Research

SOHOpelessly Broken 2.0

Internet of Things (IoT) devices have always been vulnerable to a variety of security issues. In 2013, Independent Security Evaluators (ISE) performed research on IoT devices that showed how rich feature sets could be leveraged to compromise devices. Today, we show that security controls put in place by device manufacturers are insufficient against attacks carried out by remote adversaries. This research project aimed to uncover and leverage new techniques to circumvent these new security controls in embedded devices.

Ethercombing: Finding Secrets in Popular Places

Blockchains are public ledgers of transactions verified through the use of public and private keys to sign and prove ownership of transaction data. Popular blockchains have hundreds of millions of transactions which include some of the most popular — Bitcoin, Waves, Ripple, ZCash, Monero and Ethereum. Currently, on the Ethereum blockchain there are 345 million transactions [1] across 47 million [2] key pairs. The chance of generating a private key already used on the blockchain is around 1 in 2256 – all but impossible.

Password Managers: Under the Hood of Secrets Management

Password managers allow the storage and retrieval of sensitive information from an encrypted database. Users rely on them to provide better security guarantees against trivial exfiltration than alternative ways of storing passwords, such as an unsecured flat text file. In this paper we propose security guarantees password managers should offer and examine the underlying workings of five popular password managers targeting the Windows 10 platform: 1Password 7 [1], 1Password 4 [1], Dashlane [2], KeePass [3], and LastPass [4].

Securing Hospitals: A research study and blueprint

The research results from our assessment of 12 healthcare facilities, 2 healthcare data facilities, 2 active medical devices from one manufacturer, and 2 web applications that remote adversaries can easily deploy attacks that target and compromise patient health. We demonstrated that a variety of deadly remote attacks were possible within these facilities, of which four attack scenarios are presented in this report. To understand these ecosystems, a two year study was performed from January, 2014 through January, 2016 of critical elements within these facilities as they relate to securing patient health. Our goal was to create a blueprint --a step-by-step action plan-- that all medical facilities can follow as the foundational element in reaching full security readiness. The research was driven by a handson analysis of various healthcare systems, applications, and budgets, interviews with hospital, data center, and medical device manufacturer employees, and sourcing industry knowledge from thought leaders on our advisory board. The findings show an industry in turmoil: lack of executive support, insufficient talent, improper implementations of technology, outdated understanding of adversaries, lack of leadership, and a misguided reliance upon compliance.

Exploiting RFIDs

The Texas Instruments DST tag is a cryptographically enabled RFID transponder used in several wide-scale systems including vehicle immobilizers and the ExxonMobil SpeedPass system. This page serves as an overview of our successful attacks on DST enabled systems.

Exploiting the iPhone

ISE security researchers successfully discovered a vulnerability in the iPhone, developed a toolchain for working with the iPhone’s architecture (which also includes some tools from the #iphone-dev community), and created a proof-of-concept exploit capable of delivering files from the user’s iPhone to a remote attacker.

Exploiting Age of Conan & Anarchy Online

Security researchers at Independent Security Evaluators uncovered two security vulnerabilities present in the popular new and entertaining online game, Age of Conan, produced by Funcom. These vulnerabilities allow an attacker to read arbitrary files off of a victim’s computer, crash the games during online play, and in the case of Anarchy Online, fully compromise a victim’s machine giving the attacker full control of the targeted computer.

Exploiting SecondLife

ISE and outside researchers discovered an exploit for Second Life that grants control of one character to a malicious character. This allows the adversary to perform actions that may have real-world consequences such as stealing the in-game currency known as Linden dollars, or controlling the player’s machine.

Exploiting Android

Analysts at ISE have identified and exploited a security vulnerability in the Android operating system allowing a remote adversary to gain control on the device with the same permissions as the web browser application. A successful attacker will have access to information such as cookies used for accessing sites, information put into web application form fields, and saved passwords, and can alter the way in which the browser works, potentially tricking the user into entering sensitive information.

Industry-Wide Misunderstandings of HTTPS

ISE identified 21 (70% of sites tested) financial, healthcare, insurance and utility account sites that failed to forbid browsers from storing cached content on disk, and as a result, after visiting these sites, unencrypted sensitive content is left behind on end-users’ machines.

