Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

7/31/2009
03:21 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Defcon: New Hack Hijacks Application Updates Via WiFi

Researchers will release a tool that lets attackers replace application updates with malware

DEFCON 17 -- LAS VEGAS, NV -- Researchers here tomorrow will demonstrate a way to hijack the application update process via WiFi and replace the updates with malware.

Itzik Kotler, security operation center team leader for Radware and Tomer Bitton, security researcher for Radware, say that the hack can be used against most of today's client application updates. The researchers, who will present their research at the Defcon17 hacker confab, also will release a tool they developed for the targeted attack that can inject a phony but realistic-looking update alert or hijack an ongoing update session, and lure the user to download malware instead.

"Most applications do simple HTTP transactions that download a file with the newer version ... We can hijack the session and respond ourselves with an 'application update' and it takes place on our malicious Website," Kotler says. "They are then going to download an update, and voila: it's malware."

The so-called Ippon tool, which is Japanese for "game over," can also generate an attack where a victimized user's machine can attack other machines in its proximity on the WiFi network. "You can take it to a self-propagation method and have it do the same to another victim," he says.

Kotler won't reveal the names of the around 100 applications that are vulnerable to the attack, but said they are the "everyday apps" people use, including CD burners, video players, and other popular apps. Microsoft apps are immune to the attack because Microsoft digitally signs its application updates, Kotler says. "If [an application developer] distributes a public key and signs every binary with their own private key, it's safe" from the attack, he says.

The tool can also be used to attack legitimate applications and Websites. "I can do damage and convince it that this application or Website is malicious," he says.

The attack takes advantage of unsecured WiFi as well as the way these apps run their update processes unsecurely, he says. Users running VPN sessions over WiFi are safe from the attack. "If we're in range [on WiFi], we monitor HTTP requests," he says. "The victim either has to be updating, or you can fake them into thinking there's" an update, he says.

Kotler says the attack basically shuts out the real server and "puts it on mute."

"I don't have to supply a binary -- all I have to do is inject a packet for HTTP redirection," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: He still insists that security by obscurity is the way to go.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9681
PUBLISHED: 2019-09-17
Online upgrade information in some firmware packages of Dahua products is not encrypted. Attackers can obtain this information by analyzing firmware packages by specific means. Affected products include: IPC-HDW1X2X,IPC-HFW1X2X,IPC-HDW2X2X,IPC-HFW2X2X,IPC-HDW4X2X,IPC-HFW4X2X,IPC-HDBW4X2X,IPC-HDW5X2X...
CVE-2019-9009
PUBLISHED: 2019-09-17
An issue was discovered in 3S-Smart CODESYS before 3.5.15.0 . Crafted network packets cause the Control Runtime to crash.
CVE-2018-20336
PUBLISHED: 2019-09-17
An issue was discovered in Asuswrt-Merlin 384.6. There is a stack-based buffer overflow issue in parse_req_queries function in wanduck.c via a long string over UDP, which may lead to an information leak.
CVE-2019-12755
PUBLISHED: 2019-09-17
Norton Password Manager, prior to 6.5.0.2104, may be susceptible to an information disclosure issue, which is a type of vulnerability whereby there is an unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.
CVE-2019-14826
PUBLISHED: 2019-09-17
A flaw was found in FreeIPA versions 4.5.0 and later. Session cookies were retained in the cache after logout. An attacker could abuse this flaw if they obtain previously valid session cookies and can use this to gain access to the session.