Siri, Alexa and other AI get Ultrasounds, the result is the Dolphin Attack

Researchers from China’s Zhejiang have found an interesting vulnerability in all the major AI smart assistants. They have dubbed their attack framework as DolphinAttack. This attack relies on using the sound frequencies outside the human audible range or those above 20kHz.  In all cases tested meaning whether you’re running  “Siri, Google Assistant, Samsung S Voice, Huawei HiVoice, Cortana, and Alexa, on devices such as smartphones, iPads, MacBooks, Amazon Echo” or even the voice assistant in the Audi Q3 vulnerability exists. The operating system and microphones can still use these ultrasonic signals ranging from 25-39kHz to complete commands to:

• Direct the victim to a malicious website
• Eavesdrop on the victim’s conversations
• Send fake messages to their calendar or email
• Deny cellular service to the victim
• Dim the screen and lower the volume on the victim’s phone to hide activity

Until a patch is made available to prevent DolphinAttacks, it is recommended for end users to disable applications that utilize voice assistant features. Another more complex way of solving this program is to have their devices programmed to ignore commands at inaudible frequencies.

*More to follow at the ACM Conference on Computer and Communications Security in Dallas, Texas next month.

RCE in Struts

A new vulnerability CVE-2017-9805 has been found in the well used Apache Struts.  Apache Struts is the free, open-source,  framework that is used to develop web applications in the Java programming language. It supports many plugins including REST, AJAX, and JSON. This particular vulnerability lies in the way the Struts framework handles the REST plugin and how that plugin receives and deserializes the XML payloads.  Many organizations use this framework including Lockheed Martin, Virgin Atlantic, and even our own IRS. A quote from an analyst states: “this has the potential to be worse than the ‘POODLE’ attack was.” This is said because all that is needed is a properly formed XML file and a web browser.  Once exploited the attacker has full control of the system and can then migrate across the internal network.

Versions affected since 2008:

• Struts 2.1.2 – Struts 2.3.33
• Struts 2.5 – Struts 2.5.12

This vulnerability has been patched in Struts version 2.5.13, it is strongly advised to upgrade the Apache Struts installation. A proof of concept has not been released publicly allowing administrators time to patch.