Last week there were two security conferences, Black Hat and DEF CON. Due to coronavirus restrictions, both events were held virtually this year, and the DEF CON materials were completely open: the recordings of the presentations were posted on YouTube, the Q&A sessions were conducted in real time on Twitch, and the conference chat ran on Discord. The event was named DEF CON Safe Mode.
One of the largest, if not the most interesting, presentations was the study of vulnerabilities in Qualcomm mobile chips, which are used in a large number of Android devices (up to 40% of the market). The six fixed vulnerabilities allowed denial of service, arbitrary code execution, direct access to the camera, microphone and GPS sensors, and more. In February and March, the details of these holes were passed on to the manufacturer, who patched them in July, but it is not yet clear when the patches will reach real devices. Because of this, there are no technical details in the announcement of the study on the researchers' site, but they are in the DEF CON presentation.
The Hexagon DSP is essentially a separate processor within a Qualcomm SoC, responsible for communicating with peripherals, from the camera to the device's charging circuit. The manufacturer distributes an SDK for working with it, but in practice only code signed by Qualcomm can run on the DSP side. Using fuzzing, the researchers found a large number of small bugs in all the libraries for working with the DSP, more than 400 in total. They crash the executing code with varying consequences: in some cases the phone reboots or freezes, in others code execution is possible, and in others uncontrolled access to peripheral devices is opened. Exploitation involves running a malicious application on the device that accesses the DSP, triggers a crash, and obtains elevated privileges.
It is still impossible to assess the real scale of the problem without details. We only know that Qualcomm's developers have closed the vulnerabilities, but the patches still need to be delivered to the devices. Analysis of the latest set of security updates for Android showed that the fixes were not included in it. In addition, Check Point suggests that vendors will also have to recompile their own code to work with Hexagon in order to completely eliminate the vulnerabilities. Unsupported devices that do not receive security updates are likely to remain vulnerable.
Other interesting presentations from DEF CON and Black Hat:
- A discussion of a hypothetical attack on high-power IoT devices such as washing machines and heaters. The authors offer interesting hacking scenarios. For example, turning on thousands of heaters at the same time can affect the cost of electricity, which in turn indirectly affects the exchange rate of cryptocurrencies, since that depends on mining (news).
- 19 vulnerabilities were found and closed in the multimedia system of Mercedes E-Class cars; one of them allows an attacker to remotely open the doors and start the engine. Analysis of the device's firmware also showed the possibility of an attack on the manufacturer's control servers (news).
- Research by James Pavur on the results of "satellite fishing", a method of intercepting satellite data. It would seem that with the spread of encrypted data transmission such a scenario should have become a thing of the past, but no: it is not just legacy systems that run over plain HTTP. The author managed to intercept the communications of a Chinese airline's plane, a login to the admin panel of a wind turbine in France, and discussions about repairing a generator on a fuel tanker in Egypt (see also the article in ArsTechnica).
What else happened:
Intel is investigating a leak of 20 gigabytes of data, including source code (ArsTechnica article, discussion on Habr). Most likely, the leaked information is material that the vendor shares with partners under NDA.
An interesting article based on a user's observations of a Google Home smart speaker. The owner of the device triggered a fire alarm and received a notification on his phone. This is generally good, but it implies that audio is always being recorded on the smart device, and not only after the wake word is spoken. Google called the incident a mistake: a feature under testing accidentally made it into production.
Canon has fallen victim to a ransomware attack.
Data on 900 VPN servers running Pulse Secure software has leaked online. This is a consequence of a serious vulnerability discovered last year. Because that vulnerability allows arbitrary remote reading of data from a vulnerable server, the database contains not only domains and IP addresses, but also SSH keys and other information.