|
|
|
|
|
|
by rurcliped
1472 days ago
|
|
|
With CVEs for ham radio, clearly the next step is to add ATT&CK tactics and techniques. If you compromise a PC that's connected to a ham radio, you might be able to transmit maliciously, or interfere with the radio owner's ability to transmit or receive. But it turns out that ham radio isn't only about communicating with other ham radio people - it's also about using PKI to store details of who you communicated with: https://lotw.arrl.org/lotw-help/developer-pki/ Private key disclosure seems catastrophic because of their scorched-earth security policy https://lotw.arrl.org/lotw-help/certificatesecurity/ where the server admins plan to invalidate all signed data, even if the same data had been sitting on the central server for years before the compromise happened. Yet, the docs don't recommend a password for the private key except on "shared or public computers." The adversary just looks for -----BEGIN PRIVATE KEY----- in a text file in a keys directory (the filename is the call letters). In other words, although executing cmd.exe is a wonderful accomplishment, there's also the possibility of 1. wait for the PC and radio to be idle, 2. tune the radio to a clear frequency, 3. open the victim's private key file, 4. transmit the private key with Morse code. |
|
|