
By Davey Winder for Forbes

At the start of May, I reported on a critical security vulnerability that could impact every Samsung Galaxy smartphone sold from late 2014 onwards. That zero-click bug scored a perfect 10 on the vulnerability severity scale. The good news was that it had been patched in the Samsung May 2020 security update. Just as Android users were recovering from that security shocker (and some have yet to get that update on their devices, it should be noted), along comes one more.

This time it’s in the form of another critical vulnerability, but rather than applying to Samsung devices only, it’s an issue that exists in almost every version of Android. Only users of Android 10 need have no concern here; all other versions of Android, however, are potentially affected. Given that, in April, Android 10 only accounted for around 16% of users, and Google itself says there are at least 2 billion Android users out there, that’s north of 1 billion Android devices potentially at risk.

The risk is that, if exploited by an attacker, this vulnerability could lead to an elevation of privilege and give that hacker access to bank accounts, cameras, photos, messages and login credentials, according to the researchers who uncovered it. What’s more, it could do this by assuming “the identity of legitimate apps while also remaining completely hidden.”

What is StrandHogg 2.0?
Researchers at a Norwegian security company called Promon discovered CVE-2020-0096, which they called StrandHogg 2.0: the more cunning “evil twin” to the original Android StrandHogg vulnerability it also found last year. “While StrandHogg 2.0 also enables hackers to hijack nearly any app,” the researchers said, “it allows for broader attacks and is much more difficult to detect.”

Rather than exploit the same TaskAffinity control setting as the original StrandHogg vulnerability, StrandHogg 2.0 doesn’t leave behind any markers that can be traced. Instead, it uses a process of “reflection,” which allows it to impersonate a legitimate app by using an overlay into which the user actually enters credentials. But that’s not all; it also remains entirely hidden in the background while hijacking legitimate app permissions to gain access to SMS messages, photos, phone conversations, and even track GPS location details. Using the “correct per-app tailored assets,” the Promon researchers said, StrandHogg 2.0 can “dynamically attack nearly any app on a given device simultaneously at the touch of a button.”

Stealthier than your average StrandHogg
Detection would also appear to be more complicated than the previous StrandHogg vulnerability. “No external configuration is required to execute StrandHogg 2.0, it allows the hacker to further obfuscate the attack,” the researchers said, “as code obtained from Google Play will not initially appear suspicious to developers and security teams.”

However, Google told TechCrunch, which broke the StrandHogg 2.0 news, that it had not seen any evidence of the vulnerability being exploited to date. I reached out to Google and a spokesperson told me: “We appreciate the work of the researchers, and have released a fix for the issue they identified. Additionally, Google Play Protect detects and blocks malicious apps, including ones using this technique.” The latter is important, as exploitation of the vulnerability requires the device to already be infected by a malicious app.

How can you mitigate this critical Android vulnerability?
It’s not all bad news for Android users, though. Those with devices running Android 10 are not impacted. There’s more good news for those of you who are, however, running Android 9 or earlier, as Google included a patch for CVE-2020-0096 in the May 2020 Android security update. It was described there as a critical vulnerability that could enable a local attacker to use a specially crafted file to execute arbitrary code within the context of a privileged process. The usual fractured ecosystem warnings from me have to be flagged up at this point: many users will not see that update rolling out to them immediately, and some may never see it at all if they have an older unsupported device.

Tod Beardsley, research director at Rapid7, said that “since the fix for this bug is part of the core Android operating system, Android users are once again at the mercy of their handset manufacturers and their service providers, who are often slow to act when it comes to distributing security patches. People who are worried about this bug in particular should keep a close eye on when the fix for CVE-2020-0096 hits their particular distribution.”

“Attackers looking to exploit StrandHogg 2.0 will likely already be aware of the original StrandHogg vulnerability, and the concern is that when used together, it becomes a powerful attack tool for malicious actors,” Tom Lysemose Hansen, Promon CTO and founder, said. He recommends Android users update to the latest firmware as soon as they can, and advises app developers to “ensure that all apps are distributed with the appropriate security measures in place in order to mitigate the risks of attacks in the wild.”

“Android device users need to be cautious of the apps they choose to install. Even as Google works to protect their users, malicious apps will still likely slide past their screening process on occasion,” Boris Cipot, a senior security engineer at Synopsys, said. “One way that users can stay alert and mindful is to do a bit of research on the app developers before downloading a given app. Check where the app comes from and if anything seems off, then think twice before proceeding with installation,” Cipot concluded.

Promon has issued a disclosure timeline, which shows it notified Google of the vulnerability on December 4, 2019, and an ecosystem partner patch was rolled out in April 2020 before the public fix within the latest Android security updates for users.

Wi-Fi is under attack

A huge vulnerability in Wi-Fi that fundamentally breaks the security we use to protect our wireless networks has just been exposed.

The exploit, revealed on Monday, breaches a newly found vulnerability in WPA2, the security protocol used to safeguard all modern Wi-Fi networks, and researchers say it could violate virtually any Wi-Fi network previously thought to be secure.

“The attack works against all modern protected Wi-Fi networks,” explains the security researcher who discovered the vulnerability, Mathy Vanhoef from Belgium’s KU Leuven university.

“The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected.”

By taking advantage of the vulnerability in what is called a key reinstallation attack (KRACK), a hacker could read information supposed to be encrypted on a Wi-Fi network, intercepting potentially sensitive information like credit card numbers, passwords, photos, and messages.

In the worst case, Vanhoef says, it could be possible for someone to use KRACKs to inject and manipulate data on a compromised Wi-Fi network, hijacking devices to inject ransomware or other malware onto systems.

“Wow. Everyone needs to be afraid,” researcher Robert Graham of Errata Security, who wasn’t involved with the discovery, wrote in a blog post.

“It means in practice, attackers can decrypt a lot of Wi-Fi traffic, with varying levels of difficulty depending on your precise network setup.”

The good news in all this is that the hack can’t be executed online: any attacker trying to take advantage of the flaw needs to do so locally, to be within range of the wireless network they’re trying to breach.

That’s because the attack works by fooling a security layer in WPA2 called the four-way handshake, which determines whether devices seeking to join a Wi-Fi network have the right credentials.

When this happens, the handshake is supposed to generate a fresh encryption key to encrypt all subsequent traffic, but KRACKs manage to fool the network into reusing a previously issued encryption key.

“Essentially, to guarantee security, a key should only be installed and used once,” Vanhoef explains.

“Unfortunately, we found this is not guaranteed by the WPA2 protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice.”
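As an added illustration of the key-reuse point above (this is not code from the article or from Vanhoef’s research), the following Python models a client that installs its pairwise key when handshake message 3 arrives. The `keystream` function, the `Supplicant` class and the sample frames are all constructed for this example; the toy keystream stands in for the AES-CCM keystream WPA2 derives from the key and the per-packet number.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, pn: int, length: int) -> bytes:
    """Toy stand-in for the CCMP keystream (real WPA2 uses AES-CCM; HMAC-SHA256
    is used here only to avoid a third-party dependency). The property that
    matters is the same: same key + same packet number = same keystream."""
    out, block = b"", 0
    while len(out) < length:
        msg = pn.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


class Supplicant:
    """Client state around handshake message 3. `reject_reinstall=True` is the
    hardened behaviour: a key that is already installed is not installed again."""

    def __init__(self, reject_reinstall: bool) -> None:
        self.reject_reinstall = reject_reinstall
        self.ptk = None
        self.pn = 0  # per-key packet number; reset to 0 on every key install

    def on_message3(self, ptk: bytes) -> bool:
        if self.reject_reinstall and self.ptk == ptk:
            return False  # retransmitted message 3: keep the packet number running
        self.ptk, self.pn = ptk, 0  # vulnerable path: packet number rewinds to 0
        return True

    def protect(self, plaintext: bytes) -> tuple:
        ks = keystream(self.ptk, self.pn, len(plaintext))
        pn, self.pn = self.pn, self.pn + 1
        return pn, bytes(p ^ k for p, k in zip(plaintext, ks))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def demo(reject_reinstall: bool) -> dict:
    """Encrypt a frame, deliver message 3 a second time, encrypt another frame,
    then report what a passive observer of the two ciphertexts can learn."""
    sta, ptk = Supplicant(reject_reinstall), os.urandom(16)
    sta.on_message3(ptk)
    p1, p2 = b"POST /login pw=hunter2", b"GET /index.html HTTP/1"  # constructed, equal length
    pn1, c1 = sta.protect(p1)
    sta.on_message3(ptk)  # the same message 3 delivered again
    pn2, c2 = sta.protect(p2)
    return {"pn_reused": pn1 == pn2, "xor_leaks": xor(c1, c2) == xor(p1, p2)}
```

In the vulnerable configuration the two frames share a packet number, so XORing the ciphertexts yields the XOR of the plaintexts; a station whose packet number goes backwards under an unchanged key is the observable symptom a monitor can look for.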

In the researchers’ testing, the attack worked with varying levels of success against client devices running Apple, Windows, Android, and many other operating systems on compromised networks, and while websites and apps using HTTPS encryption were harder to breach, they weren’t always fool-proof.

Fortunately, the code that makes this attack possible hasn’t been publicly released – so it’s unlikely we’ll see a wave of hackers taking advantage of it straight away, because first they’d need to reverse-engineer how it works.

Before that happens, technology companies – who were given forewarning of the vulnerability – are already busy patching their systems, and some of these patches are already available, which Vanhoef says we should all grab as soon as possible.

“Changing the password of your Wi-Fi network does not prevent (or mitigate) the attack,” he explains in an FAQ about the new attack vector.

“Instead, you should make sure all your devices are updated, and you should also update the firmware of your router.”

Of great ongoing concern are the many ‘Internet of Things’ (IoT) devices and appliances now in use that are difficult to update or go unsupported by their manufacturers. These include things like Wi-Fi enabled home security cameras and televisions.

The vulnerability is detailed in a research paper available online, which is due to be presented at the ACM Conference on Computer and Communications Security in Dallas in November.

By Peter Dockrill for Science Alert
