Year: 2018

Attackers Cashing In On Cryptocurrency With Increased Scams

As the popularity around cryptocurrency has continued to boom in 2018, it has also become a tempting target for cash-hungry scammers launching “cryptocurrency giveaway scams.”

Researchers at Proofpoint this week said they’ve observed a sharp rise in these scams, which target users of Ethereum and Bitcoin and typically request that victims send a small amount of the currency in exchange for a much larger payout in the same cryptocurrency.

The scams, which peaked in April, are an easy way for attackers to prey on the hype around cryptocurrency – with one observed scammer making away with more than $21,000, said Proofpoint.

“The success of this scam shows that threat actors continue to look for new ways to exploit the human factor – and people are inclined to fall for scams that can net them hot commodities like cryptocurrencies,” wrote Proofpoint in a post about the scam on Wednesday.

These scams typically start with a tweet or an email, which entice potential victims to send cryptocurrency to a wallet with the promise that more will be sent back. These tweets may say things like “There’s an ongoing promotion by Ethereum that just started! I also wanted to share this awesome news! I’ve personally received 92 ETH after just sending 9.2 ETH!”

As scammers lay the social engineering groundwork, they will also develop fake Twitter accounts impersonating exchanges, developers, and celebrities to try to further prompt users to click.

When a user clicks the link or enters the URL from the image, they are generally taken to a landing page prompting them to send a certain amount of cryptocurrency to a payment address.

The template attempts to establish legitimacy by showing a number of fake transactions, falsely suggesting that large amounts of coins are being sent back to those who send small amounts of coins to the scammer’s wallet, researchers said.

Interestingly, “in other cases, scammers do not promise rewards but instead emulate crowdfunding models, as in … a page promising to help free Julian Assange,” according to Proofpoint.

The scam is reportedly working. When researchers investigated some of the wallet addresses associated with the scam, they found that “some of them are growing and do not reflect the ‘giveaway’ nature of the intended interaction.” Typically, a scammer will also use a new wallet for each scam – but researchers said they also observed some reuse.

In one case, researchers followed an Ethereum wallet that appeared 10 times in their data. The scammer dumped the wallet on May 5, collecting a fairly hefty amount of $21,700 in earnings.

“Searching through the wallet transactions, it appears that the actors may have better luck phishing with Ethereum as opposed to Bitcoin,” said researchers.

Proofpoint said they would continue to monitor these scams given the rebounding cryptocurrency values. Meanwhile, users should keep a keen eye out for these types of scams.

“As with most of these scams, if it seems too good to be true, it probably is, but the appeal of nearly-free cryptocurrency and new approaches to social engineering, primarily via hijacked conversations on social media platforms, are proving too tempting for many users,” they said.

Millions of IoT Devices Vulnerable to Z-Wave Downgrade Attacks, Researchers Claim

The popular home automation protocol Z-Wave, used by millions of IoT devices, is vulnerable to a downgrade attack that could allow an adversary to take control of targeted devices, according to researchers.

Z-Wave is a wireless protocol used by 2,400 vendors; its wireless chipsets are embedded in an estimated 100 million smart devices ranging from door locks and lighting to heating systems and home alarms, according to Pen Test Partners, who released a report on the vulnerability on Wednesday.

According to researchers, today’s Z-Wave systems are configured to support the “strong” S2 Z-Wave pairing security process. However, a proof-of-concept (PoC) attack demonstrates how a hacker could downgrade the higher S2 standard to the weaker S0 pairing standard, which allows an adversary to steal the network encryption key and expose a device to compromise.

The PoC attack involved a hacker within RF range at the time a controller pairs with the IoT device.

“Z-Wave uses a shared network key to secure traffic. This key is exchanged between the controller and the client devices (‘nodes’) when the devices are paired. The keys are used to protect the communications and prevent attackers exploiting joined devices,” researchers explained.

A nearly identical pairing issue was identified by researchers at SensePost in 2013, prompting Z-Wave owner Silicon Labs to develop the new pairing process, S2. The problem with the old mechanism was that “the network key was transmitted between the nodes using a key of all zeroes, and could be sniffed by an attacker within RF range,” researchers said.

But since the introduction of S2, a similar attack scenario has been devised by Pen Test Partners. “We have shown that the improved, more secure pairing process (‘S2’) can be downgraded back to S0, negating all improvements,” researchers said.

Researchers noted that when a Z-Wave device is using the weaker S0 security (and not the S2 flavor), the S2 controller will notify the user when S0 security is being used, after the fact. “We feel this will be ignored or overlooked,” researchers said.

On Wednesday, Silicon Labs posted a blog addressing the Pen Test Partners research, stating the PoC took advantage of a backwards-compatibility feature that allowed S2 devices to work on S0 networks. It also stated emphatically that this is not a vulnerability.

“It was a conscious choice of the Z-Wave Alliance to discount this non-vulnerability in order to offer partners and customers backwards compatibility so that they didn’t need to replace their gear,” said Lars Lydersen, senior director of product security at Silicon Labs, in an interview with Threatpost.

Lydersen said an attack is extremely improbable given its requirements: specialized equipment, proximity to the RF network, forcing a controller reset, and hijacking the pairing session within the 20-millisecond window in which it is vulnerable.

“The smart home controller or gateway will always notify the user if S2 is reverted to S0 during the installation process,” the post states.

How The Attacks Work

The attack exploits the way devices advertise support for the stronger S2 pairing: a “command class” identifier included in the node information the device sends to the controller during pairing.

“The node info command is entirely unencrypted and unauthenticated. This leads to us being able to spoof it, removing the COMMAND_CLASS_SECURITY_2 command class. The controller then assumes that the device does not support S2, and pairs using S0 security. The attacker can now intercept the key exchange, obtain the network key and then command the device,” researchers described.

In one attack scenario against a Yale Conexis L1 smart lock, researchers were able to use a controller and downgrade the device to S0 pairing security. The PoC attack then allowed researchers to lock and unlock the device at will.

Another attack scenario involves triggering an IoT device to send pairing data by replacing its battery, making it possible for an adversary “to sniff, modify and then send the data on.”

“The third method involves active jamming using an RFCat,” researchers wrote. RFCat is a USB radio dongle capable of transmitting, receiving and snooping radio frequencies. “An attacker can continuously listen for the node info from the genuine node. As soon as the home ID has been obtained, they can actively jam the rest of the packet, preventing the node info from being received.”

Pen Test Partners say the issue is a standards and implementation concern, and are critical of what they describe as Silicon Labs’ lethargic response to securing its platform. “We’re not particularly happy that the Z-Wave Alliance appears to have been aware of the downgrade attack, but hasn’t really addressed it,” researchers wrote.

Although Silicon Labs doesn’t consider the pairing issue a vulnerability, the company said it plans to take steps to ensure its customers make informed decisions when a pairing is downgraded. Johan Pedersen, product marketing manager, Z-Wave IoT, said it would soon change the way it notifies customers that their device is going to be paired using the S0 method. “Instead of notifying customers that the pairing was going to take place after the fact, we will be notifying them of the pairing beforehand,” he said.
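The controller-side decision the article describes, as an added example (not Pen Test Partners, Silicon Labs or Z-Wave code): the pairing security level is chosen purely from the command classes listed in the unauthenticated node info, so an S2-capable device that shows up advertising only S0 is indistinguishable from a genuine S0-only device, and the only defensive levers are the installer's expectation and the "confirm before pairing" behaviour Silicon Labs announced. The frame layout below is a constructed simplification, not the real on-air format; the command-class identifiers are the values from the Z-Wave specification.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Command-class identifiers defined by the Z-Wave specification.
COMMAND_CLASS_SECURITY = 0x98     # S0 security
COMMAND_CLASS_SECURITY_2 = 0x9F   # S2 security
COMMAND_CLASS_DOOR_LOCK = 0x62


@dataclass
class NodeInfo:
    home_id: int
    node_id: int
    command_classes: list[int] = field(default_factory=list)


def parse_node_info(frame: bytes) -> NodeInfo:
    """Constructed layout: 4-byte home ID, 1-byte node ID, then the class list."""
    if len(frame) < 5:
        raise ValueError("node info too short")
    return NodeInfo(int.from_bytes(frame[:4], "big"), frame[4], list(frame[5:]))


def negotiate(info: NodeInfo) -> str:
    """Default controller behaviour: use S2 if advertised, otherwise fall back to S0."""
    if COMMAND_CLASS_SECURITY_2 in info.command_classes:
        return "S2"
    if COMMAND_CLASS_SECURITY in info.command_classes:
        return "S0"
    return "none"


def pairing_plan(info: NodeInfo, s2_expected: bool, confirm_before_s0: bool) -> dict:
    """Decide what to do BEFORE any key exchange, which is the only point where a
    downgrade can still be stopped. s2_expected: the installer knows the product
    supports S2. confirm_before_s0: ask the user before an S0 pairing, not after."""
    level = negotiate(info)
    plan = {"level": level, "proceed": True, "warning": None}
    if level == "S0" and s2_expected:
        # An S2 product offering only S0 is exactly what a stripped node info looks like.
        plan.update(proceed=False, warning="S2 device offered only S0: abort and re-pair")
    elif level == "S0" and confirm_before_s0:
        plan.update(proceed=False, warning="S0 pairing needs user confirmation first")
    return plan


# Constructed sample frames for one door lock: S2 advertised, and S2 absent.
HOME_ID = bytes.fromhex("deadbeef")  # constructed value
GENUINE = HOME_ID + bytes([0x07, COMMAND_CLASS_SECURITY, COMMAND_CLASS_SECURITY_2, COMMAND_CLASS_DOOR_LOCK])
S0_ONLY = HOME_ID + bytes([0x07, COMMAND_CLASS_SECURITY, COMMAND_CLASS_DOOR_LOCK])

if __name__ == "__main__":
    for name, frame in (("genuine", GENUINE), ("s0_only", S0_ONLY)):
        print(name, pairing_plan(parse_node_info(frame), s2_expected=True, confirm_before_s0=True))
```

With `s2_expected=False` and `confirm_before_s0=False` the S0-only frame pairs silently, which is the after-the-fact notification the researchers expected users to ignore.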

Pet Trackers Open to MITM Attacks, Interception

Family pets are near and dear to us, so smart collars and other devices for animals that track their locations are becoming popular; a world without the need for lost-pet flyers is after all a wonderful thing. The problem, according to researchers, is that these devices can leak sensitive information, like phone numbers, the pet’s location or home network details.

After examining several well-reviewed models, including Kippy Vita, the Nuzzle Pet Activity and GPS Tracker and the Whistle 3 GPS Pet Tracker & Activity Monitor, testers at Kaspersky Lab found several issues that should be of concern for Rover’s owners.

Bluetooth Blues

One common problem found in some of the trackers examined comes down to the use of Bluetooth Low Energy (BLE), which is custom-made for low-power IoT sensor applications. BLE essentially connects the pet-trackers to the owner’s smartphone, but unlike the full implementation of the Bluetooth spec, BLE doesn’t require authentication in order to pair devices.

“Authentication depends entirely on the developers of the device, and experience shows that it is often neglected,” researchers Roman Unuchek and Roland Sako said in a posting outlining their research this week.

For instance, the Nuzzle device uses a SIM card to transmit the pet’s GPS coordinates and connects directly to a smartphone via BLE – without any authorization or access control. That means that any smartphone can connect to the tracker to control it, access the pet’s location, and read device status information like temperature and battery charge (CVE-2018-7043).

The Whistle 3 meanwhile has BLE connection problems too. The gadget can transfer GPS coordinates via its built-in SIM card, via WiFi to its server (if the owner provides a WiFi network password) or directly to the owner’s smartphone via BLE. On the latter point, the device waits for a certain sequence of actions to be performed before it pairs with a phone, but the sequence is simple for a third party to deduce and reproduce, thus gaining access to the device.

After that, the tracker is ready to receive and execute commands that do not contain a user ID, which means that anyone can send them; a hacker could, for instance, ask for device coordinates.

An exception on the BLE front was the Link AKC tracker. While it monitors the pet’s location via GPS and transfers coordinates via a built-in SIM card to a phone directly via BLE, it makes use of a user ID to verify the rights of the mobile app to interface with the tracker. The tracker also checks the smartphone’s MAC address as another layer of user confirmation.

“The developers did everything right in terms of securing the connection to the smartphone,” the researchers said. “We couldn’t find any major problems, which is rare for devices with BLE support.”

Also, the Kippy Vita device does not interface directly with the smartphone at all, so the BLE issue was not in question, and, uniquely, it uses SSL pinning. Neither Tractive nor the Weenect WE301 communicates directly with a smartphone either, but rather transfers pet coordinates to the server via a built-in SIM card. This helps the devices’ security postures immensely.

MITM Issues

Beyond the BLE pitfall, some of the trackers have shared flaws stemming from certificate handling and data-transfer mechanisms. Just one of the tested Android apps (the Weenect WE301) verifies the certificate of its server, making the rest vulnerable to man-in-the-middle (MITM) attacks.

On top of not verifying certificates, many of the apps (including Nuzzle, Link AKC and the Whistle 3) either store unencrypted data or write the unencrypted data to logcat. That data can include the app’s authorization token, the pet’s location and user registration data (including name and email address). Thus, a hacker mounting a MITM offensive can intercept the data transfers or peer into files.

Kippy Vita’s Android app meanwhile encrypts important data before saving it to its own folder, but it does log the data that is transmitted to the server.

Two of the devices studied managed to avoid being assigned CVEs: Tractive and the Weenect WE301. However, here too, the Android apps don’t verify the server certificate and they store authentication tokens and pet movement data in unencrypted form.

The logging problem is somewhat mitigated given that in Android 4.1 and newer versions, only some system apps or apps with superuser rights can read the logs of other programs.

“It should be noted that this data is not so easy to steal, since other apps cannot read it,” the researchers said. “But there are trojans that can steal data from other apps by exploiting superuser rights.”

Other Problems

Two of the trackers can be disabled or hidden from owners.

For instance, it’s possible to install modified software on the Nuzzle tracker by simply changing the checksum in the DAT file – this can be used to cause the device to stop working. And perhaps worst of all, an attacker can conceal the location of the pet simply by connecting to the tracker using a smartphone.

“To save battery power, the gadget does not transmit coordinates via the mobile network if they have already been sent via BLE,” Unuchek and Sako said.

An attacker can also hide the Whistle 3 from the pet owner; if a hacker continuously transmits a command for the device location, the gadget will not send location data via the SIM card, since it will assume that such data has already been received directly. Also, it transmits data to the server without any authentication, so an attacker could substitute alternate pet coordinates.

Connected things are burrowing further and further into our everyday lives, with everything from thermostats to Amazon Echo to washer/dryer sets and beyond now offering convenience and safety apps for consumers to make their lives easier – and more hackable. The pet-tracker class of connected gadgets adds one more layer of vulnerability to the proceedings, but calling attention to the flaws could be a wake-up call to the manufacturers.


The Apple Store in Atlantic City, New Jersey is closing its doors

It is very rare to see Apple announcing the closing of one of its stores, but it seems that the company is doing just that.

The Apple Store in Atlantic City, NJ, USA will be shutting its doors for good.

In a statement, an Apple spokesperson told Bloomberg that the closure was due to a "sharp decline in tourism." "We have made the difficult decision not to extend our lease," said the spokesperson.

Apple says that all of the store's employees will be offered other jobs within Apple. "We look forward to serving our Greater Atlantic City customers through our southern New Jersey, Delaware Valley, and Greater Philadelphia area stores," read Apple's statement.

The last store that Apple closed was located in Simi Valley, California, which Apple shut down in September 2017 due to low sales and issues with customer traffic.
