vuln overview
parent
9e7d6313a9
commit
8d101a6194
48
doc/SEC.md
@ -38,7 +38,9 @@ Not sure this is necessary... (?)
/system/framework/com.android.location.provider.jar
```
Uses SELinux kernel.
Uses SELinux kernel, may even have that old special hole! `:)`
(cf. Brad Spengler attack).
# Net
When connected to wifi the device tries to connect to port `80` of
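Review bot: the added lines "Uses SELinux kernel, may even have that old special hole! `:)`" and "(cf. Brad Spengler attack)." give a reader nothing to verify or prioritize; replace the joke with the observed facts (the kernel version from the build, whether SELinux runs enforcing or permissive on the device, and a concrete reference for the Spengler issue meant) so the claim can be checked. The unresolved "Not sure this is necessary... (?)" in the surrounding context also still reads as a draft note and should be decided one way or the other.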
@ -57,3 +59,47 @@ $ file xbin/zcat
xbin/zcat: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, for GNU/Linux 2.6.16, stripped
```
# Vulnerability Surface
The analyzers have Android on board, which is generally well documented.
There have been numerous Android security holes published in the last
decade or so. The analyzers have a lot of binaries dating back many versions,
some as old as 2013.
# Attack Surface
* Wifi
* Bluetooth
* Cell ?
* USB
# Attack Points
Nature of attacks, once exploited.
The devices query remote servers on port `80` in cleartext. This can be
easily hijacked and fed false data.
* Device can be fed bogus data. For example, hack a competitor's device to
say there's no gold when there is gold. Nefarious company could EPA's device
when they come inspect contaminated land, and make the device's readings
say everything is ok.
* Device can be a remote access point back into a corporate network.
Since the device is taken into the field and back into corporate offices,
it makes it an ideal vector to further penetrate networks. An employee
takes the analyzer into the field, exploitation and implant occurs, the
employee takes analyzer back to office to download data. In doing so,
they connect the analyzer to the network (e.g. even via USB), where the
device then phones home back to attackers.
* Safety features of the device can be overridden, causing it to emit
xray or laser power beyond default limits.
# Misc
* All devices have the same static IP hardcoded in binary.
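Review bot: several claims in the new sections are not backed by anything in the document and should cite the evidence behind them before they are listed as findings: "Safety features of the device can be overridden, causing it to emit xray or laser power beyond default limits" needs a statement of how the limits are enforced (software only, or a hardware interlock) to be credible as an attack point; "All devices have the same static IP hardcoded in binary" should name the binary and the string or offset so it can be re-checked; and "some as old as 2013" should list the binaries and versions concerned (the `file xbin/zcat` output above, a static ARM build for GNU/Linux 2.6.16, is a good first entry). Two smaller points: "Nefarious company could EPA's device" is missing its verb, and "* Cell ?" should be resolved to present, absent, or explicitly untested.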