December 12, 2018
Category archive: computer security

Security flaw in DJI’s website and apps exposed accounts to hackers and drone live feeds


It took about six months for popular consumer drone maker DJI to fix a security vulnerability across its website and apps, which if exploited could have given an attacker unfettered access to a drone owner’s account.

The vulnerability, revealed Thursday by researchers at security firm Check Point, would have given an attacker complete access to a DJI user’s cloud-stored data, including drone logs, maps, any still or video footage — and live feed footage through FlightHub, the company’s fleet management system — without the user’s knowledge.

Taking advantage of the flaw was surprisingly simple — requiring a victim to click on a specially crafted link. But in practice, Check Point spent considerable time figuring out the precise way to launch a potential attack — and none of them were particularly easy.

For that reason, DJI called the vulnerability “high risk” but “low probability,” given the numerous hoops to jump through first to exploit the flaw.

“Given the popularity of DJI drones, it is important that potentially critical vulnerabilities like this are addressed quickly and effectively,” said Oded Vanunu, Check Point’s head of products vulnerability research.

A victim would have had to click on a malicious link from the DJI Forum, where customers and hobbyists talk about their drones and activities. By stealing the user’s account access token, an attacker could have pivoted to access the user’s main account. Clicking the malicious link would exploit a cross-site scripting (XSS) flaw on the forum, essentially taking the user’s account cookie and using it on DJI’s account login page.

The researchers also found flaws in DJI’s apps and its web-based FlightHub site.

By exploiting the vulnerability, the attacker could take over the victim’s account and gain access to all of their synced recorded flights, drone photos, and more. (Image: Check Point)

Check Point reached out in March, at which time DJI fixed the XSS flaw in its site.

“Since then, we’ve gone product-by-product through all the elements in our hardware and software where the login process could have been compromised, to ensure this is no longer an easily replicable hack,” said DJI spokesperson Adam Lisberg.

But it took the company until September to roll out fixes across its apps and FlightHub.

The good news is that it’s unlikely that anyone independently discovered and exploited any of the vulnerabilities, but both Check Point and DJI concede that it would be difficult to know for sure.

“While no one can ever prove a negative, we have seen no evidence that this vulnerability was ever exploited,” said Lisberg.

DJI heralded fixing the vulnerability as a victory for its bug bounty, which it set up a little over a year ago. The bug bounty had a rocky start: months after its launch, a security researcher who “walked away from $30,000” revealed a string of emails in which the company purportedly threatened him after he found sensitive access keys for the company’s Amazon Web Services instances.

This time around, there was nothing but praise for the bug finders.

“We applaud the expertise Check Point researchers demonstrated through the responsible disclosure of a potentially critical vulnerability,” DJI’s North America chief Mario Rebello said.

Good to see things have changed.

News Source = techcrunch.com

A pair of new Bluetooth security flaws expose wireless access points to attack


Security researchers have found two severe vulnerabilities affecting several popular wireless access points, which — if exploited — could allow an attacker to compromise enterprise networks.

The two bugs are found in Bluetooth Low Energy chips built by Texas Instruments, which networking device makers — like Aruba, Cisco and Meraki — use in their line-up of enterprise wireless access points. Although the two bugs are distinctly different and target a range of models, the vulnerabilities can allow an attacker to take over an access point and break into an enterprise network or jump over the virtual walls that separate networks.

Security company Armis calls the vulnerabilities “Bleeding Bit,” because the first bug involves flipping the highest bit in a Bluetooth packet, which causes the chip’s memory to overflow — or bleed — and which an attacker can then use to run malicious code on affected Cisco or Meraki hardware.

The second flaw allows an attacker to install a malicious firmware version on one of Aruba’s devices, because the software doesn’t properly check to see if it’s a trusted update or not.

Although the security researchers say the bugs allow remote code execution, the attacks are technically local — in that a would-be attacker can’t exploit the flaws over the internet and would have to be within Bluetooth range. In most cases, that’s about 100 meters or so — longer with a directional antenna — so anyone sitting outside an office building in their car could feasibly target an affected device.

“In the case of an access point, once the attacker gained control he can reach all networks served by it, regardless of any network segmentation,” Armis said in a technical write-up.

Ben Seri, vice president of research at Armis, said that the exploit process is “relatively straightforward.” Although the company isn’t releasing exploit code, Seri said that all an attacker needs is “any laptop or smartphone that has built-in Bluetooth in it.”

But he warned that the Bluetooth-based attack can be just one part of a wider exploit process.

“Once the attacker gains control over an access point through one of these vulnerabilities, he can establish an outbound connection over the internet to a command and control server he controls, and continue the attack from a more remote location,” he said. That would give an attacker persistence on the network, making it easier to conduct surveillance or steal data once the attackers drive away.

“Bleeding Bit” allows an unauthenticated attacker to break into enterprise networks undetected, take over access points, spread malware, and move laterally across network segments. (Image: Armis/supplied)

Armis doesn’t know how many devices are affected, but warned that the vulnerabilities are found in a range of other devices with Bluetooth Low Energy chips.

“This exposure goes beyond access points, as these chips are used in many other types of devices and equipment,” said Seri. “They are used in a variety of industries such as healthcare, industrial, automotive, retail, and more.”

Seri said that the vulnerabilities aren’t within the Bluetooth protocol, but with the manufacturer — in this case, the Bluetooth chip itself. As an open standard, device makers are largely left to decide for themselves how to implement the protocol. Critics have long argued that the Bluetooth specifications leave too much room for interpretation, and that can lead to security issues.

For its part, Texas Instruments confirmed the bugs and issued several patches, but attacked Armis’ findings, calling its report “factually unsubstantiated and potentially misleading,” said spokesperson Nicole Bernard.

After Armis privately disclosed the bugs in July, the three affected device makers have also released patches.

Aruba said it was “aware” of the vulnerability and warned customers in an advisory on October 18, but noted that its devices are only affected if a user enables Bluetooth — which Aruba says is disabled by default. Cisco, which also owns the Meraki brand, said some of its devices are vulnerable but they too have Bluetooth disabled by default. Fixes are already available and the company has a list of vulnerable devices noted in its support advisory. A Cisco spokesperson said that the company “isn’t aware” of anyone maliciously exploiting the vulnerability.

Carnegie Mellon University’s public vulnerability database, CERT, also has an advisory out for any other devices that might be affected.

News Source = techcrunch.com

DoorDash customers say their accounts have been hacked


Food delivery startup DoorDash has received dozens of complaints from customers who say their accounts have been hacked.

Dozens of people have tweeted at @DoorDash with complaints that their accounts had been improperly accessed and had fraudulent food deliveries charged to their account. In many cases, the hackers changed their email addresses so that the user could not regain access to their account until they contacted customer services. Yet, many said that they never got a response from DoorDash, or if they did, there was no resolution.

Several Reddit threads also point to similar complaints.

DoorDash is now a $4 billion company after raising $250 million last month, and serves more than 1,000 cities across the U.S. and Canada.

After receiving a tip, TechCrunch contacted some of the affected customers.

Four people we spoke to who had tweeted or commented that their accounts had been hacked said that they had used their DoorDash password on other sites. Three people said they weren’t sure if they used their DoorDash password elsewhere.

But six people we spoke to said that their password was unique to DoorDash, and three confirmed they used a complicated password generated by a password manager.

DoorDash said that there has been no data breach and that the likely culprit was credential stuffing, in which hackers take lists of stolen usernames and passwords and try them on other sites that may use the same credentials.

Yet, when asked, DoorDash could not explain how six accounts with unique passwords were breached.

“We do not have any information to suggest that DoorDash has suffered a data breach,” said spokesperson Becky Sosnov in an email to TechCrunch. “To the contrary, based on the information available to us, including internal investigations, we have determined that the fraudulent activity reported by consumers resulted from credential stuffing.”

The victims we spoke to said they used either the app or the website, or in some cases both. Some were only alerted when their credit card companies contacted them about possible fraud.

“Simply makes no sense that so many people randomly had their accounts infiltrated for so much money at the same time,” said one victim.

If, as DoorDash claims, credential stuffing is the culprit, we asked if the company would improve its password policy, which currently only requires a minimum of eight characters. We found in our testing that a new user could enter “password” or “12345678” as their password — which have for years ranked in the top five worst passwords.

The company also would not say if it plans to roll out countermeasures to prevent credential stuffing, like two-factor authentication.

News Source = techcrunch.com

Surveillance camera vulnerability could allow hackers to spy on and alter recordings


In newly published research, security firm Tenable reveals how popular video surveillance camera software could be manipulated, allowing would-be attackers the ability to view, disable or otherwise manipulate video footage.

The vulnerability, which researchers fittingly dubbed “Peekaboo,” affects software created by NUUO, a surveillance system software maker with clients including hospitals, banks, and schools around the globe.

The vulnerability works via a stack buffer overflow, overwhelming the targeted software and opening the door for remote code execution. That loophole means that an attacker could remotely access and take over accounts with no authorization, even taking over networked cameras connected to the target device.

“This is particularly devastating because not only is an attacker able to control the NVR [camera] but the credentials for all the cameras connected to the NVR are stored in plaintext on disk,” Tenable writes.

Tenable provides more details on potential exploits tested with one of NUUO’s NVRMini2 devices on its GitHub page. One exploit “grabs the credentials to the cameras that are connected to the NVR, creates a hidden admin user, and disconnects any cameras that are currently connected to the NVR.” Not great.

Tenable set its disclosure to NUUO in motion on June 1. NUUO committed to a September 13 patch date to fix the issue, but the date was later pushed to September 18, when anyone with affected equipment can expect to see a new firmware version. Organizations that might be vulnerable can use a plugin from the researchers to determine if they’re at risk, or contact the manufacturer directly. TechCrunch reached out to NUUO about its plans to push a patch and notify affected users.

What makes matters worse with this vulnerability is that NUUO licenses its software out to at least 100 other brands and 2,500 camera models. Tenable estimates that the vulnerability could put hundreds of thousands of networked surveillance cameras at risk around the world, and many of the groups that operate those devices might have no idea that the risk is even relevant to the systems they rely on.

News Source = techcrunch.com

Weak passwords let a hacker access internal Sprint staff portal


It’s not been a great week for cell carriers. EE was hit with two security bugs and T-Mobile admitted a data breach. Now, Sprint is the latest phone giant to admit a security lapse, TechCrunch has learned.

Using two sets of weak, easy-to-guess usernames and passwords, a security researcher accessed an internal Sprint staff portal. Because the portal’s log-in page didn’t use two-factor authentication, the researcher — who did not want to be named — navigated to pages that could have allowed access to customer account data.

Sprint is the fourth-largest US cell network, with 55 million customers.

TechCrunch passed on details and screenshots of the issue to Sprint, which confirmed the findings in an email.

“After looking into this, we do not believe customer information can be obtained without successful authentication to the site,” said a Sprint spokesperson.

“Based on the information and screenshots provided, legitimate credentials were utilized to access the site. Regardless, the security of our customers is a top priority, and our team is working diligently to research this issue and immediately changed the passwords associated with these accounts,” the spokesperson said.

We’re not disclosing the passwords, but suffice to say they were not difficult to guess.

The first set of credentials let the researcher into a prepaid Sprint employee portal that gave staff access to Sprint customer data — as well as Boost Mobile and Virgin Mobile, which are Sprint subsidiaries. The researcher used another set of credentials to gain access to a part of the website, which he said gave him access to a portal for customer account data.

A screenshot shared with TechCrunch showed that this portal allowed anyone with access to it to conduct a device swap, change plans and add-ons, replenish a customer’s account, check activation status and view customer account information.

A screenshot showing an internal customer portal.

All a user would need is a customer’s mobile phone number and a four-digit PIN, which could be bypassed by cycling through every possible combination.

The researcher said there were no limits on the number of PIN attempts.
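The two account-takeover weaknesses reported on this page, DoorDash’s length-only password rule that accepts “password” and “12345678”, and Sprint’s four-digit PIN with no attempt limit, are both mitigated below in an added example that is not code from either company. The account data, the five-attempt lockout threshold and the small denylist of common passwords are constructed for the demonstration.

```python
import hmac
from collections import defaultdict

# Constructed sample of widely reported worst passwords; the article names
# "password" and "12345678" as ones an eight-character minimum lets through.
COMMON_PASSWORDS = {"password", "12345678", "123456789", "qwerty123", "iloveyou"}
MIN_LENGTH = 8          # the minimum length the article describes
MAX_PIN_ATTEMPTS = 5    # hypothetical lockout threshold, chosen for this example


def password_acceptable(candidate: str) -> bool:
    """Length alone is not a policy: also reject known-bad passwords."""
    if len(candidate) < MIN_LENGTH:
        return False
    return candidate.lower() not in COMMON_PASSWORDS


class PinGuard:
    """Verifies a four-digit account PIN with a per-account failure limit.

    max_attempts=None reproduces the unlimited-attempt behaviour the
    researcher described; the default applies a lockout.
    """

    def __init__(self, pins, max_attempts=MAX_PIN_ATTEMPTS):
        self._pins = dict(pins)            # phone number -> PIN (constructed data)
        self._max = max_attempts
        self._failures = defaultdict(int)

    def failed_attempts(self, phone: str) -> int:
        return self._failures[phone]

    def verify(self, phone: str, pin: str) -> bool:
        if self._max is not None and self._failures[phone] >= self._max:
            return False                   # locked out: no oracle for further guesses
        # Constant-time comparison; a missing account compares against "" and fails.
        ok = hmac.compare_digest(self._pins.get(phone, ""), pin)
        if ok:
            self._failures[phone] = 0
        else:
            self._failures[phone] += 1
        return ok


def brute_force_succeeds(guard: PinGuard, phone: str) -> bool:
    """Harness: enumerate all 10,000 PINs; with a lockout this must return False."""
    return any(guard.verify(phone, f"{n:04d}") for n in range(10_000))
```

Run the harness once with `max_attempts=None` and once with the default to see that the lockout, not the PIN length, is what stops enumeration.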

Account PINs are highly sensitive, as they can be used to transfer ownership of a number from one person to another. That gives hackers an easier route to carry out “SIM swapping” attacks, which target and hijack cell phone numbers. Hackers use a mix of techniques, ranging from calling up customer service and impersonating a customer, all the way to recruiting telecom employees to hijack SIM cards from the inside. By hijacking phone numbers, hackers can break into online accounts to steal vanity Instagram usernames, and intercept codes for two-factor authentication to steal the contents of cryptocurrency wallets.

SIM swapping is becoming a big, albeit illegal business. An investigation by Motherboard revealed that hundreds of people across the US have had their cellphone number stolen over the past few years. TechCrunch’s John Biggs was one such victim.

But the authorities are catching up to the growing threat of SIM swapping. Three SIM swappers have been arrested in the past few weeks alone.

News Source = techcrunch.com
