April 24, 2017

Intel ME: The Way of Static Analysis

Image: Clive Darra, Flickr

Intel Management Engine (ME) has been known for over 10 years (since 2005), but official Internet sources about ME are few and far between. Fortunately, excellent works on the topic have been published in recent years. However, all of them deal with ME 10 and earlier, while modern computers implement ME 11, which was introduced in 2015 for the Skylake microarchitecture.

If you have never heard about ME, this is a good time to check out great slides from Igor Skochinsky about previous versions of ME.

In short, ME is a separate processor embedded in the chipset of any modern computer with an Intel CPU. ME runs even when the computer is sleeping or powered off (as long as it is plugged in to a power outlet). ME can access any part of RAM, but the RAM region used by ME is not accessible from the OS. What’s more, ME is capable of out-of-band access to the network adapter.

April 19, 2017

Bank employees using social networks at work: danger or mere distraction?

Banks always have been a lure for attackers, and while new technologies help to improve client service, they also create additional information security risks.

Cyberattacks on banks frequently start with criminals persuading employees of a financial institution to open specially crafted malware. Positive Technologies expert Timur Yunusov explains below if it makes sense for banks to ban workplace use of social networks to reduce the risk of such attacks.

April 13, 2017

Intel and Lenovo have restricted access to debugging interface of CPUs after Positive Technologies' revelations

Intel and Lenovo have released recommendations that help restrict access to JTAG debugging interface of processors which can be used by attackers. The insecurity was first discovered by Positive Technologies’ experts in December 2016.

At that time Positive Technologies’ experts Maxim Goryachiy and Mark Ermolov presented their findings, during a session at the Chaos Communication Congress (33C3) in Hamburg, explaining that modern Intel processors allow usage of the debugging interface via a USB 3.0 port available on many platforms to gain full control over the system. Modern security systems cannot detect such attacks.

April 7, 2017

Our new R&D center in Brno

We are pleased to announce the opening of our brand new   R&D center Brno, Czech Republic, which will focus on developing products to secure mobile telecommunications systems.

March 31, 2017

CVE-2017-2636: exploit the race condition in the n_hdlc Linux kernel driver bypassing SMEP

This article discloses the exploitation of CVE-2017-2636, which is a race condition in the n_hdlc Linux kernel driver (drivers/tty/n_hdlc.c). The described exploit gains root privileges bypassing Supervisor Mode Execution Protection (SMEP).

March 6, 2017

Security reflections from Mobile World Congress

Michael Downs, Director of Telecoms Security, EMEA

Mobile World Congress is not just a name, it is perfectly descriptive.  The entire mobile world squeezes into a few square kilometres of Barcelona for four days. Given this concentration of senior execs, it’s a good place to form an opinion on industry trends and try to understand the place security has in the future of mobile.    

Transport was a massive theme this year.  Someone mentioned there were more car companies here than at a recent major motor show, and everything from chip-set manufacturers to infrastructure providers were touting their connected mobility play.  It seems to be the most obvious large scale early application for the Internet of Things as companies see problems that can be solved with data connections, namely accidents, congestion and general resource waste. The promise is great. 

However, from a security point of view, I got the impression the priorities for many of these propositions was traditional elements such as speed to market, efficiency of UI, prioritizing functionality, hardware power, connection speeds etc.  Not many of the people on the booths I questioned could truly answer the question of what they were doing to keep connected cars, trucks and buses secure from abuse.  Maybe it was an unfair question, but given the scale of what is being proposed, this raised a few eyebrows amongst our experts.  The consequences of attacks on a fleet of trucks, or the targeting of a car’s systems, don’t bear thinking about.  Theoretically, such attacks are possible in the same way an attacker would abuse existing Diameter or SS7 networks.  Everything is assigned a number in the network the same way a phone is, providing a marker from which to develop an attack profile.

This theme grows further when you look at the underlying narrative for the show as a whole, that of attaching a data connection to everything. Lots of marketing dollars were spent on tiny models of everything from stadiums, to entire cities.  This is being enabled by the hope the industry has for emerging protocols such as 5G and LTE-M.  More capacity and higher speeds, means more things can now talk to the Internet.    

This is good for the mobile industry, but also for attackers, as more connected things simply mean a larger attack surface on which to work.  As was demonstrated at our expert dinner, we believe too many vulnerabilities are still present, both in the underlying infrastructure that carries data and also in the radio delivery from base station to user.  This will only be compounded on as more things become connected on an application level, driven by increased digitization and usage of emerging web technologies.

From a signalling (SS7 and Diameter) point of view, the underlying infrastructure to support this brave new world is vulnerable, and becoming easier and cheaper to access by an attacker. For dollars per day, bad actors can now buy access to core telecoms networks on the black market and exploit either existing flaws, or new ones.  Once inside, all that is needed  is a phone number (MSISDN) of your target or targets, be it a person or a fleet of connected cars, to manipulate the commands accordingly.  The move towards new protocols will only present new opportunities for bad actors, who are notoriously creative and persistent.

There are also weaknesses from a radio frequency point of view, as vulnerabilities exist in the vast majority of communication protocols and their implementation. Again, as we saw at our expert’s dinner, armed with just a Raspberry Pi, a chipboard bought for a few dollars and some Python script, data can be sniffed, intercepted, even decrypted on the fly and altered to carry out the whim of the attacker.  Whilst we demonstrated some of this on a toy drone, it is important to note that the same protocols are used in the delivery of the entire gamut of ‘things’ connected by mobile networks.  This means everything from industrial control systems to cars.

This is not intended to be a doomsday rant.  These are points we believe, as a research based security company, are important to be on the mind of the mobile industry.  Many believe we are on the edge of a new industrial revolution. If this is true, then the old mantra that security needs to be built into the heart of things is never truer than right now.  We look forward to spending time making sure the brave new world the mobile industry is creating, is kept safe and can flourish for everyone’s benefit.

February 8, 2017

Web application attack trends: government, e-commerce, and finance in the spotlight

Positive Technologies has revealed how hackers attacked web applications throughout 2016. The aim of our research was two-fold: to determine which attacks are most commonly used by hackers in the wild, and to find out which industries are being targeted and how. With this data, organizations can be more aware of digital threats and protect themselves accordingly.

January 17, 2017

Intel debugger interface open to hacking via USB

New Intel processors contain a debugging interface accessible via USB 3.0 ports that can be used to obtain full control over a system and perform attacks that are undetectable by current security tools.

A talk on the mechanisms needed for such attacks and ways to protect against them was given by Positive Technologies experts Maxim Goryachy and Mark Ermolov at the 33rd Chaos Communication Congress (33C3) in Hamburg, Germany.