Discovering vulnerabilities like the ones mentioned below is why the Checkmarx Security Research team performs investigations. This type of research activity is part of their ongoing efforts to drive the necessary changes in software security practices among vendors that manufacture consumer-based technologies, while bringing more security awareness amid the consumers who purchase and use them. Protecting privacy of consumers must be a priority for all of us in today’s increasingly connected world and organization have a responsibility to build software security into everything they deliver. With that in mind, let’s review a few of the research highlights from the Checkmarx team in 2019.
AEG Smart ScaleIn early 2019, the research team released their findings pertaining the AEG Smart Scale. Today, IoT devices are an easy entry point to invade users’ privacy. With that in mind, the team tested the Smart Scale, specifically investigating the Bluetooth (Bluetooth Low Energy or BLE) security of the device. Below and in the blog highlights the vulnerabilities the team discovered.
- Denial of Service: A malicious request via BLE can crash the device.
- Change privacy settings: Anyone within BLE range could track the victim because the device keeps the MAC address fixed due to a configuration in the Generic Attribute Profile (GATT).
- Change device name: Anyone within BLE range could change the name of the device to something offensive or even to trick innocent users.
- Mobile app (Smart Scale) MiTM: Some requests made by the mobile application do not use HTTPS, which could allow attackers to intercept the information sent between the mobile application and the host.
Lenovo Watch XNext, the team released their findings pertaining to the Lenovo Watch X. During the course of their research, they found quite a few vulnerabilities in the device. Below and in the blog highlights the vulnerabilities the team discovered:
- Pinpoint Phone Location: Phone latitude and longitude coordinates were regularly sent to a remote, unknown server in China.
- Sniffing / MiTM: Communications sent between the mobile application and web server is not encrypted, so anyone could sniff the traffic.
- Account Takeover: Due to the lack of account validation and permissions, it’s possible to force a password change request for any user.
- Magic BLE: The Bluetooth Low Energy pairing allows pairing devices using only normal hand movement. There is no timeout system enabled.
- Spoofing Calls: Write permissions on a specific GATT UUID allows the spoofing calls attack.
- Set Alarms: Write permissions on a specific GATT UUID allows setting alarms on the watch.
LeapFrog LeapPad UltimateThen the team released their findings after researching a popular children’s learning device. Protecting children from the dangers on the internet is something all parents strive for and struggle with. When you find a toy that you think is safe, and will educate and entertain your child, you buy it. Right? That’s why parents bought and continue to buy LeapFrog’s LeapPad Ultimate. Below and in the blog highlights the vulnerabilities the team discovered:
- Finding LeapPads’ Location Using the Pet Chat App: Anyone can identify the possible location of LeapPads using Pet Chat by finding them on public Wi-Fi or tracking their device’s MAC address.
- Come Outside & Play: Any bystander within 100 ft of a Leapfrog device running Pet Chat can send a message to a child’s device.
- MiTM: The outgoing traffic from a LeapPad was not encrypted using HTTPS, but rather using the clear-text HTTP protocol—making it vulnerable to attack.
- LeapSearch-Portal Phishing Attacks: By injecting pieces of real data retrieved in the previous step, the team created a “phishing version” of the LeapSearch portal which appears to be legit.
Android CameraFinally, the research team investigated camera applications on popular smartphones running the Android OS. After a detailed analysis, the team discovered that the Android camera app is prone to multiple security-bypass vulnerabilities. The team demonstrated how an attacker could take photos and/or record videos through a proof of concept rogue application that has no permissions to do so, without the user knowing it. The malicious app the team designed for the demonstration was nothing more than a mockup weather app that could have been malicious by design. When the client starts the app, it essentially creates a persistent connection back to the C&C server and waits for commands and instructions from the attacker, who is operating the C&C server’s console from anywhere in the world. Even closing the app does not terminate the persistent connection. The operator of the C&C console can see which devices are connected to it, and perform the following actions (among others):
- Take a photo on the victim’s phone and upload (retrieve) it to the C&C server.
- Record a video on the victim’s phone and upload (retrieve) it to the C&C server.
- Parse all of the latest photos for GPS tags and locate the phone on a global map.
- Operate in stealth mode whereby the phone is silenced while taking photos and recording videos.
- Wait for a voice call and automatically record:
- Video from the victim’s side.
- Audio from both sides of the conversation.
- The blog, report, and video provides additional details of the team’s findings.