Thangrycat: a deadly Cisco vulnerability named after an emoji ???

Thangrycat is a newly disclosed vulnerability in Cisco routers that allows attackers to subvert the router's trusted computing module, which allows malicious software to run undetectably and makes it virtually impossible to eliminate malware once it has been installed.

Thangrycat relies on attackers being able to run processes as the system's administrator, and Red Balloon, the security firm that disclosed the vulnerability, also revealed a defect that allows attackers to run code as admin.

It's tempting to dismiss the attack on the trusted computing module as a ho-hum flourish: after all, once an attacker has root on your system, all bets are off. But the promise of trusted computing is that computers will be able to detect and undo this kind of compromise, by using a separate, isolated computer to investigate and report on the state of the main system (Huang and Snowden call this an introspection engine). Once this system is compromised, it can be forced to give false reports on the state of the system: for example, it might report that its OS has been successfully updated to patch a vulnerability when really the update has just been thrown away.

As Charlie Warzel and Sarah Jeong discuss in the New York Times, this is an attack that can be executed remotely, but can only be detected by someone physically in the presence of the affected system (and only then after a very careful inspection, and there may still be no way to do anything about it apart from replacing the system or at least the compromised component).

What's more, since Cisco routers power so much of the internet, and since the router is privy to enormous amounts of data and metadata, an attack at scale would be potentially devastating.

Red Balloon was founded by Ang Cui, who specializes in this kind of research, having previously discovered a way to permanently take over printers by sending them malicious documents, after which they could be used to scan their network and take over vulnerable machines, then open a firewall-busting reverse shell to an attacker's offsite system. As with Thangrycat, Cui's printer attack effectively permanently compromised the systems it hijacked, making them untrustworthy under any circumstances.

Sarah: The Red Balloon team told us that an attacker could get into some routers and then take down, say, the entire New York Stock Exchange. I think that's probably the nightmare scenario here.

Thrangrycat is a "low level" attack — and when computer people say "low level," they don't mean inconsequential, they mean it reaches deep inside the infrastructure, it's getting close to the bones of computing itself. In the case of Thrangrycat, we're talking about the placement of pins on circuit boards.

The problem with low-level nightmare scenarios is that they're highly theoretical. What's possible depends on the state of everything that's layered on top — hardware and software. I asked the Red Balloon folks whether data could be intercepted — like, say, my chats with you over the internet, right at this moment. And they said if end-to-end encryption were implemented correctly, probably not. The extent of the spying that's possible through Thrangrycat is, at the moment, largely theoretical.

Charlie: But a theoretical security apocalypse just sitting out there is still quite bad, no?

Sarah: To go back to my steel beams metaphor, imagine if someone told you that the steel beams in your building are insecure but also they're probably O.K. if the building is built under a certain height and the builders use a very specific brand of concrete. But also maybe the beams could give out if the wind starts blowing at a certain speed or if it's really hot for 10 days in a row. Also, who knows if your building will actually fall over? Maybe it'll just sway a lot or something and your floor will tilt? Who can say? Even if you're probably safe in the long run, I'd say this kind of risk is just unacceptable.

The Internet Security Apocalypse You Probably Missed [Charlie Warzel and Sarah Jeong/New York Times]

(via Super Punch)