Software-based network isolation provided by routers is not as effective as commonly believed, since attackers can smuggle data between the isolated networks for exfiltration. Most modern routers offer the option to split the network into multiple segments that operate separately; one example is a guest network running in parallel with the host network.

The boundary insulates sensitive or critical systems from others that are subject to less strict security policies. This practice is common and is even a recommended security measure. It is, however, a logical separation implemented in software, and it is not airtight.

Covert cross-network communication

Researchers at the Ben-Gurion University of the Negev discovered multiple methods to carry data across two segregated network segments on the same hardware.

They achieved this through direct or timing-based covert channels and tested the findings on seven routers in various price ranges from multiple vendors. The methods do not allow exfiltration of large amounts of data, but they show that it is possible to break the logical barrier.

Clandestine direct communication is possible by encoding the data in packets that several protocols erroneously forward to both isolated networks. This method does not work on all tested routers, and where it does work, the transfer is not bidirectional in all cases.

Timing-based covert channels rely on shared hardware resources (CPU time, network and memory buffers) to send the information. The sender deliberately influences the load on those resources, and the receiver measures the effect to recover the bits of data.

“To exploit these [timing-based] channels, we need to construct sender and receiver gadgets which cause an increased demand on the router’s control plane or sample this demand, respectively.”

The researchers tested devices from TP-Link, D-Link, Edimax, and Belkin. Some of them are still supported; the most recent firmware update we could find is from January 14, 2019, for the Edimax BR-6208AC.

Read more »

Multiple vulnerabilities were found by security researchers in 4G routers manufactured by several companies, with the flaws exposing users to information leaks and command execution attacks.

Pen Test Partners researcher ‘G Richter’ shared the flaws found in 4G devices during this year’s DEF CON hacking conference, saying that “a lot of existing 4G modems and routers are pretty insecure.”

“We found critical remotely-exploitable flaws in a selection of devices from a variety of vendors, without having to do too much work,” Richter said.

“Plus, there’s only a small pool of OEMs working seriously with cellular technologies, and their hardware (& software dependencies) can be found running in all sorts of places.”

The worst part is that the security flaws were discovered after examining only a limited set of 4G routers, which nonetheless covered the entire price spectrum, from consumer-grade routers and dongles to very expensive devices designed for large enterprise networks.

All the security flaws found were reported to the vendors, who fixed most of the discovered issues before the Pen Test Partners report was published, but unfortunately the disclosure process did not go as smoothly as expected.

Read more »

If you own a device, or a hardware component, manufactured by ASUS, Toshiba, Intel, NVIDIA, Huawei, or the 15 other vendors listed below, you are probably in a bad situation.

A team of security researchers has discovered high-risk security vulnerabilities in more than 40 drivers from at least 20 different vendors that could allow attackers to gain the most privileged permissions on the system and hide malware in a way that remains undetected over time, sometimes for years.

For sophisticated attackers, maintaining persistence after compromising a system is one of the most important tasks, and existing hardware vulnerabilities sometimes play an important role in achieving it.

Read more »

Microsoft announced the discovery of a vulnerability in Remote Desktop Services that could allow wormable malware, such as ransomware, to propagate easily through vulnerable systems.

This vulnerability, now known as BlueKeep, was assigned the ID CVE-2019-0708 and affects Windows 7, Windows 2008 R2, Windows Server 2008, Windows XP, and Windows Server 2003. Due to its severity, Microsoft released patches for all supported versions of Windows as well as for Windows XP and Windows Server 2003, which no longer receive security updates.

Since then, numerous security vendors and researchers have successfully created proof-of-concept exploits for this vulnerability. While none of these have been released, it would not be surprising if malware developers and threat actors were working on their own exploits.

As detailed in Microsoft’s security advisory:

  • A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests.
  • An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.

Read more »

A new variant of the Spectre (Variant 1) side-channel vulnerability has been discovered that affects all modern Intel CPUs, and probably some AMD processors as well, that rely on speculative execution for high performance, Microsoft and Red Hat warned.

Identified as CVE-2019-1125, the vulnerability could allow unprivileged local attackers to access sensitive information stored in privileged kernel memory, including passwords, tokens, and encryption keys, that would otherwise be inaccessible to them.

Speculative execution is a core component of modern microprocessor design: the CPU executes instructions ahead of time based on assumptions that are considered likely to be true. If the assumptions turn out to be valid, execution continues; otherwise the speculative results are discarded.

Speculative execution also leaves behind side effects that are not rolled back when the CPU state is unwound. Those side effects can encode otherwise inaccessible data, which an attacker can then recover using side-channel attacks.

Microsoft silently patched the new speculative execution vulnerability, which was discovered and responsibly disclosed by researchers at security firm Bitdefender, in its July 2019 Patch Tuesday security update.

According to a security advisory released today by Red Hat, the attack relies on the CPU speculatively executing unexpected SWAPGS instructions after a branch is mispredicted.

Read more »