Breaking Badness

Breaking Badness Cybersecurity Podcast - 189. Malware the Wild Things Are

Coming up this week on Breaking Badness: 5G Whiz, I’ve Had My Polyfill, and Gold, Guidance, and Grievances.

Here are a few highlights from each article we discussed:

5G Whiz

  • Researchers from Penn State University describe how hackers can go beyond monitoring your Internet traffic by literally providing your Internet connection to you, leaving you open to phishing, spying, and more
  • There are two steps to this process:
    • One: It turns out there is more than one technology that allows people to imitate cell towers, for different reasons
      • The one a lot of people have probably heard of is the infamous StingRay, the controversial contraption that police use to intercept and basically proxy phone calls
      • You configure this tower to send out little plaintext messages called SIB1 (System Information Block 1) messages, which are basically a cell tower’s way of saying, “hey, I’m here, anyone want to connect?”
      • They initiate something called Authentication and Key Agreement, aka AKA. We’ll come back to that in a moment, because you all probably think that it involves something that it does not actually involve. OOoooh, INTRIGUE!
      • Now, for a variety of reasons, phones want to connect to the tower with the strongest signal. If you’re close enough to your target(s) and if you have an effective antenna, your little phony base station can have a stronger signal, and thus be more appealing to the target phones than a real cell tower
      • What’s your little faux tower made of? Basically an SDR, a power supply, an antenna, and a source of data to be sent over the SDR and to complete the AKA handshake and route the calls
    • Step Two:
      • The AKA exchange occurs in plaintext and does not involve public key infrastructure, as one might have assumed from the word “Key.” So why not go ahead and bypass it entirely?
      • Turns out that’s quite doable too, thanks to a mishandled security header that an attacker could use to skip the AKA process altogether
      • Fortunately, the mobile processors that have this vulnerability aren’t widespread. No, actually, they are used by two of the largest smartphone manufacturers. Sad trombone
  • How have mobile vendors responded to the reporting of these vulnerabilities?
    • The good news is that the vendors that they contacted, which is, I assume, all of the major ones, have issued patches
    • No specifics that we’re aware of regarding exactly how the patches work, but it sounds like they do. A more permanent fix would be ideal, one that would in fact rely on PKI
  • Where can our audience learn more about this research?
    • Black Hat! 
    • Look for the Penn State team’s presentation – our guess is that it will be one of the most popular talks 

I’ve Had My Polyfill

  • The new Chinese owner of the popular Polyfill JS project injects malware into more than 100 thousand sites
  • What is Polyfill?
    • Back in the day, we had many browser options that supported different things in JavaScript
    • Polyfill existed as a concept to say, “hey, I don’t really know what kind of browser might visit my site, but I want to provide the same level of functionality for each of those users. So I’ll just tap in a little shim here when it detects a browser that doesn’t support what everyone else supports.”
    • This was a service that a fellow by the name of John Neal wrote
      • He took to writing a lot of these Polyfills and built a service around these that you could include in your code that would allow you to solve this problem without solving it for yourself
    • This is a variation on a theme with open source projects: the vulnerability is not necessarily at the code level. The project simply became ubiquitous
      • It became a service that was used in many places – it became its own CDN of sorts
    • At some point in late last year/early this year, the Polyfill service, which had been synonymous with the Polyfill project up until that point, was sold (GitHub repo ownership included) to a company called Funnull, a company out of China that had been around for a number of years and was a CDN itself
    • At the time, maybe it made sense for the maintainer to sell to these folks
      • But really what they got was control of the GitHub repo and the name servers for the CDN. They used that control to start redirecting folks who were using this Polyfill service to malware (for lack of a better term)
      • In this particular instance they were caught serving up malware to some users
  • How did Polyfill end up changing hands?
    • It’s just one of these things where there are huge chunks of infrastructure and the elements we rely on and take for granted go bouncing around the web
      • They are projects owned by single individuals or small groups of people that at one point in time were designed to solve a problem people were having. Folks pick these things up and start using them, but the incentives for maintaining them properly are not always there
      • It’s just an existential problem relating to open source projects and leaves a lot of opportunity for malicious activity 
  • Are there protections against detection in this case?
    • When the sale occurred, people definitely noticed something was different 
    • The original creator of the project actually said folks should stop using it, but no one listened (there’s a lot of inertia behind using something that’s been in place for over a decade) 
    • But these malware instances weren’t occurring for everyone – it doesn’t activate for everyone, for instance not on an admin account
  • What are the recommendations coming out of this instance?
    • There are a lot of folks that have essentially allowed this domain to load JavaScript and run it, and they need to stop 
    • The folks at Sansec who discovered this (they are a supply chain security company) put out a scanner you can use to look through any sites you own to see if you have any surface area for this
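The two recommendations above boil down to “find every page that still pulls JavaScript from that domain, and stop.” Below is an added example of a small scanner in that spirit; it is not the Sansec scanner and not code from the podcast or the Polyfill project. It parses HTML with the standard library, flags any `<script src>` that loads from a denylisted host, and, more generally, flags any third-party script that has no Subresource Integrity (`integrity`) attribute. The denylisted hostname `cdn.polyfill.example` and the sample HTML are constructed placeholders; substitute the real hostname from the advisory you are acting on.

```python
"""Scan HTML for third-party <script src> tags that load JavaScript from a
domain you no longer trust, or from any external host without SRI.
Added example; not the Sansec scanner and not the Polyfill project's code."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Placeholder hostname, not a real indicator: replace with the CDN host(s)
# named in the advisory you are responding to.
DENYLISTED_HOSTS = {"cdn.polyfill.example"}


class _ScriptCollector(HTMLParser):
    """Collect the attribute dict of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "script":
            self.scripts.append(dict(attrs))


def _is_denylisted(host, denylisted):
    """Exact match or subdomain of any denylisted host."""
    return host in denylisted or any(host.endswith("." + d) for d in denylisted)


def scan_html(html, own_host, denylisted=DENYLISTED_HOSTS):
    """Return findings as (severity, src, reason) tuples, in document order."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline script: out of scope for a loader scan
        # urlparse handles absolute and scheme-relative (//host/...) URLs;
        # a relative path yields hostname None.
        host = urlparse(src).hostname
        if host is None or host.lower() == own_host.lower():
            continue  # same-origin or relative: not third party
        host = host.lower()
        if _is_denylisted(host, denylisted):
            findings.append(("high", src, "loads JavaScript from denylisted host " + host))
        elif "integrity" not in attrs:
            findings.append(("medium", src, "third-party script without SRI integrity attribute"))
    return findings


# Constructed sample page: one local script, one denylisted CDN, one
# pinned third-party script, and one unpinned scheme-relative script.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.polyfill.example/v3/polyfill.min.js"></script>
<script src="https://cdn.trusted.example/lib.js"
        integrity="sha384-PLACEHOLDERDIGEST" crossorigin="anonymous"></script>
<script src="//static.other.example/widget.js" async></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for severity, src, reason in scan_html(SAMPLE_HTML, "www.mysite.example"):
        print(f"[{severity}] {src}: {reason}")
```

Run it over the HTML your own sites serve (the rendered output, since templates and tag managers add script tags too). The SRI check is the generic hardening: pinning a third-party file to a digest means a swapped-out script fails to load rather than running. Note that SRI only works for static files; a service that rewrites its output per browser cannot be pinned, which is exactly why the advice for the Polyfill case is to remove the tag rather than try to pin it.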

This Week’s Hoodie Scale

5G Whiz

[Tim]: 5/10 Hoodies
[Taylor]: 4.63/10 Hoodies

I’ve Had My Polyfill

[Tim]: 4/10 Hoodies
[Taylor]: 7.5/10 Goodies

That’s about all we have for this week. You can find us on Mastodon and Twitter/X @domaintools, and all of the articles mentioned in our podcast will always be included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!