BRATISLAVA – ESET, a global leader in IT security, will highlight its latest research during Black Hat USA 2020. ESET researchers Robert Lipovský, Štefan Svorenčík and Vladislav Hrčka will present this Thursday, August 6, on “KrØØk: Serious Vulnerability Affected Encryption of Billion+ Wi-Fi Devices” and “Stantinko Deobfuscation Arsenal.” Black Hat is the world’s leading information security event, which is being held completely virtually this year due to the COVID-19 crisis. After the conclusion of the event, ESET will make the findings available to the research community, media and the general public.

The presentation about KrØØk by Robert Lipovský and Štefan Svorenčík will take place on Thursday, August 6, at 12:30 – 1:10 PDT (21:30 – 22:10 CEST). The talk will disclose the most recent discoveries that more Wi-Fi chip manufacturers, specifically Qualcomm and Mediatek, have also been affected by variants of the KrØØk vulnerability.

KrØØk is a vulnerability originally discovered in Broadcom and Cypress Wi-Fi chips that allows unauthorized decryption of some WPA2-encrypted traffic. Exploiting KrØØk allows adversaries to intercept and decrypt (potentially sensitive) data, but with a significant advantage for the attackers: While they need to be in range of the Wi-Fi signal, they do not need to be authenticated and associated to the WLAN. In other words, the attackers do not need to know the Wi-Fi password.  
The KrØØk findings were first presented at the RSA Conference 2020 in February. After publication, the vulnerability was brought to the attention of many more chipset and device manufacturers. Some manufacturers have since discovered their products to be vulnerable and have deployed patches. 

The second talk will aid malware researchers and reverse engineers to analyze Stantinko, a botnet performing click fraud, ad injection, social network fraud, password stealing attacks and cryptomining. The Black Hat Arsenal format will predominantly focus on Stadeo, a set of tools we developed primarily to facilitate the analysis of Stantinko but that can also be helpful when analyzing other malware strains utilizing similar techniques, including the infamous Emotet crimeware. Stadeo will be demonstrated for the first time at Black Hat USA 2020 and subsequently published for free use. 

The demo will be provided by ESET researcher Vladislav Hrčka on Thursday, August 6, at 11:00 – 12:00 PDT (20:00 – 21:00 CEST).

For more information, visit Black Hat USA and WeLiveSecurity, where the research will be subsequently published. Make sure to follow ESET research on Twitter for the latest news from ESET Research.

BRATISLAVA – ESET has published a comprehensive overview of risks stemming from Thunderspy, a series of vulnerabilities in Thunderbolt technology, and possible protections. Via Thunderspy, an attacker can change – possibly even remove – the security measures of the Thunderbolt interface on a computer. As a result, an attacker with physical access to the target computer can steal data from it, even if full disk encryption is used and the machine is locked with a password or sleeping in low-power mode.

Thunderspy was discovered by Björn Ruytenberg, a computer security researcher, in May 2020. “While Ruytenberg’s research has received publicity because of its novel attack vector, not much has been said about how to protect against Thunderspy, or even determine whether you have been a victim,” points out Aryeh Goretsky, ESET Distinguished Researcher.

In his article “Thunderspy attacks: What they are, who’s at greatest risk and how to stay safe,” Goretsky briefly explains the technical background for Thunderspy but focuses primarily on practical methods to defend against it.

Thunderbolt-based attacks are very rare because they are, by their nature, highly targeted. “The fact a typical user will not get into an attacker’s crosshairs doesn’t mean everyone is safe. For many, following some of the admittedly draconian recommendations we describe in our article really makes sense,” comments Goretsky.

There are two types of attacks against the security that Thunderbolt relies on to maintain the integrity of a computer. The first is cloning the identities of Thunderbolt devices that are already trusted and allowed by the computer. The second is to permanently disable Thunderbolt security so that it cannot be re-enabled.

“The cloning attack is like thieves who steal a key and copy it. Afterwards, they can use the copied key repeatedly to open that lock. The second attack is a form of bricking a chip. In this case, permanently disabling Thunderbolt’s security levels and write-protecting the changes so they cannot be undone,” explains Goretsky.

Neither type of attack is done simply, since actual in-person access to the target computer is required, along with the tools to disassemble the computer, attach a logic programmer, read the firmware from the SPI flash ROM chip, disassemble and modify its instructions, and write it back to the chip. Such attacks are a type of “evil maid attack,” implying the scenario of the attacker entering a hotel room while the victim is not present to conduct the attack.

The necessity to physically tamper with the computer limits the range of potential victims to high-value targets. Some may be pursued by nation-state intelligence or law enforcement agencies, but also business executives, engineers, administrative personnel or even frontline employees may be targets of opportunity if the attacker has some commercial motive, such as industrial espionage. Under oppressive regimes, politicians, NGOs and journalists are also possible targets for advanced threats like Thunderspy.To defend against Thunderspy, just like any other hardware attacks requiring physical access to the system, it’s important to decide whether the goal of the defense is to make it evident that a physical attack occurred, or to protect against it.

Protection methods against Thunderspy attacks may be divided into separate categories. “First, prevent any unauthorized access to your computer. Second, secure all your computer’s relevant interfaces and ports, such as USB-C. Besides that, look beyond physical measures and also take steps to make your computer’s firmware and software more secure,” summarizes Goretsky.

The article “Thunderspy attacks: What they are, who’s at greatest risk and how to stay safe” contains many practical pieces of advice on improving the security against the theft of data by Thunderspy, including one that stands out as simple yet relatively powerful.

“Disable hibernation, sleep or other hybrid shutdown modes. Make the computer turn completely off when not in use – doing this can prevent attacks on the computer’s memory via Thunderspy,” recommends Goretsky.

Aside from all other security measures, users employ security software from a reputable provider that can scan the computer’s UEFI firmware, one of the locations where Thunderbolt security information is stored.

For more information, please read “Thunderspy attacks: What they are, who’s at greatest risk and how to stay safe” at WeLiveSecurity.com.