The Hacker News — Cyber Security, Hacking, Technology News

Two separate teams of security researchers have published working proof-of-concept exploits for an unpatchable vulnerability in Nvidia's Tegra line of embedded processors that comes on all currently available Nintendo Switch consoles.

Dubbed Fusée Gelée and ShofEL2, the exploits lead to a coldboot execution hack that can be leveraged by device owners to install Linux, run unofficial games, custom firmware, and other unsigned code on Nintendo Switch consoles, which is typically not possible.

Both exploits take advantage of a buffer overflow vulnerability in the USB software stack of read-only boot instruction ROM (IROM/bootROM), allowing unauthenticated arbitrary code execution on the game console before any lock-out operations (that protect the chip's bootROM) take effect.

The buffer overflow vulnerability occurs when a device owner sends an "excessive length" argument to an incorrectly coded USB control procedure, which overflows a crucial direct memory access (DMA) buffer in the bootROM, eventually allowing data to be copied into the protected application stack and giving attackers the ability to execute code of their choice.
In other words, a user can overload a Direct Memory Access (DMA) buffer within the bootROM and then execute it to gain high-level access on the device before the security part of the boot process comes into play.

"This execution can then be used to exfiltrate secrets and to load arbitrary code onto the main CPU Complex (CCPLEX) application processors at the highest possible level of privilege (typically as the TrustZone Secure Monitor at PL3/EL3)," hardware hacker Katherine Temkin of ReSwitched, who released Fusée Gelée, said.

However, the exploitation requires users to have physical access to the hardware console to force the Switch into USB recovery mode (RCM), which can simply be done by pressing and shorting out certain pins on the right Joy-Con connector, without actually opening the system.

By the way, fail0verflow said a simple piece of wire from the hardware store could be used to bridge Pin 10 and Pin 7 on the console's right Joy-Con connector, while Temkin suggested that simply exposing and bending the pins in question would also work.

Once done, you can connect the Switch to your computer using a cable (USB A → USB C) and then run any of the available exploits.

Fusée Gelée, released by Temkin, allows device owners only to display device data on the screen, while she promised to release more scripts and full technical details about exploiting Fusée Gelée on June 15, 2018, unless someone else made them public.

She is also working on customized Nintendo Switch firmware called Atmosphère, which can be installed via Fusée Gelée.
On the other hand, ShofEL2 exploit released by famous fail0verflow team allows users to install Linux on Nintendo Switches.

"We already caused temporary damage to one LCD panel with bad power sequencing code. Seriously, do not complain if something goes wrong," fail0verflow team warns.

Meanwhile, another team of hardware hackers Team Xecutor is also preparing to sell an easy-to-use consumer version of the exploit, which the team claims, will "work on any Nintendo Switch console regardless of the currently installed firmware, and will be completely future proof."

Nintendo Can't Fix the Vulnerability Using Firmware Update

The vulnerability is not just limited to the Nintendo Switch and affects Nvidia's entire line of Tegra X1 processors, according to Temkin.

"Fusée Gelée was responsibly disclosed to NVIDIA earlier, and forwarded to several vendors (including Nintendo) as a courtesy," Temkin says.

Since the bootROM component comes integrated into Tegra devices to control the device boot-up routine and all happens in Read-Only memory, the vulnerability cannot be patched by Nintendo with a simple software or firmware update.

"Since this bug is in the Boot ROM, it cannot be patched without a hardware revision, meaning all Switch units in existence today are vulnerable, forever," fail0verflow says. "Nintendo can only patch Boot ROM bugs during the manufacturing process."

So, it is possible for the company to address this issue in the future using some hardware modifications, but do not expect any fix for the Switches that you already own.

Dr. Mordechai Guri, the head of R&D team at Israel's Ben Gurion University, who previously demonstrated various methods to steal data from an air-gapped computer, has now published new research named "BeatCoin."

BeatCoin is not a new hacking technique; instead, it's an experiment wherein the researcher demonstrates how all previously discovered out-of-band communication methods can be used to steal private keys for a cryptocurrency wallet installed on cold storage, preferably an air-gapped computer or Raspberry Pi.

For those unaware, keeping your cryptocurrency protected in a wallet on a device which is entirely offline is called cold storage. Since online digital wallets carry different security risks, some people prefer keeping their private keys offline.

Air-gapped computers are those that are isolated from the Internet, local networks, Bluetooth and therefore, are believed to be the most secure devices and are difficult to infiltrate or exfiltrate.

If you are new to this topic, we recommend reading our previous articles, detailing how highly-motivated attackers can use specially designed malware to exfiltrate data from an air-gapped computer via light, sound, heat, electromagnetic, magnetic, infrared, and ultrasonic waves.
For BeatCoin experiment, Dr. Guri deployed malware on an air-gapped computer that runs a Bitcoin wallet application and then performed each attack vector one-by-one to transmit the wallet keys to a nearby device over covert channels.

