5 Freaky but Real Application Security Threats

Wear a smartwatch and you could cause a data breach that brings your organization to its knees. Install an anti-virus product on any one of your endpoints and you could compromise the security of key enterprise applications.

Smartwatches and certain anti-virus products are just a small sample of the growing number of shocking application security threats. Just like more familiar application security threats such as code injection, cross site scripting and buffer overruns, the threats they pose can be critical.

This article discusses five emerging application security threats:

  • PIN and password inference software
  • Mobile app collusion
  • Anti-virus software
  • JavaScript ransomware
  • Voice-activated attacks

PIN and Password Inference Software

So how can a smartwatch present an application security threat? The answer lies in the sensors such as accelerometers that are built into the device to detect the watch’s — and therefore the wearer’s — movements. Thanks to these sensors, data about the wearer’s hand motions are captured every time they enter a password on a keyboard — perhaps to log in and administer a corporate database, or a PIN on a keypad.

This risk isn’t theoretical. Researchers at Binghamton University and Stevens Institute of Technology have developed a piece of software that they call a “Backward PIN Sequence Inference Algorithm.” The algorithm takes data captured by smartwatches’ accelerometers and other sensors and works out what hand and finger movements must have taken place to generate that data. It can then work out a PIN that has been entered with a 90 percent success rate or a password that has been entered with an 80 percent success rate on the first attempt, rising to a 90 percent success rate after three attempts.

Of course, a would-be attacker can only run an algorithm like this and derive PINs and passwords if they can get hold of the data on the smartwatch. The bad news is, they don’t have to get the smartwatch to get the data. The smartwatch is a computer of sorts in its own right, and a connected one at that.

To get the data, a hacker has three choices:

  • They can infect the smartwatch with malware that collects the data and forwards it on by email or some other means
  • They can infect the smartphone that the smartwatch is connected to in order to forward the data
  • If they can get close to the smartwatch wearer, they can intercept the data as it is transmitted – typically by Bluetooth – from the smartwatch to the smartphone

Mitigation: The researchers suggest that device makers should inject a certain type of noise into the data so that it cannot be used to derive fine-grained hand movements and thus pose an application security threat, while still being effective for fitness tracking purposes.

They also suggest that access to sensor data should be regulated by the smartwatch to avoid leakage, and that better encryption of transmitted Bluetooth data be implemented. On a more practical level, users can avoid entering PINs or passwords using only the hand that the watch is worn on.

Mobile App Collusion

In theory at least it should be hard for an attacker to infect a smartphone with malware, even if a particular smartphone owner is specifically targeted – perhaps through a spearphishing attack designed to trick the owner into downloading a particular app. That’s because mobile device management systems should ensure that apps can only be downloaded from a corporate app store if there is one, or at the very least from official sources such as Google’s Play store rather than from unknown websites where no protections are in place.

But anti-virus vendor McAfee Labs has detected a rise in “colluding apps” that can bypass malicious code scans. Colluding apps contain segments of code which are not malicious in themselves. But when two or more such apps are installed on the same device these apps communicate with each other – or collude – and allow the different segments of code they contain to unite into a single piece of malicious code which is then executed.

Such code could steal data (such as sensor information), carry out fraudulent transactions or install more malicious applications.

“It should not come as a surprise that adversaries have responded to mobile security efforts with new threats that attempt to hide in plain sight,” said Vincent Weafer, vice president of Intel Security’s McAfee Labs group

Mitigation: McAfee suggests a variety of user approaches to minimize mobile app collusion, including downloading mobile apps only from trusted sources, avoiding apps with embedded advertising, not “jailbreaking” mobile devices and always keeping operating system and app software up-to-date.

Anti-virus Software

Surely such a thing would be less likely to happen on a desktop machine or server, which would almost certainly have some form of endpoint anti-virus software running that could spot code displaying malicious behavior as soon as it was activated and before it could become an application security threat?

The problem is that anti-virus software itself can pose a huge application security threat, as users of Symantec’s security products may have discovered recently. Symantec uses its own unpacker in its security software to decompress executables, and security research Tavis Ormandy recently discovered a buffer overrun error in this unpacker.

