SS-NEWS-009: Phone Number Recycling, Malicious O365 Apps and Drone Hacking!

Episode 8 May 09, 2021 00:52:17
Security Serengeti

Show Notes

In this episode, we deep dive into two articles, with a bonus on hacking from drones where we wildly speculate on hacking attacks from drones. I don't think we really addressed the article at all.

As a side note, when I was talking with my wife after we finished recording, she pointed out a very good reason for a new number... frequently deals at providers require a "new line of service" to get a discount.

Article 1 - Your Old Phone Number Can Be Used to Hack You, Study Finds
Supporting Articles:
ORIGINAL PAPER - Security and Privacy Risks of Number Recycling at Mobile Carriers in the United States
Recycled U.S. Phone Numbers Linked to Security Threats
Apple Loses Bid to Move Consumer Privacy Suit to Arbitration
Porting: Keeping Your Phone Number When You Change Providers
Transfer, Park & Keep your Phone Number

Article 2 - Malicious Office 365 Apps Are the Ultimate Insiders
Supporting Articles:
TA2552 Uses OAuth Access Token Phishing to Exploit Read-Only Risks

Article 3 - TBONE: for public release on 2021-04-28
Supporting Articles:
Tesla Remotely Hacked from a Drone


Episode Transcript

[00:00:13] Speaker A: Welcome to the security Serengeti. We're your hosts, David Swineger and Matthew Keener. [00:00:17] Speaker B: We're here to talk about some recent news headlines and hopefully provide some insight, analysis, and practical applications that you can take into the office to help you protect your organization. [00:00:27] Speaker A: And as usual, the views and opinions expressed in this podcast are ours and ours alone and do not reflect the views or opinions of our employers. [00:00:34] Speaker B: A key finding missing from the first article is how often those old phone numbers are used to find Prince Albert in a can. Glaring oversight. [00:00:43] Speaker A: Yeah, it actually makes me skeptical about their research procedures. So, talking about the first article, this comes to us from Vice, which is actually referencing a Princeton University study conducted by Kevin Lee and professor Arvind Nauarian. My pronunciation is terrible. You have to go to the link in the show notes in order to get his name properly identified. [00:01:10] Speaker B: I'm sure people on Twitter will helpfully and politely provide the correct pronunciation. [00:01:15] Speaker A: Well, I certainly hope so. I will desperately need that in the future. All right, so summary about this paper. This article is that they conducted a study of the risk associated with the recycling of mobile phone numbers. So when people, for whatever reason, fail to maintain their phone number, whether they get rid of it because they're no longer using it, or they are moving to a different carrier, or they're trying to prevent someone from contacting them on that number, those numbers end up getting put back into the pool for whichever carrier maintains that block of numbers. So this is based on a survey of 259 numbers that they were able to get from T Mobile and Verizon wireless. So a couple of data points about what they found overall. 
So it's estimated, based on FCC data, that 35 million numbers in the United States are disconnected annually. So if you estimate population in the United States being roughly 350,000,000. So 10% of all the mobile numbers in the country, or not all the mobile numbers in the country. I mean, 10% of the population has these numbers that end up getting recycled every year. [00:02:47] Speaker B: I find that really interesting. Just speaking for myself, I've kept the same phone number for two decades at this point. Are there people really just abandoning their phone numbers and moving on? [00:03:00] Speaker A: Apparently in the paper, they give a couple of different reasons for that turnover, one of them being that if they change carriers, there seems to be some necessity to change numbers. I've never switched carriers and maintained a number across that. I've been at the same carrier for a long time. So apparently there's a necessity to change numbers when you switch carriers. People are trying to get away from being contacted on that number because someone they no longer want to associate with, for whichever reason, knows that number. So they want to get rid of it, or they're receiving too many other types of solicitations or something else on that number. [00:03:48] Speaker B: But all the phone numbers are known. It's a finite space. It's not like it's a completely. You're not moving to a new country that nobody has ever been to before, right? [00:04:00] Speaker A: But not exactly. And that's one of the things that they talk about in the article, is that when you go and select a phone number from one of these carriers, there's a user interface or a website where you can choose what number you want. And depending on how those numbers are displayed within the UI, gives you an indication about whether they're recycled numbers or what the term they use in the paper is fresh numbers, assuming that they haven't been reused so that they are essentially new. 
So not all phone numbers that can be in use are in use or have been in use. So there is some of that in there. [00:04:44] Speaker B: I just checked and unfortunately 867-5309 is already taken in my area code. I'm very unhappy about this. [00:04:53] Speaker A: I would be very surprised if it's not taken in any area code and is available for any random individual to get because I would speculate that some providers or carriers or whatever have simply banned that number. No one can have it. [00:05:08] Speaker B: That makes sense. [00:05:10] Speaker A: But anyway, of the 259 numbers which were sampled, they found that 171 of those were vulnerable to account hijackings at six popular websites. And they stated that they've chose these based on popularity. And there could be other websites that would give a different number as far as how many are vulnerable to this. But they check Amazon, AOL, Facebook, Google, PayPal and Yahoo and found that those 171 numbers could be used to hijack accounts on those sites. Of those 259, 100 of the numbers were already associated with credential leaks from documented data losses. So known data breaches essentially, and then 10% of those numbers were still receiving privacy or sensitive communications meant for the previous owners. So these numbers are relatively high, at least in my opinion, about the risk posed to the previous owner of those numbers. Once they give up those numbers, I. [00:06:27] Speaker B: Can totally see it. I recently switched phones and while I didn't switch numbers, I remember not having planned to do all my two factor stuff and get that rearranged and I lost most of those and had to go recover all those and just. I'm thinking back to my last pass. I think I checked the other day, I've got like 70 some websites in there, and if my number is in all those, I'm not going to go through and change it in every single one, probably. I mean, I guess I have a last pass. I could go through each one and change it. 
But if you don't have a list of what websites you're on, it's almost impossible to remember, right? [00:07:01] Speaker A: It probably would be a fairly good idea if you use the password manager, like LastPass, to indicate those sites that do have your phone number and maybe put them in a certain categorization or a tag or whatever within your password manager to say, these are critical sites that I should go back in and do something about relating to my phone number. [00:07:26] Speaker B: Man, what a pain. I mean, it's bad enough that you're changing your phone number and your phone. You got to reinstall everything. You got to redo it. Now you got to go back there and change all your password stuff too. It's a lot of work. [00:07:38] Speaker A: Yeah, I just recently got a new phone as well and had to go through the entire rebuilding of my two factor archive with my authenticator app. And I took a piece of advice from Steve Gibson as part of this process. [00:07:55] Speaker B: Don't mention other say, I didn't say. [00:07:59] Speaker A: He had a podcast. I just said I took Steve Gibson's advice. I didn't say he has a very famous podcast. Know, we will never see those numbers. But anyway, what he recommended was that you print out your QR codes for all your two factors and you store them in a secure location for the recreation of that stuff should something happen to your two factor. So print those out, put them in a fireproof safe and lock those away. I thought that was very sound advice. So next time I switch phones, I won't have to go through the entire rigamarole. And if I'm conscious of that going forward, any additional two factors, print out the QR code at that time and add that to the pile. But what are the real risks here? So they identified eight potential attacks relating to the recycling of the phone numbers. So four of them are risks for the previous owners, and then there's four, which are risks for subsequent owners. 
