Perpetual IT

In this episode: we look at a network intrusion where the crooks tried to take over dozens of different online accounts from every user, we discuss the potential dangers of digital doorbells, and we give you some handy hints for improving your wireless security at home.

With Kimberly Truong, Doug Aamoth and Paul Ducklin.

Intro and outro music: Edith Mudge.

WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.

Well-known Google Project Zero researcher Ian Beer has just published a blog post that is attracting a lot of media attention.

The article itself has a perfectly accurate and interesting title, namely: An iOS zero-click radio proximity exploit odyssey.

But it’s headlines like the one we’ve used above that capture the practical essence of Beer’s attack.

The exploit sequence he figured out really does allow an attacker to break into a nearby iPhone and steal personal data – using wireless connections only, and with no clicks needed by, or warnings shown to, the innocently occupied user of the device.

Indeed, Beer’s article concludes with a short video showing him automatically stealing a photo from his own phone using hacking kit set up in the next room:

• He takes a photo of a “secret document” using the iPhone in one room.
• He leaves “user” of the phone (a giant pink teddy bear, as it happens) sitting happily watching a YouTube video.
• He goes next door and kicks off an automated over-the-air attack that exploits a kernel bug on the phone.
• The exploit sneakily uploads malware code onto the phone, grants itelf access to the Photo app’s data directory, reads the “secret” photo file and invisibly uploads it to his laptop next door.
• The phone continues working normally throughout, with no warnings, pop-ups or anything that might alert the user to the hack.

That’s the bad news.

[embedded content]

The good news is that the core vulnerability that Beer relied upon is one that he himself found many months ago, reported to Apple, and that has already been patched.

So if you have updated your iPhone in the past few months, you should be safe from this particular attack.

The other sort-of-good news is that it took Beer, by his own admission, six months of detailed and dedicated work to figure out how to exploit his own bug.

To give you an idea of just how much effort went into the 5-minute “teddy bear’s data theft picnic” video above, and as a fair warning if you are thinking of studying Beer’s excellent article in detail, bear in mind that his blog post runs to more than 30,000 words – longer than the novel Animal Farm by George Orwell, or A Christmas Carol by Charles Dickens.

You may, of course, be wondering why Beer bothered to take a bug he’d found and already reported, yet went to so much effort to weaponise it, to use the paramilitary jargon common in cybersecurity.

Well, Beer gives the answer himself, right at the start of his article:

The takeaway from this project should not be: no one will spend six months of their life just to hack my phone, I’m fine.

Instead, it should be: one person, working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they’d come into close contact with.

To be clear: Beer, via Google, did report the original bug promptly, and as far as we know no one else had figured it out before he did, so there is no suggestion that this bug was exploited by anyone in real life.

But the point is that it is reasonable to assume that once a kernel-level buffer overflow has been discovered, even in the face of the latest and greatest exploit mitigations, a determined attacker could produce a dangerous exploit from it.

Even though security controls such as address space layout randomisation and pointer authentication codes increase our cybersecurity enormously, they’re not silver bullets on their own.

As Mozilla rather drily puts it when fixing any memory mismangement flaws in Firefox, even apparently mild or arcane errors that the team couldn’t or didn’t figure out how to exploit themselves: “Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.”

In short, finding bugs is vital; patching them is critical; learning from our mistakes is important; but we must nevertheless continue to evolve our cybersecurity defences at all times.

The road to Beer’s working attack

It’s hard to do justice to Beer’s magnum opus in a brief summary like this, but here is a (perhaps recklessly oversimplified) description of just some of the hacking skills he used:

• Spotting a kernel variable name that sounded risky. The funky name that started it all was IO80211AWDLPeer::parseAwdlSyncTreeTLV, where TLV refers to type-length-value, a way of packaging complex data at one end for deconstructing (parsing) at the other, and AWDL is short for Apple Wireless Direct Link, the proprietary wireless mesh networking used for Apple features such as AirDrop. This function name implies the presence of complex kernel-level code that is directly exposed to untrusted data sent from other devices. This sort of code is often a source of dangerous programming blunders.
• Finding a bug in the TLV data handling code. Beer noticed a point at which a TLV data object that was limited to a memory buffer of just 60 bytes (10 MAC addresses at most) was incorrectly “length-checked” against a generic safety limit of 1024 bytes, instead of against the actual size of the buffer available.
• Building an AWDL network driver stack to create dodgy packets. Ironically, Beer started with an existing open source project intended to be compatible with Apple’s proprietary code, but couldn’t get it to work as he neeed. So he ended up knitting his own.
• Finding a way to get buffer-busting packets past safety checks that existed elsewhere. Althouth the core kernel code was defective, and didn’t do its final error checking correctly, there were several partial precursor checks that made the attack much harder. By the way, as Beer points out, it’s tempting, in low-level code – especially if it is performance critical – to assume that untrusted data will have been sanitised already, and therefore to skimp on error checking code at the very point it matters most. Don’t do it, especially if that critical code is in the kernel!
• Learning how to turn the buffer overflow into a controllable heap corruption. This provided a predictable and exploitable method for using AWDL packets to force unauthorised reads from and writes into kernel memory.
• Trying out a total 13 different Wi-Fi adapters to find a way mount the attack. Beer wanted to be able to send poisoned AWDL packets on the 5GHz Wi-Fi channels widely used today, so he had to find a network adapter he could reconfigure to meet his needs.

