Large Scale Broadpwn Vulnerability in Android and iOS Wi-Fi Connections

Definition

Billions of smartphones, both Android and iOS have the same Wi-Fi chipset from Broadcom (BCM43xx family). A recent study presented at Black Hat conference has revealed a major vulnerability in that chipset that opens the smartphone to attacks via Wi-Fi connection. The vulnerability is open on all devices before the versions iOS 10.3.3 (released 20 July) or the July security update for Android, which contains fixes for the flaw. The vulnerability allows an attacker to gain access at the chip level and write programs that can be running on that chip. The targeted phone or user does nothing additional nor does the user notice that device has been exploited.


This vulnerability is first of this kind of exposure (all iOS devices after iPhone 5; all Samsung Galaxy from S3 through S8, inclusive; all Samsung Notes 3; all Nexus versions 5 – 6P), exploiting peripherals not core, does not need any action from user and can be used as a network for worm.

Brief Description

The resourceful attacker develops a worm that exploits the vulnerabilities of the BCM 43xx chips. The attacker presents himself in some event that has many high-ranking officers attending. The attacker infiltrates few of the smartphones (requires only activated Wi-Fi) and installs the worm. When officers return to their command posts and headquarters, their smartphones start to infect other devices within the Wi-Fi range. After few days, the higher commanders and their staffs’ smartphones are prepared for the next phase. 


The attacker, depending on the situation, can exploit the remotely controllable botnet (networks of remotely controlled robots) either collecting all information achievable through microphones and sessions or, in the brink of attack, suppress all smartphone usage of affected officers. This may delay or disable to the reaction of the higher-ranking officers enough to gain the advantage on ground, air or sea (recall the reason for slow German response to the invasion of Normandy).

Recommendation

End-users and administrators:

• Update all possible Smart devices with:
• Android: 2017-07-05 security patch
• iOS: 10.3.3

Military system architects:

• Broadpwn is a textbook example of using a large surface with a small but innovative effort to tap sensitive information or suppress main information flows. 
• Military architects should always provide strategic variety for critical information flows and mitigate the single points of failure.

Military Chief Information Officers:

• No one mean of communications of information processing can be reliable enough. 
• Always require parallel, independent options for business continuity.

References:

1. https://www.wired.com/story/broadpwn-wi-fi-vulnerability-ios-android/
2. https://www.theguardian.com/technology/2017/jul/27/broadpwn-smartphone-malware-bug-iphone-samsung-google
3. https://blog.exodusintel.com/2017/07/26/broadpwn/

Watch you Bluetooth usage!

There are BlueBorne vulnerabilities in Bluetooth connections

Definition

Bluetooth technology has been in use since early 2000, and over 8.2 Billion devices are using Bluetooth. Some of the older versions of Android, iOS, Windows, and Linux implementations have a vulnerability that enables remote commands on the target device. There are together eight vulnerabilities that are called BlueBorne. These vulnerabilities were found during Spring 2017, communicated to responsible manufacturers and have been patched in the latest revisions.

Brief Description

The attacker approaches the proximity of the Bluetooth device and connects through Bluetooth wireless connection using buffer copy, buffer overflow, integer underflow or Man-in-the-Middle attack to gain access to the target device, injects malicious software or captures user information.


Worst case is when an advanced attacker reconnoitres the target infrastructure and deploys a worm that uses BlueBorne vulnerabilities to spread over-the-air. Especially, air-gap isolated systems are vulnerable if the Bluetooth is not disabled.

What to do:

The following measures are recommended to mitigate the BlueBorne exploitation: 
1. Update all possible versions concerning the found vulnerability in:

• Android: Before September 2017 updates
• Windows: Before September 2017 updates
• iOS: Pre-version 10
• Apple TV: Pre-version 7.2.2
• Linux: Before September 2017 updates

2. If the update is not available or not possible to upload, user should consider disabling the Bluetooth

3. There is a possibility that Bluetooth has other unrevealed vulnerabilities, so the professional organisation should control the proximity of their systems.

References

1. www.kb.cert.org/vuls/id/240311

2. www.armis.com/blueborne/

How military defend against commercial drones?

Threat of drones

Within a few past years, there has been a rise in the number of incidents involving small unmanned aerial vehicles (UAV, i.e., Drones). Insurgent forces in Syria and Iraq together with regular armies in Ukraine have used commercial drones to reconnoiter or strike targets. The defence industry is introducing various means to counter the UAV’s using force, signal hijacking, directional RF interference, directed energy, or other drones.