The first one, and we'll go through the first four as far as the previous owners, and then we'll talk about the second four for the follow on owners. So the first four are PII indexing, which is basically using the phone number to identify who had that number and look for other vulnerabilities for that individual. So going back to the statement before about those numbers being associated with previous data breaches. So taking that phone number, identifying that number associated with the previous data breach, or if you're talking about the criminal element going into the dark web and seeing if that number is available or associated with anything which can be purchased on the dark web to then attack that individual or purchase that number. It's basically used to identify numbers that they want to acquire for subsequent attacks. And the next one is account hijackings via recovery. So having that phone number associated with performing a recovery action on a different account. So if you need to recover your Amazon account, having some kind of recovery mechanism sent to that SMS in order for you to get that account. Sorry, that one's for the password recovery. So the account hijackings via recovery is for using SMS for your password resets. And the next one is account hijackings without password resets, which is what I meant before, where the account hijackings without password reset is the entire recovery through SMS without having to have the password reset. [00:11:06] Speaker B: Is that the one where they send the link that just when you click on the link, it allows you to log in? [00:11:10] Speaker A: Right. Those are super convenient, especially for attackers. And then the fourth one is the targeted takeover. So basically that one is when you or the attacked individual and that phone number are already known and associated together by the attacker. 
So that person you're attempting to get away from or that keeps calling you and you want them to stop calling you, they already know you and that number associated together. So they wait for that number to become available and then they acquire that number and use that to do whatever their intent is or how they expect to leverage that number in order to attack that previous owner. So kind of mostly based on what they said in the article that is used for impersonation. And then the second half, the last four are used to attack the new owner of the phone. So phishing, persuasive takeover, spam and denial the service. So phishing is obvious that they are targeting that new individual and sending them a message which leads them to believe that it was meant for the previous recipient and temp send it into something else. [00:12:36] Speaker B: I was going to say, it sounds like the nigerian principal works there. Like, hey, do you have the 5 million for me? [00:12:42] Speaker A: Right. Kind of like that. So assuming familiarity or something with that account. So it kind of goes along the lines of the old con man saying that you can't cheat an honest man. So that's assuming that whoever's got that number is not going to simply ignore it. Or they're going to think that this is going to be something they're going to be able to take advantage of. And then, of course, there's spam and denial of service. Pretty straightforward. [00:13:14] Speaker B: Yeah. The persuasion one actually really interests me because it's something I never thought about, but thinking about it, you could message them, be, you know, this is Facebook. We see you got a new phone number you need to follow our new account. Proceedings are like, oh, well, I have a Facebook and I did just get a new phone number. Definitely you could use that familiarity you mentioned before to really talk somebody into letting you jump into their new account. [00:13:40] Speaker A: Yeah. 
And of course, Facebook knows everything about everybody, so that wouldn't be that surprising. [00:13:46] Speaker B: It would not. [00:13:48] Speaker A: Okay, so how does an attacker actually get the opportunity to take advantage of this? So I mentioned earlier that the phone companies, at least T Mobile and Verizon, have web interfaces where you can go in and request a new number. So depending on which vendor it is, they may allow you to select the first half or the first six numbers out of the ten and say, I want something with this area code, with this prefix, and then give you a selection of the available numbers which remain with the last four digits. And what they could do is they can do that, put in that request and then take those numbers and see what else they can find out about those numbers, see if they're worth actually acquiring the numbers or not using people search searches so they can get the previous owner's name, address, et cetera, and be able to leverage that in a different context. And possibly even depending on the amount of data available, they could use that for other impersonation activities, applying for a credit card or something like that, maybe. And this has actually come up in court case which will be linked an article in the show notes to this where customers claim that a flaw in the iPhone operating system combined with T Mobile recycling phone numbers gave third parties unauthorized access to the user's communications. Now, how this relates into the way the phone numbers are managed. So the FCC is the one that manages all the phone numbers. So they have guidelines or restrictions, regulations around the management of recycled phone numbers. So there's a minimum aging period of 45 days. So if you give up your phone number for whatever reason, the vendor cannot reissue that phone number for at least 45 days. And generally vendors go between 45 and 90 days when that number will get released back into the wild. 
And for business numbers, it can expand up to as much as 365 days. And the reason that vendors are more interested in recycling these numbers is that FCC issues blocks of numbers to the carriers in thousand number blocks. So the carriers are avoiding the expense there of acquiring those new 1000 blocks of phone numbers when on average they recycle 35 million. They don't want to go through the expense of buying additional numbers if they don't have to. And one of the things that the white paper noted, they didn't put the details around why they speculate this, but they believe that the FCC does not put more stringent requirements around this because they only seem to be concerned about robocalls meant for the previous owners and not looking at these phone numbers as an attack vector for other accounts that the previous owner was using. And the estimate within the article about how long it takes a phone number to be recycled is about 1.2 months. So if you give up a number, that number will be back in circulation in less than two months. [00:17:40] Speaker B: That's really quick. [00:17:41] Speaker A: So if you have a lot of things tied to that, you could be targeted. Actually, now that I think about it, the mandated minimum age is 45 days. So if the number gets taken in 1.2 months, then it looks like about the largest gap you're going to have. There is three months between the time you give up your number and the time that that number is almost certainly going to be back in circulation and be usable by someone else. All right, so why is this even important? 
