TIFF images in MS-Office documents used in targeted attacks
	
Today, Microsoft published a research note and a security advisory covering a remote code execution vulnerability (CVE-2013-3096) that can be triggered with a malformed TIFF image. According to the write-up, the vulnerability is being actively exploited in a "very limited" number of targeted attacks that involved a Word (MS-Office) document which in turn contains the malformed TIFF image.
There is no patch yet, but the two Microsoft articles contain some information on mitigation options.
Is your vacuum cleaner sending spam?
	
Last week, a story in a Saint Petersburg (the icy one, not the beach) newspaper caught quite some attention, and was picked up by The Register [1]. The story claimed that appliances like tea kettles, vacuum cleaners and iron(y|ing) irons shipped from China and sold in Russia were discovered to contain rogue, WiFi-enabled chipsets. As soon as power was applied, the vacuum cleaner began trolling for open WiFi access points, and if it found one, it would hook up to a spam relay and start ... probably a sales pitch spam campaign for cheap vacuum cleaners from China?
A couple of years back, we at SANS ISC were investigating a significant Christmas-time scam that involved electronic picture frames that came pre-loaded with lovely malware. Could it be that this year, we are facing an even more sinister threat? Could it be that all those festive domestic efficiency gifts that adoring husbands love to pile on their rightly unappreciative wives could, in fact, be part of an evil Chinese ploy to subvert our hearth and home with trojaned appliances?!
As The Register already reported, yes, from a technical point of view, this could work. From a cost point of view, it could also work. WiFi chipsets and associated logic are, if produced in significant quantity, down to about $3 apiece. There is also the blog post by HaxIt [2], showing how a WiFi-enabled Transcend WiFi SD card (think "small") can be pwned, rooted, and turned into a little WiFi-enabled Linux PC. The cheapest cards of this type are currently at around $20, which is likely not cost effective yet to be used for spamming and such, but is getting close.
The real "killer" application would be such a WiFi enabled nano PC that works without external power. The specimens quoted in the Register article were all hooked up to a power source within the appliance. But .. what if these toys can draw their power from Thin Air, like RFID tags do? This is called "energy scavenging" or "energy harvesting", and is a serious research topic with lots of very useful and benign applications. But imagine it would work to power "over the air" an SD-card with WiFi and Linux. You could then stick that SD card onto the used chewing gum that is disgustingly yet conveniently already present under your chair in your local Starbucks .. and that's all you'll need to have a relay, bot, whatever you want. It won't be fast, but hey, with the right P2P design, a couple of these cards would probably beat TOR in terms of anonymity and isolation any day.
I did a couple of back-of-the-envelope calculations, and I don't quite think that "energy harvesting" by drawing on the power radiated by the WiFi access point alone will work for WiFi enabled chipsets just yet. WiFi transmissions are quite power hungry, and the path loss over thin air is significant at the frequencies where WiFi operates. [Fellow amateur radio geeks might remember the 20*log10(4*pi*distance/lambda) equation :)]. I would love to be proven wrong though - if you have a WiFi design that draws its sole power from RF, please comment below. Photovoltaic and mechanical energy sources don't count, I know that these can be done, but they don't quite offer themselves to the chewing-gum-mounted-spambot-in-Starbucks scenario just yet.
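The link budget behind that estimate can be worked through with the path-loss equation quoted above. This is an added example, not the diary author's own calculation; the 20 dBm access-point EIRP, 0 dBi receive antenna, 30% rectifier efficiency and 600 µJ per transmit burst are all assumed values chosen for illustration.

```python
import math

C = 299_792_458.0          # speed of light, m/s
WIFI_HZ = 2.437e9          # 2.4 GHz band, channel 6 centre frequency

def fspl_db(distance_m, freq_hz=WIFI_HZ):
    """Free-space path loss in dB: 20*log10(4*pi*distance/lambda)."""
    wavelength = C / freq_hz
    return 20 * math.log10(4 * math.pi * distance_m / wavelength)

def received_uw(distance_m, eirp_dbm=20.0, rx_gain_dbi=0.0):
    """RF power (microwatts) arriving at the harvester's antenna.

    eirp_dbm and rx_gain_dbi are assumptions: 20 dBm (100 mW) EIRP,
    isotropic receive antenna.
    """
    rx_dbm = eirp_dbm + rx_gain_dbi - fspl_db(distance_m)
    return 10 ** (rx_dbm / 10) * 1000.0   # dBm -> mW -> uW

def seconds_to_bank(energy_uj, distance_m, rectifier_eff=0.3, ap_duty=1.0):
    """Seconds of harvesting needed to store energy_uj microjoules.

    rectifier_eff (RF-to-DC conversion) is an assumed 30%. ap_duty=1.0
    is the optimistic case of an access point that transmits all the
    time; a mostly idle one sends little more than beacons.
    """
    harvested_uw = received_uw(distance_m) * rectifier_eff * ap_duty
    return energy_uj / harvested_uw

# Assumed cost of one short WiFi transmit burst: 300 mW for 2 ms.
BURST_UJ = 300_000 * 0.002   # = 600 microjoules

if __name__ == "__main__":
    for d in (1, 3, 10):
        print(f"{d:>3} m  loss {fspl_db(d):5.1f} dB  "
              f"rx {received_uw(d):8.4f} uW  "
              f"one burst every {seconds_to_bank(BURST_UJ, d):9.0f} s")
```

Under these assumptions the harvester collects under a tenth of a microwatt at 10 m and needs hours to bank the energy for a single short burst, before counting what the Linux system itself would draw.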
So .. while the fully autonomous SD-card based bot without external power source is maybe not feasible yet .. a WiFi enabled bot inside your vacuum cleaner, drawing power off the mains, is definitely feasible, and quite cost effective. Not that you needed yet another reason to not run an open WiFi, I hope. And your partner will probably appreciate a more meaningful Christmas gift than a vacuum cleaner anyway. Try a cast iron dutch oven or a kitchen fire extinguisher this year. They are still analog, and unlikely to be bugged or backdoored for now :-D.

[1] http://www.theregister.co.uk/2013/10/29/dont_brew_that_cuppa_your_kettle_could_be_a_spambot/
[2] http://haxit.blogspot.ch/2013/08/hacking-transcend-wifi-sd-cards.html
 
              