<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[The Side Channel]]></title><description><![CDATA[A weekly newsletter with curated content on cybersecurity, hacking, and Internet. (News, opinions and analysis)]]></description><link>https://side-channel.com</link><image><url>https://substackcdn.com/image/fetch/$s_!p8DY!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F90e4fa71-9548-4d18-8178-b46c0edc6ce9_264x264.png</url><title>The Side Channel</title><link>https://side-channel.com</link></image><generator>Substack</generator><lastBuildDate>Sat, 11 Apr 2026 20:51:28 GMT</lastBuildDate><atom:link href="https://side-channel.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[José Carlos Andreu]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[joscandreu@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[joscandreu@substack.com]]></itunes:email><itunes:name><![CDATA[José Carlos Andreu]]></itunes:name></itunes:owner><itunes:author><![CDATA[José Carlos Andreu]]></itunes:author><googleplay:owner><![CDATA[joscandreu@substack.com]]></googleplay:owner><googleplay:email><![CDATA[joscandreu@substack.com]]></googleplay:email><googleplay:author><![CDATA[José Carlos Andreu]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[EU Cyber Resilience Act: The proposal is here]]></title><description><![CDATA[This regulation proposal is aimed at setting cybersecurity rules for hardware and software products in the European Union to increase their 
security.]]></description><link>https://side-channel.com/p/eu-cyber-resilience-act-the-proposal</link><guid isPermaLink="false">https://side-channel.com/p/eu-cyber-resilience-act-the-proposal</guid><dc:creator><![CDATA[José Carlos Andreu]]></dc:creator><pubDate>Mon, 26 Sep 2022 17:43:31 GMT</pubDate><enclosure url="https://images.unsplash.com/photo-1578852208109-9a43bbc4c609?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwyfHxldXJvcGVhbiUyMGZsYWd8ZW58MHx8fHwxNjY0MjEwMjg2&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://images.unsplash.com/photo-1578852208109-9a43bbc4c609?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwyfHxldXJvcGVhbiUyMGZsYWd8ZW58MHx8fHwxNjY0MjEwMjg2&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://images.unsplash.com/photo-1578852208109-9a43bbc4c609?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwyfHxldXJvcGVhbiUyMGZsYWd8ZW58MHx8fHwxNjY0MjEwMjg2&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 424w, https://images.unsplash.com/photo-1578852208109-9a43bbc4c609?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwyfHxldXJvcGVhbiUyMGZsYWd8ZW58MHx8fHwxNjY0MjEwMjg2&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 848w, https://images.unsplash.com/photo-1578852208109-9a43bbc4c609?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwyfHxldXJvcGVhbiUyMGZsYWd8ZW58MHx8fHwxNjY0MjEwMjg2&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 1272w, 
https://images.unsplash.com/photo-1578852208109-9a43bbc4c609?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwyfHxldXJvcGVhbiUyMGZsYWd8ZW58MHx8fHwxNjY0MjEwMjg2&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 1456w" sizes="100vw"><img src="https://images.unsplash.com/photo-1578852208109-9a43bbc4c609?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwyfHxldXJvcGVhbiUyMGZsYWd8ZW58MHx8fHwxNjY0MjEwMjg2&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080" width="1080" height="810" data-attrs="{&quot;src&quot;:&quot;https://images.unsplash.com/photo-1578852208109-9a43bbc4c609?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwyfHxldXJvcGVhbiUyMGZsYWd8ZW58MHx8fHwxNjY0MjEwMjg2&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:810,&quot;width&quot;:1080,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;blue and yellow stars forming circle flag&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="blue and yellow stars forming circle flag" title="blue and yellow stars forming circle flag" srcset="https://images.unsplash.com/photo-1578852208109-9a43bbc4c609?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwyfHxldXJvcGVhbiUyMGZsYWd8ZW58MHx8fHwxNjY0MjEwMjg2&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 424w, https://images.unsplash.com/photo-1578852208109-9a43bbc4c609?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwyfHxldXJvcGVhbiUyMGZsYWd8ZW58MHx8fHwxNjY0MjEwMjg2&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 848w, 
https://images.unsplash.com/photo-1578852208109-9a43bbc4c609?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwyfHxldXJvcGVhbiUyMGZsYWd8ZW58MHx8fHwxNjY0MjEwMjg2&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 1272w, https://images.unsplash.com/photo-1578852208109-9a43bbc4c609?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwyfHxldXJvcGVhbiUyMGZsYWd8ZW58MHx8fHwxNjY0MjEwMjg2&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 1456w" sizes="100vw" fetchpriority="high"></picture></div></a><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@okapi123">Lukas</a> on <a 
href="https://unsplash.com">Unsplash</a></figcaption></figure></div><p>The EU has released its legislative proposal for the <a href="https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act">European Cyber Resilience Act</a>. Hardware and software products are increasingly the target of cyberattacks, with the global annual cost of cybercrime estimated at &#8364;5.5 trillion by 2021.</p><p>The proposal sets cybersecurity rules for hardware and software products sold in the European Union, to make them more secure and less likely to be involved in cyber incidents. Until now, the cybersecurity of hardware and software products was not addressed by any EU directive unless they were embedded devices or embedded software. As you can imagine, the scope of this proposal is huge and it will affect many products on the EU market.</p><p>The proposal is 87 pages long and it is not easy to summarize everything in it. 
However, I will try my best to cover the most important points:</p><ul><li><p>The regulation sets rules for placing products with digital elements on the market, to ensure their cybersecurity.</p></li><li><p>It sets essential requirements for the design, development and production of such products with regard to their cybersecurity.</p></li><li><p>It sets essential requirements for the vulnerability handling processes that manufacturers must put in place, to keep products with digital elements secure during their whole life cycle.</p></li><li><p>It sets rules on market surveillance and on enforcement of the rules and requirements above.</p></li></ul><h3>What does all that mean and how may consumers and producers be affected?</h3><p><strong>Consumers</strong> will receive a product with the following information provided by the manufacturer:</p><ul><li><p>Where vulnerabilities can be reported to the manufacturer.</p></li><li><p>The intended use of the product and the security properties it provides.</p></li><li><p>Any foreseeable cybersecurity risk arising from misuse.</p></li><li><p>A software bill of materials (SBOM) for the product.</p></li><li><p>The type of technical support that can be expected from the manufacturer and until when users can expect to receive security updates.</p></li><li><p>Where the user can find instructions on how to:</p><ul><li><p>Commission the device</p></li><li><p>Install security updates</p></li><li><p>Securely decommission the device</p></li></ul></li></ul><p><strong>Manufacturers</strong> will have to:</p><ul><li><p>Design products that are in line with the cybersecurity requirements.</p></li><li><p>Perform a conformity assessment of their product against the requirements set out in the regulation. 