Obviously, the fact that we mentioned a moment ago that there are some services that some phone numbers are still receiving notifications and sensitive data after it's been recycled, depending on what that sensitive data is, it could be really important that that number not be acquired by a nefarious individual because of the nature of those messages and of the sites that were surveyed within here, they found that 30% offered SMS as a two factor authentication. So if you're using SMS as a two factor authentication, where you log into a site and then they send you a text message to your phone in order to put in the six digit code in order to validate that you are who you say you are, then they can leverage it to attack those accounts like the Google, the Amazon, et cetera, to bypass effectively that two factor authentication. So if you give up your phone number or you exchange your phone number for a new one, you should at least ensure that you go in and change that phone number within there to prevent that SMS being sent over. And one of the other reason that this is important is some phone services have your number tied to you so that when you call them, they do a reverse lookup or they reference that phone number that's dialing in and say, oh, well, this is associated with you. And they bypass some authentication mechanisms within the phone system and automatically provide data based on the fact that that number is tied to an account. And apparently the article mentions that credit cards are particularly vulnerable to this type of attack. So what can be done about this? So they already reached out to Verizon, T Mobile, and this is, this is an issue. You guys should do something to address this. So they did what any normal business would do and updated their documentation, at least make the data available to customers so that they understand this is how it works. 
And I just have to say that I'm thankful, well, at least this is my hope anyway, is that they don't have an API where this data is accessible. So hopefully it is restricted to that web interface where you can only get five numbers at a time or something. Because I can imagine how dangerous this would be if you were able to link together a couple of APIs and run through that entire 35 million or however many million or thousands that are available at any one instance and compare that with other pieces of information they might be able to. I mean, if you were doing something at that scale, you could probably even identify very lucrative targets via that method. [00:21:32] Speaker B: I can imagine. I'm just thinking people that, like businesses, for example, don't care about continuity of number necessarily. If you're a single person business, yeah, you need that business number to stay the same. But my work phone number, for example, they're going to let that go when I'm gone. And I don't know if I've used that in any corporate, shall we say, authentication mechanisms. That's interesting because especially if you can pull that data set in large quantities and then compare it to things like how sales and marketing people keep track of everybody. You could actually attach numbers to companies and then potentially gain access to companies. It'd be a lot of work, but that's like apt level work, probably. [00:22:16] Speaker A: Actually, I'm wondering if it might not necessarily grant you access directly to that company, but it could grant you access to third party those companies are leveraging. [00:22:24] Speaker B: That's correct. [00:22:26] Speaker A: If you have an employee that's got you issue them a phone and they use that phone to interact with a third party business via sms, and then that phone gives up or is given up or recycled, however you want to put it, then the access to that third party is then at risk. 
And depending on what that third party is, that could be pretty dangerous for your organization, even though it is the third party, because they'll be doing things on your behalf or impersonating you or your organization. So one of the recommendations in the article, and I didn't even realize this was a thing, was that you can park a phone number like you can park a domain name, so you can basically maintain ownership, if you will, of that number and set it aside but not use it. And this is possible under the FCC local number portability rules. And there are services out there that you can leverage in order to park numbers, and you can even transfer this number to an Internet voice service like Google Voice also. So you could even continue to leverage that number and have a new number at the same time. And there's a lot of features in those Internet voice services like Google to block numbers, auto reply, things that can continue to make that phone number useful and yet maybe minimize the risks or the reason that you don't use that number as your primary any longer. And of course, if you have the option to use an authenticator app versus SMS for two factor authentication, certainly choose that instead of SMS. And also consider whether or using a different account recovery mechanism than SMS as well to eliminate the ability for that account to be recovered via the phone number once you give it up. And we'll have links in the show notes to several articles that talk about this, as well as the white paper. And one of these number parking services which are mentioned within the report as well. [00:25:03] Speaker B: Article number two we have is from Krebson Security, and there's actually a related proof point article that will be in the show notes as well. This is on Office 365 apps or the ultimate insiders, and the summary is that attackers are pivoting to a new method of gaining access to accounts. It was always creds, creds, creds, creds. How do we get more creds? 
What they figured out last year is they can get you to authorize an application which can then access your account. The common permissions asked for by these applications is to read your email, read your contact list, read your recent communications. But other permissions can include sending email as you access to other communications such as Teams or Skype, access to all your files, pretty much access to anything that you do in SharePoint or the Office 365 tenant. Then after the application is authorized or not, the attackers can then redirect you. It's included in the URL to Microsoft, so you can actually parse it out if you wanted to look at it and see where they're sending you. But depending on what they want to do. They may send you to a benign page or they may send you to an actual credential phishing site so that they have both the app and they have your credentials. Or I guess they could send you to a malware site too. They can send you anywhere. So Microsoft is aware, and last year they did restrict the app publishing to verified publishers only. So it is no longer the Wild west there. But now attackers are themselves pivoting as well, and they're using compromised credentials to create apps in those verified publishers. So it's still not quite as safe as maybe we hoped. [00:26:43] Speaker A: But if they're sending you to a potential malware site or a credential harvesting site, if you're using defense in depth and a proxy, that still should provide a certain level of protection against that, right? [00:26:56] Speaker B: Yeah. And that's one of the things that I had a little down here is that it's still a phishing attack. It still uses a malicious like, there's definitely some similar things to catching and stopping these. It's just a little bit different. So for example, it doesn't send you directly to the Microsoft site, it has to send you to an external URL first, which then redirects you to the Microsoft site and requests those application still. 
But I guess they can direct you something that's not directly phishing related because I know that's definitely one quick and easy way to spot a credential fish, right? Is it looks like Microsoft but it's not actually Microsoft, whereas this can purport to be something completely different. My personal thought though is that they're turning to this method because so many companies are doing MFA these days. It's been really pushed over the last couple of years and it pretty effective at stopping the normal credential phishing attacks. You may still have to reset passwords, but the attackers can't get in, right? [00:27:56] Speaker A: Because they don't get actually access to your account, they just kind of get permission to act on behalf of your account. Yes. [00:28:05] Speaker B: And that is the second discussion point, which is you're probably not looking at this compromise vector. If you're looking for phishing emails, I mean, you're still looking for the phishing emails. But if you are examining for compromise in your accounts, if you're doing any hunting around there, you're probably looking for weird logins, you're probably looking for new inbox rules, you're probably looking for strange emails being sent out from an account. And well, other than the last one, which you may still find with this, none of those are going to detect this type of compromise. But good news, like I said, a lot of the same protections work here. You can still look for large amounts of emails being sent out which will help you find a compromised account, although it'll be a little late at that point. You can still rely on humans to notify you if there's wire transfer, fraud or other business email compromised stuff going on. You can still use vendors like proofpoint, which will come up because they made the article here to try and find those incoming malicious links. You can still use your proxy to find the links going out. 
