DEAD DROP 17 / SECURE ENCLAVE KEY, DEFCON VIDS, CAN VULNERABILITY, SMART LOCK FAIL
--

Welcome to Dead Drop number 17, your look at what's happening in the worlds of computer security, and digital freedom. All source links mentioned are below.

- Youtube link
- Archive.org mirror
- Torrent
- Keybase mirror

VULNERABILITIES

Researchers at Ben-Gurion University have shown that regularly replaced smartphone components like touchscreens, and their controller boards can be modified with malicious chips for man in the middle attacks. These can then be used to exfiltrate unlock screen patterns, take photos, replace URLs with phishing ones, and more.

https://iss.oy.ne.ro/Shattered
https://www.youtube.com/watch?v=Vo13LKjpvS4

The decryption key for Apple's Secure Enclave Processor was also leaked by a hacker this week, allowing anyone to unlock the firmware of the security system. Although it doesn't expose user phone data, it does allow other researchers to poke around in the firmware, and possibly find more vulnerabilities.

https://threatpost.com/hacker-publishes-ios-secure-enclave-firmware-decryption-key/127524/
https://threatpost.com/its-not-exactly-open-season-on-the-ios-secure-enclave/127533/

Recently a bunch of Chrome extensions have been hijacked, and updated with malicious code to do things like inject advertising, or steal user data. Many of the devs for these extensions have been targeted with phishing scams, allowing attackers to gain access to their Google accounts and update their software. Keep an eye out for this, especially if your browser is set to auto-update.

https://thehackernews.com/2017/08/chrome-extension-hacking.html
https://threatpost.com/seven-more-chrome-extensions-compromised/127458/

Two separate zero-day exploits have recently been found in the Foxit PDF reader. If users have turned off 'Safe Reading Mode', then specially crafted PDFs can execute arbitrary code when opened.

https://thehackernews.com/2017/08/two-critical-zero-day-flaws-disclosed.html
https://www.youtube.com/watch?v=tTIKJwDah_s

DEFCON

Defcon 25 wrapped up a few weeks ago, and new videos are starting to pop up from the event. Definitely check out the official youtube page if you want to see some talks from the con.

https://www.youtube.com/user/DEFCONConference/videos

The always great Hak5 also released a new video detailing their experiences from DefCon, including this crazy 50 channel wifi data capture backpack.

https://www.youtube.com/watch?v=HkDQiauIKX0

VEHICLE HACKING

Researchers at Trend Micro recently came across a potentially massive vulnerability in modern car design. They found that the controller area network, which is the protocol used to connect different functions of cars together, like anti-lock braking, power steering, airbags, parking sensors and more, can be shut down locally or potentially remotely via a denial of service attack.

The attacker just needs to send faulty frames to the system, and if too many errors are sent, the particular section, say the airbags automatically shut off. This effects pretty much every modern car, and since this is a problem at the protocol level, the only fix would be for the automative industry to redesign their standards.

http://blog.trendmicro.com/trendlabs-security-intelligence/connected-car-hack/
https://www.youtube.com/watch?v=oajtDFw_t3Q
https://thehackernews.com/2017/08/car-safety-hacking.html
https://www.wired.com/story/car-hack-shut-down-safety-features

Speaking of car hacks, Keen Lab are back again with a new Tesla video, this time taking control of the Model X. Can you imagine how mad things are going to get when more cars are fully computerized?

https://www.youtube.com/watch?v=1e3dsJExIYk

IOActive also recently uploaded a video showing off vulnerabilities in the Segway miniPRO hoverboard things. They found that a bunch of problems, like the device not checking the authenticity of firmware, or the same PIN code being used on different Segways, allowed them to fully take control of the vehicles.

https://www.youtube.com/watch?v=lq3EPiG5guk

INTERNET OF FAILS

A recent auto-firmware update for the LockState RemoteLock 6i internet-connected lock has rendered hundreds of the $500 devices completely useless. Not good. According to the company, the devices were accidentally sent the firmware of another model, which in turn bricked the lock, making remote fixing impossible.

https://thehackernews.com/2017/08/firmware-smart-locks.html
https://www.youtube.com/watch?v=Xt_NWh61FlI

PRIVACY

And finally, the CEO of iRobot, the company which makes the Roomba robotic vacuums has said in an interview that the companies future lies in collecting data, by mapping out the inside of peoples houses, and selling it to third parties. He frames it as a way to improve the smart home, but I don't like where this is going.

Anyways, on that note, that's it for this week. I just wanted to say thanks for watching, and I'll see you in the next video.

https://www.reuters.com/article/us-irobot-strategy-idUSKBN1A91A5
https://www.youtube.com/watch?v=tZ0bq-jIg-o

--
BY NODE