
Patch now! Critical flaw found in OpenWrt router software

A researcher has stumbled on a big security flaw affecting OpenWrt, an open source operating system used by millions of home and small business routers and embedded devices.

OpenWrt has become a popular Linux alternative to the stock software that vendors ship with home routers. Other examples of this type of router software include DD-WRT and Tomato.

It can be used to replace the factory firmware on any router with supported hardware, for example models from NetGear, Linksys, Zyxel and others.

Discovered by Guido Vranken of ForAllSecure, the OpenWrt flaw is in the OPKG package manager, the program used to install or update software packages on OpenWrt.

To ensure these package files aren’t corrupted or tampered with before being applied, their integrity is verified against a SHA-256 hash listed in the package index. If the two checksums don’t match, the file should be discarded.

Although served over an insecure HTTP connection, OpenWrt’s files are digitally signed, which implicitly guarantees that the listed hash is correct.

The bug arises at installation time: Vranken discovered that the SHA256sum field is not read correctly because of a simple programming error, and the failure is silent, so the hash check is effectively skipped.

This means that as long as an attacker can create a file that matches the stated size, they can sneak malicious software on to the user’s router or device instead of the correct OpenWrt software.
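The failure class described above, as an added illustration that is not opkg’s actual source code: a simplified parser for an OpenWrt-style Packages stanza (constructed sample data), a verifier that silently accepts a file when the hash field never gets read, and a fail-closed verifier that rejects it. The field name “SHA256Sum” passed to the broken parse stands in for whatever mis-read left the real field unparsed.

```python
import hashlib
import hmac

# Constructed payloads (sample data): the genuine package and a same-size substitute.
GOOD_PAYLOAD = b"genuine-ipk-contents"
EVIL_PAYLOAD = b"tampered-ipk-content"   # same length as GOOD_PAYLOAD, different bytes

# Constructed stanza in the style of an OpenWrt "Packages" index (not a real index).
PACKAGES_INDEX = (
    "Package: example-util\n"
    "Version: 1.0-1\n"
    "Filename: example-util_1.0-1_mips_24kc.ipk\n"
    f"Size: {len(GOOD_PAYLOAD)}\n"
    f"SHA256sum: {hashlib.sha256(GOOD_PAYLOAD).hexdigest()}\n"
)


def parse_stanza(text, hash_field="SHA256sum"):
    """Parse one index stanza into the fields a verifier needs.

    hash_field is the name the parser looks for; if it never matches a line
    (the mis-read case), the hash comes back as None without any error."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return {
        "filename": fields.get("Filename"),
        "size": int(fields["Size"]) if "Size" in fields else None,
        "sha256": fields.get(hash_field),
    }


def verify_fail_open(payload, meta):
    """Size check plus a hash check that is skipped when no hash was parsed.
    Models the failure class in the article; it is not opkg's real code."""
    if meta["size"] is not None and len(payload) != meta["size"]:
        return False
    if meta["sha256"] is None:
        return True          # nothing to compare against, so the file is accepted
    return hashlib.sha256(payload).hexdigest() == meta["sha256"]


def verify_fail_closed(payload, meta):
    """Hardened check: a missing or malformed size or hash rejects the file."""
    if meta["size"] is None or len(payload) != meta["size"]:
        return False
    expected = (meta["sha256"] or "").lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        return False
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, expected)


def demo():
    """Outcomes for (buggy, substitute), (hardened, substitute), (hardened, genuine), (hardened, substitute with correct hash)."""
    correct_meta = parse_stanza(PACKAGES_INDEX)                         # hash read properly
    broken_meta = parse_stanza(PACKAGES_INDEX, hash_field="SHA256Sum")  # field name never matches
    return (verify_fail_open(EVIL_PAYLOAD, broken_meta),
            verify_fail_closed(EVIL_PAYLOAD, broken_meta),
            verify_fail_closed(GOOD_PAYLOAD, correct_meta),
            verify_fail_closed(EVIL_PAYLOAD, correct_meta))


if __name__ == "__main__":
    print(demo())
```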

Vranken suggests that attackers could either hijack the OpenWrt server or interfere with the domain’s DNS to redirect users to a rogue server.

Is this likely?

Neither attack would be easy to pull off but if achieved, the user’s router and its traffic would be invisibly compromised by what had looked like legitimate software.

Compromising a legitimate download source is the equivalent of battering down the front door. Because many attackers will never use more effort than they have to, it seems more likely that anyone targeting OpenWrt would try their luck with a brute force attack on its management credentials first.

But it’s still a tempting flaw to aim for and one that deserves immediate attention.

What to do

OpenWrt recommends upgrading to the latest version. The bug (CVE-2020-7982) was introduced in early 2017 and affects OpenWrt versions 18.06.0 through 18.06.6 and 19.07.0, and separately LEDE (an OpenWrt fork) 17.01.0 through 17.01.7.

The fix was applied to versions 18.06.7 and 19.07.1, released at the beginning of February.

OpenWrt’s full advisory can be viewed on the maintainers’ website.


Latest Naked Security podcast

5 tips for keeping your data safe this World Backup Day

Today is, wait for it, drum roll, please…

World Backup Day.

You knew that already, didn’t you?

So you’re way ahead of us here, with your backups neatly done and safely stored away.

Or perhaps not, because sorting out your backups is a bit like taking the garbage out or washing the dog – you know it needs doing, and you might as well do it now, but it can probably wait until tomorrow.

Depending on what happens today, of course.

Well, the bad news is, now that so many of us are working from home, we can’t rely on IT to do it all for us, or to show up at our desks with a smile and a USB drive filled with all those precious files that we just deleted by mistake.

But the good news is, now that so many of us are working from home, that backup isn’t that hard to do right – the hardest part is just getting round to doing it properly, or even at all.

Here are some simple tips that will help you to keep both your work and your home data safe.

1. Don’t treat backing up simply as “something you do in case of ransomware”

In the early days of personal computers, the main reason people made backups, even if it was just a few important files saved on a special floppy disk, was the sheer unreliability of hardware and software.

If you ever used DOS, you’ll remember very clearly how one buggy program usually crashed everything, and that any crash could leave the hard disk corrupted so badly that you couldn’t reboot at all.

Malware was also a serious concern, not least because the crooks hadn’t yet figured out how to make money out of viruses, but nevertheless often used them to wipe out all your data for no clear reason at all.

Fast forward to 2020 and we have a lot less to worry about on the reliability front, but we still face a clear and present danger from data loss due to malware, notably ransomware.

For that reason, backups are a hot topic again, especially during the coronavirus pandemic, where IT can’t go round the office and give hands-on attention to afflicted computers.

Nevertheless, even though backups are a fantastic defensive tool against ransomware, we’re wary of IT procedures that are driven specifically by individual fears rather than by general good practice.

A regular and reliable backup process will protect you from unexpected data loss of any sort, including cases – as many people will have experienced when coronavirus lockdowns started and they couldn’t get back into the office – where your data isn’t lost, but you can’t get at it anyway.

Condensed into an easily remembered saying: Backups are a job worth doing, and a job worth doing is worth doing well.

2. Don’t leave backups where crooks can find them

Even though we’ve just urged you to do backups for general reasons that go above and beyond the specific risk of ransomware, there are important risks posed by contemporary cybercriminals that you need to keep in mind.

In many recent attacks we’ve investigated, the crooks have had days or even weeks to poke around the victim’s network before initiating their final actions – such as firing up ransomware on hundreds of computers at the same time.

Therefore you need to assume, if your backups are accessible online, that the crooks will find them and wipe them out (or steal them and then wipe them out) as part of their attack.

If ransomware strikes your entire network, or a power surge takes out your laptop where you keep your backup drive plugged in all the time, then you no longer have a backup.

So, think of live snapshots and real-time backups that you keep online as secondary copies, and make sure you also keep true backup copies offline.

Whether you’re at home or at work, you can often do that simply by unplugging backup devices or explicitly logging out from cloud backup accounts.

We also recommend that you add 2FA (two-factor authentication) to your cloud backup accounts for two important reasons.

Firstly, it helps to keep the crooks out, so they can’t use your cloud backup to breach your data; secondly, it means you can’t log in accidentally using cached passwords when you didn’t mean to.

3. Don’t make backups that everyone can read

As you probably know, most backup advice includes something about keeping “offsite” backups so that they’re not just offline, they’re stored in a different physical location to the master copy.

A removable drive stored in a safe-deposit box at your bank is an excellent way to protect your most vital backups, but that’s impossible if you’re in coronavirus lockdown.

Therefore you are almost certainly going to have to rely on cloud storage – where your data travels offsite via the internet rather than in your backpack.

However, we often hear people asking if they really need offsite backups, because they are understandably concerned that storing their data in two different ways in two different places simply doubles down on their risk of a data breach.

Even high-security safe deposits can get burgled, and cloud storage services could suffer an intrusion that isn’t your fault and you couldn’t have prevented.

Fortunately, there’s a reliable way to protect your offsite data, whether it’s in the cloud or on a removable device, and that’s to encrypt it before it leaves your own laptop or network.

To help you out, Windows has BitLocker, Macs have FileVault, and Linux has LUKS and cryptsetup, which can be used to create encrypted drives and partitions. (You can create a disk partition out of a file, and then use cryptsetup on that, if you want.)

There are also numerous free and open source encryption tools that aren’t part of any operating system.

You can use one of these to encrypt both devices and folders on all your computers, if that’s what you prefer – remember that BitLocker and FileVault are proprietary and aren’t officially supported on other operating systems.

4. Don’t neglect the “restore” part of the process

Remember that you haven’t really backed anything up unless you can restore it.

We’ve helped numerous people over the years who made backups regularly and carefully, but weren’t able to get back the files they wanted when they needed to.

Ironically, perhaps, none of these cases happened because the user forgot or lost their decryption password – they simply weren’t well-practised enough in using the restore process to do it reliably, or even at all.

We also know of ransomware victims who ended up paying the ransom, even though they had working backups, because the restore process they’d created for themselves was just too slow and cumbersome for them to recover in time.

Treat restoring backups like a fire drill: you’re going down the fire escape, out into the street and getting clear of the building when there isn’t an actual fire so that if the real thing ever happens, you aren’t fighting against both fear and unfamiliarity at the same time.

Test yourself: work out how long it takes to get the backup ready for restoring, how long it takes to extract everything, and how reliably and quickly you can restore just a single file without restoring everything else, which you might not want.

5. Don’t put it off until tomorrow

The only backup you will ever regret…

…is the one you didn’t make.

No, Houseparty hasn’t hacked your phone and stolen your bank details

If you’re at home right now – and who isn’t? – then you’ve probably heard of Houseparty.

It’s a social networking app that came out back in 2015 and was bought by Epic Games – famous for Unreal and Fortnite – in the middle of 2019.

The name gives you a good idea of what it does: simply put, you go online, hang out and other members (players?) can join you in your “room” and engage in face-to-face chat, or as close to face-to-face as you can get in a virtual world.

Think of it as a multiuser video call that friends and family – or, indeed, anyone, if that’s your thing – can wander in and say, “Hi.”

As the app makers themselves put it early last year:

We’re the face-to-face social network bringing friends together for live video hangouts. Now, with the Heads Up! game available in app, we’re introducing a new way for users to spend time together.

[…]

Houseparty only works when people are online together. There’s no liking, commenting, or scrolling. Instead, the Houseparty experience brings empathy to online communication by requiring in-the-moment conversations and facilitating casual “drop-ins” from friends.

Imagine a video calling service, like Zoom or Skype, but without calls and conferences and meetings – it’s like arriving at the pub to see who’s there, rather than booking a table at a bistro and meeting a specific group who have all agreed to the time and place.

And, as Houseparty noted in the same article, given that the North American winter was in full swing at the time:

Whether snowed in, away from home, or just too cozy to leave bed, here’s another way to bond with your closest friends when you can’t be together!

For “snow” read “coronavirus lockdown” and you can understand why the app has become hugely popular in the last few weeks, as people try to maintain a social life of sorts when they aren’t allowed out to meet other people at all.

Has the party gone wrong?

Well, the Houseparty team have suddenly been turned into the bad guys, with breathless comments on other social networks warning you to stop using the app right away:

If anyone is using that house party app DELETE IT My friends email account
been hacked into by it And managed to get bank account details too and has hacked that.
I've seen a few other people saying this too on twitter.
I also keep getting dodgey emails.
Just a warning x

Is there any truth in this?

To be honest, we can’t tell you that the Houseparty app is bug-free, because we haven’t decompiled or analysed it, and even if we had, working out that an app is totally free of vulnerabilities is a close-to-impossible exercise, as are many tasks where you are expected to prove a negative.

But the claim in the post above is not that there’s a bug that’s being exploited in the app.

Instead, to us the post seems very clearly to imply that Houseparty is a rogue app that is actively breaking into every part of your digital life and plundering it in a determined burst of criminality.

And as unlikely as that sounds, and for all that Houseparty itself has stated this…

…there are pages of counter-tweets insisting that…

BOYCOTT HOUSEPARTY, just found out that's how my Spotify was hacked and how many others are being hacked on various things DELETE HOUSPARTY!!!!! They are hacking into spotifys, snapchats and even online banking!!! Didn’t realise what was happening when i got these emails but is 100% that houseparty app!! Three new logins to my spotify and someone tried to reset my password for netflix!! Not worth it the risk

Well, here’s the thing.

There’s one thing missing in all of these aggressive!!! and SHOUTY!!!!! claims, and that is evidence.

What to do?

A few calm voices on Twitter are asking the obvious question, which is:

where's the evidence it was from houseparty? How do you know this had happened because of house party tho?

That’s a vital point to consider, and not just because it’s the ethically correct thing to do.

After all, if any of this “hacking” behaviour is not down to Houseparty, which is a mainstream app published by a well-known software company in Apple’s and Google’s official online stores…

…then deleting the app and feeling virtuous about closing your account is not going to help you, because you will still be at risk but will think you aren’t.

Our advice is simple:

  • Don’t accuse Houseparty or Epic Games of malfeasance without strong evidence. The fact that lots of people repeated the same condemnatory text on Twitter proves nothing. If you aren’t part of the solution then you are part of the problem.
  • Don’t assume that deleting Houseparty will fix your problems. The idea that all the listed symptoms above might suddenly appear on account of a single app has to be considered extremely unlikely, in which case removing the app will leave you at risk when you think you are safe.
  • Do visit the Houseparty settings and decide how open you want to be. Do you want your rooms to be “locked” so you meet new people by invitation only? If not, or if you are scared of the app because trolls have been wandering into your online life, consider dialling back your openness rather than deleting the app but not changing your behaviour. Go through the same exercise for all your social media accounts.
  • Do turn on 2FA (two-factor authentication) for any online accounts that support it. Don’t make it easy for someone who steals your password – which is more likely to happen via phishing than in any other way – to log in to all your accounts and take them over.
  • Do change passwords and watch financial statements carefully if you think your accounts have been hacked. Whether you think a specific product is to blame or not, just removing one app from your phone is not enough to “unhack” accounts that have already been taken over.

We’ll update this article if we learn any more genuine information – until then, please don’t blindly repeat other people’s unsubstantiated claims, because you can’t make something true simply by saying it over and over again.


Monday review – the hot 22 stories of the week

Get yourself up to date with everything we’ve written in the last seven days – it’s weekly roundup time.


Android apps are snooping on your installed software

Android apps are snooping on other software on your device – and that could tell shady advertising companies more about you than you’d like.

The news emerged this week in a paper from researchers in Italy, the Netherlands, and Switzerland. The privacy violations centre around installed application methods (IAMs), which are application programming interfaces (APIs) that allow applications to interact with other software on your phone without telling you. They let apps do a variety of things, including finding the names of the other apps installed on the device.

There are legitimate uses for IAMs. An app such as a VPN, backup tool or firewall might use them to co-operate with other installed software. An accessibility app can use them to make other software more usable for people with disabilities.

That doesn’t mean all instances are in the user’s best interest. The researchers studied 14,342 free Android apps in the Google Play Store, along with 7,886 open-source Android apps. They analysed the software’s use of IAM APIs and also followed up with a questionnaire for the apps’ developers to assess how aware they were of what the apps were doing (70 developers participated).

The most common piece of information collected via IAMs was packageName, which just reports the names of other installed apps. This alone can reveal a lot about a phone’s user, though. The paper cites other research showing that it’s possible to deduce certain things about the user purely from the apps installed on their devices, including gender, religion, relationship status, and countries of interest. They can also predict major life events such as marriage and becoming a parent with up to 87% accuracy.

It’s no surprise, then, that commercial applications tended to use IAMs far more: 4,214 commercial apps used them, compared with just 228 open-source apps. The most popular type of commercial app using this technique was games, at 73%.

Most of the commercial apps snooping on other installed software didn’t do it from within their own code. Instead, 83.66% of these queries came from third-party libraries that the apps used. More than one third (36%) of those libraries were classed as advertising-based, while the next most common category (31%) came under the utility category, which is effectively a catch-all of different functions to streamline software development.

In many cases, app developers were not aware that these libraries were making calls at all, and in one case asked the researchers which piece of code the call was being made from so that it could be removed. One developer blamed a point-and-click app builder that they used.

The fact that developers don’t always know what their apps are doing is worrying, and it leaves two options. The first is for Google to enforce stricter notifications and controls around their use. The paper said:

As other privacy-sensitive parts of the Android platform are protected by app permissions, forcing developers to explicitly notify users before attempting access to these parts, begs the question on why IAMs are treated differently.

You’d think Google would be wise to apps that like to sniff around their users’ installed software. Apple politely asked Facebook to remove the VPN app Onavo from its app store for just this reason after the media giant used it to snoop on its users’ other mobile app software usage.

Google didn’t respond to our request for comment but it seems to be aware of the problem now. It is introducing a <queries> tag in app manifest files that enables apps to declare which other apps they query. However, it isn’t clear what limitations the company will enforce on these queries. It will include a QUERY_ALL_PACKAGES permission that lets an app talk to any other app it wants, for which the company will provide usage guidelines in the future.

This new tag and permission will ship with Android 11 but the researchers aren’t entirely happy with it. They said:

The newly introduced permission does not appear to be considered as a dangerous permission. Hence, access to IAMs is still silent for the end-user. Although these new rules are a step in the right direction, it is unclear whether they are sufficient to limit data collection activities.
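An added example, not from the paper or from Google: a small audit script that reads an Android manifest and reports whether it asks for the blanket QUERY_ALL_PACKAGES permission or declares a scoped <queries> block, as described above. Both manifests are constructed sample data, and the partner package name in the narrow one is hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
QUERY_ALL = "android.permission.QUERY_ALL_PACKAGES"

# Two constructed manifests (sample data, not taken from any real app).
BROAD_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.broad">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES" />
</manifest>
"""

NARROW_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.narrow">
    <uses-permission android:name="android.permission.INTERNET" />
    <queries>
        <package android:name="com.example.partner.vpn" />
        <intent>
            <action android:name="android.intent.action.SEND" />
            <data android:mimeType="image/jpeg" />
        </intent>
    </queries>
</manifest>
"""


def audit_package_visibility(manifest_xml):
    """Summarise what a manifest declares about seeing other installed apps."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"          # android:name in ElementTree form
    permissions = {e.get(name_attr) for e in root.iter("uses-permission")}
    queries = root.find("queries")
    declared, intent_queries = [], 0
    if queries is not None:
        declared = [p.get(name_attr) for p in queries.findall("package")]
        intent_queries = len(queries.findall("intent"))
    return {
        "package": root.get("package"),
        "query_all_packages": QUERY_ALL in permissions,
        "declared_packages": declared,
        "intent_queries": intent_queries,
    }


def visibility_findings(report):
    """Review notes for the summary; the blanket permission is the one worth flagging."""
    findings = []
    if report["query_all_packages"]:
        findings.append("QUERY_ALL_PACKAGES requested: the app can enumerate every installed package")
    elif report["declared_packages"] or report["intent_queries"]:
        findings.append("scoped <queries> only: %s, %d intent filter(s)"
                        % (", ".join(report["declared_packages"]) or "no packages",
                           report["intent_queries"]))
    return findings


if __name__ == "__main__":
    for manifest in (BROAD_MANIFEST, NARROW_MANIFEST):
        report = audit_package_visibility(manifest)
        print(report["package"], visibility_findings(report))
```

Run it against the merged manifest produced at build time rather than only your own source manifest, because a third-party library’s manifest can contribute the permission during merging, which is exactly the case where developers told the researchers they did not know the calls were happening.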

This use of IAMs is a risk in iOS, too, the researchers said, but Apple seems ahead of Google here. More recent versions of iOS force apps to declare applications of interest for app store moderators to review.

The other option for stopping this kind of information harvesting is to rely on privacy-aware users to fill in the gaps. The researchers recommended that users check vetting services like VirusTotal to examine an app’s activities and favour apps that don’t make their money from ads.

The takeaway here is clear: no matter how many ad blockers and other tools you deploy, data-hungry companies continue to find new ways to carry off data about you under the radar that they can use to profile you more accurately. If they can do this by sneaking such things into other apps via libraries, they will. This will continue to erode trust in mobile apps. Isn’t it time for a more honest app ecosystem?
