By Deeba Ahmed
The vulnerability existed in Jacuzzi Brand LLC’s SmartTub app web interface that could reveal users’ private data to…
This is a post from HackRead.com Read the original post: Flaws in Smart Jacuzzi App Could Be Exploited To Extract Users’ Data

****The vulnerability existed in Jacuzzi Brand LLC’s SmartTub app web interface that could reveal users’ private data to remote malicious attackers.****

Researchers have identified vulnerabilities in Jacuzzi Brand LLC’s SmartTub app web interface that can reveal private data to attackers.

Security researcher and ethical hacker Eaton Zveare (EatonWorks) has identified a security flaw in the SmartTub feature of the app used in the hot tubs manufactured by the world-renowned Jacuzzi Brand.

The flaw exists in the app’s web interface, and as per the researcher, it allows a threat actor to view and abuse the personal data of hot tub users. The issue has been patched now, but Zveare claims he wasn’t notified about the fixes. Moreover, he stated that Jacuzzi didn’t reply to his emails.

**About the SmartTub App**

SmartTub is a Jacuzzi app available for iOS and Android systems. It has a SmartTub feature that users can use to connect to the tub via a module remotely and receive status updates or accepts users’ commands for various tasks. Such as, it can automatically set the water temperature, turn on lights and water jet, etc. It isn’t clear whether the vulnerability impacted these functions.

**Attack Scenario Explained**

According to a blog post, Zveare first accessed the Smarttub.io app’s admin panel using the wrong credentials, which were initially not accepted. He was then redirected to a display page where he could view data from multiple Jacuzzi brands in the US and elsewhere.

> “Right before that message appeared, I saw a header and table briefly flash on my screen. Blink and you’d miss it. I had to use a screen recorder to capture it. I was surprised to discover it was an admin panel populated with user data. Glancing at the data, there is information for multiple brands, and not just from the US.”
> 
> Eaton Zveare

Furthermore, the app’s single-page-application (SPA) JavaScript bundle showed that usernames and passwords were sent to a third-party verification platform Auth0. Using the Fiddler tool, Zveare modified the HTTP response to masquerade in the admin status and obtain full access to the panel and a vast trove of data.

Hence, the issue identified was a poorly secured admin console in the web interface that allowed bypassing admin credentials.

**What was Data Exposed?**

The researcher claims that the bug could have exposed users’ first and last names, email addresses, and other sensitive data if abused. This issue could have impacted users all over the world.

According to Zveare, he could view details of “every spa,” check its owner, and remove their ownership. Furthermore, he could view user accounts and edit them as well. However, he didn’t test it as he feared the changes would be saved.

The researcher informed Jacuzzi Brands in early December, and the issue was resolved on 4 June.

**More IoT Vulnerability News**

*   Why Internet of Things is the world’s greatest cyber security threat
*   Bluetooth Signals Can Be Abused To Detect and Track Smartphones
*   Hackers attack Casino fish tank thermometer to obtain sensitive data
*   Hackers Can Disable House Arrest Ankle Bracelet without Raising Alert
*   Samsung Smart Refrigerator Hacked, Left Gmail Login Credentials Vulnerable

Flaws in Smart Jacuzzi App Could Be Exploited To Extract Users’ Data

Researchers have discovered that a Kazakhstan government entity deployed sophisticated Italian spyware within its borders.

Researchers have discovered that a Kazakhstan government entity deployed sophisticated Italian spyware within its borders.

An agent of the Kazakhstan government has been using enterprise-grade spyware against domestic targets, according to Lookout research published last week.

The government entity used brand impersonation to trick victims into downloading the malware, dubbed “Hermit.” Hermit is an advanced, modular program developed by RCS Lab, a notorious Italian company that specializes in digital surveillance. It has the power to do all kinds of spying on a target’s phone – not just collect data, but also record and make calls.

The timing of this spying operation holds extra significance. In the first week of 2022, anti-government protests were met with violent crackdowns across Kazakhstan. 227 people died in all, and nearly 10,000 were arrested. Four months later is when researchers discovered the latest samples of Hermit making rounds.

**The Intrusion**

How do you get a target to download their own spyware?

