Security researchers have discovered a flaw in a security product given to banking customers to protect them against online threats. The vulnerability allows hackers to inject remote commands into the product and take control of a system.
According to Andrew Tierney, a consultant at Pen Test Partners, the issue was found while testing the security of automotive products in a separate test. The product in question, Heimdal Thor Foresight Enterprise, is used by banks such as the Royal Bank of Scotland, to help protect its customers against online threats.
"During hardware tests, we often setup a Wi-Fi access point and attempt to redirect the device’s traffic through an intercepting proxy, like Burp Suite. Why? Because a disturbingly large number of embedded devices don’t check the identity of servers, which allows us to act as a man-in-the-middle," he said.
When he was looking at Burp Suite traffic, a device appeared that hadn’t checked the identity of the server, enabling him to tamper with the firmware update process. Instead the traffic logs revealed that a windows machine had been communicating with a domain called coreservice.heimdalsecurity.com.
This he said, "quickly led us to the culprit – Heimdal Thor."
Tierney then ran an evaluation copy of Heimdal Thor running inside of a virtual machine and saw the same behaviour. He could then intercept HTTPS communication without being noticed.
He added that he could see JSON lists of software being downloaded, containing a URL, version etc.. and in those lists, parameters called "beforeInstallScript" and "afterInstallScript".
Tierney said that he could add his own commands to be run. "So, when the client updates that piece of software, the commands will execute."
Tierney said that an attacker would need to be able to intercept traffic, but an ideal location would be an open Wi-Fi access point in a coffee shop. Or one could compromise a home Wi-Fi network (weak PSK?) and then compromise the PCs on that home network.
Tierney said the issue was reported to Heimdal Thor immediately.
"It turns out that changes had been made to the software, bypassing certificate validation, probably to temporarily cure a functionality problem. This appeared to have been present for up to a year," said Tierney.
The issue was fixed and automatically deployed in around 10 days.
"Heimdal Thor is security software that runs at a high level of privilege on a user’s machine. It’s essential that it is held to the highest possible standards; we feel they have fallen far short," said Tierney." Many instances of certificate validation can be caught at the code review stage – I have lost count of the number of times that it is turned off for "development" and left off when deployed."
Paul Farrington, EMEA CTO at Veracode, told SC Media UK that this is an example of securing the software supply chain, which is a problem every business is facing.
"In this case, the software was free for the customer, but the cost of free was less security. Both consumers and businesses need to accept that security costs money. Businesses need to ensure they have secure software practices in place for any software they use, including third-party software. Security of the software supply chain is a giant problem. Businesses are confronting it in many cases by more carefully vetting potential partnerships and making companies prove their software is developed securely before doing business with them. Businesses need to push back on vendors to deliver more secure software as part of reducing their risk," he said.
Henry Harrison, co-founder and CTO at Garrison, told SC Media UK that the reality - as the Heimdal example shows - is that they must assume they are not. If building products that were "secure within themselves" was easy, "we wouldn't have a cyber-security problem in the first place and we wouldn't need security products at all: we would simply have operating systems, browsers, and other applications that did not have vulnerabilities".
"It is possible to build products that are "secure within themselves" but it is not really practical using software: you have to address security at the hardware level. Even that is hard - witness Spectre, Meltdown, and numerous other Intel vulnerabilities. But hardware security products are beginning to become available, driven by the requirements of national security organisations who really do need products that are "secure within themselves," he said.