Viry a Červi

Microsoft answered Congress' questions on security. Now the White House needs to act

The Register - Anti-Virus - 15 Červen, 2024 - 03:20
Business as usual needs a real change

Feature  Microsoft president Brad Smith struck a conciliatory tone regarding his IT giant's repeated computer security failings during a congressional hearing on Thursday – while also claiming the Windows maker is above the rule of law, at least in China.…

Kategorie: Viry a Červi

Stanford Internet Observatory wilts under legal pressure during election year

The Register - Anti-Virus - 14 Červen, 2024 - 23:38
Because who needs disinformation research at times like these

The Stanford Internet Observatory (SIO), which for the past five years has been studying and reporting on social media disinformation, is being reimagined with new management and fewer staff following the recent departure of research director Renee DiResta.…

Kategorie: Viry a Červi

Meta won't train AI on Euro posts after all, as watchdogs put their paws down

The Register - Anti-Virus - 14 Červen, 2024 - 22:46
Facebook parent calls step forward for privacy a 'step backwards'

Meta has caved to European regulators, and agreed to pause its plans to train AI models on EU users' Facebook and Instagram users' posts — a move that the social media giant said will delay its plans to launch Meta AI in the economic zone.…

Kategorie: Viry a Červi

Nigerian faces up to 102 years in the slammer for $1.5M phishing scam

The Register - Anti-Virus - 14 Červen, 2024 - 22:15
Crook and his alleged co-conspirators said to have used Discord to coordinate

A Nigerian national has been convicted of participating in a business email compromise (BEC) scam worth $1.5 million after a jury found him guilty on all counts.…

Kategorie: Viry a Červi

Ukraine busts SIM farms targeting soldiers with spyware

The Register - Anti-Virus - 14 Červen, 2024 - 15:22
Russia recruits local residents to support battlefield goals

Infrastructure that enabled two pro-Russia Ukraine residents to break into soldiers' devices and deploy spyware has been dismantled by the Security Service of Ukraine (SSU).…

Kategorie: Viry a Červi

French state bidding for piece of Atos, offers €700M

The Register - Anti-Virus - 14 Červen, 2024 - 13:33
Big data + security division could be owed by the government and its people

The French government has confirmed an offer of €700 million ($748 million) for key assets of ailing IT services giant Atos, following the company’s acceptance of a restructuring deal earlier this week.…

Kategorie: Viry a Červi

Microsoft bigwig says the Feds catching Chinese spies in Exchange Online is the cloud working as intended

The Register - Anti-Virus - 14 Červen, 2024 - 02:40
'It's not our job to find the culprits – That's what we're paying you for' lawmaker scolds Brad Smith

Lawmakers on Thursday grilled Microsoft president Brad Smith about the Windows giant's businesses dealing in China — and the super-corp's repeated security failings — at a time when Beijing-backed spies are accused of breaking into Microsoft-hosted email accounts of American government officials.…

Kategorie: Viry a Červi

US Space Force wanted $77M to reinforce GPS – and Congress shot it down

The Register - Anti-Virus - 14 Červen, 2024 - 00:42
Can't we do this another way, like without these mini-sats costing $1B over 5 years, House reps wonder

A plan by America's Space Force to harden GPS against spoofing attacks may be going nowhere: A request by the service branch for $77 million of public cash to finish the work is struggling to get approval from Congress.…

Kategorie: Viry a Červi

Oracle Ads have had it: $2B operation shuts down after dwindling to $300M

The Register - Anti-Virus - 13 Červen, 2024 - 21:55
In this slightly more private era, your data ain't as profitable as it once was

Analysis  Oracle Advertising is shutting down, CEO Safra Catz said during the database goliath's fiscal 2024 Q4 earnings call with Wall Street this week.…

Kategorie: Viry a Červi

Ukrainian cops collar Kyiv programmer believed to be Conti, LockBit linchpin

The Register - Anti-Virus - 13 Červen, 2024 - 18:27
28-year-old accused of major ransomware attacks across Europe