In this campaign, the perpetrators use OPPO – Guangdong Oppo Mobile Telecommunications Corp., Ltd – a Chinese mobile and electronics manufacturer – as its ploy to earn trust among targets. According to researchers, agents working on the behalf of the government send SMS messages purporting to come from OPPO, which is actually a maliciously hijacked link to the company’s official Kazakh-language support page: http\[://\]oppo-kz\[.\]custhelp\[.\]com. (At the time of the report’s publication, that support page had gone offline.) In some instances, the attackers also impersonate Samsung and Vivo, according to Lookout.

The intrusion requires the victim to open the SMS message and click the link to the hijacked page. While it’s loaded, the malware downloads simultaneously in the background of the target machine, then connects to a C2 server hosted by a small service provider in Nur-Sultan, the capital of the country.

As Paul Shunk, security researcher at Lookout, wrote in a statement: “The combination of the targeting of Kazakh-speaking users and the location of the backend C2 server is a strong indication that the campaign is controlled by an entity in Kazakhstan.” Though the Lookout researchers identified that entity as belonging to the state government, they did not attribute a particular government official or department.

**The Malware**

Hermit isn’t just sophisticated, it’s wholly customizable.

It’s built modularly, meaning that its owners can use or ignore some of its 25 known components, each of which serve a different function. It also means that the deployment of any given instance of Hermit might be different than the next.

Among those many functions are the ability to record audio, make and redirect calls, and collect data on a victim’s smartphone.

Then there are more niche functions. For example, as the researchers noted in their report, “the spyware also attempts to maintain data integrity of collected ‘evidence’ by sending a hash-based message authentication code (HMAC). This allows the actors to authenticate who sent the data as well as ensure the data is unchanged.” Why is this interesting? Because “using this method for data transmission may enable the admissibility of collected evidence.”

“The discovery of Hermit adds another puzzle piece to the picture of the secretive market for ‘lawful intercept’ surveillance tools,” wrote Shunk. “If there is legitimate use of this technology, it certainly requires strict oversight and protections against abuse.”

Kazakh Govt. Used Spyware Against Protesters

An enterprise-grade surveillanceware dubbed Hermit has been put to use by entities operating from within Kazakhstan, Syria, and Italy over the years since 2019, new research has revealed.
Lookout attributed the spy software, which is equipped to target both Android and iOS, to an Italian company named RCS Lab S.p.A and Tykelab Srl, a telecom services provider which it suspects to be a front

An enterprise-grade surveillanceware dubbed **Hermit** has been put to use by entities operating from within Kazakhstan, Syria, and Italy over the years since 2019, new research has revealed.

Lookout attributed the spy software, which is equipped to target both Android and iOS, to an Italian company named RCS Lab S.p.A and Tykelab Srl, a telecom services provider which it suspects to be a front company. The San Francisco-based cybersecurity firm said it detected the campaign aimed at Kazakhstan in April 2022.

Hermit is modular and comes with myriad capabilities that allow it to "exploit a rooted device, record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages," Lookout researchers Justin Albrecht and Paul Shunk said in a new write-up.

The spyware is believed to be distributed via SMS messages that trick users into installing what are seemingly innocuous apps from Samsung, Vivo, and Oppo, which, when opened, loads a website from the impersonated company while stealthily activating the kill chain in the background.

Like other Android malware threats, Hermit is engineered to abuse its access to accessibility services and other core components of the operating system (i.e., contacts, camera, calendar, clipboard, etc.) for most of its malicious activities.

Android devices have been at the receiving end of spyware in the past. In November 2021, the threat actor tracked as APT-C-23 (aka Arid Viper) was linked to a wave of attacks targeting Middle East users with new variants of FrozenCell.

Then last month, Google's Threat Analysis Group (TAG) disclosed that at least government-backed actors located in Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, and Indonesia are buying Android zero-day exploits for covert surveillance campaigns.

"RCS Lab, a known developer that has been active for over three decades, operates in the same market as Pegasus developer NSO Group Technologies and Gamma Group, which created FinFisher," the researchers noted.

