November 2020: Cybersecurity Roundup
This past month in cybersecurity:
- Chase Unlimited Reward Point Vulnerability
- Apple lets some Big Sur Network Traffic Bypass Firewalls
- Cit0day Leaks 23,618 Hacked Databases
- Tesla Model X Key Fob Hack
- Hacked Crypto Exchange KuCoin Recovery
Chase Unlimited Reward Point Vulnerability
Chad Scira released a blog post this month outlining his experience reporting a significant vulnerability to Chase Bank back in November 2016. He wanted to release the post back in 2016, but was worried about retaliation from Chase bank, so decided to wait.
By transferring balances back and forth between cards, Scira gave himself unlimited points, which he could redeem for cash rewards. Scira reached out to Chase bank via Twitter and arranged a conference call. After the call, Chase fixed the issue and stopped responding to Scira. A week later, Chase sent him a hostile email warning him not to release any information regarding this attack. He received no reward and was instead ignored by the Chase team.
Years later, Chase terminated Scira’s credit cards and would not provide a reason for doing so.
Apple lets some Big Sur Network Traffic Bypass Firewalls
Apple’s new Big Sur update comes with some perplexing changes to the computer’s software firewall. This undocumented change makes the firewall “100% blind” to traffic coming from ~50 Apple applications.
Firewalls aren’t just for large corporations. Many privacy-conscious individuals use firewalls to filter or redirect traffic entering and leaving their computer. Patrick Wardle demonstrated how malware developers could take advantage of the firewall’s “blind spot” to bypass the firewall by sending the traffic through an approved Apple application and connecting to a command and control server.
Apple has yet to explain the reason behind the change.
Cit0day Leaks 23,618 Hacked Databases
More than 23,000 hacked databases have been made available for download on several hacking forums and Telegram channels. Many threat intel analysts are calling this one of the most significant leaks to date.
The database collection is said to have originated from Cit0Day. Cit0Day’s main service was collecting hacked databases from many sources and providing them to other hackers for a fee. Many other sites offer similar services and house databases full of breached credentials. For instance, LeakedSource and WeLeakInfo both sold breached credentials, and both were taken down by authorities in 2018 and 2020, respectively.
The Cit0day website went down in September, and the page showed an FBI and DOJ seizure notice, but that was almost certainly fake. It’s unclear if the site’s creator leaked the data or if a rival gang hacked it, but the data was posted to a forum for Russian-speaking hackers for about an hour before the forum owners took it down. Since then, the data has been circulated in Telegram and Discord channels.
Tesla Model X Key Fob Hack
A team of Belgian researchers demonstrated that it is possible to exploit the Tesla Model X keyless entry system to break into a Model X within minutes. The keyless entry system uses Bluetooth Low Energy (BLE) to interface with a smartphone app, where the vulnerability lies.
“By reverse-engineering the Tesla Model X key fob, we discovered that the BLE interface allows for remote updates of the software running on the BLE chip,” said the researchers. They built a proof of concept device to demonstrate the exploit using a Raspberry Pi computer, a CAN shield, a modified key fob, an Electronic Control Unit (ECU) from a salvaged vehicle, and a LiPo battery. Altogether, the device costs around $200 to create. It only takes the device about a minute and a half at a distance of more than 30 meters to unlock the victim’s Tesla.
Hacked Crypto Exchange KuCoin Recovery
The popular cryptocurrency exchange KuCoin was hacked back in September and has since recovered around 84% of the stolen funds in the $280 million hack. In mid-November, Kucoin restored the exchange’s deposit and withdrawal services.
One or more hackers obtained private keys to KuCoin’s hot wallets gaining vast amounts of BTC, ETH, TRX, XRP, XLM, and several ERC-20 tokens. KuCoin’s CEO Johnny Lyu said that an insurance fund would completely cover any stolen customer funds.
That’s All Folks
Thanks for reading! We’ll be back next month with a quick roundup of topics we found interesting.
Did we miss a super important story? Let us know! We’ll do better next time.