They still have to register and use an external website and infrastructure of some kind. So this is not a completely new, this is just a twist on an. [00:29:13] Speaker A: Old standard and it's clear in the M 365 logs that this is taking place. So you could monitor for this with your sim. [00:29:24] Speaker B: Yeah, I took a look at the office 365 log examples they provided and it looks like there's an operation having to do with consent on application. I don't know exactly how it looks like in your sim, I don't know exactly what the log looks like, but if you do a search you should be able to find it. You may find things like LinkedIn, you may find other adobe, there's other applications that are in Office 365 that are totally legitimate. You'll definitely want to go into your logs. You'll want to look, see if you can find that specific consent to application or consent on application and figure out what you have registered and maybe take a look at, I don't know, whitelisting the ones you know you should have registered, alerting on new ones, doing a periodic review, however you want to handle that. [00:30:12] Speaker A: Now, would it be clear or relevant to do some correlation monitoring here to look for referrals from a site to Microsoft and then a subsequent log identifying that this permission has been granted. [00:30:35] Speaker B: That would work out, I think. So right after I had said that, I was sitting here thinking about it. I was like, well, you know, they could call the application probably whatever they want. So depending on how sneaky they're being, you might not be able to find them just looking at the name of the application. But the links like you were talking about, they have the Microsoft links in the article. I think it's in the proofpoint article, not the Krebs article. 
They do show a structured link there where it has the sid of the client id, then it has the redirect UI and it has the scope which will include the permissions requested and it's login. Microsoftonline.com common two v, two authorized question mark. And that should be the same every time. So you could take a look through proxy logs. If you've got a complete set of those and look at what people are requesting and look at the redirect URI to see if it goes to a legitimate one. And look at the scope and look at which permissions are requested. So for example, if you're adding LinkedIn, it requests permission to access your calendar, it requests permission to access your list of most common people you interact with, which is probably bad. You probably shouldn't let LinkedIn get access to that. But you could go and I mean, you could do this both in the office 365 logs and the proxy logs, look for weird or excessive permissions like sending email, and then maybe focus your checking on those. [00:32:09] Speaker A: Yeah, you might even want to talk to your governance or your policy people about what is going to be approved within your policy to what your employees are going to be allowed to do and what they're not, and then create alerts or events around excessive granting of these types of permissions within your SIM. [00:32:31] Speaker B: Then yeah, you can block these applications from being added for sure. The question is how much of a pain is that going to be to kind of get one by one approval? And that would be an excellent case for you to go into the sim and just check how often it occurs and then make a decision. Do we want to block it or do we want to check it after the fact? 
[00:32:54] Speaker A: Yeah, and I don't think organizations are thinking about their policy in regard of these types of capabilities when they're doing these migrations to SaaS and cloud services, that these are entirely different things which weren't present on Prem, that you didn't have to have a policy around how your employees are going to interact with these services that need to be considered now. [00:33:18] Speaker B: Yeah, I don't know enough about any of those services, but how often can you do this with any number of other services that just use an OAuth two token? [00:33:29] Speaker A: Well, that's the thing, is that if you have it down in policy, you may not necessarily need to do it on a service by service basis, but just on a permissions by permissions basis, saying that anything that uses this type of capability, you may only grant this, this and this or something like that, or you require this level of approval or some kind of structure around the ability for employees to use this. In the Krebs article they talk about when he mentioned or when this came up, I think last year he wrote an associated article with this, Microsoft was saying that oh well, you can't just disable it for everybody because it's too much of an impact on inhibiting your employees ability to get their job done. [00:34:16] Speaker B: I don't think it's that much of an impact. [00:34:19] Speaker A: Yeah, and you can also gather some statistics around it maybe to use that in order to attempt to form your policy if you don't already have one in place for M 365 or other services of that type. [00:34:32] Speaker B: But yeah, you can definitely check your SEM logs like I said and see how often it happens. And you got to make that decision. But at the very least you should be able to see if there's any kind of large scale installations happening where we've got, oh we've got a couple of hundred people that need this. 
And then I don't know if it allows whitelisting by application, but if it does that would be great. I don't know if they said if it allowed whitelisting or not. So either way you need to have the security logging turned on. Looks like you have to create an OAuth app policy and there's a link in the Krebs article to how to do it. So definitely go take a look at that. [00:35:10] Speaker A: It'd be nice if Microsoft or other vendors that provide this would include some kind of workflow for the approval of this. Almost like a Pam like Cybrark privilege access management solution. Say well yeah, I can check out this credential, but I need someone else to sign off on it. If Microsoft would build something into that to say oh sure you can install one of these, but it requires your immediate manager's approval or something like that. Put some gates around these new capabilities and saying oh well here it is and just let everybody run wild on it. [00:35:55] Speaker B: I'll tell you what joins me about Microsoft right this second. They have so many kind of security capabilities that they don't enable out of the box and or even the ones that are enabled out of the box, they're in a whole bunch of different places in their environment. Like right now. I just followed that link from that Krebs article and I'm looking about the OAuth app anomaly detection policies. I thought this was just to turn on the logging, but no, this is actually anomaly based detections of potentially malicious Oauth apps. And I'm sitting here thinking like I know that I've never seen this before and I feel like that a lot with Microsoft. A lot of the time I get kind of blindsided by someone ask oh, are we reviewing this or, oh, are you taking a look at this? And I'm like, I've never heard of this before. [00:36:40] Speaker A: Well, my gut feeling on that is that something like M 365 is so huge, and they have so many different teams working on different aspects of it. 
There isn't a central clearinghouse for everything here. Each team is kind of doing its own thing and then throwing it up there, and there's nobody herding those cats to put that into a central place.

