It's the time of year that software developers dread. Black Hat and Defcon security conferences just finished, the fallout is starting to be digested, and everyone is figuring out who got hit the worst. Micahel Kassner addresses the potential of a new threat involving automatic updates.
It's the time of year that software developers dread. Black Hat and Defcon security conferences just finished, the fallout is starting to be digested, and everyone is figuring out who got hit the worst.
There's been more than enough tech press about the big issues, which is okay; I want to discuss one that doesn't seem to be on anyone's radar yet. It's a sleeper app, but with huge potential if I'm right.
People are usually glad if computer applications are configured to update automatically, less to worry about. That may change. What if an attacker could hijack the update request and download malware instead of the update?Meet Ippon
I'd like to introduce you to Ippon (Japanese for "game over") an attack tool created by Itzik Kotler, security team leader and Tomer Bitton, security researcher for Radware. Ippon is one of those ideas that's so obvious I'm sure many are saying why didn't I think of that.How Ippon works
Ippon looks for computers that are asking for updates and tries to replace the update with malware. One thing in Ippon's favor is that most applications are setup to check for updates automatically. Kotler and Bitton have ported Ippon to scan open Wi-Fi networks specifically for Hyper Text Transport Protocol (HTTP) update request traffic. When traffic is detected, it becomes a race to see if Ippon can respond before the update server for that particular application.
If Ippon wins, a message is sent informing the application that an update is available, even if it's not. To avoid suspicion, Kotler and Bitton have built in a reference library to allow Ippon's response to closely mimic the actual one. Once the connection is established a malicious file is then downloaded from the attacker's server and game over.Vulnerable update processes
Kotler and Bitton in an informal poll determined that approximately 100 applications are vulnerable to the Ippon attack, but won't specifically mention which ones. Thankfully Microsoft applications aren't. All MS updates are digitally signed and can't be spoofed. Actually, that's the way to tell if an application is not susceptible to Ippon.Preventative measures
Some of the suggested solutions are a bit obvious. Such as don't use open Wi-Fi networks. Or if you have to, don't update your computer while connected to an open Wi-Fi network. I said they were obvious.
But what about an application that updates automatically and in the background. The only visual indication usually happens after the process is complete. Technically, the only way to avoid the Ippon attack while using open Wi-Fi networks is to use a secure VPN tunnel.
A friend of mine suggested that I mention to update proactively, maybe using Secunia PSI. I think that's a good idea, even if Ippon didn't exist. Still, I'm concerned about a false sense of security, automated updaters follow a schedule and will check for updates regardless.Final thoughts
As of this writing Ippon has been released, so it's only a matter of time. I have e-mailed and left voice mails with several of the major application developers, Adobe for instance. When I learn whether an application uses signed updates or not, I will add a comment with that information.
I have one last question. Kolter and Bitton are focused on Wi-Fi, because it's the simplest attack vector. What if Ippon could be developed into an exploit that infiltrated wired networks?