An alleged cog in the Conti and LockBit ransomware machines is now in handcuffs after Ukrainian police raided his home this week.…

Kategorie: Viry a Červi

Google's Privacy Sandbox more like a privacy mirage, campaigners claim

The Register - Anti-Virus - 13 Červen, 2024 - 15:30
Chocolate Factory accused of misleading Chrome browser users

Updated  Privacy campaigner noyb has filed a GDPR complaint regarding Google's Privacy Sandbox, alleging that turning on a "Privacy Feature" in the Chrome browser resulted in unwanted tracking by the US megacorp.…

Kategorie: Viry a Červi

Student's flimsy bin bags blamed for latest NHS data breach

The Register - Anti-Virus - 13 Červen, 2024 - 13:30
Confidential patient information found by member of the public

A data protection gaffe affecting the UK's NHS is being pinned on a medical student who placed too much trust in their bin bags.…

Kategorie: Viry a Červi

Cinterion EHS5 3G UMTS/HSPA Module Research

Kaspersky Securelist - 13 Červen, 2024 - 12:00

Modems play an important role in enabling connectivity for a wide range of devices. This includes not only traditional mobile devices and household appliances, but also telecommunication systems in vehicles, ATMs and Automated Process Control Systems (APCS).

When integrating the modem, many product developers do not think of protecting their device from a potential modem compromise. As one of the main communication channels for the end device, the modem not only has access to the information flow between the device and the outside world, but also may have almost unlimited access to the most critical systems and resources of the end device. Thus, modem security is a significant matter.

To make the problem worse, when a critical vulnerability is discovered in just one modem model and version, significant time may be required to update all the devices in which it is installed. And some of them may even not have a remote modem updating feature at all, such as a car’s Telematic Control Unit (TCU). In such cases, installing the update typically requires additional effort and expense for the manufacturer of the end product to manually address each vulnerable device or vehicle.

For this reason, a particular modem manufactured by Telit Cinterion caught our interest. We decided to perform the security analysis of the modem in course of a bigger project of analyzing security of a popular model of a truck. When we began our assessment, the only known registered vulnerability was CVE-2020-15858, which is described in greater detail elsewhere.

The study focused on the EHS5-E series modem, originally manufactured by Thales before the business unit was acquired by Telit. Several modem models from this vendor share similar software and hardware architectures. Therefore, the findings of this study apply to devices across multiple model series:

  • Cinterion BGS5;
  • Cinterion EHS5/6/7;
  • Cinterion PDS5/6/8;
  • Cinterion ELS61/81;
  • Cinterion PLS62.
Modem software components

According to the software model, the modem consists of four software components:

  • Firmware (FW);
  • Application (App);
  • Java Remote Control (JRC);
  • Service LWM2M Agent (SLAE).

The modem comes along with an SDK for creating software components that execute business logic, known as MIDlets. The firmware (FW) and application (App) components form part of the modem’s low-level code, which includes the operating system and the execution environment for the MIDlets. A MIDlet is a Java application supported by a specialized subsystem, Java ME (Micro Edition), which features a limited set of Java commands. The JRC and SLAE components are special MIDlets developed by the manufacturer.

It is possible to install MIDlets and to configure the security settings for their execution. The following security mechanisms are used for MIDlets:

  • Java bytecode checks during installation (always enabled);
  • MIDlet digital signatures (configured by the end product developer).

By default, only the manufacturer’s certificate is installed on the modem to validate MIDlets with manufacturer-level execution privileges. Installing and configuring certificates for custom MIDlets is the responsibility of the end product developer. This is described in more detail in the EHSx Java User’s Guide.

Types of MIDlets

Based on our analysis, all MIDlets on the modem can be divided into two categories by their privilege level:

  • Manufacturer MIDlets;
  • User MIDlets (signed / unsigned).

Only the JRC and SLAE MIDlets initially belong to the manufacturer level. They have the highest privileges without any code execution restrictions at the Java level.

