Advisory ID: NCC-CSIRT-071223-045
Summary: Critical vulnerabilities in Cisco's IOS XE software, CVE-2023-20198 and CVE-2023-20273, have been exploited in the wild, allowing attackers to gain unauthorised control over affected devices. Together these weaknesses let unauthorised users obtain high-privilege access to network devices, leading to unauthorised control of, and activity on, the affected networks.
Threat Type(s): Vulnerability, Unauthorised Access.
Impact/Vulnerability: CRITICAL/HIGH
Product(s): Cisco IOS XE Software
Platform(s): Cisco Networking Devices
Version(s): 17.9, 17.6, 17.3, 16.12
Description: Exploitation of these Cisco IOS XE vulnerabilities has severe consequences, primarily because it grants attackers unauthorised high-privilege access to network devices. With that access they can control network operations, which can lead to data breaches, including the theft of sensitive information. Attackers can also disrupt network services, significantly impacting business operations and causing financial and reputational damage. Compromised devices can further be used as a launchpad for attacks deeper into the network or to spread malware across it, multiplying the risk and the potential damage.
Consequences: Potential for compromised network security and unauthorised activities.
Solution:
- Update to the latest fixed Cisco IOS XE software release.
- Disable the HTTP Server feature on internet-facing systems.
- Monitor networks vigilantly for signs of malicious activity, such as newly created or unexpected privileged local accounts and unexplained configuration changes.
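Two of the three mitigations above (disabling the web server and watching for unexpected privileged accounts) can be checked from a device's running configuration. The following is an added example, not a Cisco tool or part of the original advisory: it parses a constructed `show running-config` excerpt, flags whether the web UI is enabled and whether it is restricted by an `ip http access-class`, lists privilege-15 local users not on an assumed allowlist, and emits the config-mode commands that close each finding. Note that an in-memory implant does not appear in the configuration, so this is a configuration audit, not an implant check.

```python
"""Audit a Cisco IOS XE running-config for web-UI exposure and unexpected
privilege-15 users.  Added example; not a Cisco tool."""
import re

# Constructed sample of `show running-config` output (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 REDACTED
username svc-backdoor privilege 15 secret 9 REDACTED
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
end
"""

# Local admin accounts the operator actually provisioned (assumed allowlist).
EXPECTED_ADMINS = {"netops"}

USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.MULTILINE)


def audit_config(config: str, expected_admins=EXPECTED_ADMINS) -> dict:
    lines = [ln.strip() for ln in config.splitlines()]
    http_enabled = "ip http server" in lines
    https_enabled = "ip http secure-server" in lines
    # `ip http access-class ...` limits which sources can reach the web UI;
    # the advisory's guidance is to disable the feature outright when internet-facing.
    access_class = any(ln.startswith("ip http access-class") for ln in lines)
    priv15 = {m.group(1) for m in USER_RE.finditer(config) if m.group(2) == "15"}
    unexpected = sorted(priv15 - set(expected_admins))

    findings = []
    if http_enabled or https_enabled:
        if access_class:
            findings.append(("MEDIUM", "web UI enabled but restricted by access-class"))
        else:
            findings.append(("HIGH", "web UI enabled with no access-class restriction"))
    for user in unexpected:
        findings.append(("HIGH", f"unexpected privilege-15 local user: {user}"))
    return {
        "http_enabled": http_enabled,
        "https_enabled": https_enabled,
        "access_class": access_class,
        "unexpected_priv15_users": unexpected,
        "findings": findings,
    }


def remediation_commands(result: dict) -> list:
    """Config-mode commands that close the findings returned by audit_config."""
    cmds = []
    if result["http_enabled"]:
        cmds.append("no ip http server")
    if result["https_enabled"]:
        cmds.append("no ip http secure-server")
    for user in result["unexpected_priv15_users"]:
        cmds.append(f"no username {user}")
    return cmds


if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG)
    for severity, message in result["findings"]:
        print(f"[{severity}] {message}")
    print("remediation:", remediation_commands(result))
```

Run it against a config pulled over SSH rather than the web UI, and review the generated `no username` lines by hand before applying them; the allowlist is the only thing distinguishing a legitimate admin from an attacker-created account.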
References:
https://www.securityweek.com/exploitation-of-recent-cisco-ios-xe-vulnerabilities-spikes/
https://www.owler.com/reports/cisco/cisco--exploitation-of-recent-cisco-ios-xe-vulnera/1701878684398
https://www.itsecuritynews.info/exploitation-of-recent-cisco-ios-xe-vulnerabilities-spikes/
Advisory ID: NCC-CSIRT-061223-044
Summary: EURECOM researcher Daniele Antonioli has discovered multiple novel attacks that break Bluetooth Classic's forward secrecy (the property that past session keys are not compromised even if the long-term secret used to derive them is later compromised) and future secrecy (the property that future sessions remain confidential even if a past session key is compromised), enabling man-in-the-middle (MitM) attacks between two already connected peers.
Threat Type(s): Vulnerability, and Man-in-the-Middle Attack.
Impact/Vulnerability: CRITICAL/HIGH
Product(s): Bluetooth
Platform(s): Smartphones, Laptops and Earphones
Version(s): Bluetooth 4.2, released in December 2014, and all versions up to the latest, Bluetooth 5.4, released in February 2023.
Description: The Bluetooth Forward and Future Secrecy (BLUFFS) attacks, as disclosed by the researcher, exploit four architectural weaknesses in the session establishment procedure of the Bluetooth specification. The attacker first forces the derivation of a weak session key and then brute-forces it, which allows arbitrary victims to be impersonated. Posing as the paired device, the man-in-the-middle (MitM) attacker negotiates a connection with the other peer so that subsequent sessions use legacy encryption. An attacker in radio range can also force the same session key to be reused for every session and force the lowest supported encryption key length. Together these weaknesses allow the session key to be brute-forced in real time, enabling live injection of traffic between vulnerable peers. The attack requires the attacking device to be within wireless range when a session is being established, to be able to capture Bluetooth packets in plaintext and ciphertext (including the victim's Bluetooth address), and to be able to craft Bluetooth packets.
Consequences: By compromising a session key, an attacker can impersonate devices and establish man-in-the-middle (MitM) attacks, thereby undermining the future and forward secrecy guarantees provided by Bluetooth's pairing and session establishment security mechanisms.
Solution:
- Make sure your Bluetooth devices operate in "Secure Connections Only" mode so that sufficient session key strength is enforced.
- Ensure that Bluetooth pairing is done in "Secure Connections" mode rather than legacy mode.
- Maintain a cache of session key diversifiers already seen, so that a diversifier cannot be recycled to reproduce a previous session key.
- Require a device in the Central role to authenticate the pairing key.
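The two weaknesses the description relies on, forcing a short key and forcing the same diversifier (and therefore the same session key) across sessions, and the diversifier-cache and key-length mitigations listed above, can be shown in a small model. This is an added example and not code from the researcher or the Bluetooth specification: the key derivation (HMAC-SHA256), the "stream cipher" (hash-expanded keystream XOR) and the message shapes are stand-ins chosen for readability; real Bluetooth Classic uses different functions, but the structure of the problem is the same.

```python
"""Toy model of the BLUFFS weaknesses and the proposed mitigations.  Added example;
the real Bluetooth session-key derivation, message formats and cipher differ."""
import hashlib
import hmac
import itertools

MIN_KEY_BYTES = 16  # Secure Connections Only: 128-bit session keys


class SessionKeyReuse(Exception):
    pass


class WeakKeyLength(Exception):
    pass


def derive_session_key(pairing_key: bytes, diversifier: bytes, key_len: int) -> bytes:
    """SK = KDF(pairing key, per-session diversifier), truncated to the negotiated length.
    The Central supplies the diversifier and the length, which is the root of the problem."""
    return hmac.new(pairing_key, diversifier, hashlib.sha256).digest()[:key_len]


def keystream(session_key: bytes, n: int) -> bytes:
    """Stand-in for the link-layer stream cipher."""
    return hashlib.sha256(session_key).digest()[:n]


def encrypt(session_key: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(session_key, len(plaintext))))


class Peripheral:
    """Legacy behaviour: accepts any diversifier and any key length the Central proposes."""

    def __init__(self, pairing_key: bytes):
        self.pairing_key = pairing_key

    def accept_session(self, diversifier: bytes, key_len: int) -> bytes:
        return derive_session_key(self.pairing_key, diversifier, key_len)


class HardenedPeripheral(Peripheral):
    """Mitigations: enforce Secure-Connections key strength and refuse diversifier reuse."""

    def __init__(self, pairing_key: bytes):
        super().__init__(pairing_key)
        self.seen_diversifiers = set()  # cache of diversifiers already used with this pairing key

    def accept_session(self, diversifier: bytes, key_len: int) -> bytes:
        if key_len < MIN_KEY_BYTES:
            raise WeakKeyLength(f"{key_len * 8}-bit session key refused")
        if diversifier in self.seen_diversifiers:
            raise SessionKeyReuse(diversifier.hex())
        self.seen_diversifiers.add(diversifier)
        return super().accept_session(diversifier, key_len)


def brute_force_session_key(known_plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """Attacker side: once the key length is forced down to key_len bytes, try every key.
    Only feasible for tiny lengths, which is exactly what the attacker negotiates."""
    for candidate in itertools.product(range(256), repeat=key_len):
        key = bytes(candidate)
        if encrypt(key, known_plaintext) == ciphertext:
            return key
    raise ValueError("key not found")


def replay_demo(peripheral: Peripheral, diversifier: bytes, key_len: int) -> bool:
    """Attacker in the Central role replays the same diversifier across two sessions;
    returns True if both sessions end up with the same session key."""
    first = peripheral.accept_session(diversifier, key_len)
    second = peripheral.accept_session(diversifier, key_len)
    return first == second
```

With the legacy `Peripheral`, a replayed diversifier yields an identical key in every session (so one brute-forced key decrypts past and future traffic), and a forced 1-byte key falls to 256 trials; the `HardenedPeripheral` refuses both the short key and the repeated diversifier, which is the effect of the two implementer-side mitigations above.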
References:
https://cybernews.com/security/bluetooth-connections-no-longer-private-with-bluffs-attacks/
https://thehackernews.com/2023/12/new-bluffs-bluetooth-attack-expose.html
https://www.bitdefender.com/blog/hotforsecurity/new-security-threats-in-bluetooth-technology-the-bluffs-attacks/
https://www.bleepingcomputer.com/news/security/new-bluffs-attack-lets-attackers-hijack-bluetooth-connections/
https://dl.acm.org/doi/10.1145/3576915.3623066
Advisory ID: NCC-CSIRT-301123-043
Summary: Significant number of Google Drive users have reported the loss of recent files and folder structure changes, dating back to around April-May 2023. This issue has resulted in the disappearance of critical data stored in the cloud.
Threat Type(s): Data Loss, Service Disruption
Impact/Vulnerability: CRITICAL/HIGH
Product(s): Google Drive
Platform(s): Web-based Cloud Storage Service
Version(s): All Versions
Description: Users of Google Drive have experienced a loss of recent data, with no indication of user error. The situation suggests a failure in the synchronisation of data between local devices and Google Cloud. Google's support team is investigating the issue, with no resolution or root cause identified yet.
Consequences: Potential loss of critical data, disruption of personal and business activities, and loss of trust in cloud storage services.
Solution:
- Do not make changes to the root/data folder in cloud storage.
- Back up important files locally or use an alternative cloud service.
- Monitor for official updates from Google.
References:
https://www.bleepingcomputer.com/news/google/google-drive-users-angry-over-losing-months-of-stored-data/
https://www.digitaltrends.com/computing/google-drive-data-loss/
https://www.spiceworks.com/tech/data-management/news/google-drive-loses-user-data/amp/
Advisory ID: NCC-CSIRT-291123-042
Summary: Researchers at ThreatFabric, an online fraud detection company, have identified a dropper-as-a-service (DaaS) malware known as SecuriDropper. This malware employs an innovative method to bypass Android's security restrictions during payload delivery. SecuriDropper facilitates the infiltration of devices, enabling malicious actors to distribute spyware and banking Trojans. The deployment of these malicious payloads poses a threat to users' privacy and financial security.
Threat Type(s): Malware, Spyware and Banking Trojans
Impact/Vulnerability: CRITICAL/HIGH
Product(s): Android
Platform(s): Android Operating System
Version(s): Android 13
Description: The researchers revealed that the threat employs a 'session-based' installer to load malware, effectively evading Android 13's Restricted Settings feature introduced by Google. Restricted settings act as a safeguard against sideloaded applications seeking accessibility and notification listener permissions, commonly exploited by malware. In the case of apps obtained from a marketplace, a session-based package installer is utilized, distinguishing them from sideloaded counterparts. To overcome these restrictions, SecuriDropper employs a two-step infection process. It initially distributes a seemingly harmless application, functioning as a dropper for the actual malware payload. SecuriDropper utilizes an Android API to emulate the installation process of a marketplace, preventing the operating system from recognizing the payload as sideloaded and thus bypassing Restricted Settings. The dropper requests permissions for external storage access, package installation and deletion, then checks for the payload's presence. If installed, the dropper launches it; otherwise, it prompts the user to 'reinstall' the application, triggering payload delivery.
Consequences: SecuriDropper bypasses Android's 'Restricted Settings' feature, allowing it to install malware on devices that can then obtain accessibility service access.
Solution:
- Android users are advised against downloading APK files from unfamiliar or untrusted sources or publishers.
- Android users should be mindful of the permissions granted to apps, as they control which permissions an app receives.
- Pay attention to warnings from Google Play Protect and agree to block any apps flagged by Google Play Services for displaying malicious behaviour.
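The description above hinges on one observable: a payload installed through a session-based installer is recorded as having been installed by the dropper app, not by a store, and its goal is accessibility-service access. The following is an added example, not ThreatFabric's or Google's tooling: it triages a device from the text output of three adb commands (`adb shell pm list packages -i`, `adb shell pm list packages -s`, `adb shell settings get secure enabled_accessibility_services`) and reports any app with an enabled accessibility service whose installer is not in an assumed allowlist of trusted stores. Pre-installed system services (such as TalkBack) legitimately report `installer=null`, so system packages are excluded. The sample outputs are constructed.

```python
"""Triage an Android device for accessibility services granted to apps that did
not come from a trusted store.  Added example; not ThreatFabric's or Google's tooling."""
import re

# Stores whose installs are not treated as sideloaded (assumed allowlist; extend per fleet).
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

# Constructed sample outputs (not from a real device).
PM_INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=null
package:com.bank.legit  installer=com.android.vending
package:com.fake.cleaner  installer=null
package:com.fake.update  installer=com.fake.cleaner
"""
PM_SYSTEM = """\
package:com.google.android.marvin.talkback
"""
ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.fake.update/com.fake.update.Svc"
)

_INSTALLER_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)")


def parse_installers(text: str) -> dict:
    """package name -> installer package name (None when the shell prints 'null')."""
    out = {}
    for line in text.splitlines():
        m = _INSTALLER_RE.match(line.strip())
        if m:
            out[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return out


def parse_package_list(text: str) -> set:
    return {
        line.strip()[len("package:"):]
        for line in text.splitlines()
        if line.strip().startswith("package:")
    }


def parse_accessibility(text: str) -> set:
    """Colon-separated pkg/Service components; 'null' or empty when none are enabled."""
    text = text.strip()
    if text in ("", "null"):
        return set()
    return {component.split("/")[0] for component in text.split(":")}


def suspicious_accessibility(pm_installers: str, pm_system: str, a11y: str,
                             trusted=TRUSTED_INSTALLERS) -> list:
    """(package, installer) pairs with accessibility enabled that were not store-installed."""
    installers = parse_installers(pm_installers)
    system_pkgs = parse_package_list(pm_system)
    flagged = []
    for pkg in sorted(parse_accessibility(a11y)):
        if pkg in system_pkgs:
            continue  # pre-installed services legitimately show installer=null
        installer = installers.get(pkg)
        if installer not in trusted:
            flagged.append((pkg, installer))
    return flagged


if __name__ == "__main__":
    for pkg, installer in suspicious_accessibility(PM_INSTALLERS, PM_SYSTEM, ENABLED_A11Y):
        print(f"accessibility enabled for {pkg}, installed by {installer or 'sideload'}")
```

In the sample the dropper itself (`com.fake.cleaner`) holds no accessibility service and is not flagged; the payload it installed is, with the dropper recorded as its installer. Treat the result as a triage lead rather than proof: the installer field is metadata reported by the platform, and a clean installer name on its own does not make an app trustworthy.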
References:
https://www.securityweek.com/dropper-service-bypassing-android-security-restrictions-to-install-malware/
https://www.threatfabric.com/blogs/droppers-bypassing-android-13-restrictions
https://www.bleepingcomputer.com/news/security/cybercrime-service-bypasses-android-security-to-install-malware/
https://www.noypigeeks.com/tech-news/securidropper-bypass-android-security/
https://thehackernews.com/2023/11/securidropper-new-android-dropper-as.html
Advisory ID: NCC-CSIRT-241123-041
Summary: A study led by Blackwing Intelligence researchers Jesse D'Aguanno and Timo Teräs, supported by Microsoft's Offensive Research and Security Engineering group, indicates a potential vulnerability in Windows Hello's fingerprint authentication. If successfully exploited, this could enable a hacker to log in as the device owner, provided they can steal or have access to the device without supervision.
Threat Type(s): Vulnerability, System Unlocking
Impact/Vulnerability: CRITICAL/HIGH
Product(s): Laptop Computers
Platform(s): Goodix, Synaptics, and ELAN fingerprint sensors
Version(s): Dell Inspiron 15, Lenovo ThinkPad T14, Microsoft Surface Pro Type Cover with Fingerprint ID (for Surface Pro 8 / X)
Description: According to the researchers, the security flaw exists in the Windows Hello fingerprint feature. Windows Hello, a biometric authentication interface in Windows, allows users to log in through facial recognition or fingerprint scanning. For fingerprint authentication, users set up their fingerprints on compatible devices. Windows Hello uses a secure enclave to store and verify the fingerprint data during login, providing enhanced security compared to traditional password-based methods.
In the Windows Hello system, fingerprints are stored in the sensor chipset. During setup, the operating system (OS) generates an ID that the sensor chip links to the user's fingerprint, and this ID is then associated with the user's account. At login, the sensor reads the fingerprint and, if it matches a known print, sends the corresponding ID to the OS, which grants access to that account. Despite the cryptographic measures in place, weaknesses in this design leave devices open to being unlocked by an attacker who has physical access and can connect their own hardware to the device.
The researchers outline the specific steps for exploiting the three affected systems as follows:
- Dell Inspiron 15: If the attacker can boot the laptop into Linux, they can use the sensor's Linux driver to enumerate the ID numbers associated with known fingerprints. The attacker then enrols their own fingerprint with an ID identical to that of the Windows user they want to impersonate. Using a man-in-the-middle device during the Windows boot, the chip is directed to use the Linux fingerprint database, allowing the attacker to log in as the Windows user.
- Lenovo ThinkPad T14: Similar to the Dell Inspiron 15, the ThinkPad attack uses Linux to add a fingerprint with an ID associated with a Windows user. TLS is used to secure the connection between host and sensor, but this can be undermined in order to add the new fingerprint and log in as the targeted Windows user.
- Microsoft Surface Pro 8 / X Type Cover with Fingerprint ID: This is the most serious of the three. Here there is no security between the chip and the OS at all: any device that can mimic the chip can send a message to Windows, allowing an attacker to log in without presenting a fingerprint.
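All three cases share one root cause: the host accepts a bare template ID from whatever is on the other end of the bus, and nothing ties that ID to an enrolment the host itself authorised. The model below is an added example, written for this advisory and not Windows Hello's, Microsoft's or any sensor vendor's actual protocol: a `NaiveHost` that trusts the reported ID is bypassed both by a spoofed chip (Type Cover case) and by a print enrolled out of band under the victim's ID (Dell/ThinkPad case), while an `AttestingHost` that shares a secret with the paired sensor, verifies an enrolment proof, and challenges each login with a fresh nonce rejects both. HMAC-SHA256 and the message fields are assumptions made for the illustration.

```python
"""Minimal model of why a host that trusts a bare template ID from a fingerprint
sensor can be bypassed, and how binding enrolment and matches to a host-sensor
secret closes the gap.  Added example; a simplified illustration, not Windows
Hello's or any vendor's actual protocol."""
import hashlib
import hmac
import os


def mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class Sensor:
    """Sensor chip holding templates; each template may carry a host-bound secret."""

    def __init__(self, dev_key: bytes):
        self.dev_key = dev_key  # secret shared with the host when the pair was established
        self.templates = {}     # template_id -> bound secret (None if enrolled out of band)

    def enroll(self, bind_nonce: bytes = None):
        tid = os.urandom(2).hex()  # stand-in for the numeric template ID
        secret = proof = None
        if bind_nonce is not None:
            secret = mac(self.dev_key, b"bind", tid.encode(), bind_nonce)
            proof = mac(self.dev_key, b"enroll", tid.encode(), bind_nonce)
        self.templates[tid] = secret
        return tid, proof

    def rogue_enroll(self, tid: str) -> None:
        """Attacker path (Linux driver / redirected database): a print stored under
        a chosen ID, with no host binding."""
        self.templates[tid] = None

    def authenticate(self, matched_tid: str, host_nonce: bytes) -> dict:
        secret = self.templates.get(matched_tid)
        proof = mac(secret, b"auth", host_nonce) if secret else None
        return {"template_id": matched_tid, "proof": proof}


class SpoofChip:
    """Anything on the bus that can talk like the sensor (the Type Cover case)."""

    def authenticate(self, claimed_tid: str, host_nonce: bytes) -> dict:
        return {"template_id": claimed_tid, "proof": None}


class NaiveHost:
    """Maps template ID -> account and trusts whatever ID it is told."""

    def __init__(self):
        self.accounts = {}

    def enroll(self, sensor: Sensor, user: str) -> str:
        tid, _ = sensor.enroll()
        self.accounts[tid] = user
        return tid

    def login(self, device, tid: str):
        reply = device.authenticate(tid, os.urandom(16))
        return self.accounts.get(reply["template_id"])


class AttestingHost(NaiveHost):
    """Verifies an enrolment proof and, on every login, a MAC under the template's bound secret."""

    def __init__(self, dev_key: bytes):
        super().__init__()
        self.dev_key = dev_key
        self.secrets = {}  # template_id -> bound secret the host expects at login

    def enroll(self, sensor: Sensor, user: str) -> str:
        nonce = os.urandom(16)
        tid, proof = sensor.enroll(nonce)
        expected = mac(self.dev_key, b"enroll", tid.encode(), nonce)
        if proof is None or not hmac.compare_digest(proof, expected):
            raise ValueError("enrolment not attested by the paired sensor")
        self.accounts[tid] = user
        self.secrets[tid] = mac(self.dev_key, b"bind", tid.encode(), nonce)
        return tid

    def login(self, device, tid: str):
        nonce = os.urandom(16)  # fresh per attempt, so a captured reply cannot be replayed
        reply = device.authenticate(tid, nonce)
        secret = self.secrets.get(reply["template_id"])
        proof = reply["proof"]
        if secret is None or proof is None:
            return None
        if not hmac.compare_digest(proof, mac(secret, b"auth", nonce)):
            return None
        return self.accounts.get(reply["template_id"])
```

The point of the model is where the trust sits: once the host stores a per-template secret it derived itself, an ID that arrives without a matching proof is worthless, whether it comes from a substituted chip or from a template the attacker planted through another operating system.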
Consequences: Laptop hardware may be physically insecure and allow fingerprint authentication to be bypassed if the equipment falls into the wrong hands.
Solution:
- Use a password instead of a fingerprint for BIOS boot authentication.
- Users of the impacted computers should ensure they have the latest updates installed, as vendors have addressed the identified issues.
References:
https://blackwinghq.com/blog/posts/a-touch-of-pwn-part-i/
https://www.theregister.com/2023/11/22/windows_hello_fingerprint_bypass/