[00:37:06] Speaker B: I think it's like security.microsoft.com. There is a central dashboard that has a lot of alerts, although it doesn't have all of them, because I've also seen the Cloud App Security portal has some different alerts, but they have to be turned on in different places as well. So, yeah, it's definitely frustrating trying to go through and look in your SIEM and be like, oh, we've got this, this and this, or where you see alerts in one portal, and then you go into your SIEM, but not all the alerts made it into the SIEM. So obviously something had to be turned on somewhere else. It's definitely confusing, or maybe I'm dumb. That's always a possibility. We have one more article, a bonus article, kind of a fun one. This was from Kunnamon via Schneier on Security, where researchers found a remote no-click vulnerability in Tesla cars, allowing them to do everything in the car you can do in the console except drive. So. But the fun thing here is not that they found a vulnerability. Whatever. People find vulnerabilities all the time. They apparently used a drone to do it. And I was like, oh, man. I have not included drones in my threat models. And so I thought it might be fun to kind of discuss how maybe we could be integrating drones into our threat models going forward. My first thought is, people always talk about, if you have physical access to a box, all security controls are bypassed. You can't trust the box anymore. But the downside to that is you had to go to wherever the system was. Now, with a drone, you can get a lot closer than you could. You don't have to jump the fence anymore. You can fly your quadcopter in and hover outside the window.
I don't know how much good that gets you because you're still not at the system, but now you're within Wi-Fi range of it.

