33 Linksys router models leak full historic record of every device ever connected

Hard-to-fix flaw cause >25,000 routers to leak >756,000 unique MAC addresses.

33 Linksys router models leak full historic record of every device ever connected

(credit: US Navy)

More than 20,000 Linksys wireless routers are regularly leaking full historic records of every device that has ever connected to them, including devices' unique identifiers, names, and the operating systems they use. The data can be used by snoops or hackers in either targeted or opportunistic attacks.

(credit: Troy Mursch)

Independent researcher Troy Mursch said the leak is the result of a persistent flaw in almost three dozen models of Linksys routers. It took about 25 minutes for the Binary Edge search engine of Internet-connected devices to find 21,401 vulnerable devices on Friday. A scan earlier in the week found 25,617. They were leaking a total of 756,565 unique MAC addresses. Exploiting the flaw requires only a few lines of code that harvest every MAC address, device name, and operating system that has ever connected to each of them.

The flaw allows snoops or hackers to assemble disparate pieces of information that most people assume aren’t public. By combining a historical record of devices that have connected to a public IP addresses, marketers, abusive spouses, and investigators can track the movements of people they want to track. The disclosure can also be useful to hackers. The Shadowhammer group, for instance, recently infected as many as 1 million people after hacking the software update mechanism of computer maker ASUS. The hackers then used a list of about 600 MAC addresses of specific targets that, if infected, would receive advanced stages of the malware.

Read 6 remaining paragraphs | Comments

The radio-navigation planes use to land safely is insecure and can be hacked

Radios that sell for $600 can spoof signals planes use to find runways.

A plane in the researchers' demonstration attack as spoofed ILS signals induce a pilot to land to the right of the runway.

Enlarge / A plane in the researchers' demonstration attack as spoofed ILS signals induce a pilot to land to the right of the runway. (credit: Sathaye et al.)

Just about every aircraft that has flown over the past 50 years—whether a single-engine Cessna or a 600-seat jumbo jet—relies on radios to safely land at airports. These instrument landing systems are considered precision approach systems, because, unlike GPS and other navigation systems, they provide crucial real-time guidance about both the plane’s horizontal alignment with a runway and its vertical rate of descent. In many settings—particularly during foggy or rainy nighttime landings—this radio-based navigation is the primary means for ensuring planes touch down at the start of a runway and on its centerline.

Like many technologies built in earlier decades, the ILS was never designed to be secure from hacking. Radio signals, for instance, aren’t encrypted or authenticated. Instead, pilots simply assume that the tones their radio-based navigation systems receive on a runway’s publicly assigned frequency are legitimate signals broadcast by the airport operator. This lack of security hasn’t been much of a concern over the years, largely because the cost and difficulty of spoofing malicious radio signals made attacks infeasible.

Now, researchers have devised a low-cost hack that raises questions about the security of ILS, which is used at virtually every civilian airport throughout the industrialized world. Using a $600 software defined radio, the researchers can spoof airport signals in a way that causes a pilot’s navigation instruments to falsely indicate a plane is off course. Normal training will call for the pilot to adjust the plane’s descent rate or alignment accordingly and create a potential accident as a result.

Read 36 remaining paragraphs | Comments

Bloomberg alleges Huawei routers and network gear are backdoored

Details are scarce, but the “backdoor” appears to be benign.

5G Logo in the shape of a butterfly.

Enlarge / PORTUGAL - 2019/03/04: 5G logo is seen on an android mobile phone with Huawei logo on the background. (credit: Omar Marques/SOPA Images/LightRocket via Getty Images)

Vodafone, the largest mobile network operator in Europe, found backdoors in Huawei equipment between 2009 and 2011, reports Bloomberg. With these backdoors, Huawei could have gained unauthorized access to Vodafone's "fixed-line network in Italy." But Vodafone disagrees, saying that while it did discover some security vulnerabilities in Huawei equipment, these were fixed by Huawei and in any case were not remotely accessible, and hence they could not be used by Huawei.

Bloomberg's claims are based on Vodafone's internal security documentation and "people involved in the situation." Several different "backdoors" are described: unsecured telnet access to home routers, along with "backdoors" in optical service nodes (which connect last-mile distribution networks to optical backbone networks) and "broadband network gateways" (BNG) (which sit between broadband users and the backbone network, providing access control, authentication, and similar services).

In response to Bloomberg, Vodafone said that the router vulnerabilities were found and fixed in 2011 and the BNG flaws were found and fixed in 2012. While it has documentation about some optical service node vulnerabilities, Vodafone continued, it has no information about when they were fixed. Further, the network operator said that it has no evidence of issues outside Italy.

Read 9 remaining paragraphs | Comments

This Windows Defender bug was so gaping its PoC exploit had to be encrypted

(credit: Microsoft)
Microsoft recently patched a critical vulnerability in its ubiquitous built-in antivirus engine. The vulnerability could have allowed attackers to execute malicious code by luring users to a booby-trapped website or attaching a b…

(credit: Microsoft)

Microsoft recently patched a critical vulnerability in its ubiquitous built-in antivirus engine. The vulnerability could have allowed attackers to execute malicious code by luring users to a booby-trapped website or attaching a booby-trapped file to an e-mail or instant message.

A targeted user who had real-time protection turned on wasn't required to click on the booby-trapped file or take any other action other than visit the malicious website or receive the malicious e-mail or instant message. Even when real-time protection was off, malicious files would be executed shortly after a scheduled scan started. The ease was the result of the vulnerable x86 emulator not being protected by a security sandbox and being remotely accessible to attackers by design. That's according to Tavis Ormandy, the Google Project Zero researcher who discovered the vulnerability and explained it in a report published Friday.

Ormandy said he identified the flaw almost immediately after developing a fuzzer for the Windows Defender component. Fuzzing is a software testing technique that locates bugs by subjecting an application to corrupted data and other types of malformed or otherwise unexpected input.

Read 6 remaining paragraphs | Comments