Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

7/31/2009
03:21 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Defcon: New Hack Hijacks Application Updates Via WiFi

Researchers will release a tool that lets attackers replace application updates with malware

DEFCON 17 -- LAS VEGAS, NV -- Researchers here tomorrow will demonstrate a way to hijack the application update process via WiFi and replace the updates with malware.

Itzik Kotler, security operation center team leader for Radware and Tomer Bitton, security researcher for Radware, say that the hack can be used against most of today's client application updates. The researchers, who will present their research at the Defcon17 hacker confab, also will release a tool they developed for the targeted attack that can inject a phony but realistic-looking update alert or hijack an ongoing update session, and lure the user to download malware instead.

"Most applications do simple HTTP transactions that download a file with the newer version ... We can hijack the session and respond ourselves with an 'application update' and it takes place on our malicious Website," Kotler says. "They are then going to download an update, and voila: it's malware."

The so-called Ippon tool, which is Japanese for "game over," can also generate an attack where a victimized user's machine can attack other machines in its proximity on the WiFi network. "You can take it to a self-propagation method and have it do the same to another victim," he says.

Kotler won't reveal the names of the around 100 applications that are vulnerable to the attack, but said they are the "everyday apps" people use, including CD burners, video players, and other popular apps. Microsoft apps are immune to the attack because Microsoft digitally signs its application updates, Kotler says. "If [an application developer] distributes a public key and signs every binary with their own private key, it's safe" from the attack, he says.

The tool can also be used to attack legitimate applications and Websites. "I can do damage and convince it that this application or Website is malicious," he says.

The attack takes advantage of unsecured WiFi as well as the way these apps run their update processes unsecurely, he says. Users running VPN sessions over WiFi are safe from the attack. "If we're in range [on WiFi], we monitor HTTP requests," he says. "The victim either has to be updating, or you can fake them into thinking there's" an update, he says.

Kotler says the attack basically shuts out the real server and "puts it on mute."

"I don't have to supply a binary -- all I have to do is inject a packet for HTTP redirection," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2010-2486
PUBLISHED: 2021-06-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2021-0534
PUBLISHED: 2021-06-22
In permission declarations of DeviceAdminReceiver.java, there is a possible lack of broadcast protection due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: Android...
CVE-2021-0535
PUBLISHED: 2021-06-22
In wpas_ctrl_msg_queue_timeout of ctrl_iface_unix.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID...
CVE-2021-0554
PUBLISHED: 2021-06-22
In isBackupServiceActive of BackupManagerService.java, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-158482162
CVE-2021-0555
PUBLISHED: 2021-06-22
In RenderStruct of protostream_objectsource.cc, there is a possible crash due to a missing null check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-1791617...