
Lethal Apps, Contraband Huawei and A Door that Unlocks Itself [Encryption Digest 7]

July 19, 2019 | Katrina Dobieski


In this issue, I’ll look at why it may not be a good idea to outsource your trust, as illustrated by “contraband” Huawei certificates discovered in Cisco firmware and Dark Matter’s rejection from Mozilla’s trust store. Then, I’ll take a peek at how outsiders could be using encryption vulnerabilities in your Logitech keyboard to type you a message. And I’ll wrap it up with a look at the ethics of safely encrypting medical-ware and why some folks are suing for the right to use a regular-old door key instead of a run-of-the-mill SSH key.




Cisco put Huawei X.509 certificates and keys into its own switches

Ever look through an old drawer and find something left behind from a past relationship? So did Cisco.

Cisco recently disclosed several vulnerabilities, including a bug labeled 'informational' affecting Cisco Small Business 250 Series Switches, or the ‘House of Keys’.  Apparently, researchers were doing a sweep of the firmware and discovered digital certificates (X.509s) and keys issued to Futurewei Technologies, a subsidiary of Huawei.



After the telecom giant was banned from US trade last August, it became illegal for US companies that work with, or plan to work with, the US government to use any components from Huawei or its subsidiaries.

“We noticed Huawei certificates being used in the firmware. And given the political controversy we didn't want to speculate any further,” said Florian Lukavsky, COE of SEC Technologies. SEC Technologies is the IoT division of SEC Consult, the security firm responsible for discovering the foreign certificates.

Find out what the certificates were doing there and how Cisco handled the dilemma. Read the full article.




“Fox in the Hen House”: Mozilla boots Dark Matter

Mozilla will no longer entertain Dark Matter as a trusted Certificate Authority and has slid them onto its OneCRL blocklist. After plausible allegations of Dark Matter’s involvement in Project Raven, a United Arab Emirates spy ploy targeting human rights activists, enough dirt was stirred around the CA that the Electronic Frontier Foundation (EFF) spoke out against it in February of this year.



"Giving DarkMatter a trusted root certificate would be like letting the proverbial fox guard the henhouse," quipped Cooper Quintin, senior staff technologist at the EFF. The EFF had warned Mozilla, Apple, Google and Microsoft.

Dark Matter has been vying to become a root certificate authority for two years. Read the full article.




Logitech wireless USB dongles vulnerable to new hijacking flaws

If you use Logitech Unifying dongles, you may be vulnerable to a man-in-the-middle attack.

Researcher Marcus Mengs recently discovered vulnerabilities in Logitech’s Unifying USB receivers that add a few CVE identifiers to the still open 2016 list.

In one vulnerability, by intercepting the pairing between a Logitech device and Unifying dongle, an attacker can steal the encryption key and “...inject arbitrary keystrokes, as well as … eavesdrop and live decrypt keyboard input remotely,” according to Mengs. This affects all Logitech Unifying USB receivers with a keyboard feature.



In a second vulnerability, faulty protections prove a low fence over which attackers can dump stored encryption keys. The attack takes “one second to carry out” and leaves the attacker with the ability to strong-arm remote commands and take control of the user’s system.

Logitech has declined to issue patches for all vulnerabilities. Find out which ones are covered. Read the full article.




Major Security Vulnerabilities in Smart Home Devices Could Allow Hackers to Unlock Doors

You protect what’s valuable in your home by locking your door. You protect your door by installing a smart-lock. You protect your smart-lock with encrypted SSH keys.

Except when you realize everyone else has been shipped those same SSH keys.

It was discovered that the private SSH key for the ZipaMicro smart-hub was coded into all shipped devices. This made safety a matter of Russian roulette as anyone who knew what they were doing could extract the “root” SSH key and access all devices without even a plain-text password.



“[It’s] like winning an exploit jackpot,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “It can literally provide attackers with the ability to unlock your home.” And the homes of anyone else with a ZipaMicro smart-hub.

Renters are now suing for the right to not use smart-lock doors.

Find out how researchers plumbed the vulnerability and what smart-hub maker Zipato is doing about it. Read the full article.
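
An added example, not part of the original post or any vendor's tooling: a pre-release check that scans unpacked firmware images for PEM-encoded certificates and private keys and flags any private key that ships in more than one image, the condition behind the ZipaMicro finding above and the leftover material in the Cisco item. The function names, file names and sample bytes are constructed for illustration, and the images are assumed to be already unpacked.

```python
import base64
import hashlib
import re
from collections import defaultdict

# Any PEM block; the label says what kind of material it is.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END \1-----")

def find_key_material(blob: bytes):
    """Return (label, sha256 of decoded body) for each PEM block in blob."""
    found = []
    for m in PEM_RE.finditer(blob):
        try:
            body = base64.b64decode(b"".join(m.group(2).split()), validate=True)
        except ValueError:
            continue  # PEM-shaped text that is not valid base64
        found.append((m.group(1).decode(), hashlib.sha256(body).hexdigest()))
    return found

def audit_images(images: dict):
    """Return (private, shared) for a mapping of image name -> raw bytes.

    private: (image, label, fingerprint) per embedded private key.
    shared: fingerprint -> sorted images carrying that same private key.
    """
    private, seen = [], defaultdict(set)
    for name, blob in images.items():
        for label, fp in find_key_material(blob):
            if label.endswith("PRIVATE KEY"):
                private.append((name, label, fp))
                seen[fp].add(name)
    shared = {fp: sorted(n) for fp, n in seen.items() if len(n) > 1}
    return private, shared

def _pem(label: bytes, body: bytes) -> bytes:
    # Wrap constructed bytes in a PEM envelope for the sample data below.
    return b"-----BEGIN %b-----\n%b\n-----END %b-----\n" % (
        label, base64.b64encode(body), label)

# Constructed sample images: placeholder bytes, not real keys or certificates.
SAMPLE_IMAGES = {
    "hub-unit-a.bin": b"\x7fELF" + _pem(b"OPENSSH PRIVATE KEY", b"same-key-on-every-unit"),
    "hub-unit-b.bin": _pem(b"OPENSSH PRIVATE KEY", b"same-key-on-every-unit") + b"\x00",
    "switch-fw.bin": _pem(b"CERTIFICATE", b"vendor-x-cert") + _pem(b"RSA PRIVATE KEY", b"vendor-x-key"),
}

if __name__ == "__main__":
    private, shared = audit_images(SAMPLE_IMAGES)
    print(len(private), "private keys;", "shared:", list(shared.values()))
```

Any entry in `shared` means one device's compromise exposes every device built from those images; per-device key generation at first boot or at provisioning removes that condition.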




These Hackers Made an App That Kills to Prove a Point

A year ago, at Black Hat in August 2018, two researchers outed a security vulnerability that would leave diabetic MiniMed users open to remote hijack – of their insulin. This type of vulnerability highlights an overall lack of understanding about the importance of protecting the machine identities of IoT devices.

The MiniMed looks like a key fob and allows caretakers to administer automated shots of insulin through a connected device on the patient from several feet away. It’s like a remote control.



Billy Rios and Jonathan Butts discovered that a hacker could easily find the unencrypted radio frequency between the paired devices and reverse engineer a way around the coding to capture the fob’s commands. When the findings were displayed at Black Hat, no one moved. This year, they’ve taken their advice to the next level and made an app that can prove their point.

"We’ve essentially just created a universal remote for every one of these insulin pumps in the world," Rios says.

Find out how maker Medtronic is responding. Read the full article in WIRED.



About the author

Katrina Dobieski

Katrina writes for Venafi's blog and helps optimize Venafi's online presence to advance awareness of Machine Identity Protection.