A Ukrainian serviceman operates a drone during a training session outside Kiev, November 6, 2014. © REUTERS

Iraqi troops are showing commercial drones used by ISIS in Mosul. © CENTCOM

Blunt force

A basic and low-tech solution is to knock out the drone with another object. SkyWall100 system from OpenWorks Engineering is a man-portable compressed air launcher that fires a 22-pound net to capture the drone and parachuting it down.

Signal hijacking

A more delicate countermeasure is to infiltrate and seize the command channel between the remote controller and the drone. The captured drone can then be guided to land in the safe zone. MESMER from Department 13 and UAV D04JA Jammer from Chinese Hikvision are systems that can take over the control of a UAV and direct it to safety.

RF interference

The more longer-range situation requires a system capable of detection, tracking, and disruption. A British made AUDS can detect a drone from 8 km away, track it and disrupt its flight by using radio frequency jamming. A French BOREADES system is an integrated system that uses radars, day-night optronics and UHD video to detect the drone and intercepts it by jamming or luring the navigation system onboard.

Directed energy

In a situation of multiple drones approaching the target at the same time, a straightforward countermeasure is to shoot them down with directed energy weapons. USS Ponce is already hosting the Laser Weapon System (LaWS) to counter threats from small boats to drones. Rheinmetall has laser-based products to counter both commercial and military drones. Chinese researchers have demonstrated a system in 2017 Black Hat conference that uses audible sound and ultrasound emitters to disrupt the microelectromechanical systems as accelerometers and gyroscopes on board a drone.

Other drones

There are several solutions of using other drones to capture hostile drones. One of them is the Drone Interceptor MP200 from Malou Tech that uses a net to capture the approaching vehicle.

Geofencing or electronic wall

The drone manufacturers program their drones not to enter denied areas.  The global positioning signals can be jammed to keep the drones entering denied areas.

Rules of Engagement

US DoD has issued a policy to military bases that they have full legal rights to shoot down private or commercial drones seemed to be a threat. This may apply to other separated military zones, but amongst the people and in public sites, the less violent measures need to be available.

RGP armed drone shot down by Syrian troops © ThinkDefence.co.uk

All US Army troops in operation develop a sensor plan that deploys both passive and active countermeasures against hostile drones. The action is straight forward: "Units must attempt to engage and destroy the UAV using any organic means available, typically small arms fires organic to the unit while simultaneously relocating the unit."
Some airports in Ireland have established a “no drone zone” which is a control measure to ensure there are no drones around departure or approach routes. If a drone is sighted, aircraft is put on hold to clear the path.
Police officers in the UK can only instruct the drone operators to land if they approach sensitive sites or become a safety issue.
Israel Defence Forces do shoot down Hezbollah drones violating Israeli airspace.

References:

Pomerlau, Mark: Army releases counter-drone training document. C4ISRNET. 25. April 2017. http://www.c4isrnet.com/unmanned/uas/2017/04/25/army-releases-counter-drone-training-document/
Defence IQ press: A timeline of the rising small UAS threat. Defence IQ 10.2.2017
https://www.defenceiq.com/defence-technology/articles/a-timeline-of-the-rising-small-uas-threat
Dutta, Sumit: This is how militaries can defend against drones. Defence IQ 14.8.2017 https://www.defenceiq.com/news/this-is-how-militaries-can-defend-against-drones
Goarant, Barbara: CS presents BOREADES. CS official pages. http://www.c-s.fr/CS-presente-BOREADES-son-systeme-de-lutte-anti-drone-a-l-occasion-de-la-demonstration-dynamique-organisee-par-le-SGDSN_a765.html
Silva, Richard De: No Drone Zone. Defence IQ September 2016. https://plsadaptive.s3.amazonaws.com/gfiles/_nilr3emag_-_countering-drones_-_defence_iq_-_oct_2016.pdf?response-content-type=application/pdf&AWSAccessKeyId=AKIAICW5IOYOPOZOU3TQ&Expires=1505470510&Signature=9HweRD7Pn612TpoQ1Dn54DhID6U%3D
Pavluk, Joshua: Four counter-drone technologies we need now. TechCrunch, 23. February 2016. https://techcrunch.com/2016/02/23/four-counter-drone-technologies-we-need-now/