At this point, Beer had already reached a proof-of-concept result where most of us would have stopped in triumph.

With kernel read-write powers he could remotely force the Calc app to pop up on your phone, as long as you had AWDL networking enabled, for example while you were using the “Share” icon in the Photos app to send your own files via AirDrop.

Nevertheless, he was determined to convert this into a so-called zero-click attack, where the victim doesn’t have to be doing anything more specific that simply “using their phone” at the time.

As you can imagine, a zero-click attack is much more dangerous, because even a well-informed user wouldn’t see any tell-tale signs in advance that warned of impending trouble.

So Beer also figured out out techniques for:

• Pretending to be a nearby device offering files to share via AirDrop. If your phone thinks that a nearby device might be one of your contacts, based on Bluetooth data it is transmitting, it will temporarily fire up AWDL to see who it is. If it isn’t one of your contacts, you won’t see any popup or other warning, but the exploitable AWDL bug will be exposed briefly via the automatically activated AWDL subsystem.
• Extending the attack to do more than just popping up an existing app such as Calc. Beer figured out how to use his initial exploit in an detailed attack chain that could access arbitrary files on the device and steal them.

In the video above, the attack took over an app that was already running (the teddy bear was watching YouTube, if you recall); “unsandboxed” the app from inside the kernel so it was no longer limited to viewing its own data; used the app to access the DCIM (camera) directory belongong to the Photos app; stole the latest image file; and then exflitrated it using an innocent-looking TCP connection.

Wow.

What to do?

Tip 1. Make sure you are up to date with security fixes, because the bug at the heart of Beer’s attack chain was found and disclosed by him in the first place, so it’s already been patched. Go to Settings > General > Software Update.

Tip 2. Turn off Bluetooth when you don’t need it. Beer’s attack is a good reminder that “less is more”, because he needed Bluetooth in order to turn this into a true zero-click attack.

Tip 3. Never assume that because a bug sounds “hard” that it will never be exploited. Beer admits that this one was hard – very hard – to exploit, but ultimately not impossible.

Tip 4. If you are a programmer, be strict with data. It’s never a bad idea to do good error checking.

For all the coders out there: expect the best, i.e. hope that everyone who calls your code has checked for errors at least once already; but prepare for the worse, i.e. assume that they haven’t.

Did you know you can join us for a live cybersecurity lecture every Friday?

Just keep an eye on the @NakedSecurity Twitter feed or check our Facebook page on Fridays to find out the time we’ll be on air – it’s usually somewhere between 18:00 and 19:00 UK time, which is late morning/early afternoon on the West/East coast of North America.

(Note that you don’t need a Facebook account to watch our live streams, but you will need to login if you want to ask questions or post comments.)

We also upload the videos to our YouTube channel – here’s our latest video on mobile privacy:

[embedded content]

(Watch directly on YouTube if the video won’t play here.)

Thanks for watching… hope to see you online later this week!

Every day is a computer security day, but November 30th is officially Computer Security Day, intended to raise awareness of online security issues and to promote cybersecurity best practices.

Days like these are a handy nudge to do a few extra security checks. With that in mind, here are some tips from the Sophos support team on how to secure your Wi-Fi network at home.

Many people think that “no hacker would be interested in my home network.”

But everyone has something that’s valuable to attackers: personal information, bank details, financial data, perhaps even a webcam that could let criminals know when you aren’t at home, or that might let creeps spy on you when you are.

And if you’re working from home, it’s worth remembering that for a skilled attacker it’s just a hop, skip and jump across the network from your personal computer or connected device to your work laptop, and possibly from there to the whole company network.

For a detailed explanation of Wi-Fi, check out our Wi-Fi Fundamentals article on the Sophos Community site.

