Original post date: September 8, 2024
Last updated: September 8, 2024
This is my subjective choice of security events from August 2024 that might interest embedded developers.
Recommended usage method: scan the list and find out which events interest you. Investigate them! Store the whole timeline for future reference.
For transparency, I mark with (*) events I have been involved with and events by organizations I’m involved with. I am also a guest author at LWN but I have not written any of the articles linked this month.
August 3rd: Researchers from the Graz University of Technology publish a paper (presented at a conference later the same month) about a technique for exploiting Linux kernel memory access vulnerabilities. They “convert” a heap vulnerability into an arbitrary read-and-write vulnerability using a side-channel attack. The description is complex, but the method seems feasible and practical. The full paper is available at https://www.stefangast.eu/papers/slubstick.pdf
August 5th: A set of security fixes for Android has been released, including a fix for a remote code execution vulnerability that might be under exploitation. See the BleepingComputer coverage at https://www.bleepingcomputer.com/news/security/google-fixes-android-kernel-zero-day-exploited-in-targeted-attacks/
August 5th: LWN reports on a discussion about interrupting actions in filesystems (mostly network ones) at the LSFMM+BPF conference https://lwn.net/Articles/983714/
August 6th: Samsung’s bug bounty program for important vulnerabilities in their products announces bounties up to one million USD. Details of the program are available here: https://security.samsungmobile.com/securityPostDetail.smsb/189
August 10th: A hardware vulnerability in AMD processors (CVE-2023-31315) allows installing malware at the protection level reserved for firmware. This vulnerability has been present for decades and is present in Ryzen or EPYC designs. Wired’s coverage: https://www.wired.com/story/amd-chip-sinkclose-flaw/ and DefCon talk abstract: https://ioactive.com/event/def-con-talk-amd-sinkclose-universal-ring-2-privilege-escalation/
August 13th: GitHub Actions artifacts of multiple high-profile projects have been found leaking tokens. Verify what your CI artifacts contain from time to time… The research paper: https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/
August 13th: NIST (National Institute of Standards and Technology of the US) releases a first set of post-quantum encryption standards. NIST announcement: https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards and BleepingComputer coverage https://www.bleepingcomputer.com/news/security/nist-releases-first-encryption-tools-to-resist-quantum-computing/ LWN gives background and history https://lwn.net/Articles/973231/
August 21st: The cyber-security company ESET reports bank credential stealing from mobile phones using progressive web apps and NFC chips. BleepingComputer writes about the issue at https://www.bleepingcomputer.com/news/security/hackers-steal-banking-creds-from-ios-android-users-via-pwa-apps/ and https://www.bleepingcomputer.com/news/security/new-ngate-android-malware-uses-nfc-chip-to-steal-credit-card-data/
August 23rd: LWN reports on Debian's experiences with reproducible builds, from a talk at DebConf: https://lwn.net/Articles/985739/
August 24th: A new malware hiding technique on Linux has been described: using udev rules. It has been present in the wild since 2022. The source article: https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp and BleepingComputer coverage: https://www.bleepingcomputer.com/news/security/stealthy-sedexp-linux-malware-evaded-detection-for-two-years/
In August, a number of high-profile security conferences took place. We are going to do dedicated reporting on the presented work that affects embedded developers.
News: The first “Embedded Security” session is full and we have opened two new ones. It is designed to help embedded developers to include security best practices in their day-to-day work. No need to be a security expert. Reserve your spot now at https://ygreky.com/2024/09/embedded-security/
If you have an additional event to add, message me!
You can subscribe to the newsletter!