In this issue, I’ll look at why it may not be a good idea to outsource your trust, as illustrated by “contraband” Huawei certificates discovered in Cisco firmware and Dark Matter’s rejection from Mozilla’s trust store. Then, I’ll take a peek at how outsiders could be using encryption vulnerabilities in your Logitech keyboard to type you a message. And I’ll wrap it up with a look at the ethics of safely encrypting medical-ware and why some folks are suing for the right to use a regular-old door key instead of a run-of-the-mill SSH key.
Cisco put Huawei X.509 certificates and keys into its own switches
Ever look through an old drawer and find something left behind from a past relationship? So did Cisco.
Cisco recently disclosed several vulnerabilities, including a bug labeled 'informational' affecting Cisco Small Business 250 Series Switches, or the ‘House of Keys’. Apparently, researchers were doing a sweep of the firmware and discovered digital certificates (X.509s) and keys issued to Futurewei Technologies, a subsidiary of Huawei.
After the telecom giant was banned from US trade last August, it became illegal for US companies that work with, or plan to work with, the US government to use any components from Huawei or its subsidiaries.
“We noticed Huawei certificates being used in the firmware. And given the political controversy we didn't want to speculate any further,” said Florian Lukavsky, COE of SEC Technologies. SEC Technologies is the IoT division of SEC Consult, the security firm responsible for discovering the foreign certificates.
Find out what the certificates were doing there and how Cisco handled the dilemma. Read the full article.
- Battle of the Backdoors in Networking Infrastructure: Intentional vs. Incidental
- Going Undetected: How Cybercriminals, Hacktivists, and Nation States Misuse Digital Certificates
- 86% of IT Security Professionals Say the World Is in a Cyber War
“Fox in the hen house”: Mozilla boots Dark Matter
Mozilla will no longer entertain Dark Matter as a trusted Certificate Authority and has slid it onto its OneCRL blocklist. After plausible allegations of Dark Matter’s involvement in Project Raven, a United Arab Emirates spy ploy targeting human rights activists, enough dirt was stirred around the CA that the Electronic Frontier Foundation (EFF) spoke out against it in February of this year.
"Giving DarkMatter a trusted root certificate would be like letting the proverbial fox guard the henhouse," quipped Cooper Quintin, senior staff technologist at the EFF. The EFF had warned Mozilla, Apple, Google and Microsoft.
Dark Matter has been vying to become a root certificate authority for two years. Read the full article.
- Venafi Study Results: Will We See Future Browser Distrust Events?
- Top 6 Reasons to Switch Certificates Authorities—Symantec Isn’t the First and Won’t Be the Last
- Are You Prepared to Find and Replace Your Symantec Certificates?
Logitech wireless USB dongles vulnerable to new hijacking flaws
If you use Logitech Unifying dongles, you may be vulnerable to a man-in-the-middle attack.
Researcher Marcus Mengs recently discovered vulnerabilities in Logitech’s Unifying USB receivers that add a few CVE identifiers to the still open 2016 list.
In one vulnerability, by intercepting the pairing between a Logitech device and Unifying dongle, an attacker can steal the encryption key and “...inject arbitrary keystrokes, as well as … eavesdrop and live decrypt keyboard input remotely,” according to Mengs. This affects all Logitech Unifying USB receivers with the keyboard feature.
In a second vulnerability, faulty protections prove a low fence over which attackers can dump stored encryption keys. The attack takes “one second to carry out” and leaves the attacker with the ability to strong-arm remote commands and take control of the user’s system.
Logitech has declined to issue patches for some of the vulnerabilities. Find out which ones are covered. Read the full article.
- How Criminals Are Leveraging SSL and HTTPS
- What Are Man-in-the-middle Attacks?
- TLS Vulnerability in iOS Apps Opens the Door to Man-in-the-Middle Attacks
Major security vulnerabilities in Smart Home devices could allow hackers to unlock doors
You protect what’s valuable in your home by locking your door. You protect your door by installing a smart-lock. You protect your smart-lock with encrypted SSH keys.
Except when you realize everyone else has been shipped those same SSH keys.
It was discovered that the private SSH key for the ZipaMicro smart-hub was hard-coded into all shipped devices. This made safety a matter of Russian roulette, as anyone who knew what they were doing could extract the “root” SSH key and access all devices without even a plain-text password.
“[It’s] like winning an exploit jackpot,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “It can literally provide attackers with the ability to unlock your home.” And the homes of anyone else with a ZipaMicro smart-hub.
Renters are now suing for the right to not use smart-lock doors.
Find out how researchers plumbed the vulnerability and what smart-hub maker Zipato is doing about it. Read the full article.
- Recent SSH Vulnerability Highlights the Importance of Automated Key Management
- SSH Vulnerability Allows Authentication without a Password
- Forget Securing the Backdoor! Security Vulnerability Leaves Commercial Front Doors Easily Unlockable
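An added example (not from the article or from any vendor named in it): a defender-side check for the failure mode in the Cisco and Zipato items above, scanning firmware images for embedded PEM certificates and private keys and flagging any private key that appears in more than one image. The image names and PEM bodies are constructed placeholders, not real key material.

```python
import hashlib
import re

# PEM-armoured block inside arbitrary bytes. The body is limited to base64 and
# whitespace so a stray "-----BEGIN" string in a binary cannot swallow the image.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s+([A-Za-z0-9+/=\s]+?)-----END \1-----")

def find_pem_blocks(image: bytes):
    """Return (label, offset, fingerprint) for every PEM block in one image."""
    hits = []
    for m in PEM_RE.finditer(image):
        # Drop all whitespace so LF vs CRLF packaging yields the same fingerprint.
        body = b"".join(m.group(2).split())
        hits.append((m.group(1).decode(), m.start(),
                     hashlib.sha256(body).hexdigest()))
    return hits

def shared_private_keys(images: dict):
    """Map fingerprint -> image names for private keys found in 2+ images."""
    seen = {}
    for name, image in images.items():
        for label, _offset, fp in find_pem_blocks(image):
            if "PRIVATE KEY" in label:
                seen.setdefault(fp, set()).add(name)
    return {fp: sorted(names) for fp, names in seen.items() if len(names) > 1}

# Constructed sample data: placeholder bodies, hypothetical image names.
KEY = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
       b"Q09OU1RSVUNURUQtU0FNUExFLUtFWQ==\n"
       b"-----END OPENSSH PRIVATE KEY-----\n")
CERT = (b"-----BEGIN CERTIFICATE-----\n"
        b"Q09OU1RSVUNURUQtQ0VSVA==\n"
        b"-----END CERTIFICATE-----\n")
SAMPLE_IMAGES = {
    "hub-unit-A.bin": b"\x7fELF\x00\x01" + KEY + b"\x00\x00" + CERT,
    "hub-unit-B.bin": b"\x00squashfs\x00" + KEY.replace(b"\n", b"\r\n"),
    "hub-unit-C.bin": b"\x00" + CERT,
}

if __name__ == "__main__":
    for name, image in SAMPLE_IMAGES.items():
        for label, offset, fp in find_pem_blocks(image):
            print(f"{name}: {label} at offset {offset}, sha256 {fp[:16]}")
    for fp, names in shared_private_keys(SAMPLE_IMAGES).items():
        print(f"private key {fp[:16]} is shared by: {', '.join(names)}")
```

A private key reported under more than one device image means every one of those devices can be impersonated or accessed by anyone who extracts it from a single unit; certificates issued to an unexpected organization show up in the per-image listing for manual review.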
These hackers made an app that kills to prove a point
A year ago, at Black Hat in August 2018, two researchers outed a security vulnerability that would leave diabetic MiniMed users open to remote hijack – of their insulin. This type of vulnerability highlights an overall lack of understanding about the importance of protecting the machine identities of IoT devices.
The MiniMed looks like a key fob and allows caretakers to administer automated shots of insulin through a connected device on the patient from several feet away. It’s like a remote control.
Billy Rios and Jonathan Butts discovered that a hacker could easily find the unencrypted radio frequency between the paired devices and reverse engineer a way around the coding to capture the fob’s commands. When the findings were displayed at Black Hat, no one moved. This year, they’ve taken their advice to the next level and made an app that can prove their point.
"We’ve essentially just created a universal remote for every one of these insulin pumps in the world," Rios says.
Find out how maker Medtronic is responding. Read the full article in WIRED.