"Collectively branded as 'lawful intercept' companies, they claim to only sell to customers with legitimate use for surveillanceware, such as intelligence and law enforcement agencies. In reality, such tools have often been abused under the guise of national security to spy on business executives, human rights activists, journalists, academics and government officials."

The findings come as the Israel-based NSO Group is said to be reportedly in talks to sell off its Pegasus technology to U.S. defense contractor L3Harris, the company that manufactures StingRay cellular phone trackers, prompting concerns that it could open the door for law enforcement's use of the controversial hacking tool.

The German maker behind FinFisher has been courting troubles of its own in the wake of raids conducted by investigating authorities in connection with suspected violations of foreign trading laws by way of selling its spyware in Turkey without obtaining the required license.

Earlier this March, it shut down its operations and filed for insolvency, Netzpolitik and Bloomberg reported, adding, "the office has been dissolved, the employees have been laid off, and business operations have ceased."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover 'Hermit' Android Spyware Used in Kazakhstan, Syria, and Italy

In multiple functions of AvatarPhotoController.java, there is a possible access to content owned by system content providers due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11Android ID: A-250637906

_Published December 5, 2022_

The Android Automotive OS (AAOS) Update Bulletin contains details of security vulnerabilities affecting the Android Automotive OS platform. The full AAOS update comprises the security patch level of 2022-12-05 or later from the December 2022 Android Security Bulletin in addition to all issues in this bulletin.

We encourage all customers to accept these updates to their devices.

The most severe of these issues is a high security vulnerability in the Platform Apps component that could lead to local escalation of privilege with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

**Announcements**

*   In addition to the security vulnerabilities described in the December 2022 Android Security Bulletin, the December 2022 Android Automotive OS Update Bulletin also contains patches specifically for AAOS vulnerabilities as described below.

**2022-12-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-12-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Platform Apps**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-0481

A-172939189

EoP

High

10, 11

CVE-2021-39706

A-200164168

EoP

High

10, 11

CVE-2021-39707

A-200688991

EoP

High

10, 11

CVE-2022-20144

A-250637906

EoP

High

10, 11

CVE-2022-20223

A-223578534

EoP

High

10, 11

CVE-2022-20348

A-250910523

EoP

High

10, 11

CVE-2021-39631

A-193890833

ID

High

10, 11, 12, 12L, 13

**System**

The vulnerability in this section could lead to local escalation of privilege with User execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-0954

A-143559931

EoP

High

11, 12, 12L, 13

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, read the instructions on the Google device update schedule.

*   Security patch levels of 2022-12-01 or later address all issues associated with the 2022-12-01 security patch level.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2022-12-01\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2022-12-01 security patch level. Please see this article for more details on how to install security updates.

**2\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**3\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**4\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**5\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions****Versions**

  

Version

Date

Notes

1.0

December 5, 2022

Bulletin Published

CVE-2022-20144: Android Automotive OS Update Bulletin—December 2022

In onCreateContextMenu of NetworkProviderSettings.java, there is a possible way for non-owner users to change WiFi settings due to a missing permission check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-12 Android-12LAndroid ID: A-206986392

_Published June 6, 2022 | Updated June 7, 2022_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2022-06-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours. We will revise this bulletin with the AOSP links when they are available.

The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2022-06-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-06-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Framework**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-39691

A-157929241

EoP

High

10, 11, 12

CVE-2022-20006

A-151095871

EoP

High

10, 11, 12, 12L

CVE-2022-20125

A-194402515

EoP

High

10, 11, 12, 12L

CVE-2022-20138

A-210469972 \[2\]

EoP

High

10, 11, 12, 12L

CVE-2021-39624

A-67862680

DoS

High

10, 11, 12, 12L

**Media Framework**

The vulnerability in this section could lead to remote code execution with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20130

A-224314979

RCE

Critical

10, 11, 12, 12L

**System**

The most severe vulnerability in this section could lead to remote code execution with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20127

