Signature Bloatware Updates | TechSNAP 270

Posted on: June 9, 2016

The bloatware shipping on those new computers is way, way worse than you probably thought, Internet exposed printers & the thrilling story of reverse engineering an ATM skimmer. Yes that’s really a thing.

Plus great questions, our answers & more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

Nice brand new computer you have there, would be a shame if something happened to it

“According to a report published by two-factor authentication service Duo Security, third-party updating tools installed by Dell, HP, Lenovo, Acer, and Asus (the top five Windows PC OEMs) are exposing their devices to man-in-the-middle attacks.”
“OEM PC vendors understandably need a way to maintain and install more of the aforementioned bloatware. The Duo Labs team investigated OEM software update tools spanning five vendors: Acer, Asus, Dell, HP, and Lenovo.”
“Implementing a robust, secure system for delivering software updates to users requires a thorough threat model, and a fundamental understanding of how to correctly make use of the various cryptosystems available to do so. Many OEM vendors don’t seem to understand or care about the need for building basic security measures into their software, resulting in software rife with vulnerabilities.”
“Whether it’s a creep on the coffee shop WiFi or a nation state sitting on all the right trunks, any software that downloads and executes arbitrary binaries is an enticing target to attackers. This is a well-established fact — in 2006, some dude broke Mozilla’s Auto-Update; in 2010, there was Evilgrade; in 2012, Flame malware authors discovered how to man-in-the-middle (MITM) Windows Update; and in January 2016, there was the Sparkle debacle. This shows that targeting the transmission of executable files on the wire is a no-brainer for attackers.”
“The scope of this research paper is limited to OEM updaters, although this wasn’t the only attack surface found on these systems. Basic reverse engineering uncovered flaws that affected every single vendor reviewed, often with a very low barrier to both discovery and exploitation.”
The results:
- Dell — One high-risk vulnerability involving lack of certificate best practices, known as eDellroot
- Hewlett Packard — Two high-risk vulnerabilities that could have resulted in arbitrary code execution on affected systems. In addition, five medium-to-low risk vulnerabilities were also identified.
Asus — One high-risk vulnerability that allows for arbitrary code execution, as well as one medium-severity local privilege escalation
Acer — Two high-risk vulnerabilities that allow for arbitrary code execution.
Lenovo — One high-risk vulnerability that allows for arbitrary code execution.
Other Findings:
“Every vendor shipped with a preinstalled updater, that had at least one vulnerability resulting in arbitrary remote code execution as SYSTEM, allowing for a complete compromise of the affected machine”
Every new machine came with crapware, and an auto-updated for the crapware. The auto-updated made the machine less secure, not more secure as it expected. Not to mention they that this report doesn’t actually look at the crapware itself
“There was a very low level of technical sophistication required – that is, it was trivial to exploit most of the vulnerabilities”
They didn’t have to try very hard, some of these updaters run a local http server that anything can connect to
“Vendors often failed to make even basic use of TLS, properly validate update integrity, or verify the authenticity of update manifest contents”
This means that a random person at the coffee shop, or the government, can pretend to be your OEMs update server, and feed you malware instead of security fixes
“Vendors sometimes had multiple software updaters for different purposes and different implementations, some more secure than others”
Multiple auto-updaters, that is what everyone wants
“The large attack surface presented by ancillary OEM software components makes updater-specific bugs easier to exploit in practice by providing the missing pieces of the puzzle through other tools bundled with their systems”
If the auto-updater isn’t buggy enough, the crapware provides everything else you need to compromise the system
“Microsoft offers ‘Signature Edition’ systems which are intended to be free of the third-party software that plagues so many OEM systems. However, OEM-supplied software updaters and support packages are often still present on these machines.”
So even if you pay extra for a brand new system free of crapware, it still has the auto-updater that makes the system insecure
Additional Coverage
Additional Coverage: Lenovo tells users to uninstall vulnerable updater

Clinton email server — may have had an internet based printer…

“The Associated Press today points to a remarkable footnote in a recent State Department inspector general report on the Hillary Clinton email scandal: The mail was managed from the vanity domain “clintonemail.com.” But here’s a potentially more explosive finding: A review of the historic domain registration records for that domain indicates that whoever built the private email server for the Clintons also had the not-so-bright idea of connecting it to an Internet-based printer.”
According to historic Internet address maps stored by San Mateo, Calif. based Farsight Security, among the handful of Internet addresses historically assigned to the domain “clintonemail.com” was the numeric address 24.187.234.188. The subdomain attached to that Internet address was….wait for it…. “printer.clintonemail.com”.
“Interestingly, that domain was first noticed by Farsight in March 2015, the same month the scandal broke that during her tenure as United States Secretary of State Mrs. Clinton exclusively used her family’s private email server for official communications.”
“I should emphasize here that it’s unclear whether an Internet-capable printer was ever connected to printer.clintonemail.com. Nevertheless, it appears someone set it up to work that way.”
“More importantly, any emails or other documents that the Clintons decided to print would be sent out over the Internet — however briefly — before going back to the printer. And that data may have been sniffable by other customers of the same ISP”
Not necessarily, it can depend on the setup. The reason you might expose a printer to the internet like that on purpose, is to allow printing while you are away from home, but it isn’t a good idea
“Not just because any idiot on the Internet can just waste all your toner. Some of these printers have simple vulnerabilities that leave them easy to be hacked into.”
That printer can then serve as an ‘island hopping’ beachhead, allowing the attacker to do this from an internal IP address that is likely to be trusted, and allowed through firewalls (you do want to be able to talk to the printer right?)
It does appear the Clintons had an SSL VPN, which is a good sign, although I would expect the printer to have been behind that

