TechSploits

Now this is some good ol' hacking just for fun

It could be worse i guess... I could be the admin of a Sharepoint instance...

Researchers at penetration testing and threat intelligence firm PCA Cyber Security (formerly PCAutomotive) have discovered that critical vulnerabilities affecting a widely used Bluetooth stack could be exploited to remotely hack millions of cars.

The researchers conducted an analysis of the BlueSDK Bluetooth framework developed by OpenSynergy and found several vulnerabilities, including ones that enable remote code execution, bypassing security mechanisms, and information leaks.

They demonstrated how some of these flaws could be chained in what they named a PerfektBlue attack to remotely hack into a car’s infotainment system. From there the attacker can track the vehicle’s location, record audio from inside the car, and obtain the victim’s phonebook data.

The attacker may also be able to move laterally to other systems and potentially take control of functions such as the steering, horn and wipers. While this has not been demonstrated, previous research showed that it is possible for a hacker to move from a car’s infotainment to more critical systems.

The PerfektBlue hack has been demonstrated against recent infotainment models shipped with Mercedes-Benz, Skoda, and Volkswagen cars, as well as products made by another, unnamed OEM that was only recently made aware of the findings.

BlueSDK is present in millions of devices. The list includes not only vehicles, but also mobile phones and other portable gadgets made by dozens of major tech companies.

In order to conduct an attack, the hacker needs to be in range and able to pair their laptop with the targeted infotainment system over Bluetooth. In some cases pairing is possible without any user interaction, while in others pairing requires user confirmation, or it may not be possible at all.

“Essentially, PerfektBlue requires at most 1-click from a user to be exploited over-the-air by an attacker,” PCA Cyber Security explained.

The PerfektBlue vulnerabilities were reported to OpenSynergy back in May 2024 and were assigned the CVE identifiers CVE-2024-45434, CVE-2024-45431, CVE-2024-45432 and CVE-2024-45433.

Patches were created and distributed to customers starting in September 2024, but PCA Cyber Security waited until now to disclose them to ensure that the fixes would be widely deployed.

Earlier this year, PCA Cyber Security disclosed a series of vulnerabilities that could be exploited to remotely hack a Nissan Leaf electric vehicle, including for spying and the physical takeover of several functions.

I'm classing this as an exploit because it sounds like backblaze exploited their shareholders!

We (Reddthat) were going to use them as our object storage provider when we started. Luckily we didn't! It would make me want to migrate asap!

I nice write up on the #TikTok VM

We regularly see this on Reddthat's and my own personal services too.

Could be worse, I could be using parquet...

A nice in-depth article on game hacking

My talk explores the trajectory of iOS spyware from the initial discovery of Pegasus in 2016 to the latest cases in 2024.

The talk will start with an analysis how exploits, infection vectors and methods of commercial spyware on iOS have changed over time.

The second section of the talk is all about advances in detection methods and the forensic sources which are available to discover commercial spyware. This talk will also include a Case Study about the discovery and analysis of BlastPass (one of the latest NSO Exploits).

The third part will discuss technical challenges and limitations of the detections methods and data sources.

Finally, I will conclude the talk with open research topics and suggestions what Apple or we could technically do to make the detection of commercial spyware better.

The commercial spyware landscape on iOS has evolved significantly since the discovery of Pegasus in 2016. In this talk, we’ll explore that evolution through four main areas:

1. Spyware Evolution (2016-2024): By analyzing key exploits, tactics, techniques, and procedures (TTPs), infection vectors, and indicators of compromise (IOCs), we’ll trace how spyware has advanced in sophistication, highlighting changes that have led to today’s complex threats.
2. Advancements in Detection: As spyware has grown more sophisticated, so too have detection capabilities. We’ll review the main actors, public organizations and tools that have shaped spyware detection. This part will also include a case study on my discovery and analysis of a sample NSO‘s BlastPass Exploit chain.
3. Current and Future Challenges: Looking forward, we’ll examine the pressing challenges in spyware detection and speculate on how commercial spyware might evolve in response to new security measures and technologies.
4. Recommendations for Research and Detections: Finally, I’ll offer recommendations for advancing research and detection methods and capabilities to combat commercial spyware.

Attendees will gain a comprehensive view of the past, present, and future of spyware on iOS, along with actionable strategies for future research and collaboration.

Licensed to the public under http://creativecommons.org/licenses/by/4.0

We present fatal security flaws in the HALFLOOP-24 encryption algorithm, which is used by the US military and NATO. HALFLOOP-24 was meant to safeguard the automatic link establishment protocol in high frequency radio, but our research demonstrates that merely two hours of intercepted radio traffic are sufficient to recover the secret key. In the talk, we start with the fundamentals of symmetric key cryptography before going into the details of high frequency radio, HALFLOOP-24, and the foundation of our attack.

High frequency (HF) radio, also known as shortwave radio, is commonly used by the military, other government agencies and industries that need highly robust long-distance communication without any external infrastructures. HF radio uses frequencies between 3 and 30 MHz. These frequencies enable skywave propagation, where the radio signals are reflected by electrically charged particles in the upper atmosphere. While this effect enables communication across very large distances, historically, it required trained and experienced operators to establish a radio link.

This dependence on operators was reduced by the introduction of the automatic link establishment (ALE) protocol. In a nutshell, an ALE-enabled radio establishes a link to another radio by selecting a suitable frequency according to a propagation model and then transmitting a call frame. If the frequency is good, the other radio receives the frame and the two radios perform a handshake to set up a link. The encryption of these ALE frames is known as linking protection. It is primarily meant to protect unauthorized users from establishing links with radios in a network or interfering with established links. Additionally, encryption of ALE frames also protects the network from certain types of traffic analysis, which is the analysis of operating data such as network structure, frequencies, callsigns and schedules. The first ALE standard did not specify a cipher, but specified how to integrate a stream cipher with ALE. Later standards introduced the 56-bit key Lattice/SoDark cipher, which is now recommended to be replaced with HALFLOOP whenever possible.

HALFLOOP, which is standardized in US standard MIL-STD-188-14D since 2017, is essentially a downscaled version of the Advanced Encryption Standard (AES), which effectively is the most used encryption algorithm today. While this downscaling led to many strong components in HALFLOOP, a fatal flaw in the handling of the so-called tweak enables devastating attacks. In a nutshell, by applying a technique known as differential cryptanalysis, an attacker can skip large parts of the encryption process. In turn, this makes it possible to extract the used secret key and hence enables an attacker to break the confidentiality of the ALE handshake messages and also makes an efficient denial-of-service attack possible.

These attacks are described in the two research papers, Breaking HALFLOOP-24 and Destroying HALFLOOP-24. They were initiated by the presentation of the Cryptanalysis of the SoDark Cipher, the predecessor of HALFLOOP.

Licensed to the public under http://creativecommons.org/licenses/by/4.0

Read the whole thread, great look at the original Pentium and some pretty pictures to match!

A nice in-depth post on the hardware too!

when someone opens up the hard drive of a redbox unit, they can pull a file which has a complete list of titles ever rented, and the email addresses of the people who rented them, and where and when