A-221862119

RCE

Critical

10, 11, 12, 12L

CVE-2022-20140

A-227618988

EoP

Critical

12, 12L

CVE-2022-20145

A-201660636

EoP

Critical

11

CVE-2022-20124

A-170646036

EoP

High

10, 11, 12, 12L

CVE-2022-20126

A-203431023

EoP

High

10, 11, 12, 12L

CVE-2022-20133

A-206807679

EoP

High

10, 11, 12, 12L

CVE-2022-20134

A-218341397 \[2\]

EoP

High

10, 11, 12, 12L

CVE-2022-20135

A-220303465

EoP

High

10, 11, 12, 12L

CVE-2022-20137

A-206986392

EoP

High

12, 12L

CVE-2022-20142

A-216631962

EoP

High

10, 11, 12, 12L

CVE-2022-20144

A-187702830 \[2\]

EoP

High

10, 11, 12, 12L

CVE-2022-20147

A-221216105

EoP

High

10, 11, 12, 12L

CVE-2022-20123

A-221852424

ID

High

10, 11, 12, 12L

CVE-2022-20131

A-221856662

ID

High

10, 11, 12, 12L

CVE-2022-20129

A-217934478 \[2\]

DoS

High

10, 11, 12, 12L

CVE-2022-20143

A-220735360

DoS

High

10, 11, 12, 12L

**Google Play system updates**

The following issues are included in Project Mainline components.

 

Component

CVE

Media Codecs

CVE-2022-20130

**2022-06-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-06-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Kernel components**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Component

CVE-2021-4154

A-218836280  
Upstream kernel

EoP

High

Kernel

CVE-2022-20141

A-112551163  
Upstream kernel

EoP

High

Inet sockets

CVE-2022-24958

A-220261709  
Upstream kernel \[2\] \[3\] \[4\]

EoP

High

USB

CVE-2022-25258

A-222023189  
Upstream kernel \[2\]

EoP

High

USB

CVE-2022-20132

A-188677105  
Upstream kernel \[2\] \[3\] \[4\] \[5\] \[6\] \[7\]

ID

High

USB HID

CVE-2022-25375

A-162326603  
Upstream kernel

ID

High

RNDIS driver

**MediaTek components**

This vulnerability affects MediaTek components and further details are available directly from MediaTek. The severity assessment of this issue is provided directly by MediaTek.

   

CVE

References

Severity

Component

CVE-2022-21745  

A-228972609  
M-ALPS06468872\*

High

WIFI Firmware

**Unisoc components**

This vulnerability affects Unisoc components and further details are available directly from Unisoc. The severity assessment of this issue is provided directly by Unisoc.

   

CVE

References

Severity

Component

CVE-2022-20210  

A-228868888  
U-1770644\*

Critical

Modem

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Component

CVE-2021-35083  

A-209481130\*

High

Closed-source component

CVE-2021-35102  

A-209469926\*

High

Closed-source component

CVE-2021-35111  

A-209469960\*

High

Closed-source component

CVE-2022-22082

A-223211217\*

High

Closed-source component

CVE-2022-22083

A-223210917\*

High

Closed-source component

CVE-2022-22084  

A-223209816 \*

High

Closed-source component

CVE-2022-22085

A-223209306\*

High

Closed-source component

CVE-2022-22086

A-223211218\*

High

Closed-source component

CVE-2022-22087

A-223209610\*

High

Closed-source component

CVE-2022-22090

A-223210918\*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2022-06-01 or later address all issues associated with the 2022-06-01 security patch level.
*   Security patch levels of 2022-06-05 or later address all issues associated with the 2022-06-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2022-06-01\]
*   \[ro.build.version.security\_patch\]:\[2022-06-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2022-06-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2022-06-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2022-06-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

June 6, 2022

Bulletin Published

1.1

June 7, 2022

Bulletin revised to include AOSP links

CVE-2022-20137: Android Security Bulletin—June 2022  |  Android Open Source Project

Researchers at MIT have published details about an attack that uses a flaw in the M1 security feature pointer authentication codes. 
The post Don’t panic! “Unpatchable” Mac vulnerability discovered appeared first on Malwarebytes Labs.

Researchers at MIT’s Computer Science & Artificial Intelligence Lab (CSAIL) found an attack surface in a hardware-level security mechanism utilized in Apple M1 chips. The flaw is unpatchable, but attackers would need to chain it with other vulnerabilities to make use of the attack method.