The second category of privileges is granted to user MIDlets. Their functionality is restricted in relation to file system (FS) operations, GSM module operations, etc. For example, a user MIDlet cannot read the entire modem FS, but the JRC module can.

If a user certificate is installed, only a signed user MIDlet with User Signed privileges will be executed on the modem. In other words, User Signed MIDlets are only used to protect the modem from executing a MIDlet from an illegitimate user, such as an attacker or security researcher.

MIDlet installation

MIDlets can be installed both locally and remotely. Local installation of MIDlets is done through the JRC component. Remote installation is possible via a special OTAP mechanism, or in M2M scenarios, via the SLAE component.

Using the modem in an M2M scenario involves creating a personal user account on the manufacturer’s website. This personal account allows the user to perform standard actions with MIDlets on all paired devices, such as installing and uninstalling MIDlets. In our study, we did not analyze the mechanisms of remote M2M installation of MIDlets.

Local installation via MES

Local installation is performed via the MES (Module Exchange Suite) communication protocol and special AT commands. The interface itself and AT command processing are implemented in the JRC component. The MES protocol enables interaction with the modem’s user FS (hereinafter referred to as the “UFS”), including writing to or deleting files from the UFS.

Upon installing the driver provided with the SDK, the content of the modem’s UFS, which is mounted at the path ‘///a:/’, becomes accessible. The driver functions as a user add-on over the MES protocol. Although MES formally supports working with any path value except for ‘///a:/’, no other internal paths are known, and attempts to read paths starting with a different root result in an error. This is due to the filtering of query parameters in MES, ensuring that everything not belonging to the ‘a://’ root returns an error, even though the UFS has several valid roots.

Local installation of MIDlets is performed in two steps. First, the MIDlet files (.jar and .jad) must be copied to the modem UFS. Next, the MIDlet is installed on the modem using the AT^SJAM=0 AT command. During the execution of this command, the MIDlet files are copied to a part of the modem FS that is inaccessible to the user and are then removed from the UFS. The path to which MIDlets are copied during installation is unknown. This helps ensure the confidentiality of both user and manufacturer MIDlets. An installed MIDlet is launched from its new location in the modem FS. A list of all installed MIDlets can also be extracted using the AT^SJAM command. The image below shows an example of the output of this command.

Example output of the AT^SJAM command

The modem documentation states that the connector used to work with the FS filters requests to files with the .jar extension.

Snippet from the Cinterion documentation

This behavior was confirmed by a simple test: trying to access files with the .jar extension produced an error.

Attempting to access files with the .jar extension

Remote installation via OTAP

In the OTAP protocol, data is transmitted using SMS messages that have special values for the Class and PID fields.

Data transfer in OTAP protocol

OTAP messages are ASCII text contained within the SMS message body. An example of such a message is shown below.

Example of an OTAP message

OTAP support is provided by the App and JRC components. The process of installing and updating user MIDlets via OTAP requires prior activation of OTAP by the user on the modem. The user may specify additional attributes that will be used for OTAP: JAD File URL, HTTP User, HTTP Password, etc. The process of updating via OTAP is described in detail in the EHSx Java User’s Guide.

If OTAP was not activated beforehand by executing the AT^SJOTAP command, then the received message would not be processed. Activation involves creating a special OTAP settings file OTAP_AtParams.bin in the UFS.

OTAP activation check

Part of the file’s contents created during our tests is shown below.

Example of OTAP_AtParams.bin file contents

Debugging MIDlets and modem execution

According to the modem’s official documentation, several interfaces are available to interact with the modem, as shown below.

Available modem interfaces

From a security researcher’s perspective, a few of the hardware interfaces listed above are of a special interest, specifically ASC0/ASC1 and USB, since they can be used to transmit data between the modem and a host (e.g. PC) through the UART protocol. In the case of USB, the UART interface is emulated.

