33 Linksys router models leak full historic record of every device ever connected

Hard-to-fix flaw cause >25,000 routers to leak >756,000 unique MAC addresses.

33 Linksys router models leak full historic record of every device ever connected

(credit: US Navy)

More than 20,000 Linksys wireless routers are regularly leaking full historic records of every device that has ever connected to them, including devices' unique identifiers, names, and the operating systems they use. The data can be used by snoops or hackers in either targeted or opportunistic attacks.

(credit: Troy Mursch)

Independent researcher Troy Mursch said the leak is the result of a persistent flaw in almost three dozen models of Linksys routers. It took about 25 minutes for the Binary Edge search engine of Internet-connected devices to find 21,401 vulnerable devices on Friday. A scan earlier in the week found 25,617. They were leaking a total of 756,565 unique MAC addresses. Exploiting the flaw requires only a few lines of code that harvest every MAC address, device name, and operating system that has ever connected to each of them.

The flaw allows snoops or hackers to assemble disparate pieces of information that most people assume aren’t public. By combining a historical record of devices that have connected to a public IP addresses, marketers, abusive spouses, and investigators can track the movements of people they want to track. The disclosure can also be useful to hackers. The Shadowhammer group, for instance, recently infected as many as 1 million people after hacking the software update mechanism of computer maker ASUS. The hackers then used a list of about 600 MAC addresses of specific targets that, if infected, would receive advanced stages of the malware.

Read 6 remaining paragraphs | Comments

The radio-navigation planes use to land safely is insecure and can be hacked

Radios that sell for $600 can spoof signals planes use to find runways.

A plane in the researchers' demonstration attack as spoofed ILS signals induce a pilot to land to the right of the runway.

Enlarge / A plane in the researchers' demonstration attack as spoofed ILS signals induce a pilot to land to the right of the runway. (credit: Sathaye et al.)

Just about every aircraft that has flown over the past 50 years—whether a single-engine Cessna or a 600-seat jumbo jet—relies on radios to safely land at airports. These instrument landing systems are considered precision approach systems, because, unlike GPS and other navigation systems, they provide crucial real-time guidance about both the plane’s horizontal alignment with a runway and its vertical rate of descent. In many settings—particularly during foggy or rainy nighttime landings—this radio-based navigation is the primary means for ensuring planes touch down at the start of a runway and on its centerline.

Like many technologies built in earlier decades, the ILS was never designed to be secure from hacking. Radio signals, for instance, aren’t encrypted or authenticated. Instead, pilots simply assume that the tones their radio-based navigation systems receive on a runway’s publicly assigned frequency are legitimate signals broadcast by the airport operator. This lack of security hasn’t been much of a concern over the years, largely because the cost and difficulty of spoofing malicious radio signals made attacks infeasible.

Now, researchers have devised a low-cost hack that raises questions about the security of ILS, which is used at virtually every civilian airport throughout the industrialized world. Using a $600 software defined radio, the researchers can spoof airport signals in a way that causes a pilot’s navigation instruments to falsely indicate a plane is off course. Normal training will call for the pilot to adjust the plane’s descent rate or alignment accordingly and create a potential accident as a result.

Read 36 remaining paragraphs | Comments

Bloomberg alleges Huawei routers and network gear are backdoored

Details are scarce, but the “backdoor” appears to be benign.

5G Logo in the shape of a butterfly.

Enlarge / PORTUGAL - 2019/03/04: 5G logo is seen on an android mobile phone with Huawei logo on the background. (credit: Omar Marques/SOPA Images/LightRocket via Getty Images)

Vodafone, the largest mobile network operator in Europe, found backdoors in Huawei equipment between 2009 and 2011, reports Bloomberg. With these backdoors, Huawei could have gained unauthorized access to Vodafone's "fixed-line network in Italy." But Vodafone disagrees, saying that while it did discover some security vulnerabilities in Huawei equipment, these were fixed by Huawei and in any case were not remotely accessible, and hence they could not be used by Huawei.

Bloomberg's claims are based on Vodafone's internal security documentation and "people involved in the situation." Several different "backdoors" are described: unsecured telnet access to home routers, along with "backdoors" in optical service nodes (which connect last-mile distribution networks to optical backbone networks) and "broadband network gateways" (BNG) (which sit between broadband users and the backbone network, providing access control, authentication, and similar services).

In response to Bloomberg, Vodafone said that the router vulnerabilities were found and fixed in 2011 and the BNG flaws were found and fixed in 2012. While it has documentation about some optical service node vulnerabilities, Vodafone continued, it has no information about when they were fixed. Further, the network operator said that it has no evidence of issues outside Italy.

Read 9 remaining paragraphs | Comments

Woman from China, with malware in tow, illegally entered Trump’s Mar-a-Lago

Event raises serious questions about security practices of the US Secret Service.

Large helicopter emblazoned with presidential logos lands at a seaside resort.

Enlarge (credit: The White House / Flickr)

A woman carrying four cellphones, two Chinese passports, and a thumb drive containing malware was arrested over the weekend after gaining access to President Donald Trump’s Mar-a-Lago resort under false pretenses, a court document alleged.

The woman, identified as 32-year-old Yujing Zhang, on Saturday afternoon told a US Secret Service agent she was there to use the pool and produced the passports, a criminal complaint filed in US District Court for the Southern District of Florida alleged. She was admitted past a security checkpoint after a resort security manager verified that her last name matched the surname of a club member. A “potential language-barrier issue” raised the possibility she was the daughter of the member. She didn’t give a definitive answer when asked if she was there to meet anyone and was escorted to a front desk in a golf cart.

When questioned by a receptionist inside the club, Zhang said she was there to attend a United Nations Chinese American Association event later that evening, according to the complaint. The receptionist confirmed that no such event was scheduled and was unable to find Zhang’s name on any list of people approved to be past the security checkpoint.

Read 6 remaining paragraphs | Comments