StarLink, Zoom, GhostTouch - F5 SIRT This Week in Security - August 14th to August 21th 2022

 This Week in Security

August 14th to August 21th 2022 

 

Editor's Introduction

This week's editor is Koichi Toriumi. This is the first time I am writing an edition of This Week in Security, I hope you will like it.

Keeping up to date with new technologies, techniques and information is an important part of our role at F5 SIRT and we share what we see with This Week in Security (TWIS). This week I picked up topics from BlackHat USA (Aug 10-11) and DEFCON (Aug 12-14).

It's also important for us to keep up to date with the frequently changing behaviour of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That's why we take the security of your business seriously. When you're under attack, we'll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are under security emergency please contact F5 SIRT.

 

Hack the SpaceX Starlink Terminal just 25$ - Black Hat USA 2022

At Black Hat USA, "Glitched on Earth by Humans: A Black-Box Security Evaluation of the SpaceX Starlink User Terminal"[1] , Belgian researcher Lennert Wouter presented a demo of hacking the Starlink terminal - a communications service operated by Elon Musk's SpaceX that provides internet access.

Starlink provides internet access anywhere in the world even if there is no internet infrastructure. Recently Ukraine deployed many Starlink terminals in the warzone to secure internet access.

A custom circuit board "Modchip" which costs only $25 is used for this attack. To access the Starlink User Terminal (UT) you need the Starlink antenna and circuit board. Once Wouter's "Modchip" is attached to the Starlink circuit, the "ModChip” can execute a Fault Injection attack (an attack that instantaneously alters the electrical input of the processor) to the Starlink (UT). That attack bypasses user privilege management and the attacker gains root privileges on a system allowing the attacker to execute an arbitrary code.

Wouter demonstrated this attack at Black Hat this year[2].

SpaceX released a six-page PDF that addresses Wouters' attack method, praising Wouters' security research and acknowledging that the attack is possible. However, SpaceX stressed that this is only possible if there is physical access to the dedicated antenna and attach wires and components. SpaceX told that normal Starlink users do not need to worry about the consequences of this attack and do not need to take any countermeasures.

  1. https://www.blackhat.com/us-22/briefings/schedule/index.html#glitched-on-earth-by-humans-a-black-box-security-evaluation-of-the-spacex-starlink-user-terminal-26982
  2. https://twitter.com/LennertWo/status/1527212523182776320

 

Zoom client on MacOS had privilege escalation vulnerability - DEFCON30

Nowadays Zoom is an essential tool for our business. However, The Zoom Client for Meetings for macOS version 5.7.3 and before 5.11.5 contains a vulnerability that a local user with low privileges can get root privileges (CVE-2022-28756)[1]. Its Common Vulnerability Scoring System (CVSS) rating of 8.8 (critical) with a severity rating of "High".

At DEFCON 30 Patrick Wardle, a Hawaii-based security researcher, demonstrated installing a malicious code that can modify, delete, or add files on MacOS, using this vulnerability.

Zoom Video Communications responded and released a security update on August 13 (local time) that fixes this vulnerability (ZSB-22018)[2

Mr. Wardle commended Zoom for their quick response and tweeted, "Mahalo to Zoom for the (wonderfully) quick fix! (Hawaiian word for thank you)"[2].

  1. https://nvd.nist.gov/vuln/detail/CVE-2022-28756
  2. https://explore.zoom.us/en/trust/security/security-bulletin/
  3. https://twitter.com/patrickwardle/status/1558642493272428544 

 

GhostTouch - control a smartphone without touching it.

Zhejiang University in China and Technical University of Darmstadt in Germany had developed Attack method "GhostTouch", which uses electromagnetic waves to remotely control another person's smartphone by exploiting Capacitive touch panels on the smartphone[1].

When a smartphone is placed face-down on a table, the attacker can touch and slide the smartphone without directly touching its screen.

Capacitive touch panels are widely used in smartphones and tablets because of their multi-touch capability, longer life, and cost-effectiveness.

Since the capacitive touch panels can measure small electric fields, they are susceptible to environmental effects such as electromagnetic interference (EMI) and charger noise, which can induce false touches that spoil the user experience and cause unintended device behavior. For example, reports have been cited of touchscreens becoming unresponsive and malfunctioning due to EMI emitted from fluorescent lights and charger malfunctions.

GhostTouch, is an attack that uses this EMI to generate controllable false touches without physical contact to remotely control devices. It does not require physical touch or access to the victim's device.

To execute this attack, the target smartphone must be in close proximity to the EMI generator. The attacker needs to set up the EMI generator under a table or other location, for example, a cafe or a lounge table.

  1. https://www.usenix.org/conference/usenixsecurity22/presentation/wang-kai

Janet Jackson Music Video may crash a NotePC

Microsoft's Raymond Chen reported on April 16 (U.S. time) that some laptops crash when playing Janet Jackson's music video "Rhythm Nation" on Windows XP[1].

He discovered that some NotePC manufacturers were experiencing crashes when playing this music video on certain models. Furthermore, the crash also occurred on another laptop nearby when the music video plays.

Investigation found that the crash is caused by a frequency of spinning of a particular HDD (5,400 rpm) installed in these NotePCs resonating with a certain sound in the song. The manufacturer responded by adding a custom filter to the audio pipeline that detects and removes this frequency during audio playback.

CVE-2022-38392 was issued for this issue as a vulnerability that allows DoS attacks based on resonance frequencies by using the audio signal of music videos [2].

  1. https://devblogs.microsoft.com/oldnewthing/20220816-00/?p=106994
  2. https://nvd.nist.gov/vuln/detail/CVE-2022-38392

 

Published Aug 30, 2022
Version 1.0
No CommentsBe the first to comment