[00:38:47] Speaker A: And actually, this was a Wi-Fi attack from the drone. So what I was actually thinking is that if you put an AP on a drone and fly it in and have it with a similar SSID as...

[00:39:05] Speaker B: The legitimate one, people automatically connect. Right. You can man-in-the-middle. Yeah, that's even better.

[00:39:13] Speaker A: And if you work for an organization that has a large campus, where that's not something you're overly concerned about, because if you work in a downtown metro area, you're going to get Wi-Fi signals all over the place. And it's really challenging to isolate your own corporate Wi-Fi in an environment that large, trying to disassociate users and stuff like that with attacking APs. But if your organization has a large campus and you don't get that number of other Wi-Fi signals in close proximity, that might not be something that you're considering in your attack model, and someone throws an AP on a drone and flies it in, then all of a sudden, there it is. And it may or may not be prepared for and could cause you some challenges there.

[00:40:22] Speaker B: Yeah, I was thinking about the city thing, how you could. People think they're up on the 50th floor and they're pretty safe, but you could fly a drone up alongside the building, shoulder surf their passwords from outside the window.

[00:40:37] Speaker A: You have one of those laser mics that watch the vibration in the glass.

[00:40:42] Speaker B: Yeah. Technically you could do that from another building too.

[00:40:45] Speaker A: Well, if it's 50 stories up, it depends on the line of sight at that point.

[00:40:50] Speaker B: Yeah, they could add little darts in there to put the security guards to sleep and just sneak it into the building.

[00:40:59] Speaker A: Well, imagine if you get a Wi-Fi quadcopter that's big enough to lift 150 pounds.
Then you just have it pull someone up to the roof.