The hardware attack can bypass Pointer Authentication (PAC) on the Apple M1 CPU. The researchers gave a brief description on a dedicated site and will present full details on June 18, 2022 at the International Symposium on Computer Architecture.

**The M1 chip**

Until the recently announced M2, the M1 chip was the most powerful chip that Apple had created. The Apple M1 series of ARM-based system-on-a-chip (SoC) works as a central processing unit (CPU) and graphics processing unit (GPU) for Apple’s Macintosh desktops and notebooks, as well as the iPad Pro and iPad Air tablets.

Macs and PCs normally incorporate several chips for their Central Processing Unit (CPU), Input/Output (I/O), and security. The M1 was the first SoC for Macs that combined these technologies, which led to better integration and improved performance and power usage.

**Security**

The researchers have dubbed it PACMAN, a vulnerability in what they call the last line of security for the M1 chip. The flaw could theoretically give threat actors a door to gain full access to the core operating system kernel.

Both the researchers and Apple stated there is no cause for immediate alarm, since the system under attack needs to have an existing memory corruption bug to exploit the vulnerability.

**PAC**

The PAC in PACMAN is short for pointer authentication codes. The PAC is a cryptographic signature that confirms that an app wasn’t maliciously altered. With pointer authentication enabled, bugs that could normally compromise a system or leak private information are stopped dead in their tracks.

This feature makes it much harder for an attacker to inject malicious code into a device’s memory and provides a level of defense against buffer overflow exploits. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region.

The researchers found a vulnerability which allows PACMAN to find out the PAC. To understand how they pulled this off we need to understand speculative execution. The computer processor guesses several directions a computation may go in by using a technique called speculative execution. To use an analogy, they do this to have the answers ready for several following questions.

**How it fails**

The idea behind pointer authentication is that if all else has failed, you still can rely on it to prevent attackers from gaining control of your system. But the researchers found that the number of possible PACs has its limits and by using speculative execution they could use a trial and error method without causing any crashes. This allowed them to brute-force the PAC value without triggering any alams.

Another advantage that speculative execution provides an attacker with is that there is no known way of finding out whether your system is or has been the victim of such an attack.   

**More targets**

The PACMAN attack combines a software attack with a hardware attack to exploit a flaw in a security feature. The researchers expressed that they expect to see more attacks of this type in the future. This particular attack, while it was only tested against the M1 chip, is expected to work in a similar way on every architecture that uses PAC.

Apple has implemented pointer authentication on all of its custom ARM-based silicon so far, including the M1, M1 Pro and M1 Max, and a number of other chip manufacturers, including Qualcomm and Samsung, have either announced or expect to ship new processors supporting the PAC security feature.

**Mitigation**

Current users of M1 based systems don’t need to take immediate action at this point.

Apple thanked the researchers for their work and for sharing their findings. Apple gave the following comment:

> “Based on our analysis as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own.”

Since the PACMAN attack only works when chained with an existing bug and exploits the hardware architecture there is not much a user can do but be vigilant. Since the hardware mechanisms used by PACMAN cannot be patched with software features, memory corruption bugs can be, so those are the ones to look out for.

Don’t panic! “Unpatchable” Mac vulnerability discovered

Improper authorization in Samsung Pass prior to 1.0.00.33 allows physical attackers to acess account list without authentication.

CVE-2022-30730

With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva. If INVPCID is executed with CR0.PG=0, the invlpg callback is not set and the result is a NULL pointer dereference.

**BIAS: Bluetooth Impersonation AttackS**

**About the BIAS attack**

TL;DR: The Bluetooth standard provides authentication mechanisms based on a long term pairing key, which are designed to protect against impersonation attacks. The BIAS attacks from our new paper demonstrate that those mechanisms are broken, and that an attacker can exploit them to impersonate any Bluetooth master or slave device. Our attacks are standard-compliant, and can be combined with other attacks, including the KNOB attack. In the paper, we also describe a low cost implementation of the attacks and our evaluation results on 30 unique Bluetooth devices using 28 unique Bluetooth chips.

