pysalx/doc/SEC.md

Security

aka, I'd rather be teaching an AI to categorize spectra, but since I can't do that, I'm sitting around doing this in the interim.

Quick evaluation: it is basically an older Android device, likely vulnerable to a wide range of older attacks. It has Wi-Fi, Bluetooth, maybe even GSM...

The process table shows it's ready to send SMS... :)

```
root@ngl:/ # ps a
USER     PID   PPID  VSIZE  RSS     WCHAN    PC        NAME
root      126   2     0      0     002366ec 00000000 S apr_driver
system    328   1     16956  4044  ffffffff a548fa20 S /system/bin/audiod
root      2528  1     5868   368   ffffffff 00434a84 S /sbin/adbd
u0_a70    4397  302   1257352 23972 ffffffff a66719c0 S com.android.smspush
```
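To turn a process listing like the one above into a repeatable check, here is an added example (my own code, not part of pysalx) that parses the old-Android `ps` column layout and flags processes that widen the attack surface. The sample input is the four rows above; the regex rules and the wording of the reasons are my assumptions about what an assessor would want called out.

```python
"""Audit an Android process table for services that widen the attack surface.

Added example for these notes (not pysalx code). The rules below are my own
assumptions about what an assessor would flag.
"""
import re
from typing import List, NamedTuple


class Proc(NamedTuple):
    user: str
    pid: int
    ppid: int
    name: str


class Finding(NamedTuple):
    pid: int
    name: str
    reason: str


# Constructed sample: the four rows from the analyzer's `ps a` output above.
SAMPLE_PS = """\
USER     PID   PPID  VSIZE  RSS     WCHAN    PC        NAME
root      126   2     0      0     002366ec 00000000 S apr_driver
system    328   1     16956  4044  ffffffff a548fa20 S /system/bin/audiod
root      2528  1     5868   368   ffffffff 00434a84 S /sbin/adbd
u0_a70    4397  302   1257352 23972 ffffffff a66719c0 S com.android.smspush
"""

# (pattern on the process name, must it run as root to matter?, why it matters)
RULES = [
    (re.compile(r"(^|/)adbd$"), True,
     "adb daemon running as root: debug access over USB/network grants a root shell"),
    (re.compile(r"sms|telephony|phone", re.I), False,
     "telephony/SMS component active on a lab instrument: cellular attack surface"),
    (re.compile(r"bluetooth|btd", re.I), False,
     "Bluetooth stack active: short-range radio attack surface"),
]


def parse_ps(text: str) -> List[Proc]:
    """Parse the old-Android `ps` layout: USER PID PPID VSIZE RSS WCHAN PC S NAME."""
    procs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[0] == "USER":
            continue  # header line or truncated row
        procs.append(Proc(fields[0], int(fields[1]), int(fields[2]), " ".join(fields[8:])))
    return procs


def audit(procs: List[Proc]) -> List[Finding]:
    """Return one Finding per (process, rule) match, in process-table order."""
    findings = []
    for p in procs:
        for pattern, need_root, reason in RULES:
            if pattern.search(p.name) and (p.user == "root" or not need_root):
                findings.append(Finding(p.pid, p.name, reason))
    return findings


if __name__ == "__main__":
    for f in audit(parse_ps(SAMPLE_PS)):
        print(f"pid {f.pid:<6} {f.name:<24} {f.reason}")
```

On the sample this reports `adbd` (root) and `com.android.smspush`; on a real device, feed it `adb shell ps` output and extend `RULES` with whatever else the deployment has no business running.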

Not sure this is necessary... (?)

```
# from lsof
/system/priv-app/Telecom/Telecom.apk
/system/priv-app/TelephonyProvider/TelephonyProvider.apk
/data/data/com.android.providers.telephony/databases/cdmacalloption.db
/data/data/com.android.providers.telephony/databases/HbpcdLookup.db
/system/app/PhoneFeatures/PhoneFeatures.apk
/system/framework/qcrilhook.jar
/data/data/com.android.providers.telephony/databases/telephony.db
/data/data/com.android.providers.telephony/databases/mmssms.db
# Ok, so it has pretty much everything enabled/running apparently...
/system/app/Email/Email.apk
# Don't think it has hardware GPS (?).
# Perhaps for use with paired GPS (e.g. android phone).
/system/priv-app/com.qualcomm.location/com.qualcomm.location.apk
/system/framework/com.android.location.provider.jar
```

Uses an SELinux-enabled kernel; it may even have that old special hole! :) (cf. Brad Spengler's attack).

Net

When connected to wifi the device tries to connect to port 80 of IP 142.250.72.14, which is allocated to Google LLC.

It also tries to connect to port 443 of IP 157.240.19.19. That IP is owned by Facebook, Inc. Not sure why that is needed.

Binaries

The busybox binaries are (ancient) 32-bit(?).

```
$ file xbin/zcat
xbin/zcat: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, for GNU/Linux 2.6.16, stripped
```
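When inventorying a firmware image full of binaries like the one above, it helps to reproduce the part of `file` that matters for risk: word size, architecture, static vs. dynamic linking and stack executability. The following is an added example (my own code, not from pysalx or the analyzer vendor) that reads the ELF header and program headers with `struct`; it goes a little beyond the page by handling ELF64 as well. The sample binary is a constructed header, not a file from the device, and the field offsets are the ones defined by the ELF specification.

```python
"""Classify ELF binaries the way `file` does, for inventorying old firmware.

Added example for these notes (not pysalx code). The sample binary below is a
constructed ELF header with no real code in it.
"""
import struct
from typing import Dict, Optional

ELF_MAGIC = b"\x7fELF"
MACHINES = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
TYPES = {1: "REL", 2: "EXEC", 3: "DYN"}
PT_INTERP = 3
PT_GNU_STACK = 0x6474E551
PF_X = 1


def parse_elf(data: bytes) -> Dict[str, object]:
    """Return word size, endianness, machine, type, static flag and NX-stack flag."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    bits = 32 if data[4] == 1 else 64
    end = "<" if data[5] == 1 else ">"
    if bits == 32:
        # e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize e_phentsize e_phnum
        hdr_fmt, ph_fmt, flags_idx = end + "HHIIIIIHHH", end + "IIIIIIII", 6
    else:
        hdr_fmt, ph_fmt, flags_idx = end + "HHIQQQIHHH", end + "IIQQQQQQ", 1
    hdr = struct.unpack(hdr_fmt, data[16:16 + struct.calcsize(hdr_fmt)])
    e_type, e_machine, e_phoff, e_phentsize, e_phnum = hdr[0], hdr[1], hdr[4], hdr[8], hdr[9]

    interp_present = False
    stack_flags: Optional[int] = None
    ph_size = struct.calcsize(ph_fmt)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        ph = struct.unpack(ph_fmt, data[off:off + ph_size])
        if ph[0] == PT_INTERP:
            interp_present = True  # a program interpreter means dynamic linking
        elif ph[0] == PT_GNU_STACK:
            stack_flags = ph[flags_idx]
    return {
        "bits": bits,
        "endian": "little" if end == "<" else "big",
        "machine": MACHINES.get(e_machine, hex(e_machine)),
        "type": TYPES.get(e_type, hex(e_type)),
        "static": not interp_present,
        # None: no PT_GNU_STACK at all, so the kernel's per-architecture default applies
        "nx_stack": None if stack_flags is None else not (stack_flags & PF_X),
    }


def describe(info: Dict[str, object]) -> str:
    """One-line summary in the spirit of `file`."""
    stack = {True: "non-executable stack", False: "executable stack", None: "no PT_GNU_STACK"}
    return (f"ELF {info['bits']}-bit {'LSB' if info['endian'] == 'little' else 'MSB'} "
            f"{info['type']}, {info['machine']}, "
            f"{'statically' if info['static'] else 'dynamically'} linked, {stack[info['nx_stack']]}")


def build_sample_elf32(machine: int = 0x28, dynamic: bool = False, exec_stack: bool = False) -> bytes:
    """Construct a minimal little-endian ELF32 header plus program headers (constructed sample)."""
    ph_fmt = "<IIIIIIII"  # p_type p_offset p_vaddr p_paddr p_filesz p_memsz p_flags p_align
    phdrs = [struct.pack(ph_fmt, 1, 0, 0x8000, 0x8000, 0x100, 0x100, 5, 0x1000)]  # PT_LOAD r-x
    if dynamic:
        phdrs.append(struct.pack(ph_fmt, PT_INTERP, 0x100, 0x8100, 0x8100, 0x13, 0x13, 4, 1))
    phdrs.append(struct.pack(ph_fmt, PT_GNU_STACK, 0, 0, 0, 0, 0, 7 if exec_stack else 6, 16))
    ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + bytes(8)  # ELFCLASS32, little-endian, EV_CURRENT, SYSV ABI
    # e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, machine, 1, 0x8000, 52, 0,
                               0x05000000,  # EF_ARM_EABI_VER5
                               52, 32, len(phdrs), 40, 0, 0)
    return ehdr + b"".join(phdrs)


if __name__ == "__main__":
    import sys
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or [build_sample_elf32()]
    for blob in blobs:
        print(describe(parse_elf(blob)))
```

Run it with the paths of the extracted `xbin/` binaries to get a table of which ones are static (and therefore carry their own unpatched copies of libc and zlib) and which lack a `PT_GNU_STACK` entry, a common trait of toolchains from the era the notes mention.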

Vulnerability Surface

The analyzers have Android on board, which is generally well documented. Numerous Android security holes have been published over the last decade or so. The analyzers also carry a lot of binaries dating back many versions, some as old as 2013.

Attack Surface

  • Wifi

  • Bluetooth

  • Cell (?)

  • USB

Hypothetical Scenarios

Nature of the attacks possible once the device is exploited.

  • Device can be fed bogus data. For example, hack a competitor's device to say there's no gold when there is gold.

  • Nefarious polluting company could root EPA's device when they come inspect contaminated land, and make the device's readings say everything is ok.

  • Attacker sells bullion to vendor. Vendor tests with analyzer, which attacker has rooted. Grade of bullion is found to be pure, when fake. Vendor overpays for fake metal.

  • Device can be a remote access point back into a corporate network. Since the device is taken into the field and back into corporate offices, it is an ideal vector for penetrating networks further. An employee takes the analyzer into the field, where it is exploited and implanted; the employee then takes it back to the office to download data. In doing so they connect the analyzer to the network (even just via USB), and the device phones home to the attackers.

  • Safety features of the device can be overridden, causing it to emit xray or laser power beyond default limits.

Misc

  • All devices have the same static IP hardcoded in binary.

  • The devices query remote servers on port 80 in cleartext. This can be easily hijacked and fed false data.
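The Net section above records two outbound connections, and the bullet above notes that the port-80 one is cleartext. Here is an added example (my own code, not part of pysalx) that applies that reasoning to a netstat-style capture from the device: it parses the connection table, grades cleartext protocols to public addresses as high risk, and flags public destinations that are not on an owner-maintained allowlist. The two public addresses are the ones from the notes; the LAN line, the allowlist contents and the severity scheme are constructed assumptions.

```python
"""Flag risky egress from a field instrument in netstat-style output.

Added example for these notes (not pysalx code). The public destination
addresses come from the notes; the LAN line and the allowlist are constructed.
"""
import ipaddress
from typing import Dict, List, Set

# Constructed sample in busybox `netstat -tn` layout.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.50:43210      142.250.72.14:80        SYN_SENT
tcp        0      0 192.168.1.50:43211      157.240.19.19:443       ESTABLISHED
tcp        0      0 192.168.1.50:43212      192.168.1.20:8080       ESTABLISHED
"""

CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}
# Destinations the device owner has documented and accepts. Constructed: the
# vendor's real update/telemetry endpoints are not known from the notes.
EXPECTED_PUBLIC = {"142.250.72.14"}


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Extract (proto, remote ip, remote port, state) from each connected socket."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue  # header or unrelated line
        rip, rport = f[4].rsplit(":", 1)
        if rport == "*":
            continue  # listening socket, no peer
        conns.append({"proto": f[0], "remote_ip": rip, "remote_port": int(rport),
                      "state": f[5] if len(f) > 5 else ""})
    return conns


def audit_egress(conns: List[Dict[str, object]],
                 expected_public: Set[str] = EXPECTED_PUBLIC) -> List[Dict[str, str]]:
    """Grade each outbound peer: cleartext protocol and/or undocumented public host."""
    findings = []
    for c in conns:
        ip = ipaddress.ip_address(str(c["remote_ip"]))
        port = int(c["remote_port"])
        if port in CLEARTEXT_PORTS:
            # Cleartext to the Internet can be read or rewritten by anyone on the path;
            # on the LAN the exposure is smaller but still worth noting.
            findings.append({
                "severity": "high" if ip.is_global else "medium",
                "remote": f"{ip}:{port}",
                "reason": f"cleartext {CLEARTEXT_PORTS[port]}: an on-path attacker can read or "
                          f"rewrite the exchange (e.g. feed the device false data)",
            })
        if ip.is_global and str(ip) not in expected_public:
            findings.append({
                "severity": "medium",
                "remote": f"{ip}:{port}",
                "reason": "public destination not on the documented allowlist; "
                          "confirm who owns it and why the device needs it",
            })
    return findings


if __name__ == "__main__":
    for f in audit_egress(parse_netstat(SAMPLE_NETSTAT)):
        print(f"[{f['severity']:<6}] {f['remote']:<22} {f['reason']}")
```

Against the sample this yields a high finding for the port-80 Google address and a medium one for the port-443 Facebook address (reachable over TLS, but undocumented). Blocking the device's egress at the firewall and keeping only the allowlisted destinations is the practical mitigation while the firmware cannot be updated.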

CVE

The system is running kernel 3.10.49 which has a vast list of known vulnerabilities.

Known Kernel Holes:

The system uses Linux kernel 3.10.49. This kernel was released July 17th, 2014. Release announcement:

There were twenty-five Kernel 3.10.49 vulnerabilities disclosed in 2021:

...

  • This doozy is considered a top 25. Nice how it has a CVE from 2018, but disclosure in 2021! :)

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25020

...

  • Too numerous to list for now...

Other Known Issues

The 3.10 kernel series was declared an LTS kernel by Greg KH in 2013. The blog post linked below, from 2017, looks back on its history. It says there were 3,456 known unfixed bugs in the 3.10.49 kernel in 2017. The number has likely increased since.

https://wtarreau.blogspot.com/2017/11/look-back-to-end-of-life-lts-kernel-310.html

The last release in the stable 3.10 series was 3.10.108, which was released November 4th, 2017.

The post was written by the kernel developer who made the 3.10.108 commit to the official linux-stable archive. Its last line, from 2017:

> So it's really time to switch now! 3.10 is dead.