FOXTROT/ALFA: MI5 is OK with Chinese 5G Tech, Boeing Guys Wouldn’t Put Their Own Families on the 737, Cable Haunt

Hi there! This is FOXTROT/ALFA, issue 61, for Monday, 13 January 2020. Today we have some pretty crazy revelations from inside Boeing, some entirely expected news from Broadcom, and a douchebag tech CEO helicopter pilot, among other things. Let’s dive right in.

Broadcom Cable Modems at Risk of Remote Code Execution

Broadcom cable modems are vulnerable to remote code execution you say? Quelle surprise! 200 million modems in Europe vulnerable, you say?

A vulnerability in Broadcom’s cable modem firmware has left as many as 200 million home broadband gateways in Europe, and potentially more worldwide, at risk of remote hijackings.

Four Danish researchers have demonstrated how a miscreant could exploit the hole, CVE-2019-19494, in the wild: essentially, a victim is tricked into opening a webpage or similar containing malicious JavaScript. This code subsequently connects to the web server built into the vulnerable modem on the local network. The script then alters the contents of the modem’s processor registers, by overwriting the stack, to redirect execution to malware smuggled in with the request.

At that point, the code can attempt miscreant-in-the-middle attacks, manipulate the firmware, change DNS settings to redirect connections to phishing pages, snoop on traffic, launch distributed denial-of-service assaults, and so on.

The thing has its own website. Of course it has.

CES is Weird

CES is generally a bunch of farfetched or bullshit products that will probably never hit the market. That’s very clear to me as someone who’s always looked at it from afar and thus was never engrossed by the spectacle.

This year wasn’t any different, going by The Register’s wrap-up:

CES has a corporate vibe, but it is still somewhat of a testing ground for the weird and wonderful. This year was no exception. From Samsung’s keyboard-less keyboard, to Segway’s futuristic S-Pod buggy, looking very much like a pram for adults, manufacturers were keen to show they still had an active imagination.

(On the subject of the S-Pod, it had an almost Cybertruck-esque catastrophic demo, which saw the battery-powered vehicle careering dangerously into a wall during a demonstration.)

And they didn’t even talk about the toilet paper “robot”. At least the whole thing is over now.

Boeing Techs Wouldn’t Put Their Own Families on a 737 MAX

I’m becoming convinced the Boeing 737 MAX should never be allowed to fly again. This company seriously needs to go away for a few years, re-assess their business and start designing new planes that put safety of the passengers first. The shit that’s coming out is just completely appalling.

Boeing this week turned over damning new documents around the design and response to its ill-fated 737-Max airliner. The aviation giant provided an archive of employee emails and messages to investigators in both US Congress and the FAA covering the design and handling of accidents in the error-prone plane.

In one message, an employee is quoted as saying the Max was “designed by clowns, who are in turn supervised by monkeys.” In another exchange, while discussing the simulators used during the design of the aircraft, one Boeing employee asked another “Would you put your family on a Max simulator trained aircraft? I wouldn’t” to which the recipient responded “no.”

The messages also show the disdain Boeing’s ranks held for the FAA, vowing to fight any efforts to require additional simulator training for pilots and comparing presentations the company gave for the FAA to “like dogs watching TV.”

In other cases, employees did express concern for the problems plaguing the craft, with one quoted as writing “I still haven’t been forgiven by God for the covering up I did last year.”

Wow. Just wow. I’m not one to call for breaking up companies, but what’s coming out about Boeing is almost getting me there. If that wouldn’t leave Airbus without any competition (which would be even worse), I’d be almost convinced to completely wipe that company out with fines. Unbelievable shit. They build planes, not fucking sofas!

MI5 Sees No Problem with Huawei 5G Tech

The UK’s Security Service, more commonly known as MI5, keeps saying they have no indications that Huawei tech in 5G networks would actually be spyware.

The head of the UK’s domestic spy agency, MI5, has declared that he has “no reason to think” that Britain’s impending decision to use Huawei in the core of 5G mobile networks will harm UK-US relations.

American government officials have spent the last couple of years screaming blue murder at any country thinking of adopting Huawei kit, with notably little success in Germany, a country increasingly looking away from its traditional Western alliances.

I wonder why the Americans keep insisting that the Chinese will spy on everyone. Might there actually be, shock horror, economic reasons at play here? Or do they want to make sure we use 5G tech Made in the U.S.A., riddled with their spyware?

I’m in a Helicopter That Costs £550 an Hour

He he he. He he. Gonna quote this Register story in full. It’s just too good not to.

The managing director of a Manchester-based infosec firm has been fined for flying his helicopter into an air traffic control zone without permission – having first launched a rant at tower controllers. Joel Tobias, a helicopter owner and pilot who was described by the Manchester Evening News as a “wealthy businessman”, was fined £1,600 plus £870 in legal costs after his on-frequency rant at air traffic controller Andrea Tolley. Tobias, who owns his own Eurocopter EC-120 registered G-HVRZ, was flying his family between Lytham St Annes and Blackpool when he radioed Blackpool on 31 July last year for permission to enter its air traffic zone (ATZ).

British aviation law says pilots of aeroplanes entering ATZs need to radio air traffic control before doing so. Manchester Magistrates’ Court heard that after being told by duty controller Andrea Tolley to stand by three times while she dealt with other traffic, Tobias said over the radio: “I’m in a helicopter here that costs £550 an hour and I’ve waited 10 minutes for you to answer the call. It’s absolutely appalling.”

He also ranted, on the Blackpool Approach frequency: “Your job is actually to take calls from aircraft and not have two-way chats with other aircraft asking how their day’s going and how fun it is.” After listening to Tobias moaning that he had “been waiting for 10 minutes for a call back,” and declaring that he was going to route around Blackpool instead of waiting, Tolley responded: “Good. Stay out of my ATZ. You need to check your radio. By all means complain”.

Tobias promptly said: “I’m the pilot in command. I’m entering the ATZ,” before doing so. Even after someone else radioed for permission to land, Tobias kept on, declaring that Tolley was “setting a safety issue now”, demanding her name and telling everyone tuned to 119.950MHz that he was going to file a complaint – something he did not do. Nonetheless, an appalled fellow pilot reported him to the Civil Aviation Authority.

CAA prosecutor Alison Slater told the court that Tobias “gave Miss Tolley no time to ask him to pass his message, as radio protocol requires,” and that he “did not give his location, altitude, destination or request permission to enter the aerodrome traffic zone (ATZ).” “She did not know if G-HVRZ was going to enter the ATZ or not, where it was or what height it was at,” added Slater. “Potentially it caused a serious risk to other air traffic in the area.”

Tobias was reportedly not represented at the hearing. His licence was suspended after the incident and the CAA will decide whether or not to return it. In a statement, he said he “regretted” his radio calls and said he was “unhappy about the service being given and felt under pressure with regard to the route.” Tobias is MD of Cyfor, which bills itself as a digital forensics firm. Among a list of partners featured on its homepage are iPhone hacking biz Cellebrite, as well as Symantec, Veritas and others. It is also a Crown Commercial Services accredited supplier.

Douchebag. He’s lucky there aren’t any 9K330 Tor SAMs stationed next to Blackpool Airport.

Also Noteworthy

Some other stories that might be worth your time:

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.