We often think of SIM cards as simple data storage devices, but in reality a SIM card is a miniature Universal Integrated Circuit Card (UICC), or smart card. Subscriber data isn’t a simple text string, but a program running on the smart card’s tiny processor, acting as a hardware cryptographic token. The presence of this tiny processor in everyone’s cell phone was eventually put to use in the form of the SIM Application Toolkit (STK), which allowed cell phone networks to add services to very basic cell phones, such as mobile banking and account management.
Legacy software running in a place most of us have forgotten about? Sounds like it’s ripe for exploitation. The researchers at Adaptive Mobile Security discovered that exploitation of SMS messages has been happening for quite some time. In an era of complicated and sophisticated attacks, Simjacker seems almost refreshingly simple. An execution environment included on many SIM cards, the S@T Browser, can request data from the cell phone’s OS, and even send SMS messages. The attacker simply sends an SMS to this environment containing instructions to request the phone’s unique identifier and current GPS location, and send that information back in another SMS message.
It’s questionable whether there is actually an exploit here, as it seems the S@T Browser is just insecure by design. Either way, the fact that essentially anyone can track a cell phone simply by sending a special SMS message to that phone is quite a severe problem.
Windows Update Woes
It seems like Microsoft can’t catch a break. In the past month, Windows 10 updates have broken VB6 programs, broken RDP (the black screen bug), caused abnormally high CPU usage by Cortana, and now slowly turn screens red. If I didn’t know how easy buggy code is to write, I’d suspect the good folks at Redmond were toying with us. I’ve been the cause of bizarre bugs myself, so no judgement on that front.
Windows 10 does have an unfortunate feature — cumulative updates. It’s not that I miss the old days of installing hundreds of updates after re-installing Windows, I just miss being able to uninstall the one update causing problems, rather than uninstalling the entire month’s worth of updates.
This month’s Patch Tuesday update includes 80 security fixes, two of which are zero-day privilege elevation vulnerabilities. Go forth and update, and hope nothing else is broken.
Apple Vs Google
Last week we reported on the iOS attack chains reported by Google’s Project Zero. Apple took notice of the Project Zero blog and press coverage, and released their own statement. Apple’s response notably disputes the claim that this was an “en masse” attack, emphasizing that fewer than 12 niche websites were serving the malware. Apple also disputes the timeline, claiming that the websites in question were actively serving malware for only 2 months. Many have called Apple out for their response, disappointed in the defensive stance they chose to take.
Audio Deepfakes
Or neural-network powered text-to-speech engines. Whatever you prefer to call them, computer generated audio and video has come a long way since Tron and WarGames. While video deepfakes are still not perfect, triggering the uncanny valley reaction for many, the audio-only variety is apparently much more convincing. It seems that a new criminal enterprise has been born — using audio deepfakes to perfect the old “boss scam”. In this case, €200,000 was lost before the scam was discovered.
It’s only a matter of time before this technology impacts other arenas. Just recently a certain Canadian psychologist made quite a stir when he discovered a website that allowed anyone to put words into his mouth. At this point it’s a toss-up as to which will happen first, a public figure being disgraced by a faked recording, or claiming “Deepfake!” to cover up a legitimate one.
NetCAT
Look, don’t name your vulnerabilities after Unix command line utilities. We get the joke, but it’s just confusing. NetCAT is a cache timing attack that takes advantage of hardware vulnerabilities. It’s a bit different from the speculative execution attacks, though. This attack specifically targets Intel’s Direct Data I/O (DDIO) technology.
You may be familiar with Direct Memory Access. What could be faster than a network card writing directly to RAM? Writing directly to cache, of course. DDIO allows a connected PCIe device to access the level 3 (L3) cache directly, rather than pass data through the system RAM first. As that cache fills, data is sent off to RAM, and the researchers at VU Amsterdam realized there was a detectable latency cost when accessing data that had been flushed out of the cache. In short, the timing of data reads leaks information about the state of the system’s L3 cache.
How in the world is that useful? Their PoC used InfiniBand PCIe cards and Remote Direct Memory Access (RDMA). RDMA is a protocol managed by the network card itself, where one machine on the network can bypass the CPU and write directly to the RAM of a connected machine. In their demo, they sent multiple packets of RDMA data, enough to fill the DDIO cache, and then probed to see if any of that data had been evicted from the cache. This information leak revealed the timing of other incoming packets, specifically an SSH connection. Since SSH sends a packet per keystroke, this gave detailed timing information on the SSH connection. From there, existing timing attack techniques are enough to discern the keystrokes of the SSH session. While it’s a novel attack, the real world ramifications seem quite limited so far. Because it’s all hardware based, however, the only mitigation is to disable DDIO altogether.