This assessment can be performed as a self-assessment or by a notified body.</p><p>However, special conditions apply if the product falls into class I or class II of the critical products, which are considered the ones with the most risk. In those cases the manufacturer has to follow specific conformity assessment procedures. More information on this topic can be found in Article 24.</p></li><li><p>Provide documentation to the end user so that the device can be used in a secure manner.</p></li><li><p>Have a procedure to handle vulnerability disclosures, mitigations and the release of security patches.</p></li></ul><p><strong>Member States</strong> will have to:</p><ul><li><p>Monitor the market to ensure the rules are being followed.</p></li></ul><p>I&#8217;ve summarized a huge law into a few bullet points, so I am sure there are some inaccuracies and oversimplifications, and some topics are not even reflected in the summary. However, I think this high-level overview can provide some insight into what the EU is preparing for the near future regarding the cybersecurity of consumer and industrial products. Feel free to reach out to me to discuss any of the topics if I got them wrong!</p>]]></content:encoded></item><item><title><![CDATA[Is iOS 16 the new digital fortress?]]></title><description><![CDATA[iOS 16 implements new security features: Passkeys and Lockdown mode. Read why they matter, and of course the weekly dose of tech and cybersecurity news and resources]]></description><link>https://side-channel.com/p/is-ios-16-the-new-digital-fortress</link><guid isPermaLink="false">https://side-channel.com/p/is-ios-16-the-new-digital-fortress</guid><dc:creator><![CDATA[José Carlos Andreu]]></dc:creator><pubDate>Sun, 18 Sep 2022 17:50:09 GMT</pubDate><enclosure url="https://images.unsplash.com/photo-1634618776233-2e951832a5f7?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwxMHx8aW9zfGVufDB8fHx8MTY2MzUxOTY1Mw&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://images.unsplash.com/photo-1634618776233-2e951832a5f7?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwxMHx8aW9zfGVufDB8fHx8MTY2MzUxOTY1Mw&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://images.unsplash.com/photo-1634618776233-2e951832a5f7?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwxMHx8aW9zfGVufDB8fHx8MTY2MzUxOTY1Mw&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 424w, 
https://images.unsplash.com/photo-1634618776233-2e951832a5f7?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwxMHx8aW9zfGVufDB8fHx8MTY2MzUxOTY1Mw&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 848w, https://images.unsplash.com/photo-1634618776233-2e951832a5f7?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwxMHx8aW9zfGVufDB8fHx8MTY2MzUxOTY1Mw&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 1272w, https://images.unsplash.com/photo-1634618776233-2e951832a5f7?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwxMHx8aW9zfGVufDB8fHx8MTY2MzUxOTY1Mw&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 1456w" sizes="100vw"><img src="https://images.unsplash.com/photo-1634618776233-2e951832a5f7?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwxMHx8aW9zfGVufDB8fHx8MTY2MzUxOTY1Mw&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080" width="1080" height="720" data-attrs="{&quot;src&quot;:&quot;https://images.unsplash.com/photo-1634618776233-2e951832a5f7?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwxMHx8aW9zfGVufDB8fHx8MTY2MzUxOTY1Mw&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:720,&quot;width&quot;:1080,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://images.unsplash.com/photo-1634618776233-2e951832a5f7?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwxMHx8aW9zfGVufDB8fHx8MTY2MzUxOTY1Mw&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 424w, 
https://images.unsplash.com/photo-1634618776233-2e951832a5f7?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwxMHx8aW9zfGVufDB8fHx8MTY2MzUxOTY1Mw&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 848w, https://images.unsplash.com/photo-1634618776233-2e951832a5f7?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwxMHx8aW9zfGVufDB8fHx8MTY2MzUxOTY1Mw&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 1272w, https://images.unsplash.com/photo-1634618776233-2e951832a5f7?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwxMHx8aW9zfGVufDB8fHx8MTY2MzUxOTY1Mw&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 1456w" sizes="100vw" fetchpriority="high"></picture></div></a><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@unarchive">Jeremy Bezanger</a> on <a href="https://unsplash.com">Unsplash</a></figcaption></figure></div><p>This week <a href="https://www.apple.com/newsroom/2022/09/ios-16-is-available-today/">iOS 16 was released</a> to the public. I am not going to enumerate every new feature; plenty of other sources have already done that. I just want to focus on, and go into some detail about, two new security features: <strong>Passkeys</strong> and <strong>Lockdown mode</strong>.</p><h3>Passkeys</h3><p>Apple <a href="https://developer.apple.com/passkeys/">Passkeys</a> are Apple&#8217;s implementation of the <a href="https://www.w3.org/TR/webauthn-1/">WebAuthn</a> standard. WebAuthn is a web credential API initially proposed by the FIDO Alliance and later standardized by the W3C.</p><p>This protocol aims to replace password-based authentication with public-key cryptography, a much more secure way of authenticating on the Internet. For each credential a key pair is created: the public key is shared with the web service (the relying party) and the private key is kept secret in the authenticator device.</p><p>At login time the web service sends a random challenge through the browser, which acts as a mediator between the web service and the authenticator device.</p><p>The authenticator is the device that holds the private key and is the one that answers the challenge by signing it. In Apple&#8217;s case, use of the keys is protected by Touch ID or Face ID, that is, by biometric authentication. This means that only the intended user will be able to authenticate with the keys that are stored in the device. 
No shared secret ever travels between the web service and the authenticator: the private key never leaves the device, and the signed response is bound to the relying party&#8217;s origin, so a credential registered for one site cannot be used to log in from a look-alike domain. This is what makes the technology highly phishing resistant.</p><p>Apple offers the possibility of saving the private keys to iCloud Keychain, which is end-to-end encrypted, so the keys can be synchronized across all your Apple devices.</p><p>Apple can make its users adopt this new technology very fast and in a very convenient way. I mean, who wouldn&#8217;t want to ditch passwords forever? I think that web services that implement Passkeys are about to boom.</p><p>Passkeys are a joint initiative from Apple, Google and Microsoft, and I presume that soon we will be using Passkeys on all our devices, regardless of the vendor, and start thinking of passwords as a thing of the past.</p><h3>Lockdown mode</h3><p>Creating secure devices is a tough task. Apple has learnt that the hard way. 
Recent scandals such as the Pegasus infections have cast doubt on the actual security of Apple&#8217;s devices and operating systems.</p><p>Lockdown mode is Apple&#8217;s response to the latest attacks on iOS devices with highly sophisticated malware. It is not the ideal solution, by the way, because it amounts to Apple recognizing that its products are not safe enough for highly targeted individuals, and that the only way to protect them a bit more is to disable certain features.</p><p>Lockdown mode is a new configuration of iOS in which certain features are restricted or even disabled. The restrictions take effect once the user turns the mode on and restarts the device.</p><p>Using Lockdown mode reduces the attack surface of iOS by:</p><ul><li><p>Blocking incoming FaceTime calls from people you have not previously called.</p></li><li><p>Blocking most attachment types in the Messages app and disabling link previews.</p></li><li><p>Disabling certain web technologies: web fonts won&#8217;t load and the JavaScript engine runs without JIT (just-in-time) compilation, so rendering is affected and pages load more slowly.</p></li><li><p>Refusing to install configuration profiles while Lockdown mode is on. To install a new one, the user has to disable the mode, install the profile and re-enable it.</p></li><li><p>Blocking wired connections to USB accessories and computers while the iPhone is locked.</p></li></ul><p>A couple of notes regarding the measures taken in the browser:</p><ul><li><p>Apple forces every web browser (not only Safari) to use its WebKit-based rendering engine. There is no way to work around that. Therefore, every web browser will be applying the same security measures as Safari.</p></li><li><p>I have personally tried Lockdown mode on the iPhone and web browsing gets a little bit impacted. 
Especially on sites that rely heavily on icon rendering through web fonts (which are most of the pages I visited). Other than that, I haven&#8217;t seen any other downsides to my normal activity on the phone.</p></li></ul><h2>This week&#8217;s highlights in tech &amp; cybersecurity</h2><ul><li><p><a href="https://www.theverge.com/2022/9/12/23348765/tesla-model-y-unlock-drive-car-thief-nfc-relay-attack">Tesla&#8217;s Model Y can be unlocked and started by performing an NFC relay attack</a>: The attack requires two attackers working together, one near the victim&#8217;s key card or phone and one at the car. The researchers say the attack takes about 2 seconds, and that lowering the NFC authentication timeout to about 0.5 seconds would make it much harder to pull off. They add that the same attack could work on other manufacturers&#8217; vehicles that lack mitigations such as the optional PIN to drive that Tesla offers.</p></li><li><p><a href="https://www.theregister.com/2022/09/16/uber_security_incident/?td=rt-9cp">Uber fail - &#8220;Security Response Break the glass account</a>&#8221;: Uber was hacked, allegedly by an 18-year-old attacker who social-engineered some employees. Leaked screenshots show how bad the breach is: the attacker reached the administrator dashboards of Uber&#8217;s infrastructure. The attack is still under investigation.</p><p>Bonus: Check the redacted screenshot for the account names&#8230;</p></li></ul><div class="twitter-embed" data-attrs="{&quot;url&quot;:&quot;https://twitter.com/vxunderground/status/1570611979169202179&quot;,&quot;full_text&quot;:&quot;<span class=\&quot;tweet-fake-link\&quot;>@Uber</span> UPDATE: More Uber information data disclosed: vSphere, Google workplace data, and more AWS data. 
