Bad news for anyone who owns a Samsung, LG or Xiaomi phone, among other Android devices. Apparently these phones have been left vulnerable to malicious apps with system-level privileges after their platform-signing keys leaked:
As shared by Googler Łukasz Siewierski (via Mishaal Rahman), Google’s Android Partner Vulnerability Initiative (APVI) has publicly disclosed a new vulnerability that affected devices from Samsung, LG, and others.
The core of the issue is that multiple Android OEMs have had their platform signing keys leaked outside of their respective companies. This key is used to ensure that the version of Android that’s running on your device is legitimate, created by the manufacturer. That same key can also be used to sign individual apps.
By design, Android trusts any app signed with the same key used to sign the operating system itself. A malicious attacker with those app signing keys would be able to use Android’s “shared user ID” system to give malware full, system-level permissions on an affected device. In essence, all data on an affected device could be available to an attacker.
Notably, this Android vulnerability doesn’t solely happen when installing a new or unknown app. Since these leaked platform keys are also in some cases used to sign common apps — including the Bixby app on at least some Samsung phones — an attacker could add malware to a trusted app, sign the malicious version with the same key, and Android would trust it as an “update.” This method would work regardless of whether an app originally came from the Play Store, Galaxy Store, or was sideloaded.
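To make the two attack paths above concrete, here is a small installer model written for this post; it is an added example, not code from Google, the OEMs or the linked article. It uses only the Go standard library and mimics three rules of Android's package installer: the APK signature must verify, an update must be signed with the same certificate as the installed version, and a manifest that asks for sharedUserId="android.uid.system" is honoured only when the APK carries the platform certificate. The "platform" and "attacker" keys are generated on the spot, the package names are hypothetical, and a public key stands in for the signing certificate. Real Android compares the full certificate set across the v1/v2/v3 APK signature schemes and allows key rotation through a signing lineage, neither of which is modelled here.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Signer is a code-signing identity. Cert (the DER public key) stands in for the
// signing certificate: Android identifies a signer by the certificate bytes.
type Signer struct {
	key  *rsa.PrivateKey
	Cert []byte
}

func NewSigner() *Signer {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // demo setup failure, not an installer decision
	}
	return &Signer{key: key, Cert: x509.MarshalPKCS1PublicKey(&key.PublicKey)}
}

// Package stands in for an APK: name, manifest sharedUserId ("" if none), contents, signer, signature, UID.
type Package struct {
	Name, SharedUserID string
	Payload, Cert, Sig []byte
	UID                int
}

// Sign produces a package whose signature covers the payload, as apksigner would.
func (s *Signer) Sign(name, sharedUID, payload string) *Package {
	digest := sha256.Sum256([]byte(payload))
	sig, err := rsa.SignPKCS1v15(rand.Reader, s.key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return &Package{Name: name, SharedUserID: sharedUID, Payload: []byte(payload), Cert: s.Cert, Sig: sig}
}

const systemUID, appUIDBase = 1000, 10000 // android.uid.system; first ordinary app UID

// Device is a minimal installer: the platform cert plus the installed packages.
type Device struct {
	platformCert []byte
	installed    map[string]*Package
}

// Install enforces the rules the article relies on: the signature must verify under
// the embedded cert; an update must carry the same cert as the installed version;
// sharedUserId="android.uid.system" is honoured only for the platform cert.
func (d *Device) Install(p *Package) (int, error) {
	pub, err := x509.ParsePKCS1PublicKey(p.Cert)
	if err != nil {
		return 0, err
	}
	digest := sha256.Sum256(p.Payload)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], p.Sig); err != nil {
		return 0, fmt.Errorf("signature does not verify: %w", err)
	}
	p.UID = appUIDBase + len(d.installed)
	if prev, exists := d.installed[p.Name]; exists {
		if !bytes.Equal(prev.Cert, p.Cert) {
			return 0, fmt.Errorf("INSTALL_FAILED_UPDATE_INCOMPATIBLE: signer changed")
		}
		p.UID = prev.UID // an update keeps the UID it already had
	}
	if p.SharedUserID == "android.uid.system" {
		if !bytes.Equal(p.Cert, d.platformCert) {
			return 0, fmt.Errorf("INSTALL_FAILED_SHARED_USER_INCOMPATIBLE")
		}
		p.UID = systemUID
	}
	d.installed[p.Name] = p
	return p.UID, nil
}

// Scenario records the outcome of each step of RunScenario.
type Scenario struct {
	BixbyUID, TrojanUID, RogueUID                           int
	ForeignUpdateErr, TrojanErr, AttackerRogueErr, RogueErr error
}

// RunScenario walks both attack paths with a constructed OEM platform key and an
// attacker key; "leaked" just means the attacker signs with the platform Signer.
func RunScenario() *Scenario {
	platform, attacker := NewSigner(), NewSigner()
	dev := &Device{platformCert: platform.Cert, installed: map[string]*Package{}}
	r := &Scenario{}
	// 1. The OEM ships an app signed with the platform key (hypothetical package names).
	r.BixbyUID, _ = dev.Install(platform.Sign("com.example.bixby", "", "bixby v1"))
	// 2. A trojanised update signed with the attacker's own key: rejected, signer changed.
	_, r.ForeignUpdateErr = dev.Install(attacker.Sign("com.example.bixby", "", "bixby v2 + malware"))
	// 3. The same update signed with the leaked platform key: accepted like any update.
	r.TrojanUID, r.TrojanErr = dev.Install(platform.Sign("com.example.bixby", "", "bixby v2 + malware"))
	// 4. A new app asking for android.uid.system with the attacker's key: rejected.
	_, r.AttackerRogueErr = dev.Install(attacker.Sign("com.example.rogue", "android.uid.system", "rogue"))
	// 5. The same app signed with the leaked key is installed as UID 1000 (system).
	r.RogueUID, r.RogueErr = dev.Install(platform.Sign("com.example.rogue", "android.uid.system", "rogue"))
	return r
}

func main() {
	fmt.Printf("%+v\n", *RunScenario())
}
```

The point of steps 2 and 4 versus 3 and 5 is that nothing in the installer looks at who built the APK or where it came from; the certificate is the identity. Once that certificate's private key is outside the OEM, every trust decision keyed on it is worthless, which is why rotating the platform key (and every app signed with it) is the only real fix. On a real device you can see which certificate an APK carries with `apksigner verify --print-certs <file.apk>` from the Android SDK build tools.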
Google’s public disclosure doesn’t lay out which devices or OEMs were affected, but it does display the hash of example malware files. Helpfully, each of the files has been uploaded to VirusTotal, which also often reveals the name of the affected company. With that, we know the following companies’ keys were leaked (though some keys have not yet been identified):
- Samsung
- LG
- Mediatek
- szroco (makers of Walmart’s Onn tablets)
- Revoview
Yikes! I have a pair of comments from Venafi on this:
Tony Hadfield, Sr. Director of Solutions Architects at Venafi: “This is a great example of what happens when organizations sign code without a plan to manage code signing keys. If the keys fall into the hands of an attacker it can lead to catastrophic breaches. The only way to prevent this kind of problem is to have an auditable, ‘who/what/where’ solution: how do you control signing keys, where are they stored, who has access to them, and which kind of code gets signed? You need this information to protect your keys and also respond quickly to a breach by rotating your public and private keys.”
Ivan Wallis, Global Architect at Venafi: “This is a great example that showcases the lack of proper security controls over code signing certificates, in particular the signing keys for the Android platform. These certificate leaks are exactly related to this, where these vendor certificates made it into the wild, allowing for the opportunity for misuse and the potential to sign malicious Android applications masquerading as certain “vendors”, similar to SolarWinds. Bad actors can essentially gain the same permissions as the core service. The lack of the who/what/where/when around code signing makes it difficult to know the impact of a breach, because that private key could be anywhere. At this point it must be considered a full compromise of the code signing environment and key/certificate rotation must happen immediately.”
The article that I linked to has some really good advice in terms of protecting yourself. Specifically:
While the details of this latest Android security leak are being confirmed, there are some simple steps you can take to make sure your device stays secure. For one, be sure that you’re on the newest firmware available for your device. If your device is no longer receiving consistent Android security updates, we recommend upgrading to a newer device as soon as possible.
Beyond that, avoid sideloading applications to your phone, even when updating an app that’s already on your phone. Should the need to sideload an app arise, be sure you completely trust the file you’re installing.
This is advice that you should be following anyway, as it will protect you from many other kinds of attack, not just this one.
Pediatric EMR Vendor Hacked…. 2.2 Million Affected
Posted in Commentary with tags Hacked on December 5, 2022 by itnerd
A hacking incident at a cloud-based electronic health records software vendor has surfaced
Pennsylvania-based Connexin Software Inc., which does business as Office Practicum, reported the hack to the U.S. Department of Health and Human Services on Nov. 11 and said it involved a network server.
Connexin in its breach notification statement lists about 120 pediatric practices affected by the incident.
In the statement, Connexin says that on Aug. 26, it detected “a data anomaly” on its internal network. A forensics investigation determined that an unauthorized third party had gained access to an internal computer network, removing some data contained in an “offline” patient data set used for data conversion and troubleshooting.
Connexin’s “live” electronic medical record system was not accessed, and the incident also did not affect any pediatric practice groups’ systems, databases or medical records systems, the statement says.
In any case, the range of patient data potentially compromised in the incident is wide. Connexin says patient information affected may have included name, guarantor name, parent/guardian name, address, email address, date of birth, Social Security numbers, health insurance information and medical and/or treatment information – including procedures, diagnosis, prescription information and physician names.
Financial information – such as billing claims, invoices and patient account identifiers used by providers – was also contained in the affected data set.
John Gunn, CEO, Token says the following:
“Hackers are known for chasing quick scores and fast payoffs, but surprisingly they also “invest” for the future. They have spent years cultivating fake identities on Facebook, LinkedIn, and other social media to commit crimes and they harvest data for future crimes as they did in this instance. Each year, more of the victims of this breach will celebrate their 18th birthday and become prime targets to have their identity stolen because the hackers already have their SSN and other key information.”
Total number of people affected: 2.2 million. That’s not trivial. Hopefully someone investigates this data breach and holds any parties who allowed this to happen to account.
UPDATE: I have additional commentary from Chad McDonald, Chief of Staff and CISO, Radiant Logic:
“A breach of this size will have insurmountable repercussions for pediatric patients long after this is reported. The information obtained in this attack can be used for years in social engineering attacks, phishing attempts and more. Furthermore, while data conversion and troubleshooting practices are necessary, real patient data should almost never be used for this.”