"In the adversarial attack model, the attacker infiltrates the offline wallet, infecting it with malicious code," the paper [PDF] reads. "The malware can be pre-installed or pushed in during the initial installation of the wallet, or it can infect the system when removable media (e.g., USB flash drive) is inserted into the wallet’s computer in order to sign a transaction. These attack vectors have repeatedly been proven feasible in the last decade."

Results shown in the above chart suggests AirHopper, MOSQUITO, and Ultrasonic techniques are the fastest way to transmit a 256-bit private key to a remote receiver, whereas, Diskfiltration and Fansmitter methods take minutes.

Guri has also shared two videos. The first one demonstrates exfiltration of private keys from an air-gapped computer, which hardly took a few seconds to transmit data to a nearby smartphone using ultrasonic waves.
In the second video, the researcher transmitted private keys stored on a Raspberry Pi device to the nearby smartphone using the RadIoT attack—a technique to exfiltrate data from air-gapped internet-of-things (IoT) and embedded devices via radio signals.

"The radio signals - generated from various buses and general-purpose input/output (GPIO) pins of the embedded devices - can be modulated with binary data. In this case, the transmissions can be received by an AM or FM receiver located nearby the device."

In the last research published earlier this month, Guri’s team also demonstrated how hackers could use power fluctuations in the current flow "propagated through the power lines" to covertly exfiltrate highly sensitive data out of an air gapped-computer.

THN Deals Store this week brings you the Cybersecurity Certification Mega Bundle, which will walk you through the skills and concepts you need to master three elite cybersecurity certification exams: CISA, CISM, and CISSP [...]

Security researchers have uncovered a new hacking group that is aggressively targeting healthcare organizations and related sectors across the globe to conduct corporate espionage.

Dubbed "Orangeworm," the hacking group has been found installing a wormable trojan on machines hosting software used for controlling high-tech imaging devices, such as X-Ray and MRI machines, as well as machines used to assist patients in completing consent forms.

According to a new report published by Symantec on Monday, the Orangeworm hacking group has been active since early 2015 and targeting systems of major international corporations based in the United States, Europe, and Asia with a primary focus on the healthcare sector.

"We believe that these industries have also been targeted as part of a larger supply-chain attack in order for Orangeworm to get access to their intended victims related to healthcare," Symantec said.

After getting into the victim's network, attackers install a trojan, dubbed Kwampirs, which opens a backdoor on the compromised computers, allowing attackers to remotely access equipment and steal sensitive data.

While decrypting, the Kwampirs malware inserts a randomly generated string into its main DLL payload in an attempt to evade hash-based detection. The malware also starts a service on the compromised systems to persist and restart after the system reboots.

Kwampirs then collects some basic information about the compromised computers and send it to the attackers to a remote command-and-control server, using which the group determines whether the hacked system is used by a researcher or a high-value target.
If the victim is of interest, the malware then "aggressively" spread itself across open network shares to infect other computers within the same organisation.

To gather additional information about the victim's network and compromised systems, the malware uses system's built-in commands, instead of using third-party reconnaissance and enumeration tools.

Above shown list of commands help attackers to steal information including, "any information pertaining to recently accessed computers, network adapter information, available network shares, mapped drives, and files present on the compromised computer."

Besides health-care providers and pharmaceutical companies that account for nearly 40% of targets, Orangeworm has also launched attacks against other industries including information technology and manufacturing sectors, agriculture, and logistics.

However, these industries also somehow work for healthcare, like manufacturers that make medical devices, technology companies that offer services to clinics, and logistics firms that deliver healthcare products.
Although the exact motive of Orangeworm is not clear and there's no information that could help determine the group's origins, Symantec believes the group is likely conducting espionage for commercial purposes and there's no evidence that it's backed by a nation-state.

"Based on the list of known victims, Orangeworm does not select its targets randomly or conduct opportunistic hacking," Symantec said. "Rather, the group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack."

The highest percentage of victims has been detected in the United States, followed by Saudi Arabia, India, Philippines, Hungary, United Kingdom, Turkey, Germany, Poland, Hong Kong, Sweden, Canada, France, and several other countries across the globe.

Not just Facebook, a new vulnerability discovered in Linkedin's popular AutoFill functionality found leaking its users' sensitive information to third party websites without the user even knowing about it.

LinkedIn provides an AutoFill plugin for a long time that other websites can use to let LinkedIn users quickly fill in profile data, including their full name, phone number, email address, ZIP code, company and job title, with a single click.

In general, the AutoFill button only works on specifically "whitelisted websites," but 18-year-old security researcher Jack Cable of Lightning Security said it is not just the case.

