Computer crash reports are an untapped gold mine for hackers


When a faulty software update from security firm CrowdStrike accidentally caused digital chaos around the world last month, the first signs were Windows computers showing the Blue Screen of Death. As websites and services went down and people rushed to figure out what was going on, conflicting and inaccurate information was everywhere. Rushing to understand the crisis, longtime Mac security researcher Patrick Wardle knew there was one place he could look to get the truth: crash reports from computers affected by the bug.

“Even though I’m not a Windows researcher, I was curious about what was going on, and there was this lack of information,” Wardle told WIRED. “People were saying it was a Microsoft issue, because Windows systems were blue-screening, and there were all these wild theories. But it actually had nothing to do with Microsoft. So I went to the crash reports, which to me was the ultimate truth. And if you look there, you can identify the underlying cause long before CrowdStrike came out and said anything.”

At the Black Hat security conference in Las Vegas on Thursday, Wardle argued that crash reports are an underutilized tool. Such system snapshots give software developers and maintainers insight into potential problems with their code. And Wardle emphasized that they can be a particularly powerful source of information about exploitable vulnerabilities in software—for both defenders and attackers.

In his talk, Wardle presented several examples of vulnerabilities he found in software where apps crashed, and he examined the reports to find possible causes. Users can easily view their own crash reports on Windows, macOS, and Linux, and they are also available on Android and iOS, although they may be more difficult to access on mobile operating systems. Wardle noted that to glean insights from crash reports, you need a basic understanding of instructions written in low-level machine code called Assembly, but he stressed that the rewards are worth it.

In his Black Hat talk, Wardle outlined several vulnerabilities he discovered simply by examining crash reports on his own devices, including bugs in the YARA analysis tool and in the current version of Apple’s macOS operating system. In fact, when Wardle discovered in 2018 that an iOS bug caused apps to crash whenever they displayed the Taiwan flag emoji, he got to the root of the problem using, you guessed it, a crash report.

“We convincingly revealed that Apple had complied with a request from China to censor the Taiwanese flag, but their censorship code had bugs in it—it was ridiculous,” he said. “My first friend who saw this said, ‘My phone is being hacked by the Chinese. Every time you text me, it crashes. Are you hacking me?’ And I said, ‘That’s rude, I’m not going to hack you. And that’s rude, if I were to hack you, I wouldn’t crash your phone.’ So I pulled up the incident reports to see what was going on.”

Wardle stressed that if he could find so many vulnerabilities just by looking at crash reports from his own devices and those of his friends, then software developers should be looking there, too. Sophisticated criminals and well-funded state-sponsored hackers may have long since had the same idea and been mining crash reports of their own. Over the years, news reports have shown that intelligence agencies like the US National Security Agency mine crash logs. Wardle points out that crash reports are also a valuable source of information for detecting malware, as they can reveal unusual and potentially suspicious activity. Notorious spyware broker NSO Group, for example, often builds mechanisms into its malware to delete crash reports immediately after infecting a device. And because malware often has bugs of its own, it is especially prone to crashing, so crash reports are also valuable to attackers who want to understand what happened to their code.
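As an added illustration of the kind of crash-report triage Wardle describes (this is not code from his talk or from WIRED), the Python below parses a constructed, simplified macOS-style crash report, pulls out the exception type, the crashed thread's backtrace and the on-disk path of the faulting image, and applies two defender-side heuristics: a fault address near zero points at an unchecked null pointer rather than anything exotic, and a crashing library loaded from a temporary directory is exactly the "unusual activity" worth a second look. The report text, the field layout and the list of suspicious directories are all assumptions made for the example.

```python
"""Crash-report triage: extract the exception, the crashed thread's frames and
the faulting image's path, then flag patterns a defender would want to see.

Added example. SAMPLE_REPORT is a constructed, simplified macOS-style crash
log; its exact layout and the suspicious-directory list are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_REPORT = """\
Process:               NoteTaker [4242]
Path:                  /Applications/NoteTaker.app/Contents/MacOS/NoteTaker
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000010
Crashed Thread:        3

Thread 3 Crashed:
0   libhelper.dylib                 0x000000010e4a1f20 render_glyphs + 52
1   NoteTaker                       0x000000010d2c0a10 draw_document + 221
2   libsystem_pthread.dylib         0x00007ff81a3c0b0c _pthread_start + 125

Binary Images:
       0x10d2b0000 -        0x10d3cffff NoteTaker (1.0) <...> /Applications/NoteTaker.app/Contents/MacOS/NoteTaker
       0x10e4a0000 -        0x10e4a7fff libhelper.dylib (0) <...> /private/tmp/.cache/libhelper.dylib
    0x7ff81a3bf000 -     0x7ff81a3cafff libsystem_pthread.dylib (520.1) <...> /usr/lib/system/libsystem_pthread.dylib
"""

HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s+(.*)$")
CRASHED_RE = re.compile(r"^Thread (\d+) Crashed:")
FRAME_RE = re.compile(r"^(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(.*)$")
IMAGE_RE = re.compile(
    r"^\s*(0x[0-9a-fA-F]+)\s+-\s+(0x[0-9a-fA-F]+)\s+(\S+)\s+\([^)]*\)\s+<[^>]*>\s+(\S+)\s*$")

# Heuristic (assumption): code that crashes while loaded from a world-writable
# or temporary location deserves scrutiny; legitimate apps rarely live there.
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")


@dataclass
class Frame:
    index: int
    image: str      # binary name as printed in the backtrace
    address: int
    symbol: str     # "function + offset" text


@dataclass
class CrashReport:
    header: Dict[str, str] = field(default_factory=dict)
    crashed_thread: Optional[int] = None
    frames: List[Frame] = field(default_factory=list)   # crashed thread only
    images: Dict[str, str] = field(default_factory=dict)  # image name -> path


def parse_report(text: str) -> CrashReport:
    """Walk the report once, switching sections on the markers we recognise."""
    report = CrashReport()
    section = "header"
    for line in text.splitlines():
        if section == "header":
            if not line.strip():          # first blank line ends the header
                section = "body"
                continue
            m = HEADER_RE.match(line)
            if m:
                report.header[m.group(1).strip()] = m.group(2).strip()
            continue
        m = CRASHED_RE.match(line)
        if m:
            report.crashed_thread = int(m.group(1))
            section = "frames"
            continue
        if line.startswith("Binary Images:"):
            section = "images"
            continue
        if section == "frames":
            m = FRAME_RE.match(line)
            if m:
                report.frames.append(Frame(int(m.group(1)), m.group(2),
                                           int(m.group(3), 16), m.group(4).strip()))
            elif not line.strip():        # blank line ends the backtrace
                section = "body"
        elif section == "images":
            m = IMAGE_RE.match(line)
            if m:
                report.images[m.group(3)] = m.group(4)
    return report


def fault_address(report: CrashReport) -> Optional[int]:
    """Faulting address from 'Exception Codes', if the report states one."""
    m = re.search(r"at (0x[0-9a-fA-F]+)", report.header.get("Exception Codes", ""))
    return int(m.group(1), 16) if m else None


def triage(report: CrashReport) -> List[Tuple[str, str]]:
    """Return (finding-code, detail) pairs for the analyst to follow up on."""
    if not report.frames:
        return [("no-crashed-thread", "no crashed-thread backtrace found")]
    top = report.frames[0]
    path = report.images.get(top.image, "")
    findings: List[Tuple[str, str]] = []
    if path.startswith(SUSPICIOUS_DIRS):
        findings.append(("image-in-temp-dir", f"{top.image} was loaded from {path}"))
    addr = fault_address(report)
    if addr is not None and "EXC_BAD_ACCESS" in report.header.get("Exception Type", ""):
        if addr < 0x1000:   # first page is never mapped: classic unchecked null
            findings.append(("near-null-fault",
                             f"fault at {addr:#x} in {top.symbol}: likely an unchecked null pointer"))
        else:
            findings.append(("wild-fault",
                             f"fault at {addr:#x} in {top.symbol}: possible memory-safety bug"))
    return findings


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(rep.header.get("Exception Type"), "on thread", rep.crashed_thread)
    for code, detail in triage(rep):
        print(f"[{code}] {detail}")
```

On the constructed report this flags both a near-null dereference inside `render_glyphs` and the fact that the faulting `libhelper.dylib` was loaded from under `/private/tmp`; the first is the kind of bug Wardle mines reports for, the second is the kind of anomaly that makes crash reports useful for spotting unwanted code on a machine.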

“With the crash reports, the truth is out there,” Wardle said. “Or, I guess, in there.”
