.
  • A Glutton-based honeypot was also created with default telnet. This honeypot attracted several instances of Mirai and Hajime.

The MQTT clients detected were clearly unauthorized clients, but it's not clear if they were malicious. They could have been a borderline test from a developer. Same with the connections on UPnP. They are not explained, and we don't have enough information to know if they were malicious. However, given the amount of UPnP connections, I would keep an eye on UPnP for botnets in the future.

the Crypto Girl

“Research is formalized curiosity. It is poking and prying with a purpose.”
- Zora Neale Hurston