Zero-Days in RGB Keyboards, Top DID Network Exposed at INTENT Threat Research Summit

January 19, 2023 Andy Thompson

INTENT Threat Research Summit

Data breach headlines are daily reminders that cyberattackers keep innovating. While constant research to uncover threats and share crucial intelligence with defenders is far less visible, the second annual INTENT Summit offered a glimpse.

Together with our friends at Checkmarx, CyberArk recently welcomed global security researchers to Tel Aviv to “go down the rabbit hole” and explore today’s most fascinating cybersecurity challenges.

I may be a bit biased, but the event – for researchers, by researchers – was truly incredible. From the décor and music, to the missing vendor booths and life-sized bunny mascot (who had a creepy way of hopping out when you least expected it), the vibe was decidedly “un-security conference,” and buzzing with energy from start to finish. We demystified Tesla’s Bluetooth entry system, broke open-source CI/CD pipelines using code search and injection and shared embedded device security nightmares (and how to tackle them). We competed in an epic capture the flag challenge involving a robotic arm that danced and taunted the crowd, jammed out to a private Tuna concert and cheered for the World Cup finals together.

While I can’t possibly pick a favorite part, a few INTENT sessions stood out to me for their relevancy and potentially far-reaching security implications. If you’re an online gamer, or if the growing self-sovereign identity (aka decentralized identity) movement fascinates you, keep on reading.

Use an RGB Keyboard? Know the Potential Vulnerabilities (Literally) at Your Fingertips

Your computer keyboard isn’t likely to stick out when considering cybersecurity threats, but that may change after this discovery by Tal Lossos, security researcher at CyberArk Labs.

Many online gamers use RGB keyboards – advanced keyboards with colorful, customizable backlit LED lighting – as they battle virtual foes and construct new worlds. There’s a lot to like: RBG keyboards are ergonomic, help boost actions per minute and contribute to an immersive experience. And in some popular models used in Linux environments, the underlying software could cause serious security problems.

Without getting overly technical, Linux operating systems are made up of two levels: User and kernel. The kernel level is privileged, with elevated levels of access that enable interaction with the computer and home to “kernel drivers” – modules that extend support to other hardware devices like your keyboard, mouse and headphones.

Because of the kernel’s high privileges, even the tiniest bug can pose major risks. And exploiting a vulnerability in a kernel driver (like the one used to configure macros on your keyboard) can be just as impactful as exploiting a bug in the kernel itself. You may not realize it, but every time you add a new accessory to your gaming set up, you load a new kernel driver into the kernel, which greatly expands the attack surface.

Lossos set out to find these kernel-level vulnerabilities, and came upon OpenRazer, an open-source software powering most products made by popular gaming peripherals manufacturer, Razer. Deeper analysis of this Linux kernel module revealed several zero-day flaws (CVE-2022-29021, CVE-2022-29022, CVE-2022-29023), including a buffer overflow vulnerability that could be potentially exploited to launch attacks from generic denial of service to full local privilege escalation (in other words, the attacker “owns” your entire system).

Here’s the wildest part: These vulnerabilities are determined by the user’s specific RGB color selections. CyberArk Labs submitted a patch as part of disclosure, but gaming enthusiasts and developers alike will be interested in the details, risk mitigation recommendations and Linux kernel bug hunting considerations highlighted in Lossos’ full INTENT talk and corresponding technical blog post.

RCE’ing Our Way Into the Decentralized Identity Blockchain

There’s a growing global movement toward decentralized identity (DID), in which individuals fully own and control their digital identities as they interact in cyberspace. It’s a fascinating visionary concept, yet it presents a boatload of new challenges, from getting people everywhere to change the way they operate (and take full responsibility for safeguarding their “keys to the kingdom”), standardization and technology constraints and, perhaps the biggest hurdle of all, securing the massive DID attack surface.

At INTENT, Shaked Reiner, principal security researcher at CyberArk Labs, dug into the technology behind DID implementations through the eyes of an attacker. He highlighted five distinct components of the identity attack surface: Blockchain code, private keys, post-authorization, trust-building and traditional “off the chain” systems, and ways they could all be exploited. But the bulk of his talk focused on a critical vulnerability (CVE-2022-31020, CVSS 10) unearthed during DID research involving the Hyperledger Indy-based DID network.

If you’re not familiar with it, Hyperledger Indy is a ledger designed to support identity operations. It’s used to run one of the largest DID networks in production today – Sovrin – along with several other prominent DID networks used by governments.

The vulnerability Reiner and team discovered allows an attacker to take over every node (used to validate transactions, write to the blockchain and read from it) in every Hyperledger Indy network. With this access, the attacker can practically own the consensus algorithm and impersonate any DID in the network.

This incredible research shows how important it is to embed security into the development process from the start and, especially in the case of decentralized identity, extend protections from code to every component involved. Explore Reiner’s decentralized identity 101 post, technical deep dive on the Sovrin vulnerability research and full INTENT talk to learn more.

Be sure to check out free on-demand INTENT sessions for more cutting-edge threat research. After all, enriching and inspiring the community is what INTENT is all about.

Previous Article
Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation – Part 1
Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation – Part 1

Everything started when I was researching Windows containers. It required installing Docker Desktop for Win...

Next Article
Chatting Our Way Into Creating a Polymorphic Malware
Chatting Our Way Into Creating a Polymorphic Malware

Abstract ChatGPT took the world by storm being released less than two months ago, it has become prominent a...