**Details**

Bluetooth Classic (also called Bluetooth BR/EDR) is a wireless communication protocol commonly used between low power devices to transfer data, e.g., between a wireless headset and a phone, or between two laptops. Bluetooth communications might contain private and/or sensitive data, and the Bluetooth standard provides security features to protect against someone who wants to eavesdrop and/or manipulate your information. We found and exploited a severe vulnerability in the Bluetooth BR/EDR specification that allows an attacker to break the security mechanisms of Bluetooth for any standard-compliant device. As a result, an attacker can impersonate a device towards the host after both have previously been successfully paired in absence of the attacker.

We call our attack Bluetooth Impersonation AttackS (BIAS). Because this attack affects basically all devices that “speak Bluetooth”, we performed a responsible disclosure with the Bluetooth Special Interest Group (Bluetooth SIG) - the standards organisation that oversees the development of Bluetooth standards - in December 2019 to ensure that workarounds could be put in place.

**Are My Devices Vulnerable?**

The BIAS attack is possible due to flaws in the Bluetooth specification. As such, any standard-compliant Bluetooth device can be expected to be vulnerable. We conducted BIAS attacks on more than 28 unique Bluetooth chips (by attacking 30 different devices). At the time of writing, we were able to test chips from Cypress, Qualcomm, Apple, Intel, Samsung and CSR. All devices that we tested were vulnerable to the BIAS attack.

After we disclosed our attack to industry in December 2019, some vendors might have implemented workarounds for the vulnerability on their devices. So the short answer is: if your device was not updated after December 2019, it is likely vulnerable. Devices updated afterwards might be fixed.

**Team**

**Daniele Antonioli****Postdoc at the EPFL**

Cyber-Physical Systems Security, Network Security, Wireless Security, Embedded Systems Security, Applied Cryptography, SoCurity

**Kasper Rasmussen****Faculty**

Security of Wireless Networks, Protocol design, Applied Cryptography, Security of embedded systems, Cyber-physical systems

**Nils Ole Tippenhauer****Faculty**

Security of Cyber-Physical Systems, Security of Physical-Layer Wireless, IoT Security

**Related Publications**

**Recent & Upcoming Talks**

**Media Coverage**

*   social
    
    *   Reddit Thread
*   CERT
    
    *   CVE-2020-10135
    *   https://www.kb.cert.org/vuls/id/647177/
*   Bluetooth SIG
    
    *   2020/05/18 “Bluetooth SIG Statement Regarding the Bluetooth Impersonation Attacks (BIAS) Security Vulnerability” by the Blueooth SIG
*   Selected EN press
    
    *   2020/05/19: MSN, “Smartphones, laptops, IoT devices vulnerable to new BIAS Bluetooth attack” by Catalin Cimpanu
    *   2020/05/21: TimesNowNews, “Smartphones, laptops, IoT devices from Apple, Intel, Samsung vulnerable to new BIAS Bluetooth attack” by Krishna SinhaChaudhury
    *   2020/05/19: SecurityAffairs, “Boffins disclosed a security flaw in Bluetooth, dubbed BIAS, that could potentially be exploited by an attacker to spoof a remotely paired device” by Pierluigi Paganini
    *   2020/05/19: WeLiveSecurity, “Bluetooth flaw exposes countless devices to BIAS attacks” by Amer Owaida
    *   2020/05/19: forklog, “Hackers Can Impersonate Bluetooth Devices to Steal Users’ Personal Data: Is This a Threat to You?" by Ana Alexandre
    *   2020/05/19: The Hacker News, “New Bluetooth Vulnerability Exposes Billions of Devices to Hackers” by Ravie Lakshmanan
    *   2020/05/18: ZDNet, “Smartphones, laptops, IoT devices vulnerable to new BIAS Bluetooth attack” by Catalin Cimpanu
    *   2020/05/19: CISO Mag, “New BIAS Vulnerability Affects All Modern Bluetooth Devices” by CISOMAG
    *   2020/05/18: ThreatsHub, “Smartphones, laptops, IoT devices vulnerable to new BIAS Bluetooth attack” by TH Author
    *   2020/05/18: ROOTDAEMON.com, “Smartphones, laptops, IoT devices vulnerable to new BIAS Bluetooth attack” by ROOTDAEMON
    *   2020/05/19: ITPro, “Bluetooth pairing flaw exposes devices to BIAS attacks” by Keumars Afifi-Sabet
    *   2020/05/19: MyBroadband, “New security flaw affects almost all Bluetooth devices” by Bradley Prior
*   Selected ES press
    