&quot;,&quot;username&quot;:&quot;vxunderground&quot;,&quot;name&quot;:&quot;vx-underground&quot;,&quot;profile_image_url&quot;:&quot;&quot;,&quot;date&quot;:&quot;Fri Sep 16 03:14:11 +0000 2022&quot;,&quot;photos&quot;:[{&quot;img_url&quot;:&quot;https://pbs.substack.com/media/FcvvOqdXgAUb7d1.jpg&quot;,&quot;link_url&quot;:&quot;https://t.co/aTSBBuyust&quot;,&quot;alt_text&quot;:null},{&quot;img_url&quot;:&quot;https://pbs.substack.com/media/FcvvPGBWAAIt73k.jpg&quot;,&quot;link_url&quot;:&quot;https://t.co/aTSBBuyust&quot;,&quot;alt_text&quot;:null},{&quot;img_url&quot;:&quot;https://pbs.substack.com/media/FcvvPn8WYAI9HHv.jpg&quot;,&quot;link_url&quot;:&quot;https://t.co/aTSBBuyust&quot;,&quot;alt_text&quot;:null},{&quot;img_url&quot;:&quot;https://pbs.substack.com/media/FcvvQI9XEAAuHjY.jpg&quot;,&quot;link_url&quot;:&quot;https://t.co/aTSBBuyust&quot;,&quot;alt_text&quot;:null}],&quot;quoted_tweet&quot;:{},&quot;reply_count&quot;:0,&quot;retweet_count&quot;:317,&quot;like_count&quot;:1138,&quot;impression_count&quot;:0,&quot;expanded_url&quot;:{},&quot;video_url&quot;:null,&quot;belowTheFold&quot;:true}" data-component-name="Twitter2ToDOM"></div><div class="twitter-embed" data-attrs="{&quot;url&quot;:&quot;https://twitter.com/_MG_/status/1570626240499032065&quot;,&quot;full_text&quot;:&quot;Lots of screenshots going around about Uber but this one shows how wide the hack is. 
\n\&quot;Security Response Break Glass Service Account\&quot; password &#128293; &quot;,&quot;username&quot;:&quot;_MG_&quot;,&quot;name&quot;:&quot;_MG_&quot;,&quot;profile_image_url&quot;:&quot;&quot;,&quot;date&quot;:&quot;Fri Sep 16 04:10:51 +0000 2022&quot;,&quot;photos&quot;:[{&quot;img_url&quot;:&quot;https://pbs.substack.com/media/Fcv70sTacAA6weF.jpg&quot;,&quot;link_url&quot;:&quot;https://t.co/pvz12cJrBY&quot;,&quot;alt_text&quot;:null}],&quot;quoted_tweet&quot;:{},&quot;reply_count&quot;:0,&quot;retweet_count&quot;:209,&quot;like_count&quot;:720,&quot;impression_count&quot;:0,&quot;expanded_url&quot;:{},&quot;video_url&quot;:null,&quot;belowTheFold&quot;:true}" data-component-name="Twitter2ToDOM"></div><ul><li><p><a href="https://ethereum.org/en/upgrades/merge/">Ethereum has finally merged</a>: Since September 15th, Ethereum runs on proof-of-stake instead of proof-of-work. The most evident benefit is that Ethereum reduced its global energy footprint by ~99.95%.</p></li><li><p><a href="https://haveibeentrained.com/">Have I Been Trained?</a>: A website to find out whether images have been used to train AI image-generation models.</p></li><li><p><a href="https://ec.europa.eu/commission/presscorner/detail/en/IP_22_5374">EU Cyber Resilience Act</a>: A proposed regulation to enforce cybersecurity requirements on products with digital elements throughout their life cycle.</p></li></ul><h2>&#10084;&#65039; My favorite things</h2><ul><li><p><a href="https://xargs.org/">Michael Driscoll&#8217;s illustrated network protocol and cryptography collection</a>: The animated Elliptic Curve, the illustrated TLS 1.3 connection and the illustrated QUIC connection are perfect learning materials for those of you who want to know more about them. These resources are visually appealing and make it easier to understand what&#8217;s beneath the protocols, and the math behind elliptic curves.</p></li></ul>]]></content:encoded></item><item><title><![CDATA[Open Insulin: biohacking and Open-sourcing insulin manufacturing]]></title><description><![CDATA[The Open Insulin project, this week's cybersecurity highlights and a little review on the last book I read.]]></description><link>https://side-channel.com/p/open-insulin-biohacking-and-open</link><guid isPermaLink="false">https://side-channel.com/p/open-insulin-biohacking-and-open</guid><dc:creator><![CDATA[José Carlos Andreu]]></dc:creator><pubDate>Sun, 11 Sep 2022 19:30:39 GMT</pubDate><enclosure url="https://images.unsplash.com/photo-1612851300081-30cac0077b3b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwxfHxpbnN1bGlufGVufDB8fHx8MTY2MjkyMjc4MQ&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" 
href="https://images.unsplash.com/photo-1612851300081-30cac0077b3b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwxfHxpbnN1bGlufGVufDB8fHx8MTY2MjkyMjc4MQ&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://images.unsplash.com/photo-1612851300081-30cac0077b3b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwxfHxpbnN1bGlufGVufDB8fHx8MTY2MjkyMjc4MQ&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 424w, https://images.unsplash.com/photo-1612851300081-30cac0077b3b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwxfHxpbnN1bGlufGVufDB8fHx8MTY2MjkyMjc4MQ&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 848w, https://images.unsplash.com/photo-1612851300081-30cac0077b3b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwxfHxpbnN1bGlufGVufDB8fHx8MTY2MjkyMjc4MQ&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 1272w, https://images.unsplash.com/photo-1612851300081-30cac0077b3b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwxfHxpbnN1bGlufGVufDB8fHx8MTY2MjkyMjc4MQ&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 1456w" sizes="100vw"><img src="https://images.unsplash.com/photo-1612851300081-30cac0077b3b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwxfHxpbnN1bGlufGVufDB8fHx8MTY2MjkyMjc4MQ&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080" width="1080" height="811" 
data-attrs="{&quot;src&quot;:&quot;https://images.unsplash.com/photo-1612851300081-30cac0077b3b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwxfHxpbnN1bGlufGVufDB8fHx8MTY2MjkyMjc4MQ&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:811,&quot;width&quot;:1080,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;yellow and clear glass bottle&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="yellow and clear glass bottle" title="yellow and clear glass bottle" srcset="https://images.unsplash.com/photo-1612851300081-30cac0077b3b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwxfHxpbnN1bGlufGVufDB8fHx8MTY2MjkyMjc4MQ&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 424w, https://images.unsplash.com/photo-1612851300081-30cac0077b3b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwxfHxpbnN1bGlufGVufDB8fHx8MTY2MjkyMjc4MQ&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 848w, https://images.unsplash.com/photo-1612851300081-30cac0077b3b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwxfHxpbnN1bGlufGVufDB8fHx8MTY2MjkyMjc4MQ&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 1272w, https://images.unsplash.com/photo-1612851300081-30cac0077b3b?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwxfHxpbnN1bGlufGVufDB8fHx8MTY2MjkyMjc4MQ&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft 
pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@thismyrealone">Dennis Klicker</a> on <a href="https://unsplash.com">Unsplash</a></figcaption></figure></div><p><a href="https://openinsulin.org/">The Open Insulin project</a> is led by a team of biohackers and open-source hardware makers who are trying to change a multi-billion dollar business by engineering microorganisms (bacteria and yeast) capable of producing insulin, along with all the related machinery needed to make that possible.</p><p>Before talking about the details of the project and why what they do is important for many people, let&#8217;s have a brief look at the history of insulin:</p><p>The first injection of insulin was given to a 14-year-old diabetic patient 100 years ago at the Toronto General Hospital in Canada. A century has passed since then, and one could think that access to this vital hormone would be universally affordable. Well, not really, especially in the US and other countries&#8230; Let&#8217;s dive into why.</p><p>The original process to obtain insulin was based on extracting and filtering it from cow and pig pancreases. This process was granted a patent, which was sold for $1 to the University of Toronto with the aim that anyone would be free to prepare the extract but no one could secure a monopoly on it.</p><p>In 1978, scientists from Genentech figured out how to create insulin in a lab without the need for pigs or cows. Recombinant DNA was the new technique used to make yeast produce insulin in a lab environment. This discovery made it possible to have virtually unlimited insulin from cost-effective ingredients. Four years later the first r-DNA insulin was produced commercially by Eli Lilly. This new process earned the laboratories patents of their own.</p><p>Over the years, the pharmaceutical companies have been extending their different patents related to insulin production. 
