From 8d101a6194497f90e7b9defd17fe84ab3132d2a4 Mon Sep 17 00:00:00 2001 From: jebba Date: Fri, 28 Jan 2022 07:38:24 -0700 Subject: [PATCH] vuln overview --- doc/SEC.md | 48 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 47 insertions(+), 1 deletion(-) diff --git a/doc/SEC.md b/doc/SEC.md index a4e5912..9a867d6 100644 --- a/doc/SEC.md +++ b/doc/SEC.md @@ -38,7 +38,9 @@ Not sure this is necessary... (?) /system/framework/com.android.location.provider.jar ``` -Uses SELinux kernel. +Uses SELinux kernel, may even have that old special hole! `:)` +(cf. Brad Spengler attack). + # Net When connected to wifi the device tries to connect to port `80` of 
@@ -57,3 +59,47 @@ $ file xbin/zcat xbin/zcat: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, for GNU/Linux 2.6.16, stripped ``` +# Vulnerability Surface +The analyzers have Android on board, which is generally well documented. +There have been numerous Android security holes published in the last +decade or so. The analyzers have a lot of binaries dating back many versions, +some as old as 2013. + + +# Attack Surface + +* Wifi + +* Bluetooth + +* Cell ? + +* USB + +# Attack Points +Nature of attacks, once exploited. + +The devices query remote servers on port `80` in cleartext. This can be +easily hijacked and fed false data. + +* Device can be fed bogus data. For example, hack a competitor's device to +say there's no gold when there is gold. Nefarious company could EPA's device +when they come inspect contaminated land, and make the device's readings +say everything is ok. + +* Device can be a remote access point back into a corporate network. +Since the device is taken into the field and back into corporate offices, +it makes it an ideal vector to further penetrate networks. An employee +takes the analyzer into the field, exploitation and implant occurs, the +employee takes analyzer back to office to download data. In doing so, +they connect the analyzer to the network (e.g. even via USB), where the +device then phones home back to attackers. + +* Safety features of the device can be overridden, causing it to emit +xray or laser power beyond default limits. + +# Misc + +* All devices have the same static IP hardcoded in binary. + +
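Review bot: In the first hunk (`@@ -38,7 +38,9 @@`), the new line `+Uses SELinux kernel, may even have that old special hole! \`:)\`` replaces a factual statement with an unverified guess; a security notes file should record what was actually observed rather than speculate. Either drop the joke or replace it with the concrete data that would let a reader check the claim: the kernel version string from the device, whether SELinux is actually enforcing (e.g. the output of `getenforce` on the device), and the specific advisory or CVE meant by `(cf. Brad Spengler attack)`, which as written is too vague to act on. If that has not been checked yet, say so explicitly ("kernel version and SELinux mode not yet confirmed") so the gap is visible.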
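Review bot: In the second hunk (`@@ -57,3 +59,47 @@`), two of the added bullets assert impact without anything in the document to back them: `+* Safety features of the device can be overridden, causing it to emit` / `+xray or laser power beyond default limits.` and `+* All devices have the same static IP hardcoded in binary.` The first should be labelled a hypothesis until someone has actually located the limit-enforcing code and shown it is software-only; the second should name the binary and the IP (or at least the path under `xbin/` or `/system/` where it was found) so it is reproducible, since the earlier part of the file already lists paths and `file` output in that style. The port `80` cleartext point is the one item that is supported by the existing "# Net" section, so it is fine to keep as stated. Smaller items: `+* Cell ?` should either be resolved or marked "not yet checked"; the sentence `+say there's no gold when there is gold. Nefarious company could EPA's device` is missing its verb ("could hack the EPA's device" or similar); and `# Vulnerability Surface` and `# Attack Surface` overlap, while `# Attack Points` is really describing impact once exploited, so consider merging the first two and retitling the third to match its own lead sentence `+Nature of attacks, once exploited.`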