Remotely compromise devices by using bugs in Marvell Avastar Wi-Fi

That’s why this bug is so cool and provides an opportunity to exploit devices literally with zero-click interaction at any state of wireless connection (even when a device isn’t connected to any network). For example, one can do RCE in just powered-on Samsung Chromebook. So just to summarize:

  1. It doesn’t require any user interaction.
  2. It can be triggered every 5 minutes in case of GNU/Linux operating system.
  3. It doesn’t require the knowledge of a Wi-Fi network name or passphrase/key.
  4. It can be triggered even when a device isn’t connected to any Wi-Fi network, just powered on.

Source: Remotely compromise devices by using bugs in Marvell Avastar Wi-Fi: from zero knowledge to zero-click RCE – Embedi

In this research, I used ALFA networks wireless adapter in the monitor mode, which is based on Realtek 8187 wireless chipset. The exploit can be implemented with python Scapy framework. For some reason, Ubuntu GNU/Linux distrubution isn’t good enough to inject Wi-Fi frames fast, so it is better to use Kali.

Wi-Fi Alliance® introduces low power, long range Wi-Fi HaLow™

Wi-Fi HaLow extends Wi-Fi into the 900 MHz band, enabling the low power connectivity necessary for applications including sensor and wearables. Wi-Fi HaLow’s range is nearly twice that of today’s Wi-Fi, and will not only be capable of transmitting signals further, but also providing a more robust connection in challenging environments where the ability to more easily penetrate walls or other barriers is an important consideration.

Source: Wi-Fi Alliance® introduces low power, long range Wi-Fi HaLow™ | Wi-Fi Alliance

Innovation boosts Wi-Fi bandwidth tenfold

Experts say that recent advances in LED technology have made it possible to modulate the LED light more rapidly, opening the possibility of using light for wireless transmission in a “free space” optical communication system.

“In addition to improving the experience for users, the two big advantages of this system are that it uses inexpensive components, and it integrates with existing WiFi systems,” said Thinh Nguyen, an OSU associate professor of electrical and computer engineering. Nguyen worked with Alan Wang, an assistant professor of electrical and computer engineering, to build the first prototype.

via Innovation boosts Wi-Fi bandwidth tenfold.

The electromagnetic spectrum with wifi can be flakey and interconnecting access points using this spectrum can fail frequently and cause significant bandwidth problems.  Integrating led tech into devices may take time to develop some kind of standard but using this for point to point wireless communication could prove very useful in certain use cases.

Decertifying the worst voting machine in the US

I’ve been in the security field for 30 years, and it takes a lot to surprise me. But the VITA report really shocked me – as bad as I thought the problems were likely to be, VITA’s five-page report showed that they were far worse. And the WinVote system was so fragile that it hardly took any effort. While the report does not state how much effort went into the investigation, my estimation based on the description is that it was less than a person week.

via Decertifying the worst voting machine in the US.

So how would someone use these vulnerabilities to change an election?

  1. Take your laptop to a polling place, and sit outside in the parking lot.
  2. Use a free sniffer to capture the traffic, and use that to figure out the WEP password (which VITA did for us).
  3. Connect to the voting machine over WiFi.
  4. If asked for a password, the administrator password is “admin” (VITA provided that).
  5. Download the Microsoft Access database using Windows Explorer.
  6. Use a free tool to extract the hardwired key (“shoup”), which VITA also did for us.
  7. Use Microsoft Access to add, delete, or change any of the votes in the database.
  8. Upload the modified copy of the Microsoft Access database back to the voting machine.
  9. Wait for the election results to be published.

The freedom to tinker blog has been doing research on voting machines for a very long time although in this case they are reporting the results of research done by Virginia IT people in their decertification. In the past most vulnerabilities uncovered required physical access to a voting machine and a bit of skullduggery making it difficult to change votes on a large scale. I simply cannot comprehend for what purpose these voting devices needed to be on a wifi network other than someone thought it was “cool.” This entire report is mind boggling and makes me wonder how many more areas of the country are doing this now.

Root command execution bug found across wireless router range

The vulnerability that Drake outlines rises from a poorly coded service, infosvr, which is used by ASUS to facilitate router configuration by automatically monitoring the local area network (LAN) and identifying other connected routers. Infosvr, Drake explains, runs with root privileges and contains an unauthenticated command execution vulnerability. In turn this permits anyone connected to the LAN to gain control by sending a user datagram protocol (UDP) package to the router.

via Root command execution bug found across wireless router range.