Fighting Back Against SSL Inspection, or How SSL Should Work

ISE security analysts considered the increasing prevalence of SSL inspection on corporate networks, threats to the certificate authority model that could allow SSL inspection to spread to other types of networks in the future, and how built-in browser key generation capabilities could be leveraged to achieve mutual authentication and greatly frustrate, if not prevent, mass-scale, automated SSL inspection.

Exploiting SOHO Routers

ISE researchers discovered critical security vulnerabilities in numerous small office/home office (SOHO) routers and wireless access points. These vulnerabilities allow a remote attacker to take full control of the router’s configuration settings; some allow a local attacker to bypass authentication directly and take control. This control allows an attacker to intercept and modify network traffic as it enters and leaves the network.

Whitepapers

The Not-So-Same-Origin Policy: Bypassing Web Security through Server Misconfiguration

The same-origin policy remains one of the most important security mechanisms of the web, protecting servers against malicious pages interacting with their APIs through cross-site requests. However, the subtle details of the policy can be overlooked, so we aim to show how limitations in the application of the same-origin policy can undermine security. We explain in depth how the same-origin policy works and how some web technologies can introduce loopholes that expose applications to cross-site attacks. Such misconfigurations may exist in policies utilized by Java, Flash, and Silverlight applications, and Cross-Origin Resource Sharing (CORS) headers utilized by web applications.

From FAR and NEAR: Exploiting Overflows on Windows 3.x

In a way, Windows 3.x provided Data Execution Prevention and a crude form of Address Space Layout Randomization—security measures far beyond the expectations of any early-1990s enterprise. The segmented memorymodel that made 16-bit x86 code difficult to program also complicates building an exploit. This paper demonstrates what may be the first public writeup of a buffer overflow exploit targeting a Windows 3.x application, complete with ROP chain and shellcode.

Demystifying Full-Disk Encryption

Transparent full-disk encryption uses techniques found almost nowhere else in cryptography, such as ESSIV and XTS- AES. Why must designers resort to building a custom cryptosystem rather than relying on standard techniques with typical security guarantees? This paper explores the constraints under which a full-disk encryption must operate, questioning the performance reasons for avoiding more standard cryptography yet finding them to hold. I introduce the reader familiar with cryptography but not the operation of disks to this problem, explain the high-level workings of ESSIV and XTS-AES, and review the attacks and limitations that these approaches face.

Reverse Engineering iOS Apps

Mobile applications are a part of nearly everyone’s life, and most use multiple mobile applications on a day-to-day basis. Mobile applications are widespread and have a plethora of purposes—including, but not limited to, banking and budgeting, social media, sending money, and playing games. With all of these capabilities, one must ponder whether or not these applications are securing sensitive user information at rest, as well as in transit. While Apple provides an API for developers to secure data, developers may not be utilizing these controls in a secure manner. This paper describes common mistake security developers make, methods to test for those mistakes, and problems encountered when testing for them. We will also explore reverse engineering techniques to analyze iPhone operating system (iOS) applications.

The Enemy You Know

Many organizations are already cognizant of the fact that there are security threats originating from the inside, beginning with their own trusted employees and partners. However, many organizations do not necessarily differentiate between the various types of internal adversaries, and may also be unaware that a uniform defense posture is not effective, as different defense strategies are required to thwart each type of adversary. This article will analyze the different types of internal threat actors,and discuss how each is defended against. It will consider both technology and psychology solutions, and aim to do so in a way that is immediately actionable for organizations of all types.

Our Link-Clicking CSRF Victim Robot

Over the past year, ISE has brought our SOHOpelessly Broken router hacking contest to DEF CON, DerbyCon, Toorcon, and BSides DC. ISE started the contest to shine light on the need for manufacturers to better secure small office/home office (SOHO) devices; our thought was that by demonstrating the vulnerabilities first-hand, we could help manufacturers recognize that SOHO devices are highly vulnerable to malicious compromise, thus inspiring action and change. Among the contest’s tracks is a live capture-the-flag competition, in which contestants research known vulnerabilities and use them to attack real routers running on a test network. Cross-site request forgery (CSRF) is a common attack against the web interfaces of embedded devices. CSRF occurs when an adversary tricks the victim into clicking a link that leads to an attack page while simultaneously logged in to the vulnerable device. The attack page generates and sends malicious HTTP requests to the device, reconfiguring it without the victim’s knowledge or authorization. For the contest to be successful, we needed to automate the process of tricking a user into becoming a victim of a CSRF attack; the result is our link-clicking CSRF victim robot. This white paper describes the design and implementation of the resulting software.

