Hackers infect users of antivirus service that delivered updates over HTTP
eScan AV updates were delivered over HTTP for five years.
@arstechnica back in 2019 with @civilsphere / @stratosphere we sent reports to over 30 AVs showing how they were sending traffic unencrypted that could put people at risk. We showed how we could do injections in their apps. We got less than 5 answers. None accepted our report as valid.
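A defender-side check in the spirit of the audit described in this post, added here as an example rather than the research team's own tooling: it scans constructed proxy log lines and flags update artifacts fetched over plaintext HTTP, which is the exposure an on-path injection needs. The log format, host names and process names are assumed and constructed for the example.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not from the thread or any real vendor):
# <method> <url> <client process>
SAMPLE_LOG = """\
GET http://update.example-av.test/defs/av_defs_20240101.dat av_updater.exe
GET https://update.example-av.test/defs/av_defs_20240101.dat.sig av_updater.exe
GET http://cdn.example-av.test/engine/engine_update.exe av_updater.exe
GET https://mail.example.test/inbox browser.exe
GET http://ocsp.example-ca.test/ browser.exe
"""

# File types an updater typically downloads and later executes or loads.
UPDATE_ARTIFACT = re.compile(r"\.(exe|dll|msi|dat|bin|zip|cab|def|upd)$", re.IGNORECASE)

LINE = re.compile(
    r"^(?P<method>[A-Z]+)\s+(?P<scheme>https?)://(?P<host>[^/\s]+)(?P<path>\S*)\s+(?P<proc>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into its fields, or None if it does not match."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None


def audit_update_traffic(log_text):
    """Return {process: [URLs]} for fetches an on-path attacker could tamper with:
    plaintext HTTP scheme combined with an update-like artifact in the path.
    Plain HTTP for things like OCSP (no artifact) is left alone on purpose."""
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["scheme"] == "http" and UPDATE_ARTIFACT.search(rec["path"]):
            findings[rec["proc"]].append(f"http://{rec['host']}{rec['path']}")
    return dict(findings)


if __name__ == "__main__":
    for proc, urls in audit_update_traffic(SAMPLE_LOG).items():
        print(f"{proc}: {len(urls)} plaintext update fetch(es)")
        for url in urls:
            print("  ", url)
```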
@buherator @civilsphere @stratosphere @arstechnica It’s been a while so I will have to check.
@buherator @civilsphere @stratosphere @arstechnica
We presented in 2019 in some local conferences. And we talked about this with @eldraco at Ekoparty in 2022 (In Spanish, sorry): https://www.youtube.com/watch?v=uN0EVwWWMbs&t=32s
At some point we were keeping this list updated and we wrote some blogs but not on AVs:
https://www.civilsphereproject.org/research/mobile-applications-we-helped-improve
When we found the issues in the AV apps, we wrote reports and sent emails, and then we waited. Honestly we are a university research team and students come and go; eventually we moved on as it was too much work outside our 'core' research and teaching duties. We did it the right way, PDF reports with reproducibility and everything, and it was so much work. It was an exhausting season for us.
We still have the spreadsheet with all the issues we identified per AV.
@buherator @eldraco Yeah, we got about the same reasoning from a few of the vendors that answered. You want to ensure the AV always works; this is also why they do some DNS magic that often triggers alarms in IDS/IPS. It is understandable up to some extent.