The Issue
This is just mind-boggling. I cannot believe how stupid hardware vendors are when writing the firmware for their devices. A recent issue has been reported here: UPnP Enabled Routers Allow Attacks on LANs. Some router manufacturers have allowed the Universal Plug and Play (UPnP) suite of protocols to operate on the WAN interface; that’s the interface that points to the internet. Here is a definition from Wikipedia to give a brief introduction to UPnP for the uninitiated:
Definition of UPnP
Universal Plug and Play (UPnP) is a set of networking protocols for primarily residential networks without enterprise class devices that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices to seamlessly discover each other’s presence on the network and establish functional network services for data sharing, communications, and entertainment.
The Risks
So without going into all the techie detail, it’s basically a way for your computers at home to find each other and start talking. That’s great when you’re at home and you want things to just work, but why would you want that functionality available from the internet, where anyone could get the same level of access? Well, you don’t. It means that anyone can find your router, start talking to it, and gain some control over it and over other devices on your network. I can’t think of one valid reason why anyone would need this; there is the odd reason, like remote router administration, but there are far better and more secure methods of achieving the same functionality, a VPN for example. Like I said, the mind just boggles. This is known only to be a problem for Edimax, Linksys, Sitecom or Thomson (SpeedTouch) routers at present. An attacker can use this feature to use your internet connection for their own purposes, e.g. illegal downloads or anonymous surfing. There is also the added risk that once they’ve found you on the internet they can use the normal suite of attacks against your computers and steal banking logon information, corrupt data or take control of your computers for their own purposes; attackers rarely use just one technique to achieve their goals.
The Fix
For those routers that allow it, disable UPnP on the WAN interface. For those that don’t, simply disable UPnP altogether and the problem goes away.
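As an added example (not from the original post), here is how you would spot the problem from the defender’s side in a router’s own netfilter/iptables log: SSDP discovery datagrams (UDP/1900) arriving on the WAN interface mean the router’s UPnP stack is reachable from the internet. The interface name eth0 and the log lines are constructed assumptions.

```python
import re
from dataclasses import dataclass

WAN_IFACE = "eth0"              # assumption: the router's internet-facing interface
SSDP_PORT = "1900"              # UPnP discovery (SSDP) is UDP/1900
SSDP_MCAST = "239.255.255.250"  # the multicast group SSDP normally uses on the LAN

# netfilter LOG lines are a run of KEY=VALUE fields (OUT= may be empty)
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample lines in netfilter LOG format; addresses are documentation ranges.
SAMPLE_LOG = [
    "Jul 20 10:15:02 router kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 "
    "LEN=131 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=51234 DPT=1900 LEN=111",
    "Jul 20 10:15:03 router kernel: IN=br0 OUT= SRC=192.168.1.20 DST=239.255.255.250 "
    "LEN=131 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=49152 DPT=1900 LEN=111",
    "Jul 20 10:15:04 router kernel: IN=eth0 OUT= SRC=203.0.113.8 DST=198.51.100.7 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=65535",
    "Jul 20 10:15:05 router kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=239.255.255.250 "
    "LEN=131 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=33333 DPT=1900 LEN=111",
]

@dataclass
class SsdpHit:
    src: str
    dst: str
    unicast: bool  # True when aimed straight at the WAN address, not the multicast group

def parse_fields(line: str) -> dict:
    """Turn one netfilter log line into a KEY -> VALUE dict."""
    return dict(FIELD_RE.findall(line))

def wan_ssdp_hits(lines, wan_iface: str = WAN_IFACE):
    """Return SSDP datagrams that arrived on the WAN interface.

    LAN-side discovery is what UPnP is for and is ignored; anything on the WAN side
    means the internet can talk to the router's UPnP stack and it should be filtered
    (or UPnP disabled), as recommended above.
    """
    hits = []
    for line in lines:
        f = parse_fields(line)
        if f.get("IN") != wan_iface:
            continue
        if f.get("PROTO") != "UDP" or f.get("DPT") != SSDP_PORT:
            continue
        hits.append(SsdpHit(f["SRC"], f["DST"], f["DST"] != SSDP_MCAST))
    return hits

if __name__ == "__main__":
    for hit in wan_ssdp_hits(SAMPLE_LOG):
        kind = "unicast" if hit.unicast else "multicast"
        print(f"SSDP on WAN from {hit.src} to {hit.dst} ({kind})")
```

A unicast M-SEARCH aimed at the WAN address is the telling case, since multicast does not normally cross the internet; seeing either on the WAN side after you have disabled UPnP means the setting did not take.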
Let’s Discuss SSL
Whenever I talk to people about vulnerabilities in websites I always seem to get the same response: that everything’s okay “because I use SSL”. SSL, formally Secure Sockets Layer and now Transport Layer Security (TLS), is the cryptographic protocol used by websites to encrypt data between the server and your web browser. Whenever you see “https” or the little padlock symbol it means you are using an encrypted connection to the website. It essentially means that if anyone were to capture the data that you and the server exchange, all they would get is digital noise. Well, it is certainly true that SSL is a fairly secure means of communicating from your computer to the server. However, there is a common theme I’m finding amongst web users: it is not that they don’t have good practices, like using secure passwords and secure websites, but that they aren’t vigilant about whether the secure connection they think they have is actually there. This video by Moxie Marlinspike explains why users need to be more aware than ever before:
Video Link
http://www.youtube.com/watch?v=fO4obQYEAv8
What are the Risks?
As Moxie explains, he has written a program which, when used in conjunction with already existing techniques, makes it possible to route your secure website traffic through his computer and remove the encryption. He does this by making the SSL connection to the server on your behalf and feeding you an unsecured version of the site which looks identical, albeit unsecured. If you weren’t checking for the https and padlock symbol it would be easy to overlook the interception. So how likely are you to be affected? Well, as with all Internet access, the risks depend on how you connect to the Internet, the sites you visit and what you do when you get there. With this particular issue it’s more about being aware of your local network environment, making a conscious assessment of the risks and adapting your behaviour accordingly. In this case, the attacker has to place themselves between you and the Internet. So if, for example, you are using a wired connection to your home router, which doesn’t have wifi enabled, and are connecting via your ISP to the Internet, then the likelihood of someone being able to logically position themselves between you and the Internet is very, very low. If, however, you are using an unsecured wifi access point at a coffee shop or hotel then the risks are far greater. This is when you need to double-check, when you connect to a secure site, that the site is properly formatted, and I would even go so far as to check that the SSL certificate is the correct one for the site I am visiting. You can use Certificate Patrol to do this automatically for you. I certainly wouldn’t even contemplate attempting to access my online bank or social networking sites via an unsecured access point, even if the page looked properly formatted.
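The certificate check described above is what Certificate Patrol automates: remember the certificate a site showed you last time and shout when it changes. The following is an added example of that trust-on-first-use logic (not code from the post or from Certificate Patrol); the pin file name and the sample certificate bytes are assumptions. It covers the case where an interceptor presents a substitute certificate; in the plain downgrade Moxie demonstrates there is no certificate at all, so the https/padlock check still comes first.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path

# Assumption: pins live in a small JSON file beside the script (hypothetical location).
PIN_STORE = Path("cert_pins.json")

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER leaf certificate, colon-separated the way browsers display it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def check_pin(host: str, der_cert: bytes, pins: dict) -> str:
    """Trust-on-first-use comparison of the certificate a host presents.

    Returns 'NEW' (first sighting, pin recorded), 'OK' (same certificate as before)
    or 'CHANGED' (a different certificate: stop and investigate, especially on a
    network you do not control).  A pin is only written on a NEW result.
    """
    fp = fingerprint(der_cert)
    known = pins.get(host)
    if known is None:
        pins[host] = fp
        return "NEW"
    return "OK" if known == fp else "CHANGED"

def fetch_leaf_der(host: str, port: int = 443) -> bytes:
    """Live helper: complete a TLS handshake and return the server's leaf certificate (DER)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def load_pins(path: Path = PIN_STORE) -> dict:
    return json.loads(path.read_text()) if path.exists() else {}

def save_pins(pins: dict, path: Path = PIN_STORE) -> None:
    path.write_text(json.dumps(pins, indent=2, sort_keys=True))

if __name__ == "__main__":
    import sys
    pins = load_pins()
    for host in sys.argv[1:]:            # e.g. python pins.py bank.example
        result = check_pin(host, fetch_leaf_der(host), pins)
        print(f"{host}: {result} {pins[host]}")
    save_pins(pins)
```

Run it once from a network you trust to record the pins, then again from the coffee shop; a CHANGED result for your bank is the moment to close the laptop rather than log in.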
A recent report highlighted a new vulnerability in Apple MacBook Pro computers. This time it’s not a hole in operating system security, a problem with code being automatically executed in Skype or even a Safari exploit, but instead a battery issue. Modern laptop batteries are very different from the normal cell-type batteries that we are accustomed to. If you look at a laptop battery connector there aren’t simply 2 connections as you might expect; there is a whole host of them. This is because, in order to obtain the voltages needed to operate, a number of low-voltage cells are placed in series. The voltage across each of these cells is added together to give the total voltage of the battery.
The problem with lithium-ion cells is that not all cells are created equal, and the power-handling capabilities vary from cell to cell. In order for the ‘battery’ to operate, each of these cells needs to behave pretty much the same, and so a battery controller is used to ensure that all cells perform the same. This battery controller is located in the laptop and not the battery, which is why there are so many connections being made to the battery by the computer. Those cells that have more charge are bled more to match the output of the lower-performing ones. This process is called cell desynchronisation. The battery controller carefully manages the charge and discharge cycles of all cells to bring the over-performing ones down and to preserve the lower-performing ones. If a cell drops below about 2V then the controller takes it offline permanently. If enough cells are taken offline then the battery appears dead and there is no way to bring it back.
Charlie Miller, of Pwn2Own hacking fame, recently explored the firmware that runs these controllers and found that they are all secured by the same password. This is presumably to allow Apple to update the firmware if they need to, perhaps to optimise battery life in the future. He also found that by updating the firmware himself it was possible to permanently brick the battery, making it unusable.
At the time of writing there is no known attack circulating in the wild, but the potential is there unless Apple change their battery controller firmware to use more secure protection.
I recently read an article that reported a new vulnerability found in one of the longest-standing and most trusted encryption protocols on the internet. It really brought home to me the issues associated with our online activities and I wanted to share them with you. Here is the article:
http://lwn.net/Articles/448699/
This article highlights the main reason I started this site. The technology the internet is based on, and the security protocols we place our trust in, were first conceived decades ago and were not designed for the web we know today. Security is very much a bolt-on to a technology that, even though still revolutionary today, is really not suited, by design, to its intended purpose. All it takes is a very minor omission in a line of code to render that code harmful rather than secure. The difficulty here is that we don’t know how many omissions exist in the software we use today, and so we need to be more careful than we might think to ensure we stay safe.
Casting my mind back to those management training courses at work where they roll out the health and safety courses reminds me of the Swiss cheese model. This is a very simple model that says there are many barriers that prevent us from getting hurt, but if all the holes in the cheese line up then an accident happens (which is bad). The more barriers between the hazard and the person, the better. We need to adopt this same approach when thinking about computers and our online activities. Relying on just one barrier has the potential to allow a flaw in the software code that creates that barrier to harm us. I use the term ‘harm’ exceedingly loosely, but I hope you get the point. We need to ensure we think a little bigger. I will expand on this concept in future blogs as I think this really sows the seeds for responsible online behaviour. Understanding that those things which should be secure are not allows us to put in contingencies, so we have a better chance of not being caught out.