Privacy Implications of Tracking Wireless Access Points


Brian Krebs reports on research into geolocating routers:

Apple and the satellite-based broadband service Starlink each recently took steps to address new research into the potential security and privacy implications of how their services geolocate devices. Researchers from the University of Maryland say they relied on publicly available data from Apple to track the location of billions of devices globally—including non-Apple devices like Starlink systems—and found they could use this data to monitor the destruction of Gaza, as well as the movements and in many cases identities of Russian and Ukrainian troops.

Really fascinating implications to this research.

Research paper: “Surveilling the Masses with Wi-Fi-Based Positioning Systems”:

Abstract: Wi-Fi-based Positioning Systems (WPSes) are used by modern mobile devices to learn their position using nearby Wi-Fi access points as landmarks. In this work, we show that Apple’s WPS can be abused to create a privacy threat on a global scale. We present an attack that allows an unprivileged attacker to amass a worldwide snapshot of Wi-Fi BSSID geolocations in only a matter of days. Our attack makes few assumptions, merely exploiting the fact that there are relatively few dense regions of allocated MAC address space. Applying this technique over the course of a year, we learned the precise locations of over 2 billion BSSIDs around the world.

The privacy implications of such massive datasets become more stark when taken longitudinally, allowing the attacker to track devices’ movements. While most Wi-Fi access points do not move for long periods of time, many devices—like compact travel routers—are specifically designed to be mobile.

We present several case studies that demonstrate the types of attacks on privacy that Apple’s WPS enables: We track devices moving in and out of war zones (specifically Ukraine and Gaza), the effects of natural disasters (specifically the fires in Maui), and the possibility of targeted individual tracking by proxy—all by remotely geolocating wireless access points.

We provide recommendations to WPS operators and Wi-Fi access point manufacturers to enhance the privacy of hundreds of millions of users worldwide. Finally, we detail our efforts at responsibly disclosing this privacy vulnerability, and outline some mitigations that Apple and Wi-Fi access point manufacturers have implemented both independently and as a result of our work.


Volatile Data Acquisition on Linux Systems Using fmem


The content of this post is solely the responsibility of the author. LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article.

Memory forensics is a critical aspect of digital forensics: it lets investigators analyze the volatile memory of a system to uncover evidence of malicious activity, detect hidden malware, and reconstruct system events. In this blog, we’ll explore memory forensics using two tools: fmem and LiME. We’ll cover the basics of memory forensics, the features and capabilities of fmem and LiME, and a step-by-step guide to acquiring and analyzing a memory dump with them.

What is Memory Forensics?

Memory forensics involves the analysis of a system’s volatile memory to extract valuable information about system state, running processes, and network connections. This type of analysis is crucial in incident response, malware analysis, and digital forensics investigations. By analyzing memory, investigators can:

1. Detect Hidden Malware and Rootkits:

Memory forensics enables investigators to uncover hidden malware and rootkits that may be actively running in a system’s memory. Unlike traditional antivirus software that primarily scans the file system, memory forensics tools can identify malicious code and processes that attempt to evade detection by residing solely in memory.

2. Identify Malicious Processes and Network Connections:

By analyzing the contents of a system’s memory, forensic analysts can identify suspicious processes and network connections. This includes processes that may be performing malicious activities such as data exfiltration, privilege escalation, or network reconnaissance. Identifying these malicious entities is crucial for understanding the scope and impact of a security incident.

3. Reconstruct System Events and Timelines:

Memory forensics allows investigators to reconstruct the sequence of events that occurred on a system leading up to and during a security incident. By analyzing memory artifacts such as process creation timestamps, network connection logs, and registry modifications stored in memory, investigators can create a detailed timeline of activities, which aids in understanding the tactics and techniques employed by attackers.

4. Extract Sensitive Data:

Volatile data, such as passwords, encryption keys, and other sensitive information, may be present in a system’s memory during normal operation. Memory forensics tools can extract this data from memory dumps, providing valuable evidence for digital investigations. This information can be crucial for understanding how attackers gained access to sensitive resources and for mitigating potential security risks.

Using fmem for Memory Capture:

fmem is a Linux kernel module that creates a virtual device, /dev/fmem, which gives direct read access to the physical memory of a system. This module is particularly useful for acquiring memory dumps of a compromised system, even if the system is protected by Secure Boot or has disabled the ability to read physical memory directly.

Follow these steps to capture memory using fmem. First, download the fmem source code from the official repository (or install it through your package manager).

Once you have cloned the repository, change into the fmem directory with the cd command. You can use the ls command to list the contents of the directory.

Compile and install fmem on the target Linux system:

Once you are in the fmem directory, run “sudo make” to build the kernel module and the helper binaries from source.

Check whether the /dev/fmem device has been created with the following command: ls -l /dev/fmem

The output should list the /dev/fmem device node.

Now, to install fmem, run the bash script in the fmem directory, either as sudo bash run.sh or as sudo ./run.sh

Now to acquire the memory dump, you can use a tool like dd. Use the following command: sudo dd if=/dev/fmem of=memdump.raw

Once executed, the acquisition may take some time to complete, depending on the amount of RAM. When it finishes, dd prints a summary of the records copied. You can also specify a block size, for example: sudo dd if=/dev/fmem of=/home/<username>/memdump.dd bs=1MB
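As an added example (not part of the original post and not code from the fmem project), the following POSIX shell script wraps the dd acquisition step above into a small, checkable procedure: it verifies that /dev/fmem is present as a character device, bounds the read to the size of physical RAM taken from /proc/meminfo so that dd does not keep reading past the end of memory, and writes a SHA-256 sidecar file so the image can be verified later. The function names, the choice of bs=1M (MiB blocks rather than the post’s bs=1MB), the .dd.log and .sha256 sidecar names, and the sample meminfo text are all assumptions of this example.

```shell
#!/bin/sh
# fmem acquisition helper (constructed example; not from the original post or
# the fmem project). Wraps "dd if=/dev/fmem" with a device check, a bounded
# block count and a SHA-256 record of the resulting image.

# Number of 1 MiB blocks that cover physical RAM, derived from MemTotal in
# /proc/meminfo (reported in kB). MemTotal excludes memory reserved by the
# kernel and firmware, so it is a lower bound on the physical address range,
# but bounding dd this way is still safer than an unbounded read of /dev/fmem.
ram_blocks_mib() {
    meminfo="${1:-/proc/meminfo}"
    kb=$(awk '/^MemTotal:/ { print $2 }' "$meminfo")
    [ -n "$kb" ] || return 1
    echo $(( (kb + 1023) / 1024 ))
}

# /dev/fmem must exist as a character device; if it does not, run.sh has not
# been executed yet or the module failed to load.
check_fmem_device() {
    [ -c "${1:-/dev/fmem}" ]
}

# Copy "blocks" MiB from the device into an image file, keep dd's transfer
# summary in <image>.dd.log and record the image hash in <image>.sha256.
acquire_memory() {
    dev="$1"; out="$2"; blocks="$3"
    check_fmem_device "$dev" || {
        echo "error: $dev is not a character device" >&2
        return 1
    }
    dd if="$dev" of="$out" bs=1M count="$blocks" 2>"$out.dd.log" || return 1
    sha256sum "$out" > "$out.sha256"
}

# Re-hash an image and compare it with its sidecar (chain-of-custody check).
verify_image() {
    sha256sum -c "$1.sha256" >/dev/null 2>&1
}

main() {
    out="${1:?usage: $0 <output-image>}"
    blocks=$(ram_blocks_mib) || exit 1
    echo "acquiring $blocks MiB from /dev/fmem into $out"
    acquire_memory /dev/fmem "$out" "$blocks" && verify_image "$out" && echo "image verified"
}

# Only acquire when an output path is given, e.g.:
#   sudo sh fmem_acquire.sh /home/<username>/memdump.raw
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as root after run.sh has loaded the module; the .sha256 sidecar lets you confirm later that the image you analyze is the one you acquired.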

Once you have acquired the memory dump, you can analyze it using LiME or other memory forensics tools. In our next blog, we’ll explore how to analyze the memory dump using LiME.


USN-6797-1: Intel Microcode vulnerabilities


It was discovered that some 3rd and 4th Generation Intel® Xeon® Processors
did not properly restrict access to certain hardware features when using
Intel® SGX or Intel® TDX. This may allow a privileged local user to
potentially further escalate their privileges on the system. This issue only
affected Ubuntu 23.10, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, Ubuntu 18.04 LTS and
Ubuntu 16.04 LTS. (CVE-2023-22655)

It was discovered that some Intel® Atom® Processors did not properly clear
register state when performing various operations. A local attacker could
use this to obtain sensitive information via a transient execution attack.
This issue only affected Ubuntu 23.10, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS,
Ubuntu 18.04 LTS and Ubuntu 16.04 LTS. (CVE-2023-28746)

It was discovered that some Intel® Processors did not properly clear the
state of various hardware structures when switching execution contexts. A
local attacker could use this to access privileged information. This issue only
affected Ubuntu 23.10, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, Ubuntu 18.04 LTS and
Ubuntu 16.04 LTS. (CVE-2023-38575)

It was discovered that some Intel® Processors did not properly enforce bus
lock regulator protections. A remote attacker could use this to cause a
denial of service. This issue only affected Ubuntu 23.10, Ubuntu 22.04 LTS,
Ubuntu 20.04 LTS, Ubuntu 18.04 LTS and Ubuntu 16.04 LTS. (CVE-2023-39368)

It was discovered that some Intel® Xeon® D Processors did not properly
calculate the SGX base key when using Intel® SGX. A privileged local
attacker could use this to obtain sensitive information. This issue only
affected Ubuntu 23.10, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, Ubuntu 18.04 LTS and
Ubuntu 16.04 LTS. (CVE-2023-43490)

It was discovered that some Intel® Processors did not properly protect against
concurrent accesses. A local attacker could use this to obtain sensitive
information. (CVE-2023-45733)

It was discovered that the Intel® TDX module software on some Intel® Processors
did not properly validate input. A privileged local attacker could use this
to potentially further escalate their privileges on the system.
(CVE-2023-45745, CVE-2023-47855)

It was discovered that some Intel® Core™ Ultra processors did not properly
handle particular instruction sequences. A local attacker could use this
issue to cause a denial of service. (CVE-2023-46103)


ZDI-24-519: (Pwn2Own) Phoenix Contact CHARX SEC-3100 Untrusted Search Path Local Privilege Escalation Vulnerability


This vulnerability allows local attackers to escalate privileges on affected installations of Phoenix Contact CHARX SEC-3100 devices. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-28133.


ZDI-24-522: (Pwn2Own) Phoenix Contact CHARX SEC-3100 Filename Command Injection Remote Code Execution Vulnerability


This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Phoenix Contact CHARX SEC-3100 devices. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The ZDI has assigned a CVSS rating of 6.8. The following CVEs are assigned: CVE-2024-28136.


ZDI-24-523: Phoenix Contact CHARX SEC-3100 Link Following Local Privilege Escalation Vulnerability


This vulnerability allows local attackers to escalate privileges on affected installations of Phoenix Contact CHARX SEC-3100 charging controllers. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-28137.
