The Weekly Ink #33
THE WEEKLY INK
The Weekly Ink is the weekly newsletter brought to you by Duo Labs, with curated links of interest in the security world to help educate and entertain on security happenings and culture.
If you have links that you think would be interesting for inclusion and commentary, send them our way at labs@duosecurity.com.
RSAC 2015!
We're doing a slightly shorter Weekly Ink this week in deference to a little security-industry event called the RSA Conference, and the media deluge that's come with it. You can rest assured that Duo will be blogging extensively about the conference in the coming days, though!
It's Just Plane Wrong...
At least one RSAC presenter - a security researcher named Chris Roberts - almost didn't make it to California. Roberts, who has been talking about aviation security issues for years, tweeted - via the in-flight WiFi on a United Airlines flight - a suggestion that he could hack into the plane's control systems and deploy the oxygen masks. When he landed, he was detained for several hours by the FBI. A few days later, he tried to board another United flight to San Francisco, only to find that the airline had completely banned him.
Over the years, Chris Roberts has made some pretty outlandish boasts about (nominally hypothetical) plane-hacking escapades. I was in the audience for a talk he delivered at GrrCon 2013, and from what I remember of that talk, I can find myself the tiniest bit sympathetic to United's reasoning:
Given Mr. Roberts' claims that he has manipulated aircraft systems while inflight, a clear violation of United policy, we’ve decided it’s in the best interest of our customers and crew members that he not be allowed to fly United.
That said, it also reminds me a lot of Richard Feynman's experiences cracking safes (as a hobby) during his time working on the Manhattan Project: In short, he discovered - and eventually reported - a serious weakness in the safe design used throughout the offices at Los Alamos and Oak Ridge. The "solution"? Feynman was no longer allowed near any of the safes! Of course, this did nothing to address the very real security concerns that he raised.
Whether or not we believe Roberts' claims, his tweet - the one that got him barred from United - actually came in response to a Government Accountability Office (GAO) report raising some rather similar concerns. In particular, the GAO is worried about the fact that - on some airplane models - passenger Wi-Fi runs on the same network infrastructure as critical avionics systems. This is a disturbing trend, and one that's much bigger than the airline industry: security experts have made some very similar observations about cars. Designers of massive, dangerous metal vehicles need to get it through their heads that entertainment systems should be isolated from systems critical to maintaining passenger safety.
Hide Yo Kids, Hide Yo WiFi!
Last week, we learned about some bad vulnerabilities in the Wi-Fi stacks on both iOS and Android. These sorts of attacks are particularly scary because, in both cases, the vulnerabilities could allow attackers to do evil things even if you're only in range of a malicious device. From Skycure's report on the iOS vulnerability:
Combining techniques such as WiFiGate or Karma attacks with this new discovery can allow an attacker to form a "No iOS Zone". Envision a small device, which automatically captures any iOS device in range and gets it to join a fake network. Then, it issues the attack and crashes attacked iOS devices again and again. Victims in range cannot do anything about it. Think about the impact of launching such an attack on Wall Street, or maybe at the world’s busiest airports, or at large utility plants. The results would be catastrophic.
Meanwhile, the Android vulnerability (which also affects many other Linux-based systems) is only exploitable on devices with Wi-Fi Direct support enabled, but - worse than just causing a crash - could permit remote code execution! In contrast to a previously-reported Android Wi-Fi Direct issue, this one sounds kinda serious, so let's hope Google pushes a fix out ASAP.