Security Week 52: Security for Smart Speakers and IP Cameras
As early as October, researchers from SRLabs showed how you can change the behavior of smart speakers Amazon Echo and Google Home to eavesdrop on conversations or even phishing passwords (news, research). For the latter, there is even a special term – vishing, aka voice phishing, that is, phishing, in which the victim shares his secrets with his voice.
For the attack, the standard functionality of the columns was used, namely the ability to install mini-applications (known as skills or actions). Hypothetical app that human voice reads a fresh horoscope aloud, can be modified after a security audit. Using special characters and spoofing technical messages, you can pretend that the application has stopped working, although in fact, all conversations and commands are being recorded, decrypted and sent to the attacker’s server for some time.
Two months later, the researchers reported that the problems were not fixed. During the study, “malicious” applications were uploaded to the “app store” of smart speakers. The results were transferred to Amazon and Google, after which the applications were deleted, but SRLabs easily downloaded them again and they were able to pass the test. The situation is reminiscent of the problem with malicious applications for regular smartphones in the Google Play Store and the Apple App Store: the tactics are the same, just the methods of social engineering are slightly different. In any case, this is an interesting example of the evolution of attacks, taking into account the appearance of devices that constantly eavesdrop and spy on the owners.
The attack, using Amazon Echo as an example, proceeds as follows. A legitimate application is created, which is audited by the manufacturer. After that, the functionality of the application changes, but Amazon does not consider this a reason for re-testing. A welcome message is substituted: at startup, the application tells the user that an error has occurred, for example: "This skill is not available in your country." The victim is sure that the application has finished work, but in fact the app is trying to force the column to pronounce a phrase consisting of special characters (more specifically, from a sequence of U + D801 characters copied many times). The column “pronounces” silence, after which a phishing message is already played: “A system update is available, please tell your password.”
The second variant of the attack also uses special characters, which the column tries to “pronounce”, but instead of phishing there is eavesdropping. In the case of Google Home, the scenario is the same, only there are less restrictions on the duration of eavesdropping.
Obviously, there are two problems. Firstly, a major change in functionality does not require verification, and in general, verification of "skills" of third-party developers is not so strict. Secondly, the column tries to reproduce unreadable characters, although in an ideal situation such functionality should be blocked.
The situation with the ecosystem of applications for smartphones is repeated: at the beginning of the development of the platform, developers are given complete freedom of action, control of application functionality is minimized, and attackers have little interest in attacks on device users. Over time, the number of attacks increases, security mechanisms become more advanced, and the requirements for developers are tightened.
A related topic has recently been widely discussed in the media: there were two cases of unauthorized access to the Amazon Ring IP camera, which, as a rule, are bought just for security purposes. Both cases were most likely due to a hacked user account (unreliable or leaked password, lack of two-factor authentication). No complicated methods of social engineering: woe-crackers did not come up with anything better than trying to talk to the victim through the speaker built into the device. It seems that if there is such an invasion of the privacy of users, then security measures should be steeper. But an example study of SRLabs (and reactions to it) shows that this is not entirely true.
What else happened: Critical vulnerabilities in products Citrix Application Delivery Controller (formerly called NetScaler ADC) and Citrix Gateway (NetScaler Gateway). No details yet, the vulnerability allows remote access to the local network without authorization.
A detailed analysis of a fairly simple fraud with "subscriptions to notifications" in the browser. There is one non-trivial point: for the promotion of malicious sites, Google uses a search on images. The working scheme is as follows: pictures for popular queries are put on one site, get into the search results, from there the user is redirected to another domain, agrees to notifications and forgets about it. After a while, spam begins to pour in the browser notification.
An interesting vulnerability caused by collisions when processing some special characters in Unicode. In Github, it allowed to intercept a message with a link to reset the password. We take the user with the mailing address mike@example.org, register the mailbox mıke@example.org (pay attention to i without a dot). In the “forgot password” form, enter this e-mail with a special character. The system identifies the user mike, but sends a message to the attacker's mailbox. Solved by comparing the two addresses.
The story of the random discovery of a web interface to kiosks in Microsoft offices in the public domain. Such devices are used in the lobby to schedule appointments, print badges and more, and in a normal situation should not be accessible remotely. A cunning search on the Microsoft site produced the desired URL, through which it turned out to request a meeting with the general director of the company. Well, and access internal data, which presents a certain problem.
Not a bug, but a feature. The Citimobil taxi service API works without authorization (and no request limit) and allows you to download data on the location of both all cars and a single car. The first is a business risk for the service itself, as competitors can use the API for intelligence. The second – in theory, allows you to identify both the taxi driver and the passenger, if the coordinates of the departure are known.
Another bug in the Whatsapp messenger: you can drop the program to all chat participants by sending a message with modified metadata. It is solved by reinstalling the messenger and leaving the “affected” chat.