Scanning IPS-Protected Networks with Nessus

A Nessus vulnerability scan is one component of an overall network-level security assessment. Frequently, networks are protected by an intrusion prevention system (IPS). IPS rules may block traffic when throughput, packet counts, or connection counts cross a predefined threshold, or when packets are sent to blacklisted ports. Nessus provides neither a facility to restrict the scan rate, nor any reliable method to restrict the TCP and UDP ports to which it sends traffic. This paper describes the difficulties encountered in controlling these aspects of Nessus scans and a workaround ISE developed using virtualization, packet filters, and traffic control.

Industry-wide Misunderstandings of HTTPS

Most web browsers, historically, were cautious about caching content delivered over an HTTPS connection to disk–to a greater degree than required by the HTTP standard. In recent years, in response to the increased use of HTTPS for non-sensitive data, and the proliferation of bandwidth-hungry AJAX and Web 2.0 sites, some browsers have been changed to strictly follow the standard, and cache HTTPS content far more aggressively than before. HTTPS web servers must explicitly include a response header to block standards-compliant browsers from caching the response to disk–and not all web developers have caught up to the new browser behavior. ISE identified 21 (70% of sites tested) financial, healthcare, insurance and utility account sites that failed to forbid browsers from storing cached content on disk, and as a result, after visiting these sites, unencrypted sensitive content is left behind on end-users’ machines.

Exploiting SOHO Routers

Small office/home office (SOHO) routers are a staple networking appliance for millions of consumers. They are often the single point of ingress and egress from a SOHO network, manage domain name resolution, firewall protections, dynamic addressing, wireless connectivity, and of course, routing. Their heavy use in the consumer market and targeted demographic of non-computer savvy users has not surprisingly led to very easy-to-use, nearly turnkey solutions. As they’ve developed over the past decade, new and more features have been added to these devices that make each router one step above its previous iteration, and the competition – or so one would believe. Through our research, we discovered 55 previously unpublished security vulnerabilities in SOHO devices that demonstrate how the rich service and feature sets (e.g., SMB, NetBIOS, HTTP(S), FTP, UPnP, Telnet, etc.) implemented in these routers come at a significant cost to security. The incorporation of additional services within these SOHO routers expose attack surfaces that a malicious adversary can leverage to compromise the router core, and gain a foothold in the victim network.

Perspective Matters

To improve the security posture of digital systems, progressive organizations engage third party security experts to assess risk and provide hardening guidance. The most suitable approach for most industries is white box vulnerability assessment. However, confusion about different security approaches has led IT executives to commonly request the notably ineffective approach of black box penetration testing. Most executives may be surprised to discover that this approach actually undermines the very risk assessment objectives they seek to achieve. This article will analyze trends, contrast different tests and methodologies, and outline best practices; it has been presented at a multiple of security conferences by Ted Harrington.

The Apple Sandbox

Despite the never ending proclamations of the end of memory corruption vulnerabilities, modern software continues to fall to exploits taking advantage of these bugs. Current operating systems incorporate a battery of exploit mitigations making life significantly more complex for attackers turning these bugs into attacks. Additionally, developers are becoming increasingly aware of the security implications of previously idiomatic code. Leading software publishers are teaching defensive coding techniques and have adopted an offensive mindset for product testing. And yet, a single vulnerability can still provide the attacker the leverage needed to gain entry. Security researchers have disclosed multiple ways to render the mitigations ineffective – imagine what techniques are not public. Oftentimes, one bug can still “ruin your day”.

Reducing the Attack Surface in MMORPGs

As online games become increasingly complex and popular, malware authors could start targeting these virtual worlds to launch attacks. Two case studies show how an attacker can leverage various features of online games to take over players’ computers.

Additional Publications