@arstechnica back in 2019 with @civilsphere / @stratosphere we sent reports to over 30 AVs showing how they were sending traffic unencrypted that could put people at risk. We showed how we could do injections in their apps. We got less than 5 answers. None accepted our report as valid.


@buherator @civilsphere @stratosphere @arstechnica

We presented in 2019 in some local conferences. And we talked about this with @eldraco at Ekoparty in 2022 (In Spanish, sorry): https://www.youtube.com/watch?v=uN0EVwWWMbs&t=32s

At some point we were keeping this list updated and we wrote some blogs but not on AVs:
https://www.civilsphereproject.org/research/mobile-applications-we-helped-improve

When we found the issues on the AVs' apps, we wrote reports and sent emails, and then we waited. Honestly we are a university research team and students come and go; eventually we moved on as it was too much work outside our 'core' research and teaching duties. We did it the right way, PDF reports with reproducibility and everything, and it was so much work. It was an exhausting season for us.

We still have the spreadsheet with all the issues we identified per AV.

@verovaleros @eldraco Interesting! I found that on desktop HTTP is often employed so TLS errors won't block updates (and traffic is often MitM'd anyway by perimeter security) and you can check file signatures (which eScan apparently didn't). I don't know much about MDM but this looks like a less reasonable choice on mobile.
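The point made above, that an update fetched over plain HTTP is only acceptable if the client authenticates the file itself before applying it, is illustrated by the following added example. It is not code from any of the participants or from any AV vendor; it assumes a hypothetical vendor Ed25519 signing key (generated on the spot here, whereas a real product would pin the public key in the installed client) and constructed update payloads. It shows that a correctly signed update is accepted while a payload modified in transit, or one signed by a different key, is rejected regardless of how it was transported.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"log"
)

// UpdatePackage is what the client receives, possibly over plain HTTP:
// the update payload plus a detached signature made with the vendor key.
type UpdatePackage struct {
	Payload   []byte
	Signature []byte
}

// SignUpdate is the vendor-side step: sign the SHA-256 digest of the
// payload with the vendor's private signing key (hypothetical key here).
func SignUpdate(priv ed25519.PrivateKey, payload []byte) UpdatePackage {
	digest := sha256.Sum256(payload)
	return UpdatePackage{Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyUpdate is the client-side check that must run before anything is
// installed. The transport (HTTP, or a TLS session intercepted by a proxy)
// is not trusted; only the vendor public key pinned in the product is.
func VerifyUpdate(pub ed25519.PublicKey, pkg UpdatePackage) error {
	if len(pkg.Signature) != ed25519.SignatureSize {
		return errors.New("update rejected: malformed signature")
	}
	digest := sha256.Sum256(pkg.Payload)
	if !ed25519.Verify(pub, digest[:], pkg.Signature) {
		return errors.New("update rejected: signature does not verify")
	}
	return nil
}

// ApplyUpdate models the whole client flow: verify first, apply only on
// success. It returns whether the update was applied and why not otherwise.
func ApplyUpdate(pub ed25519.PublicKey, pkg UpdatePackage) (bool, error) {
	if err := VerifyUpdate(pub, pkg); err != nil {
		return false, err
	}
	// A real client would write the payload to disk and reload here.
	return true, nil
}

func main() {
	// Hypothetical vendor key pair; a shipped client would only hold pub.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		log.Fatal(err)
	}

	// Constructed sample: a genuine signed update.
	genuine := SignUpdate(priv, []byte("constructed: signature database v1234"))
	fmt.Println(ApplyUpdate(pub, genuine)) // true <nil>

	// Constructed sample: the same package with its payload altered on the
	// wire; the detached signature no longer matches and it is rejected.
	tampered := genuine
	tampered.Payload = []byte("constructed: altered payload")
	fmt.Println(ApplyUpdate(pub, tampered)) // false update rejected: signature does not verify
}
```

The transport choice (HTTP versus TLS) does not appear in `VerifyUpdate` at all: the check is the same whatever delivered the bytes, which is exactly why skipping it, as the thread says eScan did, leaves an HTTP update channel with no protection.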

@buherator @eldraco Yeah, we got about the same reasoning from a few of the vendors that answered. You want to ensure the AV always works; this is why they also do some DNS magic that often triggers alarms in IDS/IPS. It is understandable up to some extent.