According to the vendor’s documentation, the UART can be used to communicate with the modem via the AT command interface or to perform step-by-step debugging of an executable MIDlet running on the modem. This is done using the MIDlet debugging subsystem. Interaction with the modem in debug mode takes place through a special PPP connection (dial-up modem emulation). The debugging mechanism is described in detail in the manufacturer’s documentation. The USB interface exposes additional functions in addition to the emulated UART interface, such as the MES interface, which can be used to access the modem’s User File System (UFS) though standard Windows OS mechanisms.

In addition to debugging MIDlets, the modem allows collection of the trace logs of its subsystems, including MIDlets. The AT+TRACE command determines what gets included in the output. An example of a command to enable output of debugging information on the modem is shown below.


The command parameters determine which modem subsystems to collect information from. The list of subsystems from which debugging information can be collected is available in the detailed help for this AT command.

Detailed help output of the AT+TRACE command

Obtaining the modem firmware

We focused on analyzing both MIDlet and OS security. To achieve this, we developed a research device based on a custom printed circuit board.

Research device

After analyzing the modem’s hardware components, we identified a NAND memory chip that contains the modem firmware. The firmware was extracted from the chip using the ChipProg universal programmer.

Hardware components of the modem

There is an additional challenge involved in extracting meaningful data from NAND memory due to its physical structure and wear-leveling algorithms. The data is stored together with the “Spare Area” – special blocks containing error correction codes and other auxiliary information. In addition, a bitwise XOR with a special gamma function may be applied to data to ensure even wear of the memory cells. Refer to the full version of the whitepaper (PDF, 9 MB) for the details regarding the process of reconstructing the NAND flash image.

Thanks to the NAND reconstruction, we were able to identify the UFS and examine its contents. We also succeeded in finding the binary images corresponding to the FW and App software components.


Analyzing the UFS contents

After reviewing the contents of the UFS, we found that it contained files and folders hidden from the user and inaccessible through the MES interface, namely .cinterion.internal and .cinterion.service. Access to them was restricted directly in the JRC MIDlet code, filtered by their name prefix. A code snippet from the JRC module that filters access to these folders is shown below.

Example code from the JRC module

By further examining the contents of these hidden directories, we determined that all MIDlets (both of user and manufacturer categories) are stored at /sys/.cinterion.internal/java. Each MIDlet is stored as a set of four files with .ss, .ii, .ap and .jar extensions.

After analyzing the contents of the folder containing installed MIDlets, we determined that each MIDlet is renamed during the installation process. To allow the user to run MIDlets by their name, the system keeps the mapping between the original name of the MIDlet and its alias in a simple database stored in the _suites.dat file. For example, by analyzing the binary contents of this file, it is clear that the file named 00000003.jar is actually JRC.jar.

Contents of the binary file _suites.dat

The .ap file is a Unicode-converted .jad file. This file contains information about the original name of the MIDlet and the libraries that were used. It may also contain the MIDlet’s digital signature. An example of such a file for a JRC MIDlet is shown below.

Contents of the .ap file for the JRC MIDlet

The .ii file contains information about the MIDlet installation path, the permissions assigned during installation, and other information.

Contents of a file with the .ii extension

Finally, the .ss file contains a description of the Java-level permissions available to this MIDlet. An example of the JRC vendor MIDlet permissions description is shown below.

Example of a JRC vendor MIDlet permissions description

It is important to note that this permission set gives unrestricted access to the Java virtual machine’s system classes. The example shown corresponds to the manufacturer level of privileges. Only two MIDlets have such permissions: JRC and SLAE. Any user MIDlet must list in its manifest the classes and methods it needs to access to at runtime. Part of the manifest for our test MIDlet is shown below.

Example manifest for our test MIDlet

Changing the security domain of a user MIDlet

As mentioned earlier, each installed MIDlet is stored in the modem FS as a set of four files under the path /sys/.cinterion.internal/java. When a MIDlet is started, its security domain is checked using the .ii file. Then, depending on the specified domain, access rights are assigned based on the .ss file. Quite important thing is that there is no verification of the digital signature when launching a MIDlet that has the manufacturer-level security domain.

Since any user MIDlet can use the aforementioned Java class, the MIDlet’s security permissions and security level can be escalated. A user MIDlet can replace its own .ii and .ss files so that it will start executing in the manufacturer security domain.

