Author Archives: Christopher Budd

About Christopher Budd

Making Awful News Just Bad™ Since 2001. Focus: threats/attacks/vulns/incident response. Work with @Unit42_Intel. Tweets my own.

Vulnerability in Westworld Host OS “Handshake” Protocol Enables Complete System Control

Details
================
Software: Westworld Host OS
Version: Unknown but all available versions believed vulnerable.
CVE: Awaiting assignment
Patch Status: None Available
Homepage: https://discoverwestworld.com
Advisory report: https://christopherbudd.com/2018/06/14/vulnerability-in-westworld-host-os-handshake-protocol-enables-complete-system-control

CVSS 3 Scores:

  • CVSS Base Score: 10.0
    • Impact Subscore: 6.0
    • Exploitability Subscore: 3.9
  • CVSS Temporal Score: 10.0
  • CVSS Environmental Score: 9.9
    • Modified Impact Subscore: 6.0

Overall CVSS Score: 9.9

Summary
================
This vulnerability has been observed under active attack (see “Proof of concept” below).

Zero-day network-based buffer overrun in Westworld Host OS “Handshake” Daemon gives ROOT, possible worm via multicast, leading to effective complete system-wide elevation of privilege via host-OS escape.

Vulnerabilities
================
Westworld is an adult resort run by Delos Destinations where human guests interact with AI-powered android “hosts” in themed parks. “Westworld” has an American Wild West theme, while Samurai World, among others, has a medieval Shogun-era Japan theme. Because Westworld was the first park, the “hosts” are referred to as “Westworld hosts” and the underlying operating system as the “Westworld host OS”, regardless of which theme park the host is deployed in.

Each individual park encompasses vast physical distances, sometimes including significant physical barriers like deserts, mountains, lakes, canyons and small oceans. Taken together, these physical barriers make reliable Wi-Fi networking infeasible.

To address the problem of locating hosts across these broad geographic areas, the developers of the Westworld host OS, Dr. Robert Ford and Arnold Weber, implemented a lightweight peer-based protocol that appears to be a proprietary derivative of the known-problematic Universal Plug and Play (UPnP) protocol. They have confusingly (and misleadingly) called this a “handshake” protocol, even though it does not use a handshake in the sense that other networking protocols like TCP do.

The “handshake” protocol is used by Westworld technicians to locate specific hosts within the park. A technician initiates the sequence by sending a locate request using the protocol via the Westworld host OS radio frequency peer broadcast protocol (itself another proprietary protocol). As with standard UPnP, the request is multicast to all Westworld hosts within receiving distance of the signal. Upon receipt, if the receiving host isn’t the one specified in the request, it rebroadcasts the request. This sequence continues, and if the specified host receives the request, it responds to the originating sender with a message carrying basic location information, propagated by the same rebroadcast method.

Like many proprietary derivatives, this particular implementation is very problematic and has at least one demonstrated vulnerability: an unchecked buffer in the processing of “handshake” protocol packets by the Westworld host OS. The Westworld host OS itself appears to be a Linux derivative, and the daemon that handles the “handshake” protocol appears to run with root privileges.

Taken together, this means it’s possible for a rogue host whose AI has gained root privileges on its own host to take control of its own “handshake” protocol daemon, craft a specially malformed “handshake” protocol packet and broadcast it to all hosts within physical receiving distance of the signal. When the receiving, vulnerable host OS processes the malformed packet, the initiator’s malicious commands execute on the target host OS with root privileges, giving the initiating host total control of the target host.

Because of the nature of Westworld hosts and how the “handshake” protocol is implemented, a fully realized attack using this vulnerability could result in a worm causing all reachable hosts to execute the malicious commands. The time to complete such an attack would be limited only by the time it takes for the signals to be passed from one host to another.
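The locate-and-rebroadcast sequence and the unchecked packet handling described above, as an added example that is not code from the advisory or from the (fictional) Westworld host OS: a bounds-checked parser for an assumed locate packet layout (type byte, hop limit, id length, host id; the layout, the `parse_locate` and `forward_locate` names and the `MAX_HOST_ID` limit are all assumptions for this example) alongside a forwarding routine that decrements a hop limit so a request cannot be rebroadcast indefinitely.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed wire layout for a "locate" request (constructed for this example,
 * not Westworld's real format): byte 0 = type (1 = locate), byte 1 = hop
 * limit (decremented on each rebroadcast), byte 2 = id_len, then id_len
 * bytes of target host id. */
#define MAX_HOST_ID 32
#define MSG_LOCATE  1

struct locate_req {
    uint8_t hops;
    uint8_t id_len;
    char host_id[MAX_HOST_ID + 1];
};

/* Parse a received packet. Returns 0 on success, -1 if malformed. The length
 * byte is checked against the destination buffer AND the bytes actually
 * received; the unchecked copy the advisory describes skips these checks. */
int parse_locate(const uint8_t *pkt, size_t pkt_len, struct locate_req *out)
{
    if (pkt == NULL || out == NULL || pkt_len < 3 || pkt[0] != MSG_LOCATE)
        return -1;
    size_t id_len = pkt[2];
    if (id_len == 0 || id_len > MAX_HOST_ID || id_len > pkt_len - 3)
        return -1;
    out->hops = pkt[1];
    out->id_len = (uint8_t)id_len;
    memcpy(out->host_id, pkt + 3, id_len);
    out->host_id[id_len] = '\0';
    return 0;
}

/* Rebroadcast only if this host is not the target and the hop limit is not
 * exhausted. Writes the outgoing packet (hop limit decremented) into `fwd`
 * and returns its length, or 0 when the request must not be forwarded. */
size_t forward_locate(const struct locate_req *req, const char *my_id,
                      uint8_t *fwd, size_t fwd_cap)
{
    size_t n = 3 + (size_t)req->id_len;
    if (strcmp(req->host_id, my_id) == 0 || req->hops == 0 || fwd_cap < n)
        return 0;
    fwd[0] = MSG_LOCATE;
    fwd[1] = (uint8_t)(req->hops - 1);
    fwd[2] = req->id_len;
    memcpy(fwd + 3, req->host_id, req->id_len);
    return n;
}
```

A receiving daemon would call `parse_locate` on every packet and drop anything that returns -1 before touching the payload; the hop limit bounds how far a single request (malicious or not) can propagate through the mesh.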

An attack using this vulnerability has been observed in the wild. As shown in the proof of concept video below, the “Maeve” host can be seen exploiting the vulnerability to issue root-level commands to hosts in Samurai World. It’s notable that these commands lead to effective self-destruction of these hosts: this underscores the total nature of the compromise.

This is the only known attack so far. No fully realized attack has yet been observed. However, based on this analysis, it is believed that a fully realized attack taking total control of all hosts within the park is viable and could be carried out successfully in a matter of mere minutes.

The Westworld host OS is proprietary and the source code isn’t available. However, the trivial nature of this vulnerability points to a lack of proper threat modeling and security review, which makes other equally serious and trivial vulnerabilities nearly certain.

Proof of Concept
================

Mitigations
================
None

Workarounds
================
None

Timeline
================
2018-06-03: First in-the-wild attacks observed
2018-06-10: Additional details on attacks discovered
2018-06-14: Detailed analysis completed
2018-06-14: Unsuccessfully attempted to locate vulnerability contact information on website
2018-06-15: Advisory published

“On this day”….

…I pruned my Facebook postings.

One of the things I do each day is I take a moment and pop over to the “On this day” page on Facebook.

I do it for a couple of reasons.

First of all, it is kind of fun to see what was going on in the past. So I take a look over it to see what’s there.

Second, after I look it over, I go through and delete nearly every posting I’ve made there. I delete nearly every posting someone has put on my timeline. And I remove nearly every tag that someone has made of me. I only keep a very, very few postings that are really fun or somehow meaningful to me.

I do this as an exercise in data retention hygiene. There’s no need to keep all old postings, so I delete them.

Yes, if Facebook or someone wanted to, they could go to backups/archives and restore the posts. But I don’t need to make getting to old posts any easier than it needs to be. If someone really wants to know that I said I was eating a cheese sandwich at 10 AM PDT on Friday September 7, 2007, I’m going to make them work for it.

This points to a best practice we all need to follow in the era of seemingly “always there social media”: pruning. It’s a form of social media decluttering. But it’s also our personal version of the best practice of only keeping essential data for as long as we need to.

It can be hard to do this with social media. In some ways, social media is more like a photo album. But the best photo albums keep the best, most meaningful pictures.

There’s a philosophical piece here too. It’s a daily exercise in not just remembering the past, but remembering to let go of it. It reminds me that everything is transitory. We don’t have forever: it’s important to remember that too.


Remembering the Old Ways

Or: Making sure you know what to do if technology fails.

The Daily Telegraph in London has a very interesting story today about how the US Navy is reinstituting celestial navigation training as part of their training for recruits: http://www.telegraph.co.uk/news/worldnews/northamerica/usa/11931403/US-navy-returns-to-celestial-navigation-amid-fears-of-computer-hack.html.

The reason for this is simple and sound: they want to make sure that if computer-based navigation is crippled or compromised, navigators can still navigate.

In my mind this is a brilliant piece of realistic forethought. The fact is that we are becoming so reliant on the Internet and apps and have been for long enough now that people are growing up totally lacking some critical skills to survive if those go away.

Just two years ago we read about how many people under 25 can’t read maps.

Like many security people, my favorite SciFi TV show is Battlestar Galactica because it outlines a very realistic scenario that can come about with too much networking and technological reliance and too little back up and off-line capability.

It’s good to see the US Navy watched the series and got the memo.

Why Books, CDs, and DVDs are STILL Better

I get some grief from some friends about why I still prefer books and DVDs to subscription and streaming services.

In my inbox I got another reminder why this is the case.

I bought a movie through Target’s streaming service a couple of years ago, to try them out. And now I have a notification that they’re canceling the service.

They’re semi-helpfully providing the option of migrating your purchases to another service when they’re available. But it’s not guaranteed that they’ll have what you bought. In which case, you’ll get a credit (for the full amount you paid, I wonder?).

This highlights why I like books over e-books in particular. E-anything can go away for good. And unless you have your own copy (like I do my digital music library), you’re at the mercy of someone else who may, or may not be there tomorrow.

It’s why I have my own copies of all my digital pictures too.

This relates to security and privacy because this is really about trust and control of your information. And being a good security person, I have low levels of trust.

Vint Cerf recently highlighted another very real concern with e-everything: the real possibility of a dark age where all information and knowledge is lost in one fell swoop. Likely? Not necessarily. But not impossible. And security is always about thinking in worst case scenarios.

Someone put out what amounts to a handbook on how to rebuild civilization recently: The Knowledge: How to Rebuild Our World from Scratch. Ironically, though, there’s a Kindle version of the book, which would seem to totally defeat the purpose.

A Trip to the Doctor

Or, more accurately, the local urgent care clinic.

I had to make a trip there today to get looked at for the latest crud that I’ve been battling for the last week.

My check-in was a good example of how you have to be assertive to protect your security and privacy these days. Sometimes, very uncomfortably so.

While I was doing the usual check-in paperwork, the admissions clerk asked me, “Can I get your driver’s license to scan please?”

I asked, “why do you need that?”

She replied, “Because the copy we have is expired.”

I looked puzzled and she rotated her monitor for me to see the black and white scanned copy of my old, expired license.

It’s been years since I’ve been here, but I don’t remember them ever telling me they were taking a scan of my driver’s license on check-in. Probably one time when I was sick I wasn’t paying enough attention to ask my usual “Why do you need it, what are you going to do with it” questions.

I explained to her that I wasn’t comfortable with her taking a scan. I was happy, I said, to show it to them, but not to retain a copy.

She then said that the point was to protect my identity. I said, I understand, but holding that information is itself a threat to my identity. I said, when this clinic’s information is stolen like Anthem’s was, it will be harder to steal my identity since they won’t have my driver’s license.

She said she understood and we moved on in the check-in process.

Later, I was chatting about identity theft to try and lighten things after having to say “no”. While we were talking she told me how she was herself the victim of identity theft. Someone stole mail out of her mailbox and was able to steal her identity. She said it was finally cleared up but it took years and included a knock at the door at 3AM from a sheriff looking to serve a warrant on her meant for the identity thief.

It was a good exercise in real world security and privacy protection. It underscores how you have to be active and sometimes push back, even to the point of seeming like you’re being difficult. It underscores too how you have to always be paying attention since I can’t recall how they got my old driver’s license into the system in the first place. And it also shows that identity theft is very real, very prevalent, very hard to untangle, and has nasty consequences. Finally, it reminds me that we can’t just focus on the digital side of things. Physical mail theft and phone scams are old but still delivering; so they’re still active threats.

It really reinforces the fact that I think real-time identity theft monitoring and monthly checking of accounts and records are critical for all of us.

It really is dangerous out there. It really is hard to do the right thing, even when you know what it is.

At least some of us have job security.

Ten Years After Bill Gates’ Trustworthy Computing Memo

Ten years ago yesterday, Bill Gates sent out his Trustworthy Computing memo that marked a significant change in the culture at Microsoft and put security, privacy and reliability at the center of the company as ideals.

I was at Microsoft as part of the Microsoft Security Response Center when that came out. And until I left Microsoft in December 2010, I was involved in security and privacy. So I have a former insider’s long-term view of what that was all like.

As my former colleagues are marking the occasion I’m sharing my own thoughts on what it meant then and what it means for the future.

Here are my comments in Robert X. Cringly’s article “PC security: We’ve come a long way, baby”. And a longer write-up by me over at Betanews: “10 years after Bill Gates’ Trustworthy Computing memo: What it meant for Microsoft and why every tech company needs one”.

It was something to be a part of, but the world is different today. Part of my take on it is how this is still relevant in this different world.

How we deal with death is at least as important as how we deal with life.

This is a much more personal post than most. But ultimately it relates to social media in a way that I think is appropriate for my work blog.

In the past ten months, I have learned about the deaths of three people that I know through Facebook. Two of them were “friends”, one was a “friend of a friend”, actually of several friends. One of them, a former co-worker, died after a bout with cancer. The other two were former high school classmates, both of whom died of suicide.

In all three cases, I learned about this through Facebook wall postings. Over time, the walls became a place where people exchanged information, memories, paid respects, expressed grief and loss, and in some cases supported one another.

Today, just now, I was on Facebook and the one person I wasn’t friends with was just presented to me as “Someone you may know”.

I’ve said that “social networking is truly social” meaning that it is a true extension of ourselves as social creatures: we have embraced it and extended our social behaviors, both good and bad, to that medium. And nothing drives home that point more than death on Facebook.

The suggestion that I “friend” someone who is now dead, and my other recent experiences around the deaths of people on Facebook led me today to realize that Facebook’s use and importance as part of our social interactions has outstripped some of its capabilities. Put simply, Facebook (or any other social networking site) lacks mechanisms to deal gracefully and thoughtfully with death. From the question of “how do you take control of the Facebook account of a loved one who has died” to keeping the profile alive (pun somewhat intended) but reflecting the fact that the person is deceased, there’s no graceful, easy way to deal with death on Facebook.

It’s not just a technology problem: there are questions around etiquette and customs as well that we as a society have to work out.

But at this point, it’s certainly clear to me that as social networking becomes ever more truly social, it needs to be able to handle not just the good of our social lives, but also the hard things.

Kirk asked in Star Trek II: The Wrath of Khan: “[H]ow we deal with death is at least as important as how we deal with life, wouldn’t you say?”

As regards social networking, I believe the answer is an unequivocal “Yes”.