
Category: Hackerterrorcybercyber

Android Security Bulletin April 2017 makes Firmware look like WTC after 9/11

The April 2017 Android Security Bulletin is out, and makes Android Qualcomm and Broadcom Firmware look like the WTC straight after 9/11. At this rate we will have exhausted the four-digit CVE counter for 2017 before Pentecost.

We already know MediaServer is a piece of Swiss cheese, but this is about CameraBase, Audioserver, SurfaceFlinger, Telephony, Factory Reset (sic!) and Broadcom, Qualcomm, NVIDIA, HTC and MediaTek Firmware problems as well.

Much of that is available as a binary blob only and has never seen a systematic audit, ever. Hence the CVE list. Multiple Critical, plenty of High.

Your phone does get updates and fixes, does it?


Hacking “Smart” TVs via DVB-T

Ars Technica reports on a possible mass-hack of Smart TVs using the DVB-T signal:

The proof-of-concept exploit uses a low-cost transmitter to embed malicious commands into a rogue TV signal. That signal is then broadcast to nearby devices. It worked against two fully updated TV models made by Samsung. By exploiting two known security flaws in the Web browsers running in the background, the attack was able to gain highly privileged root access to the TVs. By revising the attack to target similar browser bugs found in other sets, the technique would likely work on a much wider range of TVs.

Multimedia Stream decoding is notoriously complicated, and prone to bugs, as Google demonstrated with a whole suite of problems in the Android Stream decoders. There is no reason to assume that it’s easier anywhere else.

The TV sets are being fed the signal with a low-power mobile transmitter, a small fake TV station, and the attack is on the web browser that is running permanently in the background.


More Symantec News

Chris Byrne writes on Facebook:

If you purchased a Symantec certificate (or a cert from any of their associated subsidiaries and partners) through a third party, from at least as far back as early 2013 until recently; their third party certificate generation, management, and retrieval API allowed those certificates… including in some cases private keys generated by third parties… to be retrieved without proper authentication, or in some cases any authentication at all.

I think Google has been pretty kind to Symantec with their reaction. This is a complete CA meltdown.


Webservers in a Dishwasher

The Register reports on CVE-2017-7240, Web Server Directory Traversal in the Miele Professional PG 8528 Dishwasher (which is used in medical establishments to clean and properly disinfect laboratory and surgical instruments).

Yes, dishwashers (and many microwaves and ovens) now come with touch screens and network ports. Of course, as El Reg puts it:

Appliance makers: stop trying to connect to the Internet, you’re no good at it. ®

but in this case the webserver even makes sense. The PG 8528 is a commercial washer and disinfector for hospitals and probably comes with remote service and diagnostics.

That makes it even worse that Miele has no security process for these devices at all:

And because Miele is an appliance company and not a pure-play IT company, it doesn’t have a process for reporting or fixing bugs.

Miele did not respond to the bug report they received in November 2016, ever.


Chrome considers Symantec CA rogue

Ryan Sleevi writes:

Since January 19, the Google Chrome team has been investigating a series of failures by Symantec Corporation to properly validate certificates. Over the course of this investigation, the explanations provided by Symantec have revealed a continually increasing scope of misissuance with each set of questions from members of the Google Chrome team; an initial set of reportedly 127 certificates has expanded to include at least 30,000 certificates, issued over a period spanning several years. […]

To balance the compatibility risks versus the security risks, we propose a gradual distrust of all existing Symantec-issued certificates, requiring that they be replaced over time with new, fully revalidated certificates, compliant with the current Baseline Requirements. […]

Given the nature of these issues, and the multiple failures of Symantec to ensure that the level of assurance provided by their certificates meets the requirements of the Baseline Requirements or Extended Validation Guidelines, we no longer have the confidence necessary in order to grant Symantec-issued certificates the “Extended Validation” status.


10 reasons not to do HTTPS interception

Marnix Dekker has an article on HTTPS interception as it is being done in some workplaces.

He lists:

  • Are you serious? We worked so hard to make the web more secure and you are fucking it up.
  • HSTS, you are breaking it.
  • Blinds the browser and the user, because you re-encrypt with wildcard certs.
  • Disrupts personal use.
  • Breaks pinning and CT.
  • Breaks with consumerization.
  • Disrupts BYOD.
  • Discourages good user practices.
  • Limited benefits.
  • and finally: Hard shell, soft inside is not going to work.



Ubuntu 12.04 LTS expires next month, but there’s the Dodo club

So Precise Pangolin was published as Ubuntu 12.04 LTS on April 26, 2012.

That’s a long time ago. Back then, Battleship, The Avengers (3D) and Cabin In The Woods (3D) were released. Intel released the Ivy Bridge Microarchitecture. The last proper US president campaigned for his second term and the US weren’t a failed state back then. It was a different world.


Magic circles banning autonomous cars

Trapping Autonomous Cars

Somebody sent me a link to Vice with the comment “A multiple hit in the Venn Diagram of your interests”.

It’s about an artist using technology disguised as ritual magic to trap self-driving cars (and similar shenanigans). The assessment was correct, this is beautiful.

The image from the article shown above shows a self-driving car inside fake street markings. The broken lines allow the car’s logic to enter the circle, the unbroken lines mark a demarcation that must not be crossed, hence the car can never leave.

It ties back to a story my driving instructor told me. He was making a point about “How things are being presented matters”, telling of a beginner driver who had been told to imagine unbroken lines as a “wall that cannot be crossed” and who because of that had problems – sometimes rules must be broken to preserve their meaning and spirit.



MySQL and encrypted connections

2006 slides by Rasmus Lerdorf

Since 5.0, MySQL does allow natively encrypted connections to the database, and supposedly also does support client certs for user authentication. Supposedly, because I never tried.

MySQL as a database performs well with transient connections as they are prevalent in two-tier deployments (mod_php, mod_perl, mod_python to database), in which a database connection is made upon web request, and the connection is torn down at the end of the request. This model does not scale so well with encryption in the mix, as on connection a full TLS/SSL exchange must be made.
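
How encrypted connections and client certificates are enforced per account, and how to see the handshake load that transient connections create, as an added example that is not part of the original post. The account name, host pattern, password and certificate subject/issuer are constructed placeholders; the CREATE USER / ALTER USER ... REQUIRE syntax assumes MySQL 5.7 or later (older servers use GRANT ... REQUIRE).

```sql
-- Added example: all names and values below are constructed placeholders.

-- Weak: this account may connect in plaintext whenever the client
-- does not ask for TLS.
CREATE USER 'webapp'@'10.0.0.%' IDENTIFIED BY 'example-password-change-me';

-- Corrected: the server refuses unencrypted connections for this account.
ALTER USER 'webapp'@'10.0.0.%' REQUIRE SSL;

-- Stricter: also require a client certificate that validates against
-- the CA configured on the server (ssl_ca).
ALTER USER 'webapp'@'10.0.0.%' REQUIRE X509;

-- Strictest: only one specific certificate identity is accepted.
ALTER USER 'webapp'@'10.0.0.%'
  REQUIRE SUBJECT '/CN=webapp.example.internal'
      AND ISSUER  '/CN=Example Internal CA';

-- Audit which accounts still allow plaintext (ssl_type is empty for those).
SELECT user, host, ssl_type
  FROM mysql.user
 WHERE ssl_type = '';

-- Run from inside an application session: an empty Value means the
-- session is NOT encrypted.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
SHOW SESSION STATUS LIKE 'Ssl_version';

-- Handshake load on the server. With connect-per-request clients,
-- Ssl_finished_accepts grows roughly in step with Connections: every
-- web request pays for a TLS handshake.
SHOW GLOBAL STATUS LIKE 'Connections';
SHOW GLOBAL STATUS LIKE 'Ssl_accepts';
SHOW GLOBAL STATUS LIKE 'Ssl_finished_accepts';

-- Session cache counters show whether handshakes are being resumed
-- (hits) or negotiated in full (misses).
SHOW GLOBAL STATUS LIKE 'Ssl_session_cache_hits';
SHOW GLOBAL STATUS LIKE 'Ssl_session_cache_misses';
```

Sampling the global counters twice, a minute apart, gives the handshake rate the two-tier deployment described above actually generates.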