Battery Hack

July 27, 2011

Charlie Miller, a researcher with Accuvant Labs, has found an interesting new flaw in Apple's laptops. The Smart Battery System controller inside the battery pack, which monitors charging and power levels, ships with a default unlock password that Apple never changed. Anyone who knows it can unseal the controller from the host and reflash its firmware, which lets an attacker brick a battery, or perhaps even make it overheat, catch fire or explode. The flaw is in the battery's own firmware, so reinstalling the operating system does not remove it.


Automotive Security Holes

March 14, 2011

Researchers at UCSD and the University of Washington have released a paper ("Comprehensive Experimental Analyses of Automotive Attack Surfaces") on finding remote vulnerabilities in automotive computer systems. Though the simplest method is still to plug into the OBD-II diagnostic port, there are also exploitable holes in the cellular network interface, the Bluetooth interface, and even the car stereo.

From the article:

But their most interesting attack focused on the car stereo. By adding extra code to a digital music file, they were able to turn a song burned to CD into a Trojan horse. When played on the car’s stereo, this song could alter the firmware of the car’s stereo system, giving attackers an entry point to change other components on the car. This type of attack could be spread on file-sharing networks without arousing suspicion, they believe. “It’s hard to think of something more innocuous than a song,” said Stefan Savage, a professor at the University of California.

Adding computers to things also adds the security problems of computers, and every interface (a CD slot included) becomes an attack surface. It's too bad that this is not better understood in the world of product development.

Secondhand Data

March 14, 2011

The State of New Jersey very nearly auctioned off dozens of computers containing sensitive data – and they almost certainly have done so in the past. This was the first time that the state comptroller’s office thought to look at the disposition of the equipment that was to be auctioned.

If your company is looking to get rid of old equipment, it is imperative that you check it for data first. This includes desktops and laptops, of course, but also devices like networked printers, copiers or fax servers that may contain a hard drive. For wiping data while leaving the drive usable by the buyer, I recommend DBAN; it overwrites every sector, which is the right tool for a magnetic disk. For an SSD, sector overwrites do not reliably reach every flash cell, so use the drive's built-in secure-erase command instead. If that drive doesn't need to be usable in the future, I suggest one of these, or perhaps a giant hammer. In either case, spot-check the drive afterwards rather than trusting the wipe log.
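The spot check mentioned above, as an added example rather than anything from the original post or from DBAN: a POSIX shell function that samples blocks from a wiped device (or a disk image) and fails if any sampled block still holds non-zero bytes. The function name, its arguments and the sample image in the usage at the bottom are all hypothetical.

```shell
#!/bin/sh
# Added example: spot-check a wiped drive or image for leftover data.
# wipe_verify DEVICE [SAMPLES] [BLOCK_SIZE]
#   exit 0: every sampled block was all zeros
#   exit 1: at least one sampled block still holds data
#   exit 2: device shorter than one block
# A random sample is a spot check, not proof that the drive is clean.

wipe_verify() {
    dev=$1              # device node (/dev/sdX) or image file
    samples=${2:-64}    # random blocks to read, on top of first and last
    bs=${3:-4096}       # block size in bytes

    # Byte length: a block device needs blockdev(8); an image file just needs wc.
    if [ -b "$dev" ] && command -v blockdev >/dev/null 2>&1; then
        size=$(blockdev --getsize64 "$dev")
    else
        size=$(wc -c < "$dev")
    fi
    nblocks=$((size / bs))
    [ "$nblocks" -gt 0 ] || { echo "$dev: smaller than one block" >&2; return 2; }

    # Always read the first and last block: the partition table, boot code
    # and the GPT backup header live there and random sampling can miss them.
    blocks="0 $((nblocks - 1))"
    i=0
    while [ "$i" -lt "$samples" ]; do
        r=$(od -An -N4 -tu4 /dev/urandom)
        blocks="$blocks $((r % nblocks))"
        i=$((i + 1))
    done

    found=0
    for off in $blocks; do
        # od -v prints every byte (no '*' run suppression). Stripping spaces,
        # newlines and the digit 0 leaves an empty string only for an all-zero block.
        rest=$(dd if="$dev" bs="$bs" skip="$off" count=1 2>/dev/null \
               | od -An -v -tx1 | tr -d ' \n0')
        if [ -n "$rest" ]; then
            echo "$dev: non-zero data in block $off (byte offset $((off * bs)))"
            found=1
        fi
    done
    return "$found"
}

# Stand-alone usage against a constructed 64 KiB image with data in its last block.
img=$(mktemp)
dd if=/dev/zero of="$img" bs=4096 count=16 2>/dev/null
printf 'left over' | dd of="$img" bs=4096 seek=15 conv=notrunc 2>/dev/null
wipe_verify "$img" 8 || echo "wipe incomplete, do not ship this drive"
rm -f "$img"
```

Run it as root against the device node after DBAN finishes; 64 samples of 4 KiB on a large drive is a quick sanity check, so raise the sample count (or the block size) when the drive held anything sensitive. Secure-erased SSDs should read back as zeros too, so the same check applies to them.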


Speculation on Thunderbolt

March 1, 2011

Thunderbolt, a new I/O interface, was introduced last week on the latest line of MacBook Pro portable computers. Physically, it uses a Mini DisplayPort connector, and, if you like, it can be used as a plain DisplayPort interface to connect a monitor or projector to the computer. But it is also a successor to FireWire, capable of daisy-chaining up to six devices over two 10Gb/s channels shared by everything on the chain.

It is also a successor to FireWire in a less welcome sense. FireWire is an unauthenticated peer-to-peer bus (as distinct from a master-slave protocol like USB) on which any device can read and write host memory, and that has been exploited to forensically read the contents of RAM, disk-encryption keys included, from a live machine. Thunderbolt tunnels PCI Express over the cable, so a device on the chain is a PCIe peer with the same direct memory access unless the operating system confines it with an IOMMU. While the details on Thunderbolt are rather sketchy right now, it's easy to imagine that an adversary could rig a display device to surreptitiously harvest data from a client machine while appearing to function normally.

Physical security is tricky to enforce. Most people are smart enough to avoid plugging a random USB drive or Ethernet cable into a machine that holds sensitive data – but they won’t think twice about using a projector in a classroom or at a conference. Thunderbolt adds a whole new class of peripherals into the “untrusted” group. Watching the professionals take a crack at this will be very interesting.

Icelandic Espionage

January 21, 2011

An unmarked computer with an encrypted drive was found in the Icelandic Parliament building recently. It has no markings, no fingerprints, no serial numbers, and the police who discovered it powered it down without taking a forensic image of its memory. That is a costly mistake with an encrypted drive: the decryption key and whatever the machine was doing lived in RAM, and cutting the power discarded all of it. This computer was attached by an unknown party directly to the internal network of the Icelandic government.

This is an excellent example of the necessity of proper physical security in a network environment. All of the firewall mojo in the world is useless if someone can just plug anything they like into your network, or (even worse) connect to it from the outside using an official or rogue wireless access point.

So, how would you defend against an attack like this?

One possibility would be to use managed switches with 802.1X capability; the switch keeps a port closed until the device plugged into it authenticates (via EAP) against a RADIUS server. If you're especially paranoid, you can require certificate-based authentication (EAP-TLS) with the certificates held on smart cards or tokens, so that a stolen passphrase alone is not enough. Note that 802.1X authenticates the device when the link comes up; it does not protect the frames that follow, so a device quietly inserted in-line behind an already-authenticated host rides along unless the switch also enforces MACsec (802.1AE).

A simpler route would be to only "light up" network ports that have been requested, in writing, with the names of the requestors recorded in a central repository. MAC locking (port security on most managed switches) can be used to make sure that only the approved device is used on that port, and the switch's MAC address table can be checked against the register periodically to catch anything that slipped through. This isn't as bulletproof, of course: you're expecting all employees to follow a procedure 100% of the time, you need to make sure the ports that are no longer in use are turned off, and a sophisticated attacker would clone an authorized MAC address and use it on another device. But it's still better than nothing.