Some of these companies are accused of evergreening their patents, that is, extending the life of a patent by applying minor changes to it without providing any significant improvement to the hormone.</p><p>Sanofi, Eli Lilly and Novo Nordisk account for 96% of the world&#8217;s insulin supply, and all of them have used patents to keep competitors out of the market. With few competitors in the market there is no incentive to keep prices low. The laboratories have been marketing r-DNA insulin in favor of the animal-based one. Since 2006, all commercially available insulin has been based on r-DNA.</p><p>However, patents are not the only barrier a competitor will encounter; the FDA is another. A competitor would have to undergo a biosimilar approval process, which can be very costly (up to $250 million) and take a very long time to complete.</p><p>This project aims to find the microorganisms, the protocols and the laboratory equipment needed to produce insulin at a small scale. This could change the current trend of centralized production by big pharma and allow small laboratories at a city or state level to produce insulin. The ultimate goal of the foundation is to be able to produce fast-acting (lispro) and long-acting (glargine) insulin.</p><p>Vadim Kimlaychuk is an IT infrastructure manager who is volunteering in the project, and he is working on the design of a key piece of equipment for manufacturing insulin: the Fast Protein Liquid Chromatography (FPLC) machine. This piece of hardware is needed to purify proteins. Vadim is working on building an FPLC based on open-source designs. One of the difficult tasks they are facing is finding and obtaining the right components to build the hardware, as these are often not specifically designed for the intended purpose, so they have to be adapted.</p><p>The Open Insulin project has a long road ahead before it will be able to release insulin usable by diabetics. 
Even though there are major issues to overcome, they keep going.</p><p>It&#8217;s encouraging and sad at the same time that projects like this exist. It&#8217;s nice to see that there are people willing to volunteer and try to find a solution that relies on the same principles as open-source software, from which many people can benefit: everyone will be able to access the resources to replicate an insulin laboratory and can also contribute back any improvements to the original process or design. However, it is also sad that this project is searching for a solution that already exists, but due to the exploitation of the patent system (and unlimited pricing in the US drug market) many people in the US and around the world don&#8217;t have proper access to the insulin they need.</p><p>Sources: <a href="https://news.un.org/en/story/2021/11/1105582">United Nations News</a>, <a href="https://thehill.com/policy/healthcare/600450-why-insulin-prices-are-troublingly-high/">The Hill</a>, <a href="https://wiredpen.com/2022/09/06/genentech-develops-synthetic-insulin/">WiredPen</a>, <a href="https://www.theverge.com/2019/11/19/20966695/insulin-industry-diabetic-type-1-drug-price-cost-manufacturing-access">The Verge</a></p><h2>This week&#8217;s highlights in tech &amp; cybersecurity</h2><ul><li><p><a href="https://www.reuters.com/world/albania-cuts-iran-ties-orders-diplomats-go-after-cyber-attack-pm-says-2022-09-07/">Albania cuts Iran ties over cyber attacks</a>: Albania has ordered Iranian diplomats to leave the country. These measures come after the US concluded that Iran was behind the July 15th cyber attacks on government infrastructure. 
On September 10th, <a href="https://abcnews.go.com/International/wireStory/albania-reports-2nd-cyberattack-iran-border-systems-89641280">Albania reported a second cyber attack on its border systems</a>.</p></li><li><p><a href="https://www.universetoday.com/157474/iphone-14-will-have-satellite-connectivity-how-exactly-it-will-work/">iPhone 14 will have satellite connectivity</a> (only one-way communication for SOS): Globalstar is going to be the provider for the emergency communication.</p></li><li><p><a href="https://go.theregister.com/feed/www.theregister.com/2022/09/06/go_govulncheck_vulnerability_tool/">The Go programming language has added a tool to its toolchain to detect known vulnerabilities in your projects</a>.</p></li><li><p><a href="https://www.nytimes.com/2022/09/03/world/americas/ships-gps-international-law.html">Ships manipulate their location data to avoid international laws</a>: The United Nations discovered that more than 500 ships tampered with their Global Navigation Satellite System (GNSS) equipment to hide their real locations. This fraudulent technique has been used to cover tankers stopping at Iran, Chinese fishing boats operating in protected waters in South America and container ships hiding journeys in the Middle East. International law requires that all big ships be equipped with satellite transponders, known as AIS (Automatic Identification System). AIS location manipulation shows how easy it is to tamper with these systems.</p></li></ul><h2>&#10084;&#65039; My favorite things</h2><ul><li><p>I just finished reading <a href="https://www.elephantinthebrain.com/">The Elephant in the Brain</a>: This book goes into detail on our hidden motives for what we do as the social and political creatures that we are. It&#8217;s interesting how it takes another perspective on religion, politics, charity, art, among others. 
I must recognise that it was a bit hard to finish for me and I felt that some explanations were oversimplified, but overall I would recommend it.</p></li></ul>]]></content:encoded></item><item><title><![CDATA[Privacy cookie monster]]></title><description><![CDATA[The state of cookie banners, this week's cybersecurity highlights, infosec resources and open-source repositories]]></description><link>https://side-channel.com/p/privacy-cookie-monster</link><guid isPermaLink="false">https://side-channel.com/p/privacy-cookie-monster</guid><dc:creator><![CDATA[José Carlos Andreu]]></dc:creator><pubDate>Sun, 04 Sep 2022 11:04:22 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!RRMj!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2Fdef05edf-8568-490d-9abc-5ce7818bee5f_511x512.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" 
href="https://substackcdn.com/image/fetch/$s_!RRMj!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2Fdef05edf-8568-490d-9abc-5ce7818bee5f_511x512.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!RRMj!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2Fdef05edf-8568-490d-9abc-5ce7818bee5f_511x512.png 424w, https://substackcdn.com/image/fetch/$s_!RRMj!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2Fdef05edf-8568-490d-9abc-5ce7818bee5f_511x512.png 848w, https://substackcdn.com/image/fetch/$s_!RRMj!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2Fdef05edf-8568-490d-9abc-5ce7818bee5f_511x512.png 1272w, https://substackcdn.com/image/fetch/$s_!RRMj!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2Fdef05edf-8568-490d-9abc-5ce7818bee5f_511x512.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!RRMj!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2Fdef05edf-8568-490d-9abc-5ce7818bee5f_511x512.png" width="511" height="512" 
data-attrs="{&quot;src&quot;:&quot;https://bucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com/public/images/def05edf-8568-490d-9abc-5ce7818bee5f_511x512.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:512,&quot;width&quot;:511,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:582112,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!RRMj!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2Fdef05edf-8568-490d-9abc-5ce7818bee5f_511x512.png 424w, https://substackcdn.com/image/fetch/$s_!RRMj!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2Fdef05edf-8568-490d-9abc-5ce7818bee5f_511x512.png 848w, https://substackcdn.com/image/fetch/$s_!RRMj!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2Fdef05edf-8568-490d-9abc-5ce7818bee5f_511x512.png 1272w, https://substackcdn.com/image/fetch/$s_!RRMj!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2Fdef05edf-8568-490d-9abc-5ce7818bee5f_511x512.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" 
stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>This week I stumbled upon <a href="https://cacm.acm.org/magazines/2022/7/262074-cookie-monster/fulltext">Cookie Monster</a>, an article by Lorrie Faith, a CS and security professor at Carnegie Mellon University, in which she exposes the pitiful state of the mandatory cookie banners on the Web.</p><p>The lab at Carnegie Mellon University conducted a study in which 1000 people from the U.S. were presented with one of 12 cookie banners while they were shopping. 