Running our MIDlet for the first time

Running our MIDlet for the second time

ULP protocol analysis

In addition to the ability to remotely provision and control MIDlets via SMS messages using the OTAP protocol, the modem offers geopositioning feature using SUPL (Secure User Plane Location) subsystem. This subsystem implements the SUPL specification, which facilitates the exchange of special messages between H-SLP (Home SUPL Location Platform) and SET (SUPL Enabled Terminal). The modem itself is a SET object under the specification. An example of such an exchange is shown below.

Interaction via the ULP protocol

Messages are exchanged using the ULP (User-plane Location Protocol) binary protocol. In this protocol, data is transmitted in the GSM network via PUSH messages using the WAP protocol stack. A typical ULP message is illustrated by the SUPL INIT message.

SUPL INIT message

The ULP protocol supports the ability to fragment the transmitted message allowing transmission of large binary messages via SMS at the PUSH layer of WSP messages. On the SET side, the WSP protocol provides indexing for the fragmented SMS message transmission. The first SUPL message contains the total size of the message to be received, whereas subsequent messages contain data fragments to be concatenated. An example of the structure of these SMS messages is shown below.

Example of the first SMS message

Example of subsequent SMS messages

During our analysis of the driver responsible for handling of ULP message fragmentation, we discovered a heap overflow vulnerability.

According to the transmission protocol, the ULPSizeFromPacket (size of the entire ULP packet) and wapTpduLen (size of the received WAP message) variables are calculated independently. That means a received WAP packet of size wapTpduLen will be unconditionally copied to a buffer whose size is ULPSizeFromPacket bytes. This is a classic example of a heap-based buffer overflow.

Heap-based buffer overflow

After crafting an appropriate SMS message, we managed to generate a heap overflow error, resulting in a hard fault and rebooting the modem. To learn the cause of the reboot, we used the previously mentioned AT+XLOG command.

Reason for the reboot

The resulting dump made clear that the R0 register contained data that we controlled. Thus, we confirmed our ability to not only overflow the heap, but also embed our data into executable code.

However, we had no way to get a dump of memory at the moment of the crash. To understand whether the discovered vulnerability is serious or just another non-exploitable BoF, we had to solve the problems of reading/writing the RAM, code execution, and OTAP activation. For details, please refer to the full white paper.

After overcoming many technical difficulties, which are described in detail in the full version of the article, by sending just a few specially-crafted SMS messages, we were able to launch the driver we developed on the modem OS, allowing us to:

  • Allocate memory (malloc);
  • Release memory (free);
  • Open / create a file in the UFS (createFile).

Using this driver, we managed to create the files needed for OTAP activation, install our own MIDlet on the modem, and assign it maximum manufacturer privileges.

Installing our own MIDlet


Though being a special-purpose device, a modern modem implements numerous features and potential user scenarios. In fact, it is a complicated system, both from an architecture and implementation point of view. Due to performance requirements, most of the key features are implemented in low-level languages such as С and Assembler and therefore lack built-in safeguards mitigating potential developers’ mistakes.

In the course of the modem security analysis, we found seven locally exploited vulnerabilities and one remotely exploited vulnerability. The combination of these vulnerabilities could allow an attacker to completely get control over the modem. In our truck’s security audit project, having control of the modem we were able to get our foothold in the telecommunication unit embedding it, and further, to propagate to other truck ECUs ending with getting control over the main vehicle systems, such as the engine, the gearbox, the suspension, the breaks, etc., therefore being able to totally compromise the vehicle safety from remote.

All discovered vulnerabilities have been reported to the vendor. Some of them have not been addressed by the vendor so far as the product support discontinued. And even if the vendor fixed all the vulnerabilities, as we stated at the beginning of the report, in some cases, the modem is integrated in such a way that applying updates would be difficult.