[00:41:08] Speaker B: Yeah, you don't have to try and HALO down and hit the roof, you just have it carry you. Although at that point, you might as well look at a jetpack, I guess. So back to the Teslas and drones. So my first thought, and I read the article and unfortunately you can't do this, but I was thinking about, like, what happens if you fly a drone over a section of highway in ten or 20 years, when all the cars are networked, and you just grab all the cars in the area, everybody within 500 feet or so, and now you've got a swarm of cars. What do you do with that? How do you stop that?

[00:41:39] Speaker A: Oh, I was thinking about, if you're the attacker, what do you do with that? You rent out the ability to drive those other cars.

[00:41:51] Speaker B: You turn them into Ubers for yourself for a little while.

[00:41:54] Speaker A: Well, I was thinking more like bumper cars. But if you were going to do the Uber thing, I'd wait till the car is parked and just do it as an autonomous rental.

[00:42:08] Speaker B: Oh, no, you're right. Yeah. It may take them days to find it. Well, probably. Actually, at that point, once everything's networked, it'll probably be pretty quick to find, but they just won't notice it's gone until they come back to it.

[00:42:19] Speaker A: Well, I mean, if you've got good attack software though, you're going to be able to disable the GPS. Hopefully quality attacks here. Oh, that might mess up the autonomous driving, though. You're right.

[00:42:31] Speaker B: It depends on how it does it. I don't know if it would use a combination of GPS and LIDAR and all that sort of thing. We were sitting down earlier and talking about the fact that Amazon and these packaging companies are talking about using drones to deliver, and David suggested a fun new variant of ransomware. Would you like to discuss that?

[00:42:55] Speaker A: Sure.
So the idea is that what you do is you ransom the packages, so you take over the drone and you don't release the package to the recipient until they pay a fee, depending on... And my guess is that what you'd want to do is you'd want to scale that based on package weight, because you don't want to charge a $5 ransom fee for a $2 item because no one's going to pay that. So you need to figure out a way to scale that. You don't know what's in the package necessarily, unless you've also already got a compromised Amazon supply chain. You know what's in there via the barcode that's on it. But that's a little bit, let's say that's expansive. So then you just hold that package for ransom and don't deliver it until they pay. If they don't pay, you drop it in the river.

[00:43:47] Speaker B: I can just see the drone, like, hovering like 20 feet up and it's right there. And you get a text message on your phone that says, send one Bitcoin to this address to get your package, right?

[00:43:59] Speaker A: They could tease you.

[00:44:01] Speaker B: It drops a little bit and you're like, yes, jump. And then you grab it and the drone flies off with you hanging off of it. So other wildly improbable stunts that we discussed were hijacking all the drones coming out of a warehouse and having them dive-bomb people and dropping packages on their heads. That's more of the cyber anarchists', the anti-capitalists' probable response there, stealing all the packages from the drone. But as David mentioned, that's a crapshoot. Maybe they bought a whole bunch of stuff you don't want. How do you turn that into cash?

[00:44:42] Speaker A: Well, one of the things you could use to turn it into cash is to only hijack the drones that are going to neighborhoods where houses are over a million dollars.

[00:44:52] Speaker B: Yeah. And you could probably, like, certain things, like, you can tell, oh, this package is 65 inches by 20 inches. Like, oh, that looks like a TV. Or a lot of times...
Last time I got a laptop shipped to my house, they just stuck a sticker on the Dell box. I was like, thank you. Thank you for hiding the fact that it's a laptop.

[00:45:12] Speaker A: When I got my TV delivered, they just put it in my driveway, and it was like a full-color image of what you'd see leaned up against the wall at Best Buy or whatever, sitting in my driveway. I was like, oh, thanks a lot. That's great.

[00:45:32] Speaker B: I'm glad that my neighbors are trustworthy.

[00:45:35] Speaker A: Yeah, or they're too lazy to pick up something that heavy.

[00:45:39] Speaker B: I mean, TVs are so cheap today, it's almost not even worth it. The TVs in my house aren't worth stealing anymore. Like, ten years old.

[00:45:47] Speaker A: Yeah, well, I mean, it's like the CRTs. You can't even give them to Goodwill. You can't even give them away anymore. And when I was a kid, we actually had our TV repaired. Now no one would have a TV repaired. You throw it out and you buy a new one. No one repairs TVs anymore.

[00:46:09] Speaker B: So would it be worthwhile having drones doing, like, war driving, like Google does as part of their mapping thing? I'm surprised we don't have, like, Google drones overhead, like, mapping out our Wi-Fi networks.

[00:46:20] Speaker A: It's probably a matter of range.

[00:46:23] Speaker B: Yeah, because what does a Phantom fly now? Like, 30 minutes or so?

[00:46:29] Speaker A: I am not sure.

