Blog

  • Security researchers hack Android remotely over NFC to gain full control and steal all data from a Samsung Galaxy S3

    posted by Keito
    2012-09-20 21:43:37
    'Mobile Pwn2Own at EuSecWest 2012

    Today MWR Labs demonstrated an Android vulnerability at the EuSecWest Conference in Amsterdam. The demonstration of the 0day exploit took place at the Mobile Pwn2Own competition. The exploit was developed in a team effort between our South African and UK offices. The vulnerability was found and the exploit was developed by Tyrone and Jacques in South Africa and Jon and Nils in the UK.

    ### Impact

    MWR showed an exploit against a previously undiscovered vulnerability on a Samsung Galaxy S3 phone running Android 4.0.4. Through NFC it was possible to upload a malicious file to the device, which allowed us to gain code execution on the device and subsequently get full control over the device using a second vulnerability for privilege escalation.

    The same vulnerability could also be exploited through other attack vectors, such as malicious websites or e-mail attachments.

    ### The Vulnerabilities

    The first vulnerability was a memory corruption that allowed us to gain limited control over the phone. We triggered this vulnerability 185 times in our exploit code in order to overcome some of the limitations placed on us by the vulnerability.

    We used the second vulnerability to escalate our privileges on the device and undermine the application sandbox model. We used this to install a customised version of Mercury, our Android assessment framework. We could then use Mercury’s capabilities to exfiltrate user data from the device to a remote listener, including dumping SMS and contact databases, or initiating a call to a premium rate number.

    ### Challenges & Shortcomings

    Android 4.0.4 has many of the exploit mitigation features that are common to desktop Linux distributions, including Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP). Shortcomings in these protections allowed us to leverage the control we had of the device to trigger the second vulnerability. Crucially, the ASLR implementation is incomplete in Android 4.0.4, and does not cover Bionic (Android’s linker) and /system/bin/app_process, which is responsible for starting applications on the device. Other protections which would make exploitation harder were also found to be absent.

    A more in depth technical blog post will be released once the vulnerability has been patched by the vendor, detailing the process of finding and exploiting this bug.'
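    The incomplete ASLR coverage described above comes down to which system binaries are built position-independent (ELF type ET_DYN) and which carry a non-executable stack marker (PT_GNU_STACK without the execute flag). As an added example, not MWR's code, this Python script reads exactly those two facts from an ELF header, so a defender can audit an image's binaries; `build_elf32` is a constructed fixture standing in for a real file such as /system/bin/app_process.

```python
import struct

# ELF constants from the ELF specification
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PF_X = 1


def elf_mitigations(data: bytes) -> dict:
    """Report whether an in-memory ELF image is PIE (ASLR-eligible) and marks its stack NX.
    nx_stack is None when no PT_GNU_STACK header exists (the toolchain default then applies)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                 # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    e_type, = struct.unpack_from(end + "H", data, 16)
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    nx = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            p_type, p_flags = struct.unpack_from(end + "II", data, off)
        else:  # in Elf32_Phdr p_flags sits after the address/size fields
            p_type, = struct.unpack_from(end + "I", data, off)
            p_flags, = struct.unpack_from(end + "I", data, off + 24)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    return {"pie": e_type == ET_DYN, "nx_stack": nx}


def build_elf32(e_type: int, stack_flags: int) -> bytes:
    """Constructed test fixture: a minimal little-endian ARM ELF32 image holding one PT_GNU_STACK header."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 40, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr


def check_file(path: str) -> dict:
    """Convenience wrapper for auditing a binary pulled from a device image (hypothetical path)."""
    with open(path, "rb") as f:
        return elf_mitigations(f.read())
```

A non-PIE executable with an RWX stack (the weak case) and a PIE with an RW stack (the corrected case) are both exercised by the fixture; run it over every ELF under /system/bin to see which binaries ASLR can actually randomise.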
  • Disable Java NOW, users told, as 0-day exploit hits web

    posted by Keito
    2012-08-29 20:33:00
    'All operating systems, browsers vulnerable.

    A new browser-based exploit for a Java vulnerability that allows attackers to execute arbitrary code on client systems has been spotted in the wild – and because of Oracle's Java patch schedule, it may be some time before a fix becomes widely available.

    The vulnerability is present in the Java Runtime Environment (JRE) version 1.7 or later, Atif Mushtaq of security firm FireEye reported on Sunday, while PCs with Java versions 1.6 or earlier installed are not at risk.

    The vulnerability allows attackers to use a custom web page to force systems to download and run an arbitrary payload – for example, a keylogger or some other type of malware. The payload does not need to be a Java app itself.

    In the form in which it was discovered, the exploit only works on Windows machines, because the payload that it downloads is a Windows executable. But the hackers behind the Metasploit penetration testing software say they have studied the exploit and found that it could just as easily be used to attack machines running Linux or Mac OS X, given the appropriate payload.

    All browsers running on these systems were found to be vulnerable if they had the Java plugin installed, including Chrome, Firefox, Internet Explorer, Opera, and Safari.

    Although the actual source of the exploit is not known, it was originally discovered on a server with a domain name that resolved to an IP address located in China. The malware it installed on compromised systems attempted to connect to a command-and-control server believed to be located in Singapore.

    Oracle has yet to comment on the vulnerability or when users should expect a fix, but it might be a while. The database giant ordinarily observes a strict thrice-annual patch schedule for Java, and the next batch of fixes isn't due until October 16.

    Downgrading to an earlier version of Java is not advised, because even though earlier versions aren't vulnerable to this particular exploit, they may contain other bugs that expose still other vulnerabilities.

    In advance of any official patch, and because of the seriousness of the vulnerability, malware researchers at DeepEnd Research have developed an interim fix that they say seems to prevent the rogue Java code from executing its payload, although it has received little testing.

    Because the patch could be used to develop new exploits if it fell into the wrong hands, however, DeepEnd Research is only making it available by individual request to systems administrators who manage large numbers of clients for companies that rely on Java.

    For individual users, the researchers say, the best solution for now is to disable the Java browser plugin until Oracle issues an official patch.'

    http://www.theregister.co.uk/2012/08/27/disable_java_to_block_exploit/
  • Hackers backdoor the human brain, successfully extract sensitive data

    posted by Keito
    2012-08-18 11:29:20
    And this, my friends, is why we need trustworthy governments more than ever. The future is now, and politics has yet to catch up with technological advancements. We need open, honest and transparent governments if we are to embrace the next century peacefully; not the corrupt, secretive governments which we've put up with for far too long.

    This latest brain-breakthrough, put in the wrong hands, could quite easily be used by unscrupulous governments worldwide to usher in a nightmare dystopian future for us all. It would obviously be a gross breach of human rights to impose this technology unwillingly on another human being, but time and time again we see our governments ignoring such pesky annoyances; and who's to say that this technology would have to be forcefully imposed upon someone? Whack a great big Apple logo on the hardware and people will not only wilfully wear such a thing, they'll pay a handsome fortune in order to do so! Such is the way of the sheep.

    It's not a hop-skip-and-a-jump away to take a chip, embed it in this part of the brain, and then stream your 'thoughts' via wireless to some central computer system. I'm sure the NSA would love to extend their 'surveillance' operatives further into this realm... all in the name of keeping you safe from terror, mind you. Isn't that the key trigger word to gain backing from the public nowadays? This would be a great weapon to add to their arsenal in the War On Terror, never mind the fact that the real (mis)use of such a technology would almost certainly be far more sinister... never underestimate the corruption that power brings, and the ability of our governments to go 'rogue'.

    To be honest, I'm more worried (read 'terrified') of our 'democratic' governments' attacks on freedom, civil liberties and human rights, than I am of some once-in-a-blue-moon terrorist attack. Hell, I was a child born of the 80s, and the good folk of Britain didn't lose their collective marbles when we were the victim of terrorist attacks back then. Yet, now it seems we're quite willing to drop all sensibilities and power for rational thought, as soon as the politicians tell us "the threat level is significant"... Really? Because I see more of a threat in our governments' daily actions. If anything, our governments' actions continue to breed more and more terrorists (thanks to their ridiculous approach to foreign policy in the Middle East), increasing the risk every day, in their pursuit to 'combat terrorism' in their failed 'war on terror'. The phrase itself is an oxymoron. Are our very actions in this 'War On Terror' not terrorism itself? One need only look at the Collateral Damage video, released by the WikiLeaks organisation some time ago, to see that our governments are waging a terrorism campaign... and not only that, but they are trying to keep this fact hidden from the people they are supposed to be representing/governing.

    Not once, during all this time, has anyone in any position of power addressed the real reason why these 'terrorists' have done what they have done. Who trained them? Why did they have a problem with the US/UK in the first place? Our governments wrongly feel that the way to 'fix' *their* mess is to go into the home countries of these terrorists, guns blazing... That, on closer inspection, is a dumb move (though I, for one, always thought as much).

    Anyway, the real story here, after our little excursion into rantdom, is this:

    "With a chilling hint of the not-so-distant future, researchers at the Usenix Security conference have demonstrated a zero-day vulnerability in your brain. Using a commercial off-the-shelf brain-computer interface, the researchers have shown that it’s possible to hack your brain, forcing you to reveal information that you’d rather keep secret.

    As we’ve covered in the past, a brain-computer interface is a two-part device: There’s the hardware — which is usually a headset (an EEG; an electroencephalograph) with sensors that rest on your scalp — and software, which processes your brain activity and tries to work out what you’re trying to do (turn left, double click, open box, etc.) BCIs are generally used in a medical setting with very expensive equipment, but in the last few years cheaper, commercial offerings have emerged. For $200-300, you can buy an Emotiv (pictured above) or Neurosky BCI, go through a short training process, and begin mind controlling your computer.

    Both of these commercial BCIs have an API — an interface that allows developers to use the BCI’s output in their own programs. In this case, the security researchers — from the Universities of Oxford and Geneva, and the University of California, Berkeley — created a custom program that was specially designed with the sole purpose of finding out sensitive data, such as the location of your home, your debit card PIN, which bank you use, and your date of birth. The researchers tried out their program on 28 participants (who were cooperative and didn’t know that they were being brain-hacked), and in general the experiments had a 10 to 40% chance of success of obtaining useful information (pictured above).

    To extract this information, the researchers rely on what’s known as the P300 response — a very specific brainwave pattern (pictured right) that occurs when you recognize something that is meaningful (a person’s face), or when you recognize something that fits your current task (a hammer in the shed). The researchers basically designed a program that flashes up pictures of maps, banks, and card PINs, and makes a note every time your brain experiences a P300. Afterwards, it’s easy to pore through the data and work out — with fairly good accuracy — where a person banks, where they live, and so on.

    In a real-world scenario, the researchers foresee a game that is specially tailored by hackers to extract sensitive information from your brain — or perhaps an attack vector that also uses social engineering to lull you into a false sense of security. It’s harder to extract data from someone who knows they’re being attacked — as interrogators and torturers well know.

    Moving forward, this brain hack can only improve in efficacy as BCIs become cheaper, more accurate, and thus more extensively used. Really, your only defense is to not think about the topic — but if you’re proactively on the defensive, then the hacker has already messed up. The only viable solution that I can think of is to ensure that you don’t use your brain-computer interface with shady software, brain malware — but then again, in a science-fictional future, isn’t it almost guaranteed that the government would mandate the inclusion of brain-hacking software in the operating system itself?"

    http://www.extremetech.com/extreme/134682-hackers-backdoor-the-human-brain-successfully-extract-sensitive-data