    *   2020/05/19: El Español, “Bluetooth es un peligro: descubren que es posible engañar a tu móvil” by Adrián Raya
*   Selected IT press
    
    *   2020/05/19: PuntoInformatico, “BIAS: nuova vulnerabilità nel Bluetooth” by Giacomo Dotta
*   Selected DE press
    
    *   2020/05/21: Heise.de, “Bluetooth-Sicherheitslücke ermöglicht unerkannte Angriffe”

CVE-2022-1789: BIAS

Mohit Tiwari, CEO of Symmetry Systems, explores Zero Trust, data objects and the NIST framework for cloud and on-prem environments.

Mohit Tiwari, CEO of Symmetry Systems, explores Zero Trust, data objects and the NIST framework for cloud and on-prem environments.

AUTHOR: Mohit Tiwari, CEO and Co-Founder, Symmetry Systems

Compromised credentials and identities, third-party breaches, API attacks, and application exploits are all foundational entry points for today’s hackers.

Recent months have brought many high-profile breaches from Samsung and Nvidia to Okta and the continued aftermath of Log4j. Still, ultimately, these attacks are all symptoms of the same problem: organizations do not have visibility into how their data objects are protected and used.

Until security teams can answer in real-time what data they have, who has access to it, and how it is being used, organizations will continue to fail in rapidly communicating the extent of breaches within the cloud.

When Samsung confirmed the Lapsus$ hacking group had obtained and leaked almost 200 gigabytes of confidential data, the first question for customers was whether or not their customers’ data was a part of that statistic or if Samsung had safeguards in place to protect them.

Fortunately, Samsung said that no customers’ personal information was compromised. However, when Okta was breached by the same hacking group just a few weeks later, their security team had difficulty communicating the blast radius because they could not seamlessly pinpoint the location and privileges of all the data within their ecosystem. This kind of delay can lead to growing distrust within the broader enterprise community as security teams scramble to identify the full scope of the breach.

With so much at stake, an increasing number of organizations are choosing the Zero Trust Security model, which assumes that untrusted users exist on both sides of an organization’s computing perimeter.

Zero Trust principles – whether applied to identities, network, or data objects – help organizations systematically improve security risks throughout each of visibility, detection, response, and protection. However, in the modern enterprise, implementing Zero Trust for data without breaking business logic is a new direction that requires a careful shift from Posture Management to Detection-Response to Protection to avoid creating business risk or outage.

As the concept of Zero Trust continues to evolve, there are a few practical ways that organizations can begin eliminating risk once they have improved visibility and found a solution that works within their cloud or on-prem environment. The United States’ National Institute of Regulations and Technology (NIST), which has released a number of cloud security standards that take into account overlapping federal regulations, including HIPAA and the Federal Information Security Management Act (FISMA), is also a great reference point. It provides supplemental materials and details that update organizations about how the controls coincide and collaborate with other widely accepted standards and frameworks. The NIST model incorporates the following framework:

****Visibility into Security Posture:** **

When companies have visibility into their data security posture, they are able to determine and set policies for enhanced data protection across cloud-based organizations to help them better determine how data objects should be treated. Data Security Posture Management (DSPM) tools are a good starting point for your Zero Trust journey.

****Detection-Response:****

Many critical identities and service roles necessarily need permissions to large swaths of data to do their job – privileged identities, applications that are fronts for databases or data lakes, and even CI/CD etc. supply chain software are all examples of these. Placing detection and response seat-belts around crown jewel data objects protects them from such identities being mis-used through phishing or app-sec faults.

