There's been more than enough tech press about the big issues, which is okay; I want to discuss one that doesn't seem to be on anyone's radar yet. It's a sleeper app, but with huge potential if I'm right.
People are usually glad if computer applications are configured to update automatically; it's one less thing to worry about. That may change. What if an attacker could hijack the update request and download malware instead of the update?
I'd like to introduce you to Ippon (Japanese for "game over"), an attack tool created by Itzik Kotler, security team leader, and Tomer Bitton, security researcher, at Radware. Ippon is one of those ideas that's so obvious I'm sure many are saying, "Why didn't I think of that?"
How Ippon works
Ippon looks for computers that are asking for updates and tries to replace the update with malware. One thing in Ippon's favor is that most applications are set up to check for updates automatically. Kotler and Bitton have ported Ippon to scan open Wi-Fi networks specifically for Hypertext Transfer Protocol (HTTP) update request traffic. When such traffic is detected, it becomes a race to see whether Ippon can respond before the update server for that particular application does.
If Ippon wins, a message is sent informing the application that an update is available, even if it's not. To avoid suspicion, Kotler and Bitton have built in a reference library that lets Ippon's response closely mimic the real one. Once the connection is established, a malicious file is downloaded from the attacker's server, and it's game over.
Vulnerable update processes
In an informal poll, Kotler and Bitton determined that approximately 100 applications are vulnerable to the Ippon attack, but they won't say specifically which ones. Thankfully, Microsoft applications aren't: all MS updates are digitally signed and can't be spoofed. In fact, that's the way to tell whether an application is susceptible to Ippon.
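The defence the post credits Microsoft's updaters with, a signed update checked against a public key the application already holds, as an added example (Go; not code from Radware or the Ippon authors): the Ed25519 key pair, the update bytes and the tampered responses are constructed for the demo, and a response that wins the race to answer but carries no valid signature is simply discarded.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Constructed demo key, derived from a fixed seed so the example is reproducible.
// A real vendor keeps this on its build server; the shipped application carries only
// the public half, pinned in the binary.
var publisherKey = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))

// PinnedPublicKey is what the installed application trusts, whatever the network says.
var PinnedPublicKey = publisherKey.Public().(ed25519.PublicKey)

// UpdateResponse models what arrives over plain HTTP: the payload and a detached
// signature. Anyone on the network path can rewrite either field.
type UpdateResponse struct {
	Payload   []byte
	Signature []byte
}

// SignUpdate is the publisher-side step (build server only, never the client).
func SignUpdate(payload []byte) UpdateResponse {
	return UpdateResponse{Payload: payload, Signature: ed25519.Sign(publisherKey, payload)}
}

// VerifyUpdate is the client-side check: a response that answered first but was not
// signed by the pinned publisher key is rejected, not installed.
func VerifyUpdate(resp UpdateResponse) error {
	if len(resp.Signature) != ed25519.SignatureSize {
		return errors.New("update rejected: malformed signature")
	}
	if !ed25519.Verify(PinnedPublicKey, resp.Payload, resp.Signature) {
		return errors.New("update rejected: signature does not match pinned publisher key")
	}
	return nil
}

func main() {
	genuine := SignUpdate([]byte("app-1.2.3-update: constructed stand-in for real update bytes"))
	fmt.Println("genuine update:", VerifyUpdate(genuine)) // <nil>

	// Payload replaced on the path but the vendor's signature left in place: rejected.
	swapped := UpdateResponse{Payload: []byte("replaced bytes"), Signature: genuine.Signature}
	fmt.Println("swapped payload:", VerifyUpdate(swapped))
}
```

The same check rejects a payload re-signed with any key other than the pinned one, which is why the public key must ship with the application rather than be fetched over the same unauthenticated channel.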
Some of the suggested solutions are a bit obvious, such as don't use open Wi-Fi networks, or, if you have to, don't update your computer while connected to one. I said they were obvious.
But what about an application that updates automatically and in the background? The only visual indication usually comes after the process is complete. Technically, the only way to avoid the Ippon attack while using open Wi-Fi networks is to use a secure VPN tunnel.
A friend of mine suggested that I mention updating proactively, maybe using Secunia PSI. I think that's a good idea, even if Ippon didn't exist. Still, I'm concerned about a false sense of security: automated updaters follow a schedule and will check for updates regardless.
As of this writing Ippon has been released, so it's only a matter of time. I have e-mailed and left voice mails with several of the major application developers, Adobe for instance. When I learn whether an application uses signed updates or not, I will add a comment with that information.
I have one last question. Kotler and Bitton are focused on Wi-Fi because it's the simplest attack vector. What if Ippon could be developed into an exploit that infiltrated wired networks?