After the task was completed they were interviewed about what they had consented to and why.</p><p>The results show that if users are presented with an easy selection among the options, they tend to accept fewer cookies. If the banner is unobtrusive, they are likely not to interact with it, and therefore the default policy applies. However, if a permanent button is shown floating at the bottom right of the page, nobody interacts with it.</p><p>The author also mentions the use of obscure patterns that trick users into giving consent to all cookies. In other cases found in the study, the banners are completely useless, as they do not even comply with the law: they just state that the website uses cookies and give the user no option at all.</p><p>The terms used are not standardised and vary from region to region, which creates confusion among users.</p><p>Automated solutions have been proposed to allow users to set their preferences in their web browser rather than on a website-by-website basis. 
These include &#8220;Do Not Track&#8221; and a more recent solution called &#8220;Global Privacy Control&#8221; (GPC), which allows users to automatically send a request not to sell their personal information to every website they visit. GPC requests are considered valid under the California Consumer Privacy Act (CCPA), and websites that ignore them may face enforcement actions in California. However, these mechanisms are ignored by most sites.</p><p>In the short term, the author proposes cleaner cookie banners so that users can easily access their choices, and removing banners where no relevant choices are given to users. In the long term, automated solutions are needed so that users&#8217; choices are respected everywhere.</p><p>There is still a long way to go before we have a harmonised and automated way of keeping the privacy cookie monster away from our browsers.</p><h2>This week&#8217;s cybersecurity news</h2><ul><li><p><a href="https://www.spiceworks.com/it-security/data-breaches/news/lastpass-hacked-source-code-theft/">LastPass internal source code and some documentation were stolen by a cyber attacker.</a> The company assures that no user data or encrypted password vaults are at risk.</p></li><li><p>A security researcher has found a novel way to exfiltrate data from air-gapped machines by abusing the LED activity indicators usually present on NICs (network interface controllers). This new technique, named <a href="https://arxiv.org/abs/2208.09975">ETHERLED</a>, demonstrates that an attacker could use malware to exfiltrate data by encoding it as Morse code, for instance. 
The receiver of the information could be placed tens to hundreds of meters away from the air-gapped machine.</p></li><li><p><a href="https://www.hackread.com/nato-hackers-selling-data-missile-firm-mbda/">A cybercrime organization is allegedly trying to sell classified NATO missile data from the company MBDA.</a> The criminals are trying to sell around 70 GB of data for 1 BTC.</p></li><li><p><a href="https://crypt.ee/ios-lockdown-mode-test">iOS Lockdown Mode detection test</a>: The people from <a href="https://crypt.ee/">Cryptee</a> have created a proof-of-concept test that can tell, when you open <a href="https://crypt.ee/ios-lockdown-mode-test">this website</a>, whether Lockdown Mode is enabled on your iPhone. Remember that Lockdown Mode blocks messaging and other engagement with people who are not in your contact list, blocks link previews, and in Safari disables JIT (Just In Time) compilation and custom fonts.</p></li><li><p><a href="https://chromereleases.googleblog.com/2022/09/stable-channel-update-for-desktop.html">Google Chrome is releasing a security update to mitigate CVE-2022-3075</a>. Google states that it is aware that exploits exist in the wild.</p></li><li><p><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-28799">Microsoft discovered a one-click exploit for TikTok on the Android platform.</a> The vulnerability (CVE-2022-28799) can lead to account hijacking, as stated in <a href="https://www.microsoft.com/security/blog/2022/08/31/vulnerability-in-tiktok-android-app-could-lead-to-one-click-account-hijacking/">Microsoft&#8217;s write-up</a>.</p></li><li><p><a href="https://support.apple.com/en-us/HT213428">Apple issued a security update for iOS 12 (12.5.6)</a> which addresses a major security vulnerability, recently patched for iOS 15. 
Apple states that it is aware of a report that the vulnerability may have been actively exploited.</p></li></ul><h2>&#10084;&#65039; My favorite things</h2><ul><li><p><a href="https://www.youtube.com/watch?v=qUh507Na9nk">LiveOverflow&#8217;s great video on kernel root exploitation of a race condition</a>: This video is a wonderful learning resource on how race conditions can be exploited. It is explained in detail, with simple explanations that ease the difficulty of this kind of exploitation.</p></li></ul><h2>Infosec resources</h2><ul><li><p><a href="https://pwnedkeys.com/">pwnedkeys</a> offers an API to check whether a private key you are using has been leaked or reused. You can check on this website if a key you are using is untrustworthy.</p></li><li><p><a href="https://defcon.org/html/links/dc-archives/dc-30-archive.html">DEFCON 30 repository</a> contains videos, slides, audio, white papers and other resources that were presented at DEFCON 30.</p></li></ul><h2>Open-source repositories</h2><ul><li><p><a href="https://github.com/GaloisInc/MATE">GaloisInc/MATE</a>: MATE is a suite of tools for interactive program analysis with a focus on hunting for bugs in C and C++ code using Code Property Graphs. The documentation can be found at: <a href="https://galoisinc.github.io/MATE/">https://galoisinc.github.io/MATE/</a></p></li><li><p><a href="https://github.com/google/paranoid_crypto">google/paranoid_crypto</a>: The Paranoid project checks for well-known weaknesses in cryptographic artifacts such as public keys, digital signatures and general pseudorandom numbers.</p></li></ul>]]></content:encoded></item><item><title><![CDATA[The times they are AI-changin’]]></title><description><![CDATA[The societal changes that will come with image generation Artificial Intelligence, highlights on this week's cybersecurity and a choice of infosec resources]]></description><link>https://side-channel.com/p/the-times-they-are-ai-changin</link><guid isPermaLink="false">https://side-channel.com/p/the-times-they-are-ai-changin</guid><dc:creator><![CDATA[José Carlos Andreu]]></dc:creator><pubDate>Sun, 28 Aug 2022 16:56:15 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!XfEE!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9c1aa94-c28b-4dde-91a5-b313b9413fbb_512x512.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!XfEE!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9c1aa94-c28b-4dde-91a5-b313b9413fbb_512x512.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!XfEE!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9c1aa94-c28b-4dde-91a5-b313b9413fbb_512x512.png 424w, 
https://substackcdn.com/image/fetch/$s_!XfEE!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9c1aa94-c28b-4dde-91a5-b313b9413fbb_512x512.png 848w, https://substackcdn.com/image/fetch/$s_!XfEE!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9c1aa94-c28b-4dde-91a5-b313b9413fbb_512x512.png 1272w, https://substackcdn.com/image/fetch/$s_!XfEE!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9c1aa94-c28b-4dde-91a5-b313b9413fbb_512x512.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!XfEE!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9c1aa94-c28b-4dde-91a5-b313b9413fbb_512x512.png" width="512" height="512" data-attrs="{&quot;src&quot;:&quot;https://bucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com/public/images/a9c1aa94-c28b-4dde-91a5-b313b9413fbb_512x512.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:512,&quot;width&quot;:512,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:617404,&quot;alt&quot;:&quot;Painting of Bob Dylan playing the guitar in the style of a Van Gogh painting&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Painting of Bob Dylan playing the guitar in the style of a Van Gogh painting" title="Painting of Bob Dylan playing the guitar in the style of a Van Gogh painting" 
srcset="https://substackcdn.com/image/fetch/$s_!XfEE!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9c1aa94-c28b-4dde-91a5-b313b9413fbb_512x512.png 424w, https://substackcdn.com/image/fetch/$s_!XfEE!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9c1aa94-c28b-4dde-91a5-b313b9413fbb_512x512.png 848w, https://substackcdn.com/image/fetch/$s_!XfEE!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9c1aa94-c28b-4dde-91a5-b313b9413fbb_512x512.png 1272w, https://substackcdn.com/image/fetch/$s_!XfEE!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9c1aa94-c28b-4dde-91a5-b313b9413fbb_512x512.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg 
xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a><figcaption class="image-caption">Image generated by me with Stable Diffusion AI with prompt: a photograph of Bob Dylan singing and playing the guitar in the style of Van Gogh</figcaption></figure></div><p>The open-source release of <a href="https://stability.ai/blog/stable-diffusion-announcement">Stable Diffusion</a> got me thinking about how big a breakthrough it will be for the Internet and for our society as well. For those of you who are not familiar with the current trend of text-to-image Artificial Intelligence, Stable Diffusion is an open-source AI model that can turn whatever we describe with words into an image. It is not the only AI capable of doing so, but it is the first one to be open-sourced. 