****Protection:****

Organizations should create permissions and entitlements, issue cleanup campaigns, and set up governance models to be set up to proactively prepare to respond to detected cybersecurity incidents. These are longer term campaigns with major strategic value and hence are informed by the fine-grained visibility into how data objects are used across different business functions.

Simply put, data is valuable and an organization’s most persistent asset. It is critical for organizations to completely understand where their secrets (IP) lie across their entire cloud and on-prem environment. Where is your data? Who has access to it, and is this access monitored? Does your organization maintain authority over this data so excessive or dormant privileges can be revoked when necessary?

Answering these questions is foundational to a modern cloud data security strategy, especially when faced with the challenge of operationalizing access control or data security without breaking business logic. If left unanswered, organizations will continue to invest time and resources in tangential protections around networks and applications that leave significant gaps for data to be exploited or taken for ransom.

**Infosec Insiders columnist Mohit Tiwari is the CEO and Co-Founder of Symmetry Systems.** 

**_Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite._**

Zero Trust for Data Helps Enterprises Detect, Respond and Recover from Breaches

By Deeba Ahmed
Spyware developer firm Cytrox is under Google’s radar for developing exploits against five 0-day flaws in Android and…
This is a post from HackRead.com Read the original post: Predator Spyware Using Zero-day to Target Android Devices

Spyware developer firm Cytrox is under Google’s radar for developing exploits against five 0-day flaws in Android and Chrome.

On Thursday, May 19th, Google’s Threat Analysis Group (TAG) reported that spyware developer/vendor Cytrox had developed exploits against five zero-day vulnerabilities to target Android users with spyware.

According to the details shared by TAG, threat actors are using the infamous Predator spyware in three different campaigns. Predator was previously analyzed in a report from the University of Toronto’s Citizen Lab.

**0-days used with n-days to Deploy Spyware**

The exploits are developed for four Chrome 0-days and one Android 0-day flaw. In their blog post, TAG researchers Clement Lecigne and Christian Resell explained that the 0-days are used in conjunction with n-day exploits.

Moreover, the attackers are trying to benefit from the time difference between the patching of some critical bugs, which weren’t declared severe security issues, and “when these patches were fully deployed across the Android ecosystem.”

**Spyware Details**

According to Google, the North Macedonian-based commercial surveillance firm Cytrox has packaged and sold the exploits to different state-backed threat actors in Greece, Egypt, Serbia, Madagascar, Indonesia, Spain, Côte d’Ivoire, and Armenia.

It is alleged that the buyers have used these bugs in at least three campaigns so far. The Predator spyware is similar to NSO Group’s Pegasus spyware, allowing threat actors to penetrate Android and iOS devices.

**About the Three Campaigns using Predator**

TAG examined three campaigns and concluded that attackers send one-time URLs to Android users through spear-phishing emails. These links are shortened using a common use URL shortener while the attackers target only a handful of victims. When users click on this malicious URL, they are redirected to a malicious webpage that automatically deploys the exploits and redirects them to a legitimate website.

Once there, the attackers deploy Alien Android malware that loads Cytrox’s Predator. In case the shortened link doesn’t work, the victim is directly taken to the legit website.

**List of Exploits**

Here’s the list of the 0-day flaws exploited by attackers in Chrome and Android:

*   CVE-2021-1048
*   CVE-2021-37973
*   CVE-2021-37976
*   CVE-2021-38000
*   CVE-2021-38003

The primary aim of attackers behind this operation is distributing Alien malware that is a precursor for deploying Predator spyware onto infected devices. It receives commands from Predator through an IPC (inter-process communication) mechanism and can record audio, hide apps, and add CA certificates to evade detection.

The first campaign was launched in August last year on Google Chrome, targeting the Samsung Galaxy S21 device. One month later, the second campaign targeted an updated Samsung Galaxy S10, while the third was detected in October 2021.

**More Android Spyware News**

1.  Fake Android Banking Apps Stealing Credentials Via Malware
2.  BRATA Android malware factory resets phones after stealing funds
3.  TangleBot Android malware hijacks phone to steal login credentials
4.  New Android malware TeaBot found stealing data, intercepting SMS
5.  New Russian Android Malware Tracks GPS Location and Spies on Victims

Tag

#samsung