August 2, 2022

Our blog returns to surface

After a long hiatus, the blog returns with old and new content, without fully embracing this new era of Blockchain-and-JavaScript-everywhere.


A decade’s worth of resisting the “web 2.0” pandemic

We are living through truly amazing times. Barefoot insurgents with 3D printed firearms running around Myanmar, vulnerabilities getting full marketing team makeovers with logos and dedicated websites, the word “opsec” becoming so commonplace you could hear it from your friendly neighborhood food truck chef, Burning Man going mainstream and the Winklevii chasing would-be Instagram models around Nevada’s largest patch of infertile dirt, the kids we picked on in high school enacting their revenge upon mankind one JavaScript app at a time, old faces from the scene gone all proper and hiding embarrassing tattoos under Brooks Brothers suits, etc, etc, etc. Amazing. This is clearly what the scientists of the previous century intended for their work and sacrifices. AI has become the new “Bluetooth” (even your washing machine has it), so expect a highly advanced conversational AI shaped like Clippy from 1996 soon in these pages.

All humor aside, we resisted the temptation and pressure long enough, but eventually it had to happen: we decided it was time to get a website back up and running, and a blog dedicated to all the one-off pieces related to research that do not merit an entire seminal work, or are simply just too informal or too humorous to be part of a press release.

We stay faithful to our roots, taking our work quite seriously, but not taking ourselves too seriously. We still managed to avoid the super-duper dark Geocities hacker site colors, you know, to look approachable.

Historical exploits (“offensive security tools”)

We have decided to slowly trickle out code and tools that are presently more useful and interesting for their educational value, as they date back several years and stem from research that is no longer immediately applicable (with some exceptions).

Hopefully, others get their courage up and follow suit, as there is some merit to fostering more sharing in the community. Virtually all “useful” research sharing came to a full halt, for reasons we all know :-)

Unfortunately, this does not help the younger folks and those trying to get their foot in the door. Since obsolescence in human beings is actually a thing, we might as well help our younger future replacements and provide a little inspiration.

We have been slowly but steadily preparing some interesting Apple Mac OS X old tools and exploits for public release:

  • An amusing example of the danger of inherited vulnerabilities (the old classic “software phagocytosis”: a commercial vendor absorbs an open source project into its code base, in the process also absorbing all of its vulnerabilities and potential backdoors), in none other than the Seatbelt policy compiler (responsible for compiling the policies used by the OS X security module “Seatbelt”, referred to as a sandbox by the cool kids these days). Coupled with an especially crafted cache file, it was possible to subvert the behavior of Seatbelt, among other interesting possibilities.
  • Old classic privilege escalation vulnerabilities leveraging format string bugs and typical memory corruption vulnerabilities. These included the Tunnelblick client, for example.
  • Our multi-architecture, multi-platform QuickTime “zero click” exploit, the first public example of an exploit targeting multiple architectures and multiple products, with automated target and payload selection driven by fingerprinting of the client.

The landscape of OS X security has changed considerably, and we might revisit some things in the future. Unfortunately, nobody on the team uses Apple products, so our interest in the platform has drastically decreased over the years. While Apple makes excellent products and has a formidable PR machine and very talented engineers, our customer base does not trust OS X, and we would usually rather look like the boring, sober people we are, so taking a MacBook to a meeting would be a serious breach of character. If we had a marketing guy and he cried to us to buy a MacBook for “his meetings”, we would likely just get him a good tailor, a better haircut, and an ugly ThinkPad. Appreciation for the “understatement” style still has a faithful following, or so it seems.

Check out the full list.

We are in the process of re-publishing some past work related to Android exploitation.

We have fixed up gr-lora to work with the latest stable release of GNU Radio as of August 2022. It’s nothing ground-breaking, so don’t come to us and say thank you. You should thank the original developer, J. Tapparel and co., for putting in the bulk of the work.

Drone security is something almost controversial for the team, because the drone security industry is both similar to and very different from the information security industry.

Our interest in civilian drones is negligible, and we do not believe that there is much of an argument to be made for the hyped but shaky concept of “drone operator privacy”.

Photographers and legitimate users of civilian drones are seldom impacted, and privacy is much better addressed by following the European model: if you publish someone else’s personal information, or access it, even if it was merely “lying there”, the government and its LE agencies will slap you with an administrative fine and potentially felony charges (civil legal action from the affected party notwithstanding). In the US there is still a gaping hole as far as personal privacy laws go, compared to the EU, where things like video surveillance are highly regulated: while you can certainly have video surveillance on your property, if you record your neighbor (without consent) or public land (restricted to LE only) you will have law enforcement visiting you, with a hefty fine to pay as an appetizer.

Therefore, it seems that most of the fuss surrounding “Drone ID” (DJI’s proprietary protocol) or Remote ID (Wikipedia) would benefit from a drastic shift of perspective: instead of pretending it is a technical problem, address it properly and with far more beneficial ramifications: lobby and pressure for better personal data protection legislation. If a drone operator has his personal information misused, provide him with a legal framework to fight back. If somebody does not want an uncooperative drone operator to record his property or family, provide him with the necessary legal protection. Claiming that “Drone ID” or “Remote ID” merit some sort of treatment as security vulnerabilities is at best an artificial misrepresentation of reality, or the equivalent of severing one’s head to get rid of a headache. Technical low-hanging fruit should not merit hyped up misinformation in the press, either.

As for their technical details, they are not particularly interesting to us, even though we might be interested every now and then in specific platforms, and the opportunities they present for learning new tricks and techniques for RF reverse engineering.

With our position regarding civilian drones clearly defined, our stance on military drone platforms is different. The impact of research on military drone platforms has moral, technical and legal implications that cannot be overstated. Our disclosure policy, as far as that area of research is concerned, will be reactive, not proactive. More often than not it is quiet work that truly makes a difference, and we intend to honor that unless circumstances justify doing the opposite.

So, what’s cooking?

So far, we are considering publishing some interesting work related to physical security involving RF devices, as well as our usual offensive and defensive security content. Every now and then we might comment on industry events and news. We are also working not-so-hard on getting back the original content for the blog, as well as other interesting articles.

Our time is very limited and publishing content is not a priority. We promise not to waste your time with vulnerabilities being presented with cool logos and online press conferences. Other people do that a lot better than us. We are absolutely terrible at all things marketing, and make no effort to hide it.

Until next time, the Subreption team.