Tip 1. Apply those updates

“Patch early, patch often” is a regular mantra on Naked Security, and it applies to all access points, modems and routers you use for your home network, as well as all the devices that can connect to it.

Take a moment to check when your firmware was last updated. If it’s not up to date, patch without delay.

Set your devices to automatically install updates where possible. If you discover that you are unable to update (for instance, if the manufacturer is no longer providing support), consider migrating to a device that is properly supported.

Tip 2. Check your encryption settings

We recommend using at least WPA2-PSK (AES) encryption, also known as WPA2-CCMP. (PSK stands for Pre-Shared Key, which is the password you need to connect to the network in the first place.)

WPA2 was first ratified by the Wi-Fi Alliance in 2004. If the router you’re using doesn’t support WPA2, upgrade to a newer model that does.

Never use WEP, short for Wired Equivalent Privacy, because the encryption system it uses was cracked completely many years ago – it gives nothing but a false sense of security.

LEARN MORE ABOUT WEP AND WHY TO AVOID IT

Here’s a video we made more than seven years ago explaining why you should choose decent encryption for your home Wi-Fi. Some older network devices don’t support anything better than WEP, so it’s tempting to keep on using WEP if your router still supports it. Get rid of the old devices instead.

[embedded content]

Tip 3. Pick a proper password

Pick a proper password for your Wi-Fi network.

It’s tempting to use a short and obvious password so it’s easy to type in on devices such as phones, or to read out for friends who want to join your network while they’re visiting.

But an obvious password makes it easy for people you haven’t invited onto your network to connect up as well. You only need to enter it once, so a little bit of extra hassle putting in the password in the first place is worth it to make it harder for outsiders to guess the password in future.

Remember also that if you have allowed a guest to access your network but then decide that you don’t want them connecting any more, you will need to change the password to keep them out.

Tip 4. Check who’s on your network

It’s worth taking a moment to see which devices have accessed your Wi-Fi network recently. Many routers have an option in their management pages, usually accessed via your browser, that will show you which devices have connected recently.

Are there any rogue computers online? Perhaps the teenager next door is still connected from their last babysitting session? Are there any home devices such as webcams or baby monitors that you’d forgotten about or thought you’d turned off?

If there are devices accessing your network that shouldn’t be, disconnect them. Changing the Wi-Fi password will stop any unwanted devices getting back online automatically.

Tip 5. Review your IoT devices

IoT is short for Internet of Things, and it refers to devices that didn’t used to be computers in their own right, such as webcams, smart speakers and doorbells, but that now connect to your Wi-Fi network by themselves, and operate independently.

Paul Ducklin’s recent article on 8 tips to tighten your work-from-home network included some great advice for securing IoT devices such as webcams and smart speakers. The main takeaways are:

• Only connect devices that you really need to have online. Power down devices when you’re not using them.
• Make sure you know how to update your devices.
• Configure your devices correctly,
• Change any risky settings, such as default passwords.
• Check how much data you are sharing.
• Put IoT devices on a ‘guest’ network if you can.
• Turn on ‘client isolation’ if available.
• Make sure you know who to turn to if you have a problem.

Every day is a computer security day

Good computer security is, of course, something we need to take seriously every day, not just on November 30th.

That said, it’s worth using events like Computer Security Day as a prompt to take a deeper look at your security and check that everything is as it should be.

It’s the fourth Thursday in November, so it’s not just a day for saying “Happy Thanksgiving” to our US readers…

…but also a day for thinking about the cool new gadgets you have in mind for your Black Friday shopping spree tomorrow.

(Is it just us, or has Cyber Monday disappeared as a concept now that “Black Friday” is almost entirely online anyway, and seems to apply pretty much all day, every day from weeks before Thanksgiving to weeks afterwards?)

We don’t doubt that many people’s wish lists are topped out with new or newish devices such as Google Pixels, Apple iPhones, Sony PS5s and Microsoft Xboxen – if you can get them, that is.

But it’s not just the latest phones and gaming consoles that fill the Black Friday carts.

Home automation gadgets are popular purchases, too – especially if they look as though they’re top-notch products at bargain-basement prices.

That rings a bell

With that in mind, UK consumer magazine Which? recently went online and bought 11 different digital doorbells – a type of IoT device made popular by the Ring product – to see how they stacked up.

In theory, at least, a wireless doorbell is a splendid idea: you don’t need to drill a hole in your doorframe to shove a wire through; you can put the ringer wherever you like; you can take it with you when you move; and, thanks to the diminutive size of video cameras these days, many IoT doorbells let you see who’s calling, even when you’re not at home.

(With digital doorbells, you can also change the ring tone at will – you aren’t stuck forever with that two-tone chime that sounded so delightful at first but that you now regret.)

