vuln overview

doc/SEC.md

@@ -38,7 +38,9 @@ Not sure this is necessary... (?)
 /system/framework/com.android.location.provider.jar
 ```
 
-Uses SELinux kernel.
+Uses SELinux kernel, may even have that old special hole! `:)`
+(cf. Brad Spengler attack).
+
 
 # Net
 When connected to wifi the device tries to connect to port `80` of
@@ -57,3 +59,47 @@ $ file xbin/zcat
 xbin/zcat: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, for GNU/Linux 2.6.16, stripped
 ```
 
+# Vulnerability Surface
+The analyzers have Android on board, which is generally well documented.
+There have been numerous Android security holes published in the last
+decade or so. The analyzers have a lot of binaries dating back many versions,
+some as old as 2013.
+
+
+# Attack Surface
+
+* Wifi
+
+* Bluetooth
+
+* Cell ?
+
+* USB
+
+# Attack Points
+Nature of attacks, once exploited.
+
+The devices query remote servers on port `80` in cleartext. This can be
+easily hijacked and fed false data.
+
+* Device can be fed bogus data. For example, hack a competitor's device to
+say there's no gold when there is gold. Nefarious company could EPA's device
+when they come inspect contaminated land, and make the device's readings
+say everything is ok.
+
+* Device can be a remote access point back into a corporate network.
+Since the device is taken into the field and back into corporate offices,
+it makes it an ideal vector to further penetrate networks. An employee
+takes the analyzer into the field, exploitation and implant occurs, the
+employee takes analyzer back to office to download data. In doing so,
+they connect the analyzer to the network (e.g. even via USB), where the
+device then phones home back to attackers.
+
+* Safety features of the device can be overridden, causing it to emit
+xray or laser power beyond default limits.
+
+# Misc
+
+* All devices have the same static IP hardcoded in binary.
+
+