Thus, to counter the threats posed by the found vulnerabilities, Kaspersky recommends:

  • Contact the mobile operator to disable the sending of SMS messages to the device.
  • Use private APN with carefully configured security settings to limit the impact of any potential exploit.
  • Enforce application signature verification to prohibit the installation of untrusted MIDlets on the device.
  • Control physical access to the device at all stages of supplying to protect against the embedding of backdoors.
  • When developing a new product consider remote modem compromise as a high potential risk and restrict accordingly access from the modem (or the unit embedding it) to other products’ mission-critical components.

As for the vendors of the modems and similar devices, to mitigate potential risks at the design stage, Kaspersky recommends:

  • Introduce additional memory access restrictions in the ThreadX operating system, such as using the MCU or Modules
  • Use static code analysis tools to determine if there are any errors in logic or pointer arithmetic.
  • Perform fuzz testing (“fuzzing”) for the application to find implementation bugs using malformed/semi-malformed data injection in an automated fashion.
  • Perform code walk-through audits to look for confusing logic and other errors.
  • Select the development tool stack enforcing security domain separation and promoting a Secure by Design approach such as the one advocated by the Kaspersky OS developers.

Time to zero in on Zero Trust?

The Register - Anti-Virus - 13 Červen, 2024 - 05:12
Recently discovered vulnerabilities in VPN services should push ASEAN organizations to rethink their perimeter security approach

Sponsored Post  Companies the ASEAN region have long relied on a virtual private network (VPN) to help encrypt their Internet traffic and protect users' online identities.…

Kategorie: Viry a Červi

Crooks crack customer info at tracking device vendor Tile, issue 'extortion' demands

The Register - Anti-Virus - 13 Červen, 2024 - 03:15
Who tracks the trackers?

Life360, purveyor of "Tile" Bluetooth tracking devices and developer of associated apps, has revealed it is dealing with a "criminal extortion attempt" after unknown miscreants contacted it with an allegation they had customer data in their possession.…

Kategorie: Viry a Červi

Ransomware crew may have exploited Windows make-me-admin bug as a zero-day

The Register - Anti-Virus - 13 Červen, 2024 - 00:10
Symantec suggests Black Basta crew beat Microsoft to the patch

The Black Basta ransomware gang may have exploited a now-patched Windows privilege escalation bug as a zero-day, according to Symantec's threat hunters.…

Kategorie: Viry a Červi

White House report dishes deets on all 11 major government breaches from 2023

The Register - Anti-Virus - 12 Červen, 2024 - 18:15
The MOVEit breach and ransomware weren’t kind to the Feds last year

The number of cybersecurity incidents reported by US federal agencies rose 9.9 percent year-on-year (YoY) in 2023 to a total of 32,211, per a new White House report, which also spilled the details on the most serious incidents suffered across the government.…

Kategorie: Viry a Červi

China's FortiGate attacks more extensive than first thought

The Register - Anti-Virus - 12 Červen, 2024 - 16:00
Dutch intelligence says at least 20,000 firewalls pwned in just a few months

The Netherlands' cybersecurity agency (NCSC) says the previously reported attack on the country's Ministry of Defense (MoD) was far more extensive than previously thought.…

Kategorie: Viry a Červi

Let's kick off our summer with a pwn-me-by-Wi-Fi bug in Microsoft Windows

The Register - Anti-Virus - 12 Červen, 2024 - 02:29
Redmond splats dozens of bugs as does Adobe while Arm drivers and PHP under active attack

Patch Tuesday  Microsoft kicked off our summer season with a relatively light June Patch Tuesday, releasing updates for 49 CVE-tagged security flaws in its products – including one bug deemed critical, a fairly terrifying one in wireless networking, and one listed as publicly disclosed.…

Kategorie: Viry a Červi

Pure Storage pwned, claims data plundered by crims who broke into Snowflake workspace

The Register - Anti-Virus - 11 Červen, 2024 - 20:01
Secure storage company hasn't spilled details on how they got in

Pure Storage is the latest company to confirm it's a victim of mounting Snowflake-related data breaches.…

Kategorie: Viry a Červi
Syndikovat obsah