Breaking Badness Episode 19: The Regin of Doom

The Regin of Doom

Coming up this week on Breaking Badness. Today we discuss: How is Russia Putin up with This, Where There is a Wheel, There is a Way, and Kid Pro Quo.

Here are a few highlights from each article we discussed:

How is Russia Putin up with This?
  • Regin is a type of malware that has been used by the US and Great Britain in the past, as early as 2003, though it was first discovered in 2012. So it’s certainly not new, but it is notable that it was seen in this particular incident because the source code isn’t publicly available as far as the infosec community knows.
  • The malware itself is modular, so it can be adjusted as needed for each campaign. The malware can collect keylogs, make screenshots, steal any file from the system, extract emails from Microsoft Exchange servers and any data from network traffic.
  • This was a slightly modified version of Regin compared to what has been seen in the past. Because of those two pieces of evidence, it’s likely that the same group conducted this campaign as has used Regin in the past (the US and Britain). In addition, the target being Yandex gives a little more credence to it being a western intelligence agency.
  • According to Symantec they have seen Reign recently, although they are being fairly tight-lipped about where it was seen to avoid breaching their client’s trust. Other than that, it has been seen in the past targeting a variety of different types of organizations, including government institutions, FIs, and research institutions across at least 14 different countries.
Where There is a Wheel, There is a Way
  • Regulus is saying they were able to commandeer the Autopilot system to command the car to “suddenly slow down and unexpectedly veer off the edge of the main road.” But this is one of those situations where you sort of have to parse the words, and in fact there are some hints in the press release, right before what I just read there, because they said “a staged attack” caused this veering and slowing to occur.
  • “Staged” attack can mean two things, right? One, and this is how you can get max FUD factor out of this, is, well, any attack has to be staged in one way or another. Preparing for the attack. But the other sense of this, and this is what I’m sure they’re referring to here, is that they took special measures to set this attack up, that wouldn’t really be applicable in the real world.
  • In terms of the demo, Regulus kind of sort of …ATTACHED AN ANTENNA TO THE CAR AND WIRED IT INTO ITS SYSTEMS before they could do the attack. Yeah. Not exactly something an everyday attacker will do while you’re at the grocery store. And this antenna and the electronics connected to it were not exactly James Bond microscopic stuff either. You would definitely notice this thing stuck on your Tesla if someone were trying to pull off this attack. But that’s not the main point—the main point is that the attacker had to have extensive access to the vehicle and do stuff to it before they could make the attack work. Now, admittedly, they did this so that they didn’t have to use an extraordinarily high-powered transmitter to spoof the GNSS signals; they could have gotten by without attaching that antenna if they didn’t mind lighting up a few hundred or thousand square meters with false navigation signals. So okay fine, this attack could in theory be pulled off without attaching stuff to the Tesla. But that’s not the only issue with this demo. There are also issues with the GNSS spoofing they did.
  • GNSS spoofing is achieved when using a radio transmitter to impersonate the GPS satellites, and sending false data to whatever system you’re trying to fool—in this case, a car. The thing that makes this possible is that when GPS was developed, the developers figured “no one would try to spoof these signals! And even if they did, that would be wicked hard!.” So they didn’t build in any provisions for authentication or really much of any other security.
  • Well…obviously lots of people tried to spoof these signals, and they have succeeded. Since GPS receivers are just listening for the data, if you have the right kind of transmitting apparatus and the right data to send, those receivers will happily take your data instead of the actual satellites’ data. So if you want to tell the car’s nav system that the road it wants is actually over THERE, it could possibly cause some kind of swerving action, like “hey, I’m about to miss the offramp!” But that depends on the idea that you know that some GPS-enabled thing is going to blow by that offramp unless you send a spoofed signal right NOW, and that’s…just…complicated.
  • Companies at this point really need to be pretty careful about these breathless exclamations about the car hacks that they’re pulling off. People are rightly skeptical about it. But I guess if they are able to get headlines…there is a school of thought that there’s no such thing as bad publicity. Still, if you discover some kind of basically RCE on a car, which you can demonstrate reliably in a truly RCE-kind of way, that is, hands-off and without any kind of extraordinary access to the victim system—well, then you should responsibly disclose to the manufacturer and then do a DEF CON demo of it after it’s been patched. Don’t go doing press releases like these. As for Tesla, they should always be performing due diligence on security risks that are brought up, but in this case I think their reaction was appropriate. The interesting thing is that I think they have the necessary hardware and brains that they might be able to actually detect when GNSS is being spoofed—by comparing what the accelerometers and whatnot in the car are “feeling” versus what the GNSS has been telling them to expect. If the GNSS signal suddenly changes—because you came into the range of a spoofer—you’d think that the car could possibly cross-check that and display something that says “GPS DATA INTEGRITY” or something like that. We’ll see!
Kid Pro Quo?
  • These types of programs are focused on employing participants rather than handing out criminal records, with the hope that those in the program will hack “for good”.
  • The use of “kids” is a bit of a misnomer (the program is targeted at individuals aged 13-22).
  • We will be interested in keeping an eye on this program and see if there is positive data in the next few years that reinforces this type of program.
This Week’s Hoodie Scale

How is Russia Putin up with This?
[Emily]
: 6/10 Hoodies
[Tim]: 6/10 Hoodies

Where There is a Wheel, There is a Way
[Emily]:
 0/10 Hoodies
[Tim]:
1/10 Hoodie

Kid Pro Quo?
[Emily]: 4/10 Goodies
[Tim]: 4/10 Goodies

That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included in our blog. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!

Leave a Reply