The big problem was that rather than sandboxing the unpacker to mitigate any errors such as buffer overruns, Symantec’s software installs it right in the operating system kernel. As a result, an overrun can lead to kernel memory corruption. And because anti-virus software like Symantec’s uses a filter driver to intercept all network traffic (in order to inspect it), simply emailing a malicious file to a victim or sending them a link to an exploit is enough to trigger it.

“The victim does not need to open the file or interact with it in any way. Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences …,” Ormandy explained.

This buffer overrun was not the only problem in Symantec’s security portfolio. Ormandy detected other flaws which affected its consumer and enterprise security products and posed serious application security threats. Perhaps the most worrying problem was that Symantec has been using code derived from open source libraries like libmspack and unrarsrc that haven’t been updated for at least seven years, despite the fact that dozens of vulnerabilities have been discovered in them – some with exploits publicly available that posed severe application security threats.

Symantec may be at fault here, but other AV vendors’ products that are intended to detect and obstruct application security threats have also introduced critical vulnerabilities that actually end up increasing that risk.

Mitigation: “Network administrators should keep scenarios like this in mind when deciding to deploy anti-virus (as) it’s a significant tradeoff in terms of increasing attack surface,” Ormandy concludes. In other words, is running anti-virus software worth the risk?

JavaScript Ransomware

Avoiding anti-virus software, on the other hand, leaves you open to all kinds of malicious software that might otherwise be spotted and blocked. This includes malicious software like ransomware, software that encrypts the contents of all storage attached to a system. This can be downloaded by macros embedded in malicious word documents – perhaps purporting to be invoices – attached to emails.

Many organizations now block macros by default because they are such an obvious application security threat, but malicious hackers are now getting around this by delivering ransomware using JavaScript. That’s possible because Windows doesn’t show file extensions by default, so a file called invoice.txt.js will often be displayed as invoice.txt. And since the JavaScript icon looks like a scroll of paper, a user could easily mistake the icon for a document instead of a program.

Paul Ducklin, a senior security advisor at Sophos, points out that the JS/Ransom-DLL ransomware is entirely written in JavaScript. Since JavaScript runs outside a browser in the Windows Scripting Host it is not sandboxed or restricted, “so it can do anything a regular application could do,” he said.

Attackers can use freely available crypto source code, he added, so their job is made that much more easy. “No additional software is downloaded, so once the JS/Ransom-DDL malware file is inside your network, it’s ready to scramble your data and pop up a ransom message all on its own.”

JS/Ransom-DLL is particularly nasty because even if you pay the ransom to decrypt your data, it also installs a hard-to-detect application security threat of its own: a password stealer that Sophos calls Trok/Fareit-AWR. “This Fareit infection isn’t downloaded; instead it is encoded using base64 into a JavaScript string that is stored inside the ransomware file, and installed as a parting gift by the ransomware,” Ducklin explained.

Mitigation: Some anti-virus software (including Sophos’) will block JS/Ransom-DLL. (But don’t forget the risks that running anti-virus software can introduce.) More generally, JavaScript can be prevented from running in the Windows Scripting Host. To do this, disassociate .js and .jse file types with the Windows Script Host, or use regedit to create a DWORD named Enabled and set to the value 0 in the key HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows Script HostSettings

Voice Activated Attacks

Researchers at Georgetown University and University of California, Berkeley have shown that mobile devices can be made to respond to “OK Google” and “Hey Siri” voice commands hidden in YouTube videos which are masked enough to make them hard for humans to notice or comprehend, but clear enough for smartphones to pick up on. They have successfully demonstrated this in a video by making a smartphone left on a desk open a website; xkcd.com was used, but a malware download or drive-by site could be substituted which would represent an application security threat.

The potential damage may be limited on smartphones, but it could be far more serious if it proves possible to carry out similar attacks on Windows 10 machines that can accept voice commands using the “Hey Cortana” prompt, or Mac computers running the new macOS Sierra operating system which includes support for “OK Siri” voice commands.

Mitigation: Disable OK Google, Hey Cortana and Hey Siri to prevent this type of attack becoming an application security threat.

Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.

Paul Rubens
Paul Rubens
Paul Rubens is a technology journalist based in England, and is an eSecurity Planet contributor.

Top Products

Related articles