2022 has been a crazy year for this kind of technology: <a href="https://openai.com/dall-e-2/">OpenAI&#8217;s Dall-e 2</a>, <a href="https://imagen.research.google/">Google Imagen</a>, <a href="https://www.craiyon.com/">Dall-e mini</a>, <a href="https://parti.research.google/">Google Parti</a>, <a href="https://ai.facebook.com/blog/greater-creative-control-for-ai-image-generation/?utm_source=twitter&amp;utm_medium=organic_social&amp;utm_campaign=make-a-scene&amp;utm_content=announcement">Meta&#8217;s make-a-scene</a>, <a href="https://nuwa-infinity.microsoft.com/#/">Microsoft&#8217;s NUWA</a>, <a href="https://www.midjourney.com/home/">Midjourney</a>,&#8230;</p><p>Until now, all of the available AIs have been under the full control of their developers, who could impose any restrictions on the images generated with their technology. For instance, Dall-e 2 cannot create any images depicting famous people, nudity, or violence. However, Stable Diffussion does not have any of these constraints, opening the possibility of easing the process of creating deep-fakes, violent images, or even adult content.</p><p>Anyhow, not having restrictions on the images generated by the AI is not what is shocking to me, but the deep changes that are about to start in society. What about the work of artists, designers, and illustrators? Will these AIs become tools that will help them in their creative process or will they become a substitute for their work?</p><p>I always thought that creative tasks would be the last ones to be automated by AIs. I have been used to the automation of repetitive tasks, for example, the ones at a factory, and I think I am not the only one thinking this way. The automation of repetitive tasks is viewed positively by humans because those tasks typically have less value than more creative ones. 
However, this new trend is breaking the paradigm that we were used to.</p><p>Not only is image creation a task being performed by AIs, but other <em>creative</em> tasks are also performed nowadays incredibly well by AIs, such as code completion with <a href="https://github.com/features/copilot">Github Copilot</a> or music track separation with <a href="https://www.lalal.ai/">LALAL.AI</a>. Let&#8217;s not forget automated driving, which in its current state is able to <a href="https://www.youtube.com/watch?v=yjztvddhZmI">drive safer than humans</a> (under favorable conditions).</p><p>So, there is a clear question to ask ourselves: Are we going to go jobless? Well, I am pretty sure there will be employment destruction derived from the massive adoption of these technologies, as there always has been when society adopts any revolutionary technology. However, new jobs will be created, jobs we were not able to imagine years ago. Take the example of any image generation AI; right now, these AIs respond to a textual input but the results need to be checked by a human to make sure that they look realistic and that they fit with the description that we wanted to be represented in the form of an image. Imagine now that these AIs could have fine tweaks in their input such as more complicated parameters, not only words. Most likely this task would be carried out by someone who understands the underlying technology. This task will be performed by what is known as a prompt engineer. I never imagined that such a job could ever exist.</p><p>Let&#8217;s go one step further and imagine the next AI capable of not only creating images but creating movies by being fed just a text script. Even more, let&#8217;s add an AI that would create the soundtrack of the movie that created the AI on its own. 
Isn&#8217;t it surprising and scary at the same time?</p><p>We are about to live a moment of breakthrough change, just like when social networks started becoming popular or the popularization of the Internet and the Web.</p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://side-channel.com/subscribe?&quot;,&quot;text&quot;:&quot;Suscr&#237;bete&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading The Side Channel! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Suscr&#237;bete"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><h2>&#128274; Highlights on cybersecurity this week</h2><ul><li><p><a href="https://inappbrowser.com/">Inappbrowser.com</a> is a tool that let&#8217;s you check what JavaScript commands get injected through an in-app browser. <a href="https://twitter.com/KrauseFx">Felix Krause</a>, the creator of the <a href="https://github.com/KrauseFx/inAppBrowser.com">tool</a>, has performed some testing on the in-app browser of various iOS applications with worrying results.</p><p>Apps like Instagram, Facebook or FB Messenger have the ability to modify the page that is being shown in the in-app browser. However, the most intrusive one is TikTok: when opening a website from within the TikTok iOS app, they inject code that can observe every keyboard input. 
