Weekly Security Roundup: Rail System Breaches, Hoax Homebrew Attacks, and AI-Powered Automated Hacking
In the 1980s, the introduction of End Of Train (EOT) devices to US trains marked a significant shift in rail technology. However, these devices, which monitor the train's air brake system, control the Flashing Rear End Device (FRED), and trigger the brakes in an emergency, build their packets with a BCH checksum. BCH is an error-correcting code: it detects transmission errors well, but it is not a cryptographic tool and provides no authentication, which leaves the EOT devices open to unauthorized control [1][2][3].
The use of specific frequencies for these systems was regulated, and unauthorized use was illegal, providing a de facto security through scarcity of access [3]. Since their introduction, the cryptography (or lack thereof) in EOT devices has not been significantly updated. Despite the vulnerability being first identified in 2012, the system continues to lack encryption and proper authentication mechanisms [1][2][3].
This means that any device capable of transmitting on the same frequency can potentially inject false packets, allowing unauthorized control over train functions such as the brakes [1][2]. The Association of American Railroads is finally acknowledging the vulnerability and beginning to work on upgrades [4]. However, full updates to address these vulnerabilities are not expected until at least 2027 [2].
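To make the checksum-versus-authentication distinction concrete, here is an added example that is not from the original article or any rail vendor. It assumes a binary BCH(15,7) code as a stand-in for whatever BCH parameters the real devices use, a constructed 7-bit payload rather than the actual EOT frame layout, and an HMAC tag as the kind of keyed check the article says is missing: noise is caught by the parity bits, a substituted payload is not, and only the keyed tag rejects it.

```python
import hashlib
import hmac
import os

# Binary BCH(15,7) generator g(x) = x^8 + x^7 + x^6 + x^4 + 1 (corrects 2 bit errors).
BCH_15_7_GEN = 0b111010001
DATA_BITS = 7
PARITY_BITS = 8  # degree of g(x); codeword = 7 data bits followed by 8 parity bits

def bch_parity(message: int) -> int:
    """Systematic BCH encoding: parity = (message * x^8) mod g(x) over GF(2)."""
    reg = message << PARITY_BITS
    for i in range(DATA_BITS + PARITY_BITS - 1, PARITY_BITS - 1, -1):
        if reg & (1 << i):  # long division: cancel the top bit with g(x)
            reg ^= BCH_15_7_GEN << (i - PARITY_BITS)
    return reg & ((1 << PARITY_BITS) - 1)

def encode_codeword(message: int) -> int:
    """Constructed 7-bit payload (not the real EOT frame layout) plus its BCH parity."""
    return (message << PARITY_BITS) | bch_parity(message)

def parity_matches(codeword: int) -> bool:
    """Error check only: anyone who knows g(x) can produce a passing codeword."""
    return (codeword & ((1 << PARITY_BITS) - 1)) == bch_parity(codeword >> PARITY_BITS)

def hmac_tag(codeword: int, key: bytes) -> bytes:
    """Keyed tag over the whole codeword (truncated to 8 bytes for illustration)."""
    return hmac.new(key, codeword.to_bytes(2, "big"), hashlib.sha256).digest()[:8]

def accept(codeword: int, tag: bytes, key: bytes) -> bool:
    """Receiver holding the shared key: needs consistent parity AND a valid tag."""
    return parity_matches(codeword) and hmac.compare_digest(tag, hmac_tag(codeword, key))

def demo() -> dict:
    key = os.urandom(32)  # known only to the legitimate transmitter and receiver
    genuine, substitute = 0b1010011, 0b0101100  # constructed sample payloads
    cw = encode_codeword(genuine)
    tag = hmac_tag(cw, key)
    return {
        # One bit flipped by channel noise: the BCH parity no longer matches.
        "noise_detected": not parity_matches(cw ^ (1 << 5)),
        # A substituted payload with freshly computed parity passes the same check.
        "substitution_passes_parity": parity_matches(encode_codeword(substitute)),
        # The keyed tag rejects the substitution and still accepts the genuine codeword.
        "substitution_rejected_by_hmac": not accept(encode_codeword(substitute), tag, key),
        "genuine_accepted": accept(cw, tag, key),
    }
```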
Meanwhile, in the digital world, cryptojacking, the practice of embedding a crypto miner in a website, continues to occur, though more quietly because of browser safeguards. Another concern is fake Homebrew installer malware: a user trying to install Homebrew clicks a sponsored search result, and the bogus installer prompts for and saves the user's password, then drops a malware loader.
In the realm of software, several vulnerabilities have been discovered and patched. For instance, Firefox had a JavaScript Math confusion attack vulnerability that allowed malicious code to read and write to memory outside of the allocated array, which was exploited at Pwn2Own Berlin and patched the next day. Similarly, SugarCRM fixed a LESS code injection vulnerability in unauthenticated endpoints in versions 13.0.4 and 14.0.1, allowing for Server-Side Request Forgery and arbitrary file reads.
Researchers also found a vulnerability in the FRED system as far back as 2005, yet the systems still rely on 1980s-era wireless technology. In Chrome, a sandbox escape was paired with a race condition in a Windows NT read function, with the race serving as a write primitive.
Moreover, GitHub secrets-mining research from GitGuardian and Synacktiv showed that Laravel, an open source PHP framework, is vulnerable to a deserialization attack if an attacker can get a Laravel site to decrypt attacker-supplied data. GitGuardian found 10,000 Laravel secrets, 1,300 of which also included URLs, and 400 of those could be validated as still in use.
A vulnerability in Fortinet's FortiWeb Fabric Connector allows SQL Injection and Remote Code Execution (RCE). Lastly, researcher Golan Yosef demonstrated an AI-guided attack on Claude, a large language model, that manipulated a fresh instance of the model into running arbitrary commands.
As these examples illustrate, while some progress is being made in addressing security vulnerabilities, there is still a long way to go in ensuring the safety and security of our digital and physical infrastructures.
The lack of encryption and proper authentication in End Of Train (EOT) devices leaves them exposed in much the same way the FRED system is, and the deserialization flaw in the Laravel open source PHP framework and the SQL Injection vulnerability in Fortinet's FortiWeb Fabric Connector show that the same risks persist across software, data, and cloud computing. These findings underscore the need for constant vigilance and timely updates in maintaining the security of both digital and physical infrastructure.