This seems more like a designed in feature not implemented correctly.  Transferring config information on an unsecure network is difficult to implement without some kind of flaw.

This kind of hack is well above the capability of your average hacker.  Very unlikely they could do much more than Man In the Middle which they could do anyway without hacking the router.  I do not chase updates on SOHO routers because it’s pointless, a waste of time that possibly introduces different bugs.

Hotel group asks FCC for permission to block some outside Wi-Fi

However, the FCC did act in October, slapping Marriott with the fine after customers complained about the practice. In their complaint, customers alleged that employees of Marriott’s Gaylord Opryland Hotel and Convention Center in Nashville used signal-blocking features of a Wi-Fi monitoring system to prevent customers from connecting to the Internet through their personal Wi-Fi hotspots. The hotel charged customers and exhibitors $250 to $1,000 per device to access Marriott’s Wi-Fi network.

via Hotel group asks FCC for permission to block some outside Wi-Fi | Network World.

Upgrade to LTE Will Let Phones Talk without Cell Towers, Allowing New Forms of Social Apps and Advertising

Facebook is exploring how the technology could be used with its mobile app. “LTE Direct would allow us to create user experiences around serendipitous interactions with a local business or a friend nearby,” said Jay Parikh, Facebook’s vice president of infrastructure engineering. “You could find out about events or do impromptu meet-ups.”

via Upgrade to LTE Will Let Phones Talk without Cell Towers, Allowing New Forms of Social Apps and Advertising | MIT Technology Review.

However, carriers will control which devices on their networks can use LTE Direct because it uses the same radio spectrum as conventional cellular links. Wireless carriers might even gain a new stream of revenue by charging companies that want to offer services or apps using the technology, Qualcomm says.

Heatmiser WiFi thermostat vulnerabilities

Scanning for Heatmiser thermostats on port 8068 really just requires a quick check for port 8068 being open – we can be fairly confident that anything with this port open is one of their devices.  We can then make detailed check on port 80.
nmap -p 8068 -Pn -T 5 --open 78.12.1-254.1-254
nmap can easily do this scan. If you want to scan large blocks of addresses though, masscan is much faster.

via » Heatmiser WiFi thermostat vulnerabilities.

You need to forward ports at your local router so if you try and access this thermostat from the Internet and you come in on (per above example) port 8068 that the router knows to forward all that traffic to whatever IP it has associated with that port.  This allows users to access things inside their local network from anywhere on the Internet.  It also allows anyone on the Internet to access that internal device.

Here is my opinion on this matter.  As the world moves towards self driving cars and self driving planes, extremely complicated devices that you would think need human intervention, the world is also moving to take very simple devices, like household appliances and making them so they need human intervention.  A thermostat should be set and forget.  It should have simple intelligence to figure out what temperature to set a room.  If a human must get involved in messing with a thermostat then perhaps something went wrong but it’s not an emergency like this:

Should Airplanes Be Flying Themselves? | Vanity Fair.

A thermostat can certainly wait until you get home to physically figure out the problem and put it back on auto.  The Internet of Things can certainly be useful for read only, like buzzing your phone when the dishes or laundry finishes.  You can’t load laundry or dishes into these devices via the Internet so how do benefits from controlling them remotely, especially from remote Internet locations, outweigh the risks from allowing bad guys get into your local network.

Finally, here’s a link to a site that does port scanning on the Internet for you.  Seems like a useful resource to know.

Plugging this into Shodan we get over 7000 results. That’s quite a lot. (note, you might need to register to use filters like this).

Offline attack shows Wi-Fi routers still vulnerable

The research, originally demonstrated at the PasswordsCon Las Vegas 2014 conference in early August, builds on previous work published by Stefan Viehböck in late 2011. Viehböck found a number of design flaws in Wi-Fi Protected Setup, but most significantly, he found that the PIN needed to complete the setup of a wireless router could be broken into smaller parts and each part attacked separately. By breaking down the key, the number of attempts an attacker would have to try before finding the key shrunk from an untenable 100 million down to a paltry 11,000—a significant flaw for any access-control technology.

via Offline attack shows Wi-Fi routers still vulnerable | Ars Technica.

Apple and IBM Team Up to Push iOS in the Enterprise

Apple and IBM will collaborate on building a new class of applications specifically tailored for certain industries, including retail, health care, banking, travel and transportation. The first of those applications will be available in the fall and will be released into next year.

via Apple and IBM Team Up to Push iOS in the Enterprise | Re/code.