03:21 PM
Connect Directly

Defcon: New Hack Hijacks Application Updates Via WiFi

Researchers will release a tool that lets attackers replace application updates with malware

DEFCON 17 -- LAS VEGAS, NV -- Researchers here tomorrow will demonstrate a way to hijack the application update process via WiFi and replace the updates with malware.

Itzik Kotler, security operation center team leader for Radware and Tomer Bitton, security researcher for Radware, say that the hack can be used against most of today's client application updates. The researchers, who will present their research at the Defcon17 hacker confab, also will release a tool they developed for the targeted attack that can inject a phony but realistic-looking update alert or hijack an ongoing update session, and lure the user to download malware instead.

"Most applications do simple HTTP transactions that download a file with the newer version ... We can hijack the session and respond ourselves with an 'application update' and it takes place on our malicious Website," Kotler says. "They are then going to download an update, and voila: it's malware."

The so-called Ippon tool, which is Japanese for "game over," can also generate an attack where a victimized user's machine can attack other machines in its proximity on the WiFi network. "You can take it to a self-propagation method and have it do the same to another victim," he says.

Kotler won't reveal the names of the around 100 applications that are vulnerable to the attack, but said they are the "everyday apps" people use, including CD burners, video players, and other popular apps. Microsoft apps are immune to the attack because Microsoft digitally signs its application updates, Kotler says. "If [an application developer] distributes a public key and signs every binary with their own private key, it's safe" from the attack, he says.

The tool can also be used to attack legitimate applications and Websites. "I can do damage and convince it that this application or Website is malicious," he says.

The attack takes advantage of unsecured WiFi as well as the way these apps run their update processes unsecurely, he says. Users running VPN sessions over WiFi are safe from the attack. "If we're in range [on WiFi], we monitor HTTP requests," he says. "The victim either has to be updating, or you can fake them into thinking there's" an update, he says.

Kotler says the attack basically shuts out the real server and "puts it on mute."

"I don't have to supply a binary -- all I have to do is inject a packet for HTTP redirection," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Microsoft President: Governments Must Cooperate on Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/8/2018
Why the CISSP Remains Relevant to Cybersecurity After 28 Years
Steven Paul Romero, SANS Instructor and Sr. SCADA Network Engineer, Chevron,  11/6/2018
5 Reasons Why Threat Intelligence Doesn't Work
Jonathan Zhang, CEO/Founder of WhoisXML API and TIP,  11/7/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-11-12
An issue was discovered in LAOBANCMS 2.0. It allows remote attackers to execute arbitrary PHP code via the host parameter to the install/ URI.
PUBLISHED: 2018-11-12
An issue was discovered in LAOBANCMS 2.0. It allows SQL Injection via the admin/login.php guanliyuan parameter.
PUBLISHED: 2018-11-12
An issue was discovered in LAOBANCMS 2.0. It allows a /install/mysql_hy.php?riqi=0&i=0 attack to reset the admin password, even if install.txt exists.
PUBLISHED: 2018-11-12
An issue was discovered in LAOBANCMS 2.0. It allows XSS via the first input field to the admin/type.php?id=1 URI.
PUBLISHED: 2018-11-12
An issue was discovered in LAOBANCMS 2.0. /admin/login.php allows spoofing of the id and guanliyuan cookies.