Therefore, they could be collecting critically sensitive information such as passwords, credit card information, etc.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!X-VS!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F296de508-a72c-4dea-99cf-c0f3fcc59ce9_1142x578.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!X-VS!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F296de508-a72c-4dea-99cf-c0f3fcc59ce9_1142x578.png 424w, https://substackcdn.com/image/fetch/$s_!X-VS!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F296de508-a72c-4dea-99cf-c0f3fcc59ce9_1142x578.png 848w, https://substackcdn.com/image/fetch/$s_!X-VS!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F296de508-a72c-4dea-99cf-c0f3fcc59ce9_1142x578.png 1272w, https://substackcdn.com/image/fetch/$s_!X-VS!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F296de508-a72c-4dea-99cf-c0f3fcc59ce9_1142x578.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!X-VS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F296de508-a72c-4dea-99cf-c0f3fcc59ce9_1142x578.png" width="625" height="316.3309982486865" 
data-attrs="{&quot;src&quot;:&quot;https://bucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com/public/images/296de508-a72c-4dea-99cf-c0f3fcc59ce9_1142x578.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:578,&quot;width&quot;:1142,&quot;resizeWidth&quot;:625,&quot;bytes&quot;:106432,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!X-VS!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F296de508-a72c-4dea-99cf-c0f3fcc59ce9_1142x578.png 424w, https://substackcdn.com/image/fetch/$s_!X-VS!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F296de508-a72c-4dea-99cf-c0f3fcc59ce9_1142x578.png 848w, https://substackcdn.com/image/fetch/$s_!X-VS!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F296de508-a72c-4dea-99cf-c0f3fcc59ce9_1142x578.png 1272w, https://substackcdn.com/image/fetch/$s_!X-VS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F296de508-a72c-4dea-99cf-c0f3fcc59ce9_1142x578.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>This Twitter thread from the creator gives more insight into his findings:</p><div class="twitter-embed" data-attrs="{&quot;url&quot;:&quot;https://twitter.com/KrauseFx/status/1560370732705742848&quot;,&quot;full_text&quot;:&quot;&#128293; New Post: Announcing InAppBrowser - see what JavaScript commands get injected through an in-app browser\n\n&#128064; TikTok, when opening any website in their app, injects tracking code that can monitor all keystrokes, including passwords, and all taps.\n\n<a class=\&quot;tweet-url\&quot; href=\&quot;https://krausefx.com/blog/announcing-inappbrowsercom-see-what-javascript-commands-get-executed-in-an-in-app-browser\&quot;>krausefx.com/blog/announcin&#8230;</a> &quot;,&quot;username&quot;:&quot;KrauseFx&quot;,&quot;name&quot;:&quot;Felix Krause&quot;,&quot;profile_image_url&quot;:&quot;&quot;,&quot;date&quot;:&quot;Thu Aug 18 20:59:07 +0000 
2022&quot;,&quot;photos&quot;:[{&quot;img_url&quot;:&quot;https://pbs.substack.com/media/FaeM575XoAEbO11.png&quot;,&quot;link_url&quot;:&quot;https://t.co/pQcX5vrEXc&quot;,&quot;alt_text&quot;:null}],&quot;quoted_tweet&quot;:{},&quot;reply_count&quot;:0,&quot;retweet_count&quot;:15209,&quot;like_count&quot;:31976,&quot;impression_count&quot;:0,&quot;expanded_url&quot;:{},&quot;video_url&quot;:null,&quot;belowTheFold&quot;:true}" data-component-name="Twitter2ToDOM"></div></li></ul><ul><li><p>A whistleblower on Twitter: Peiter Zatko, a.k.a. <a href="https://twitter.com/dotmudge">Mudge</a>, former head of security at Twitter, was fired on January 21 by Parag Agrawal in one of his first official acts as Twitter CEO. Recently, Mudge has filed an <a href="https://s3.documentcloud.org/documents/22186782/whistleblower_disclosure.pdf?utm_source=substack&amp;utm_medium=email">84-page complaint</a> with the Securities and Exchange Commission, the Department of Justice and the Federal Trade Commission.</p><p>Some people see this complaint as a huge advantage for Elon Musk in his trial against Twitter for having cancelled its acquisition.</p><p>Mudge states in the complaint that security practice at Twitter was a disaster. I am sure we are going to have some really juicy headlines when the Musk vs. Twitter trial starts in a couple of months.</p></li><li><p><a href="https://www.openssl.org/blog/blog/2022/08/24/FIPS-validation-certificate-issued/">The OpenSSL 3.0 FIPS Provider</a> has had its FIPS 140-2 validation&nbsp;<a href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4282">certificate</a> issued by NIST &amp; CSE.</p></li><li><p><a href="https://zplin.me/papers/DirtyCred-Zhenpeng.pdf">Dirtycred</a> (CVE-2022-0847) is a newly discovered privilege escalation method that can overwrite any files with read permission on Linux. It was presented at <a href="https://www.blackhat.com/us-22/">Blackhat USA 2022</a>. 
This new technique is data-only, with currently no mitigations in the upstream kernel. Exploits based on Dirtycred could work across different kernels without the need to rewrite their code, making the exploits universal. According to the researchers who discovered it, this method could take advantage of existing vulnerabilities with a double-free primitive to perform privilege escalation and even container escape.</p><p>There is a public GitHub repository, <a href="https://github.com/Markakd/DirtyCred">https://github.com/Markakd/DirtyCred</a>, in which they have published a proof-of-concept of the technique taking advantage of the already existing vulnerabilities CVE-2021-4154 and CVE-2022-2588. The repository also contains the code of a potential fix to the Linux kernel to prevent exploitation with this technique.</p></li><li><p><a href="https://www.bleepingcomputer.com/news/security/an-encrypted-zip-file-can-have-two-correct-passwords-heres-why/">An encrypted zip file can have two valid passwords</a>. TL;DR: Zip files with password protection use PBKDF2 to derive the encryption key for ciphering the contents. However, if the password is longer than 64 bytes, the SHA-1 of that password is used as the input to the PBKDF2 function. 
Therefore, for a file that used a sufficiently long password, we could use either the original long password or the SHA-1 string representation of that password as valid passwords for that file.</p></li></ul><h2>&#9829; My favourite things</h2><ul><li><p><strong><a href="https://www.youtube.com/watch?v=VheNpiSZxf0">Dungeon Master - Clever Floppy Disk Anti-Piracy</a></strong>: a video from <a href="https://twitter.com/ModernVintageG">Modern Vintage Gamer</a> in which he explains in astonishing detail how a clever anti-copy mechanism was implemented on floppy disks.</p></li></ul><h2>Infosec online resources</h2><ul><li><p><a href="https://www.thelatticeclub.com/">What is Lattice-based cryptography?</a> is a nice website that compiles different resources to learn more about this quantum-resistant family of algorithms. Most of the resources, however, require some degree of math knowledge. If you are interested in lattice-based cryptography and, like me, find these materials hard to understand, you can start with <a href="https://www.youtube.com/watch?v=37Ri1jpl5p8">Introduction to Lattice Based Cryptography</a>.</p></li><li><p>Twitter thread about penetration testing labs:</p></li></ul><div class="twitter-embed" data-attrs="{&quot;url&quot;:&quot;https://twitter.com/hetmehtaa/status/1561681412515803137&quot;,&quot;full_text&quot;:&quot;Massive List of Penetration Testing Training Labs.\n\n// Thread &#129525;\n\n<span class=\&quot;tweet-fake-link\&quot;>#infosec</span> <span class=\&quot;tweet-fake-link\&quot;>#thesecureedge</span> <span class=\&quot;tweet-fake-link\&quot;>#bugbounty</span> <span class=\&quot;tweet-fake-link\&quot;>#pentesting</span>&quot;,&quot;username&quot;:&quot;hetmehtaa&quot;,&quot;name&quot;:&quot;Het Mehta&quot;,&quot;profile_image_url&quot;:&quot;&quot;,&quot;date&quot;:&quot;Mon Aug 22 11:47:18 +0000 
2022&quot;,&quot;photos&quot;:[],&quot;quoted_tweet&quot;:{},&quot;reply_count&quot;:0,&quot;retweet_count&quot;:464,&quot;like_count&quot;:1296,&quot;impression_count&quot;:0,&quot;expanded_url&quot;:{},&quot;video_url&quot;:null,&quot;belowTheFold&quot;:true}" data-component-name="Twitter2ToDOM"></div><ul><li><p><a href="https://hijacklibs.net/">Hijack Libs</a> is a project that provides a curated list of DLL Hijacking candidates. A mapping between DLLs and vulnerable executables is kept and can be searched via its website.</p></li></ul>]]></content:encoded></item><item><title><![CDATA[Right to repair]]></title><description><![CDATA[John Deere tractors got jailbroken with root access and other cyber news of the week]]></description><link>https://side-channel.com/p/right-to-repair</link><guid isPermaLink="false">https://side-channel.com/p/right-to-repair</guid><dc:creator><![CDATA[José Carlos Andreu]]></dc:creator><pubDate>Sun, 21 Aug 2022 18:22:39 GMT</pubDate><enclosure 