Reverse engineering an ATM skimmer

“Brian Krebs has produced numerous articles on ATM skimmers. He has essentially become the “go to” journalist on ATM fraud. From reading his stuff, I have learned how the “bad guys” think when it comes to ATM fraud. In a nutshell, they are after two things:”
They want your card number
They want your PIN number
“To get your card number, the thieves have a few options. Traditionally, they affix a device to the ATM card reader that “skims” your card as it passes into the actual machine”
“The devices must look as close to the actual reader as possible so they don’t arouse suspicion. The blackhats go to great lengths to achieve this. Sometimes they will replace entire panels of the atm. They may even go as far as inserting a tiny card reader INSIDE the card slot. Alternatively, a thief may try to record the number “on the wire”. This is called “network skimming””
The post includes a video of a skimmer being installed in just a few seconds
Then it gets interesting, after having read all of Krebs advice, while visiting Indonesia, the author of the post encountered a skimmer
“A quick glance, and I suspected it was a skimmer immediately. It had a tiny switch, a port for a cable of some sort and I could see a faint blue light in the dark.”
“I was not sure what to do. I was tempted to leave it alone since it wasn’t mine and it could possibly be a legitimate piece of the ATM. But if it were a skimmer, I would be knowingly allowing people to get ripped off. I couldn’t allow that to happen, plus I wanted to take it home and see how it works!”
“We decided to take it. On our way out to dinner, Elizabeth and I discussed excitedly about how cool this is to be in the middle of a criminal conspiracy. “It feels like we are in a movie”, she said. We talked about how we think the crooks were getting the data. We talked about how we would report it to the authorities and take it apart. The movie kept getting more and more exciting in our imaginations. Then we got to the part of the movie where a group of men on motorcycles track us to our home and shoot us with automatic weapons.”
“By the time we got to the restaurant, we were pretty scared, A GSM-enabled device could feasibly phone home with its GPS coordinates. Just in case, we asked for some aluminum foil and made a makeshift Faraday cage. When it comes to Indonesian criminal gangs, you can never be too careful.”
“The next day we were still alive and not shot by a gang of criminals. We called the bank to report the device we found on their ATM. The CSR was pretty confused, but he took my name and number and dispatched a technician to look at the machine.”
This reaction is very common, and is starting to be troubling
After some deduction, he determined the ports on the side were for a USB cable
“Threading the braided wires into those tiny holes one at a time was an exercise in patience. After 40 minutes or so, I got them all aligned. I had to hold the wires in with my hand while I plugged the USB cable into my computer. I crossed my fingers and…. Skimmer device mounts as an external hard drive!”
“It mounts! I freak-out a little and begin copying the files from the device. There are two folders. One is named “Google Drive” and one is named “VIDEO”. The “Google Drive” folder was empty, but there is over 11GB of video files in the “VIDEO” folder. 45 minutes later, the files are still copying to my machine. The whole time I have to hold the cable and not move lest I break the transfer.”
“After it’s done, I shake out the cramps in my hand and go over the footage. The camera records 30 minute chunks of video whenever it detects movement. Most of the videos are of people typing in their pin numbers [upside down]”
“The device records sound. At first I thought it was a waste of storage to record this, but after looking at the footage, I realized how helpful the sound is. The beeps correspond to actual keypresses, so you can’t fool the skimmer by pretending to touch multiple keys. Also, the sound of money dispensing means that PIN is valid.”
When they tore the device apart, they found a cell phone battery, a control board, and a pinhole camera
“Googling the number from the controller board revealed that it is a commercially available board used in spy camera gear. The board was modified to include an external on/off switch, the stronger Samsung battery, and the aforementioned USB connection.”
“The overall design choices of the skimmer were actually pretty decent. As mentioned, at first I thought sound recording was a waste, but then found it to be useful for decoding PIN numbers as they are typed. I also initially thought that the cell phone battery was a lazy choice, like they just had one laying around. I have come to believe, however, that this is the best choice for a long-lasting and small-profile power source.”
The researcher did not find the actual card skimmer, but suspected that the data was being “network skimmed”
Going back a few days later, they found a fresh pin number camera installed