In other words, a wireless video doorbell sounds – pun intended! – as though it ought not only to simplify the DIY task of installing it but also to improve your home security as soon as it’s turned on.

In practice, of course, there’s a lot that can go wrong with internet-enabled doorbells.

You might end up reducing both your physical and online security at the same time.

Your physical privacy and security could be harmed because of the live video features of the doorbell – exploited by crooks or creeps to spy on you instead of helping you keep an eye out for them.

And your online security could be harmed because most digital doorbells need to be hooked up to your home Wi-Fi, thus potentially bringing exploitable software vulnerabilities or privacy-busting data collection “features” right onto your own network.

Cause for concern

As you have probably already figured out if you looked at the headline and the subtitle of the Which? article above, the results of the magazine’s experiment give real cause for concern:

The smart video doorbells letting hackers into your home.

All 11 doorbells we tested demonstrated high-risk security issues. [Which? 2020-11-23]

For what it’s worth, we might not describe all the vulnerabilities that Which? found as “high-risk” ourselves, given that it seems some of them aren’t irremediably baked into the affected devices and can be avoided by taking the time to set up the devices correctly, such as picking a proper password…

…but “high-risk” was the adjective that Which? chose, and we aren’t going to argue with their reasoning.

Sure, a device that arrives with a weak (and widely-known) default password can easily be made more secure at install time.

But if that’s what you expect new users to do, why not ship the device in a configuration that will prevent it working at all until it is set up properly?

Indeed, as Which? points out, UK regulations proposed at the start of 2020 for IoT devices would prohibit default passwords altogether:

All consumer internet-connected device passwords must be unique and not resettable to any universal factory setting.

Pick of the worst

Ironically, if we wanted to take issue with the word “high-risk”, it would be that for some of the flaws reported, the term simply isn’t strong enough, and “critical vulnerability” might be a better choice.

Here are three of the security holes that Which? found:

• One product uploaded the local Wi-Fi password to the vendor’s servers in China unencrypted. Not only does the maker of the device have no need for your wireless password, sending it unencrypted means anyone snooping in the network along the way could retrieve it and sell it on.
• A second product could be detached from your front door and stolen using a mobile phone SIM ejector tool (a thin metal pin on the end of a miniature handle), even though any data stored on it – presumably including images of recent visitors and your Wi-Fi password – was unencrypted.
• A third device could be forced back into ‘setup’ mode at will from outside your house, essentially allowing crooks to turn it off before burgling your property.

What to do?

We wish we could give you some simple technical tricks that would let you tell good and bad home gadgets apart before buying them, or even suggest a reliable and practicable way to tell a well-secured device from a badly programmed one after setting it up.

Unfortunately, things aren’t that straightforward – and, ironically, finding privacy and security holes in devices that do “a bit of cybersecurity but not enough” can be surprisingly difficult.

(As an example, the researchers at Which? would have had to do a lot more work to detect the exfiltrated Wi-Fi password mentioned above if the device had used an encrypted connection to call home in the first place.)

So, here are four “buyer beware” tips to help you keep risky devices out of your home network:

• 1. Ignore online reviews on merchant sites. You have no idea who wrote those reviews or gave the product a good score. Which? reported that most of the 11 flawed doorbell devices they chose had “[20 or more] 5-star reviews.” Sadly, there’s a plentiful supply of fake reviewers out there who will promote products they’ve never seen, let alone used, often for very modest amounts of money.
• 2. Don’t be deceived by name or looks. Budget devices are easy to build so they look similar to devices that have a good reputation. Also, many different-looking products are made by the same manufacturer, based on identical hardware and software, and then branded to look like different devices for a range of affiliate merchants. In short, just because a device looks like a known-good product means very little; and just because a device looks completely different from one you already know to be bad doesn’t really help you decide, either.
• 3. Talk to someone you know and trust to help you judge. Some home device vendors have a good reputation for security, including providing prompt updates if vulnerabilities are found. Look for independent and objective advice to confirm that’s the case for any devices you plan to buy, to ensure that you are looking at the real deal, and that you are buying the right model.
• 4. Be prepared to write off devices that don’t shape up. If you discover that a home device you bought has dangerous flaws and won’t be getting updates – and for cheap devices from budget merchants, that often happens – then ask for your money back. If you can’t get it back, be willing to get rid of the flawed device (please recycle responsibly!) and take the financial loss on the chin. Then GOTO 1.

Simply put, if in doubt, leave it out.

When it comes to home security gadgets, don’t risk making your security worse than it was before – you might as well keep your money in your pocket.