url="https://images.unsplash.com/photo-1600828577513-16b0e00ce445?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwzMXx8amhvbiUyMGRlZXJlfGVufDB8fHx8MTY2MDk5ODM0OA&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>First of all, thank you for reading this. It&#8217;s been a while since I last wrote publicly. Hope you enjoy it!</p><p>As this is my first note to all of you, I will try a format; if you like it I&#8217;ll keep it, and if you hate it, tell me what you&#8217;d change. I&#8217;m here for you, so just let me know!</p><div><hr></div><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://images.unsplash.com/photo-1600828577513-16b0e00ce445?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwzMXx8amhvbiUyMGRlZXJlfGVufDB8fHx8MTY2MDk5ODM0OA&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://images.unsplash.com/photo-1600828577513-16b0e00ce445?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwzMXx8amhvbiUyMGRlZXJlfGVufDB8fHx8MTY2MDk5ODM0OA&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 424w, https://images.unsplash.com/photo-1600828577513-16b0e00ce445?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwzMXx8amhvbiUyMGRlZXJlfGVufDB8fHx8MTY2MDk5ODM0OA&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 848w, https://images.unsplash.com/photo-1600828577513-16b0e00ce445?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwzMXx8amhvbiUyMGRlZXJlfGVufDB8fHx8MTY2MDk5ODM0OA&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 1272w, 
https://images.unsplash.com/photo-1600828577513-16b0e00ce445?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwzMXx8amhvbiUyMGRlZXJlfGVufDB8fHx8MTY2MDk5ODM0OA&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 1456w" sizes="100vw"><img src="https://images.unsplash.com/photo-1600828577513-16b0e00ce445?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwzMXx8amhvbiUyMGRlZXJlfGVufDB8fHx8MTY2MDk5ODM0OA&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080" width="1080" height="720" data-attrs="{&quot;src&quot;:&quot;https://images.unsplash.com/photo-1600828577513-16b0e00ce445?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwzMXx8amhvbiUyMGRlZXJlfGVufDB8fHx8MTY2MDk5ODM0OA&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:720,&quot;width&quot;:1080,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;green and silver analog gauge&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="green and silver analog gauge" title="green and silver analog gauge" srcset="https://images.unsplash.com/photo-1600828577513-16b0e00ce445?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwzMXx8amhvbiUyMGRlZXJlfGVufDB8fHx8MTY2MDk5ODM0OA&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 424w, https://images.unsplash.com/photo-1600828577513-16b0e00ce445?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwzMXx8amhvbiUyMGRlZXJlfGVufDB8fHx8MTY2MDk5ODM0OA&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 848w, 
https://images.unsplash.com/photo-1600828577513-16b0e00ce445?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwzMXx8amhvbiUyMGRlZXJlfGVufDB8fHx8MTY2MDk5ODM0OA&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 1272w, https://images.unsplash.com/photo-1600828577513-16b0e00ce445?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwzMDAzMzh8MHwxfHNlYXJjaHwzMXx8amhvbiUyMGRlZXJlfGVufDB8fHx8MTY2MDk5ODM0OA&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080 1456w" sizes="100vw" fetchpriority="high"></picture></div></a><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@blunkorama">Daniel Lloyd 
Blunk-Fern&#225;ndez</a> on <a href="https://unsplash.com">Unsplash</a></figcaption></figure></div><p>This week I read about the <a href="https://www.wired.com/story/john-deere-tractor-jailbreak-defcon-2022/">John Deere jailbreak</a>, and I thought once again about the right to repair. Being the son of an electronics repairman, who made a living repairing all sorts of electronic equipment, the current state of the repairability of electronics shames me. I was used to being able to repair everything, no matter what the issue was with the device, but that&#8217;s not the case anymore. Not to mention the <a href="https://en.wikipedia.org/wiki/Planned_obsolescence">planned obsolescence</a> practices that some manufacturers apply to their products, where even when the device is perfectly fine, it just stops working. <a href="https://www.vice.com/en/article/pamkqn/watch-tractor-hacking-john-deere-right-to-repair-documentary">Farmers have been fighting for a long time against John Deere's restrictions on tractor repair.</a> Similarly with cars, which are nowadays computers on wheels, the possibility to roll your own repairs can be jeopardised at the manufacturer&#8217;s will.</p><p>However, there is some light on the horizon, as some countries like <a href="https://www.insidehook.com/daily_brief/tech/france-repair-law-tech">France</a> and the <a href="https://www.reuters.com/world/us/us-lawmakers-introduce-right-repair-bills-spur-competition-2022-02-03/">USA</a> are passing laws to enforce the creation of long-lasting products and to protect the right to repair.</p><p>By the way, if you want to know more about how farming has become highly technological and the vision of John Deere&#8217;s CTO on it, check out this <a href="https://podcasts.apple.com/us/podcast/john-deere-cto-jahmy-hindman-on-farming-data-and/id1011668648?i=1000525581675">Decoder podcast</a>.</p><div><hr></div><h3>My highlights on cybersecurity this week</h3><ul><li><p>&#128187;&nbsp;<strong>CPU vulns</strong>: Vulnerabilities have been discovered for Intel (<a href="https://aepicleak.com/">&#198;PIC</a>) and AMD (<a href="https://stefangast.eu/papers/squip.pdf">SQUIP</a>) CPUs.</p><p><strong>&#198;PIC</strong> is a micro-architectural vulnerability that affects SGX enclaves (Intel&#8217;s Trusted Execution Environment solution) and can lead to leaks of AES and RSA keys with 94% and 74% success rates respectively.</p><p><strong>SQUIP</strong> (Scheduler Queue Usage via Interference Probing) is a side-channel vulnerability in the scheduler queues, which are critical for deciding the order in which instructions are executed in <a href="https://en.wikipedia.org/wiki/Superscalar_processor">superscalar CPUs</a>. The researchers have been able to fully recover a 4096-bit RSA key with 50500 traces from a co-located process in a co-located virtual machine.</p></li><li><p>&#128275;&nbsp;<strong>Broken crypto</strong>: <a href="https://sike.org/">SIKE</a>, a post-quantum cryptographic algorithm that made it to round 4 of the NIST standardisation process, has been broken with very basic hardware. 
In their <a href="https://eprint.iacr.org/2022/975.pdf">preliminary paper</a> the authors state that the attack only needs 1 hour of processing on a single core of an Intel Xeon E5. Quite surprising, as this algorithm had already undergone brutal cryptanalysis (like the other candidates) as part of the NIST standardisation process.</p></li><li><p>&#127822;&nbsp;<strong>Apple Patch updates</strong>: Apple issued patches for <a href="https://support.apple.com/en-us/HT213413">MacOS</a>, <a href="https://support.apple.com/en-us/HT213412">iPadOS and iOS</a> to mitigate a couple of 0-day vulnerabilities (CVE-2022-32893 and CVE-2022-32894) that affect the WebKit component and the kernel.</p><p>The count of 0-day vulnerabilities patched by Apple since the start of this year sums to a total of 6.</p></li><li><p>&#128663;&nbsp;<strong>Car Hacking</strong>: This story is a complete &#129318;&#8205;&#9792;&#65039;: <a href="https://programmingwithstyle.com/posts/howihackedmycar/">A developer explains</a> why it was possible to run their own software on a Hyundai Ioniq SEL infotainment unit after discovering that the vehicle's manufacturer had secured its system using cryptographic keys that were not only publicly known but had been lifted from programming examples.</p><p>Developer tip: Remember to always create your own keys and never copy them from public sources.</p></li></ul><div><hr></div><h3>&#9829;&nbsp;My favourite things</h3><ul><li><p>&#127897;<strong>Podcast</strong>: <a href="https://99percentinvisible.org/">99% invisible</a> is an amazing podcast hosted by Roman Mars about all the thought and design that goes into everything we do not think about: the unnoticed design and architecture that shapes our surroundings. 
Definitely one of the podcasts that I enjoy the most.</p></li></ul>]]></content:encoded></item></channel></rss>