Starbucks Had An XSS Issue, Z-Wave Locks Got Popped

Roundup While this week was dominated by news of a new Spectre variant, the VPNFilter botnet, and TalkTalk’s bad routers, plenty of other stories popped up.

Here are a handful of security happenings that you may have missed.

Wireless Z-Wave smart-locks, home IoT devices menaced

Wireless gadgets, such as home smart locks, using Z-Wave to communicate via radio can be potentially hijacked over the air by nearby miscreants, according to infosec biz Pen Test Partners.

Z-Wave devices originally paired using a security class called S0, which is used when a device, such as a lightbulb or lock, is included (joined) to a controller, such as a home IoT hub. In 2013, S0 was shown to be insecure, so today Z-Wave-compatible devices use a stronger class called S2 for pairing.

However, Pen Test Partners said this week it has found a way to downgrade the pairing negotiation between gizmos from S2 to S0, thus opening up more than 100 million Z-Wave-compatible things to potential attack. The window is narrow but real: an attacker within radio range while a device is in pairing mode, such as during its initial setup, can push the inclusion down to S0 and then attempt to commandeer the device.
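The negotiation described above, modelled in Python as an added illustration. This is not Pen Test Partners' research tooling and not code from the Z-Wave specification: the frame layout, the controller policies, the node ID and the "cipher" are simplified stand-ins. What it does reflect is why the downgrade matters: the S0 key exchange transports the network key under a fixed, publicly known temporary key, so a controller that is talked into S0 during pairing hands the key to anyone sniffing the exchange. The hardened policy follows the spec change Silicon Labs describes, surfacing the downgrade and requiring explicit acknowledgement instead of falling back silently.

```python
"""Z-Wave inclusion downgrade, modelled in Python (added example, not vendor code)."""
import hashlib
from dataclasses import dataclass
from typing import Callable, List, Optional

S0 = "S0"  # legacy security class, broken in 2013
S2 = "S2"  # current class: authenticated key exchange, out-of-band DSK/PIN

# Real detail: S0 key transport uses a well-known all-zero temporary key.
S0_TEMP_KEY = bytes(16)


@dataclass
class NodeInfoFrame:
    """Capabilities a joining device broadcasts in the clear during inclusion."""
    node_id: int                 # constructed value in the demo below
    security_classes: List[str]  # e.g. [S2, S0]


class DowngradeRefused(Exception):
    pass


def attacker_strip_s2(nif: NodeInfoFrame) -> NodeInfoFrame:
    """In-range attacker during pairing: replays the NIF with S2 removed so the
    controller believes the device only speaks S0."""
    return NodeInfoFrame(nif.node_id, [c for c in nif.security_classes if c != S2])


def vulnerable_select(nif: NodeInfoFrame, expected: str) -> Optional[str]:
    """Pre-fix policy: take the strongest class the NIF advertises, silently.
    `expected` is accepted for a uniform signature but ignored."""
    for cls in (S2, S0):
        if cls in nif.security_classes:
            return cls
    return None  # unsecured inclusion


def hardened_select(nif: NodeInfoFrame, expected: str,
                    user_accepts: Callable[[str, str], bool]) -> Optional[str]:
    """Post-fix policy: `expected` comes from out-of-band knowledge (the S2 DSK on
    the device label). A fall from S2 must be shown to the user and acknowledged."""
    chosen = vulnerable_select(nif, expected)
    if expected == S2 and chosen != S2:
        if not user_accepts(expected, chosen or "none"):
            raise DowngradeRefused(f"node {nif.node_id}: expected {expected}, got {chosen}")
    return chosen


def _keystream(key: bytes, n: int) -> bytes:
    # Stand-in for AES-OFB: a deterministic stream derived from the key. Toy only.
    return hashlib.sha256(key).digest()[:n]


def s0_key_transport(network_key: bytes) -> bytes:
    """S0 KeySet frame: the network key encrypted under the fixed temporary key."""
    return bytes(a ^ b for a, b in zip(network_key, _keystream(S0_TEMP_KEY, len(network_key))))


def eavesdropper_recovers_key(keyset_frame: bytes) -> bytes:
    """Anyone who captured the KeySet frame knows the temp key, so decryption is free."""
    return bytes(a ^ b for a, b in zip(keyset_frame, _keystream(S0_TEMP_KEY, len(keyset_frame))))


def run_inclusion(controller: Callable[..., Optional[str]], network_key: bytes,
                  tamper: bool = True, **policy_kwargs) -> dict:
    """Pair an S2-capable lock, optionally with an attacker tampering with the NIF,
    and report which class was negotiated and whether the network key leaked."""
    genuine = NodeInfoFrame(node_id=7, security_classes=[S2, S0])
    seen = attacker_strip_s2(genuine) if tamper else genuine
    try:
        chosen = controller(seen, S2, **policy_kwargs)
    except DowngradeRefused as exc:
        return {"class": None, "refused": str(exc), "key_leaked": False}
    leaked = chosen == S0 and eavesdropper_recovers_key(s0_key_transport(network_key)) == network_key
    return {"class": chosen, "refused": None, "key_leaked": leaked}


if __name__ == "__main__":
    key = bytes(range(16))  # constructed sample network key
    print(run_inclusion(vulnerable_select, key))
    print(run_inclusion(hardened_select, key, user_accepts=lambda exp, got: False))
    print(run_inclusion(hardened_select, key, tamper=False, user_accepts=lambda exp, got: False))
```

The vulnerable controller negotiates S0 and the eavesdropper walks away with the network key; the hardened controller either refuses or makes the user consciously accept the weaker class, and pairs at S2 when nobody tampers with the frame.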

[Embedded YouTube video: Pen Test Partners’ demonstration of the flaw]

Z-Wave overseers Silicon Labs said devices already paired cannot be forced down to S0 from S2, adding: “We are updating the specification to ensure that any user will not only get a warning during a downgrade to S0 but will have to acknowledge the warning and accept it to continue inclusion.”

Starbucks brews double-whip grande mocha pwnage

Researcher Martin Bajanik discovered a cross-site scripting (XSS) bug on the Starbucks UK website. The now-patched bug would have allowed an attacker to inject malicious JavaScript into the browsers of people visiting the cafe chain’s online store, though Bajanik says an actual exploit would have been hard to pull off.

“The underlying issue was a simple HTML injection with extremely low, even none, security impact. Due to existing code, however, I was able to achieve arbitrary JavaScript execution under certain, fairly obscure, circumstances,” Bajanik told The Register.

“Exploitation would have been rather unlikely as the attack could only work if the potential victims had followed a malicious link created by the attacker (it was reflected XSS).”
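Reflected XSS of the kind Bajanik describes, as an added Python illustration. This is not Starbucks’ code and not Bajanik’s payload: the endpoint, the `q` parameter, the template and the payloads are all constructed. Bajanik’s bug began as plain HTML injection that existing page scripts turned into script execution, so the audit below flags any injected element or `on*` handler attribute rather than only `<script>` tags, and the fix escapes quotes as well as angle brackets because the same value lands in an attribute as well as in element text.

```python
"""Reflected XSS: raw reflection of a URL parameter versus contextual escaping
(added example with constructed template and payloads, not the site's code)."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed search page: the parameter is reflected into element text AND an attribute.
TEMPLATE = (
    "<html><body><h1>Results for: {q_text}</h1>"
    '<input name="q" value="{q_attr}">'
    '<div id=results></div><script src=/static/results.js></script></body></html>'
)


def param_q(url: str) -> str:
    """Extract the reflected parameter from a link a victim might be sent."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_vulnerable(url: str) -> str:
    """Bug: the untrusted value goes into the page verbatim."""
    q = param_q(url)
    return TEMPLATE.format(q_text=q, q_attr=q)


def render_fixed(url: str) -> str:
    """Fix: escape for HTML. quote=True is essential for the attribute context,
    where a stray double quote would otherwise close value="..." early."""
    safe = html.escape(param_q(url), quote=True)
    return TEMPLATE.format(q_text=safe, q_attr=safe)


class InjectionAuditor(HTMLParser):
    """Records elements and event handlers beyond those the template itself emits."""
    EXPECTED_TAGS = {"html", "body", "h1", "input", "div", "script"}
    EXPECTED_SCRIPT_ATTRS = [("src", "/static/results.js")]

    def __init__(self):
        super().__init__()
        self.unexpected_tags = []
        self.event_handlers = []
        self.rogue_scripts = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.EXPECTED_TAGS:
            self.unexpected_tags.append(tag)
        if tag == "script" and attrs != self.EXPECTED_SCRIPT_ATTRS:
            self.rogue_scripts.append(attrs)
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.event_handlers.append((tag, name.lower()))


def injected_markup(page: str) -> dict:
    """Parse a rendered page and report anything an injection managed to add."""
    auditor = InjectionAuditor()
    auditor.feed(page)
    auditor.close()
    return {"tags": auditor.unexpected_tags,
            "handlers": auditor.event_handlers,
            "scripts": auditor.rogue_scripts}


if __name__ == "__main__":
    # Constructed attacker links: one injects an element, one breaks out of the attribute.
    links = [
        "https://example.test/search?q=<img src=x onerror=alert(1)>",
        'https://example.test/search?q=" onfocus="alert(1)" autofocus="',
    ]
    for link in links:
        print("vulnerable:", injected_markup(render_vulnerable(link)))
        print("fixed:     ", injected_markup(render_fixed(link)))
```

Run stand-alone it shows the element payload producing an `img` with an `onerror` handler and the attribute payload producing an `onfocus` handler on the genuine `input`, while both escaped renderings audit clean. The auditor is also a reasonable regression check to run over a page’s own templates with known payloads.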

Also on the bug-hunting front, researcher Ryan Stevenson banked $1,000 after discovering in April that a T-Mobile US server, used by staff to look up customers’ names, addresses and account numbers from their cellphone numbers, was unsecured and open to anyone who could find it. It has since been fixed.

If you’ve found any security vulnerabilities, and want to share details, please do let us know or chat to us anonymously on Ricochet at ricochet:qk724lftsymjcwlq

Quick links

  • A remote code execution vulnerability found in a Google App Engine system earned an 18-year-old whizkid a $36,000 reward.
  • Avast has found ad-slinging malware dubbed Cosiloon shipping in more than 140 models of cheap Android devices – a list of allegedly affected models is here.
  • SecureList has published details of the EXIF-based command-and-control mechanisms used by the VPNFilter home router malware.
  • Dmitry Bogatov, 26, has been cleared of wrongdoing in Russia after the Tor exit node he administrated was used by someone else to incite terrorism online.
  • Mobile app TeenSafe, installed by parents on their kids’ phones to monitor their messages and keep tabs on them, was found leaking data – such as the children’s Apple ID email addresses and plaintext passwords – in a poorly secured Amazon AWS S3 storage silo. The two databases, one containing test data, the other what appeared to be a few thousand real records, have been pulled offline.

IRS warns beancounters over phishing scams

US tax officials are sounding an alert over a wave of spear phishing attacks targeting professional accountants.

The campaigns go after the high-value target in tax scams: the pros who would handle dozens of personal and corporate tax filings.

“Cybercriminals specifically targeted tax professionals in Iowa, Illinois, New Jersey and North Carolina. The IRS also received reports about a Canadian accounting association,” the IRS explained.

“The awkwardly worded phishing email states: ‘We kindly request that you follow this link HERE and sign in with your email to view this information from (name of accounting association) to all active members. This announcement has been updated for your kind information through our secure information sharing portal which is linked to your email server’.”

Needless to say, accountants and the IT staff and admins who work with them should be on the lookout for this scam.

Comcast site spaffs Wi-Fi keys

US cable giant Comcast has confirmed reports that its Xfinity home site was leaking some customer information including Wi-Fi passwords. The bug, spotted in the customer portal, would have allowed an attacker with an account number to obtain the person’s home address, Wi-Fi network name, and password.

“There’s nothing more important than our customers’ security. Within hours of learning of this issue, we shut it down. At no time did this site enable anyone to access customers’ personal usernames and passwords and we have no reason to believe that any account information was accessed,” Comcast told The Register.

“We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn’t happen again.”

I wish I knew how to quit you Eugene

Weeks after supposedly banning all Kaspersky Lab software from government systems, the US Department of Homeland Security is said to still be running the security vendor’s code on many of its computers. The problem is that a number of routers, firewalls, and other equipment rely on Kaspersky products for their security, we’re told.

“It’s messy, and it’s going to take way longer than a year,” one official was quoted as saying. “Congress didn’t give anyone money to replace these devices, and the budget had no wiggle-room to begin with.”

D-Link routers leave the back door open

Stop us if you’ve heard this one before: a home router vendor has left serious security vulnerabilities wide open in its devices.

This time, it’s D-Link that has messed up, shipping bug-riddled firmware with no fewer than four serious remotely exploitable vulnerabilities, including information disclosure and remote code execution.

According to Kaspersky Lab, the affected routers are largely concentrated among a few ISPs in Russia, but may also be in use by customers in other parts of the world.

“The latest versions of the firmware have hardcoded default credentials that can be exploited by an unauthenticated attacker to gain privileged access to the firmware and to extract sensitive data, e.g., configuration files with plain-text passwords,” says the security vendor.

“The vulnerable web interface allows an unauthenticated attacker to run arbitrary JavaScript code in the user environment and run arbitrary commands in the router’s operating system (OS).”

Mac Monero malware menaces millions

Lest you think rogue coin miners are only a problem for the Windows world (and we have no idea why you would think that), here is a new piece of Mac malware that turns your beloved Mac into a coin-generating machine for hackers.

Malwarebytes has an analysis of a piece of malware spotted by a number of Mac users that hijacks CPU time to run XMRig, a Monero-mining tool. The researchers aren’t sure how the malware is being installed, but it’s likely nothing more sophisticated than a dodgy download site.

Fortunately, all this malware seems to do is waste your CPU cycles.

“This malware is not particularly dangerous, unless your Mac has a problem like damaged fans or dust-clogged vents that could cause overheating,” Malwarebytes explains.

Russia breaks up malware bank heist

Earlier this week, Russian security firm Group-IB announced the arrest of a 32-year-old man believed to be behind a large-scale banking malware operation.

According to the firm’s release, the unnamed man had used a set of Android malware packages to lift the bank account credentials of people in Russia and send them to a command-and-control server. From there, withdrawals were made from the accounts, with the same malware infections intercepting the SMS notifications on the victims’ phones that would otherwise have alerted them.

The Group-IB statement indicates the man had been acting as part of a larger operation.

“The investigation by authorities identified a member of the criminal group, who was responsible for transferring money from user accounts to attacker’s cards, a 32 year old unemployed Russian national who had previous convictions connected to arms trafficking,” Group-IB said.

“During the suspect’s arrest in May 2018, authorities identified SIM cards and fraudulent bank cards to which stolen funds were transferred. The suspect has confessed to his actions and the investigation/prosecution continues.”

What time is it? Xenotime

Security company Dragos says it is tracking what it thinks is “easily the most dangerous threat activity publicly known”: an attacker targeting industrial control systems that the firm has dubbed “Xenotime”.

The group’s tooling, according to Dragos, is highly sophisticated and works against both Windows systems and industrial controllers. Its ultimate target appears to be safety instrumented systems, the controllers that are supposed to shut a plant down safely when something goes wrong. Were such an attack to succeed, Dragos warns, it could cause serious physical danger.

Fortunately, it looks like at least one major attack by the group has already failed.

“The group created a custom malware framework and tailormade credential gathering tools, but an apparent misconfiguration prevented the attack from executing properly,” Dragos said.

“As Xenotime matures, it is less likely that the group will make this mistake in the future.”

Now there’s a happy note to enjoy the long weekend on. Stay safe, people. ®