Cable discovered that the feature was plagued with a simple yet important security vulnerability that potentially enabled any website (scrapers) secretly harvest user profile data and the user would not even realize of the event.

A legitimate website would likely place a AutoFill button near the fields the button can fill, but according to Cable, an attacker could secretly use the AutoFill feature on his website by changing its properties to spread the button across the entire web page and then make it invisible.

Since the AutoFill button is invisible, users clicking anywhere on the website would trigger AutoFill, eventually sending all of their public as well as private data requested to the malicious website, Cable explains.

Here's How attackers can exploit the LinkedIn Flaw:

• User visits the malicious website, which loads the LinkedIn AutoFill button iframe.
• The iframe is styled in a way that it takes up the entire page and is invisible to the user.
• The user then clicks anywhere on that page, and LinkedIn interprets this as the AutoFill button being pressed and sends the users' data via postMessage to the malicious site.

Cable discovered the vulnerability on April 9th and immediately disclosed it to LinkedIn. The company issued a temporary fix the next day without informing the public of the issue.

The fix only restricted the use of LinkedIn's AutoFill feature to whitelisted websites only who pay LinkedIn to host their advertisements, but Cable argued that the patch was incomplete and still left the feature open to abuse as whitelisted sites still could have collected user data.

Besides this, if any of the sites whitelisted by LinkedIn gets compromised, the AutoFill feature could be abused to send the collected data to malicious third-parties.

To demonstrate the issue, Cable also built a proof-of-concept test page, which shows how a website can grab your first and last name, email address, employer, and location.

Since a complete fix for the vulnerability was rolled out by LinkedIn on April 19, the above demo page might not work for you now.

"We immediately prevented unauthorized use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases, and it will be in place shortly," the company said in a statement. 

"While we've seen no signs of abuse, we're constantly working to ensure our members' data stays protected. We appreciate the researcher responsible reporting this, and our security team will continue to stay in touch with them."

Although the vulnerability is not at all a sophisticated or critical one, given the recent Cambridge Analytica scandal wherein data of over 87 million Facebook users was exposed, such security loopholes can pose a serious threat not only to the customers but also the company itself.

The British teenager who managed to hack into the online accounts of several high-profile US government employees sentenced to two years in prison on Friday.

Kane Gamble, now 18, hacked into email accounts of former CIA director John Brennan, former Director of National Intelligence James Clapper, former FBI Deputy Director Mark Giuliano, and other senior FBI officials—all from his parent's home in Leicestershire.

Gamble, who went by the online alias Cracka, was just 15 at the time of carrying out those attacks and was the alleged founder of a hacking group calling themselves Crackas With Attitude (CWA).

The notorious pro-Palestinian hacking group carried out a series of embarrassing attacks against U.S. intelligence officials and leaked personal details of 20,000 FBI agents, 9,000 officers from Department of Homeland Security, and some number of DoJ staffers in 2015.

The teenager was arrested in February 2016 at his home in Coalville and pleaded guilty to 8 charges last October of "performing a function with intent to secure unauthorised access" and 2 charges of "unauthorised modification of computer material."

On Friday afternoon in the Old Bailey central criminal court in London, Gamble was finally sentenced after his first sentencing hearing in January was postponed, and the judge ruled that he'll have to serve 2 years at a youth detention center, BBC reported.

While Gamble's defence said he was "naive" and never meant to "harm" any individuals during the court hearing, the judge said he carried out "an extremely nasty campaign of politically-motivated cyber terrorism."

Between June 2015 and February 2016, Gamble posed as Brennan and tricked call center and helpline staff into giving away broadband and cable passwords, using which his team also gained access to extremely sensitive documents for intelligence operations in Afghanistan and Iran.

Besides hacking into their networks, Gamble also taunted his victims and their families, bombarded them with calls and messages, released their personal details, downloaded and installed porn onto their computers and took control of their iPads and TV screens.

Gamble even made hoax calls to Brennan's home and took control of his wife's iPad. At one point, he also sent DHS secretary Johnson a photograph of his daughter and said he would f*** her.

Gamble also phoned Mr. Johnson's wife, leaving a disturbing voicemail message which said: "Hi Spooky, am I scaring you?," and even managed to display the message "I own you" on the couple's home television.

Gamble said he targeted the US government because he was "getting more and more annoyed about how corrupt and cold-blooded the US Government" was and "decided to do something about it."

According to previous reports, Gamble is suffering from an autistic spectrum disorder, and at the time of his offending, he had the mental development of a 12 or 13-year-old.

Gamble's defence had argued court on Friday for a suspended sentence, so he can sit his GCSEs in June and read computer science studies at university to pursue a "useful" career.

Two other members of Crackas With Attitude—Andrew Otto Boggs and Justin Gray Liverman—were arrested by FBI in September 2016 and had already been sentenced to two and five years in federal prison respectively.