[00:46:31] Speaker B: I'm going to go do some real-time research. Phantom 4, flight time. See, this is real quality programming you've got here, guys. 28 minutes. Yeah. How fast does it go? It says max wind speed 10 meters per second. How fast, though? Oh, this is no longer in production. Whatever. It's close enough.

[00:46:52] Speaker A: Yeah, this is why it would have to be more targeted, because of those limitations right now.

[00:47:00] Speaker B: For now. Max speed is 20 meters per second. Translate that into freedom. Freedom units, miles per hour.
That's 45 miles an hour, though. Oh, my God. That's a pretty good clip for 28 minutes. Yeah, you could go 12 miles out and 12 miles back, assuming you had a connection that did that. Wow. Good GPS. And you could do a pretty big swath. Although again, probably the connection is not that big, so you'd probably have to do it in acres at a time rather than linear miles.

[00:47:36] Speaker A: Well, I mean, once they upgrade those drones to have satellite connections to... What the heck is it called? Elon Musk. Yeah.

[00:47:47] Speaker B: His new Internet. Yep.

[00:47:50] Speaker A: Starlight.

[00:47:51] Speaker B: No, Starlink.

[00:47:52] Speaker A: Right.

[00:47:52] Speaker B: Starlink.

[00:47:53] Speaker A: Starlink, Starlink. That's it.

[00:47:55] Speaker B: There we go. Yeah.

[00:47:58] Speaker A: So then you don't even have to maintain line of sight of the drone anymore, as long as the satellites can see it.

[00:48:05] Speaker B: Especially if you had a little bit of limited autonomy to make sure it avoids stuff. Either that or put it at an altitude where it's above everything. It doesn't have to worry about hitting anything. Then you just tell it to run a pattern and then come back.

[00:48:15] Speaker A: Right. Stay away from helicopters.

[00:48:19] Speaker B: Yeah. Wow. More than 500,000 orders for Starlink satellite service. I had satellite service once, and it was awful. I don't know how he's going to improve the latency issues there.

[00:48:30] Speaker A: It's low orbit. So that's how it's going to reduce the latency, is it's reducing the distance traveled.

[00:48:38] Speaker B: I got you.

[00:48:38] Speaker A: Yeah.

[00:48:39] Speaker B: Because it used to be we could download via the satellite, but we had to upload via, like, a 56K modem. But even then, there was, like, a two- or three-second latency between the two trying to sync them up. Interesting, but that's not what we're talking about. All right, so why does this matter? It mostly doesn't.
Drones are not in the threat model of most people. But I think depending on your business model and depending on your service, it actually may be. Like, if you're in a very sensitive area where you're back off the road, you're trying to keep some physical distance, I think it's something you should consider. What happens if somebody does stick a wireless retransmitter on a drone and fly it onto the roof of your nice, physically separated facility and then set up an AP or something there? I don't think you should do anything about it. I don't think that this is something where you need to run out and get yourself some anti-drone, anti-aircraft defenses. Although that would be funny if that was a thing in about a decade's time. But I think it is something to just kind of start tossing around the ideas. Now, this is one of those things where we probably shouldn't wait until after the first drone-related hacking attack occurs, because it's going to happen. As silly as that kind of sounds saying it out loud.

[00:49:54] Speaker A: Yeah. Then you'll need the autonomous automated guns on the top of the roof.

[00:49:59] Speaker B: Go buy a couple of Phalanx systems from the carriers. Those were pigeons. Those were pigeons.

[00:50:07] Speaker A: So then you've got...

[00:50:13] Speaker B: Feel almost like. It's funny, I read a lot of sci-fi, you know this, David, but I almost feel stupid talking about this like it's... But they're used in warfare. You can buy a little one for a couple hundred dollars commercially. Like this is. This is going to be something in a couple of years.

[00:50:33] Speaker A: Yeah. I think right now there are two challenges that it faces. Right now it's what we talked about before, about the limitations of the drones themselves, and the fact that the attacks that most people can think of right now are easily done, or done more easily, via different methods.

[00:50:55] Speaker B: Yeah. Really, the only thing the drone buys you is physical proximity.
For a website, physical proximity doesn't matter. You just turn on your Internet. That was the only real thing that a drone could buy you, I thought: the ability to get a lot closer than maybe you could in person without sneaking around.

[00:51:13] Speaker A: Yeah. And it's probably not going to be shot down by the laser defense grid on the sidewalk, so you can bypass that.

[00:51:23] Speaker B: Yeah. No automated turrets or security cameras to catch you. No augmented security guards.

[00:51:32] Speaker A: Yeah. It's not the Venture compound.

[00:51:39] Speaker B: Right. I think. I think that's about it for that article. Do you want to take us out?

[00:51:44] Speaker A: Sure. So thanks for joining us. Please follow us at @serengetisec on Twitter and subscribe on your favorite podcast app.