Destination PWND: Safes, ATMs, phones all fall to Vegas hax0rs
Analysis BSides, Black Hat, DEF CON… For the last six days, Las Vegas has been home to the top brains in the computer security industry and the business menagerie that follows them – causing some panic among locals.
We’ve seen the pathetic state of the US electronic voting system exposed, claims of advanced eavesdropping at the Standing Rock camps and elsewhere, killer car washes and the awards for this year’s biggest blunders and best research. But there’s a lot going on at the edges of the shows that gets missed.
Hacker Jeff Moss kicked the whole conference season off in 1993 with a few hotel suites booked in Vegas where he and his mates would code and party. It has grown into one of the most popular hacking events out there and this year was DEF CON’s biggest show ever.
Black Hat was established five years later as a commercial offshoot. It involves days of training before the main show, a day of CIO-level briefings with no press allowed, and then a two-day jamboree with as many as eight tracks of talks running concurrently. Alex Stamos, chief security officer for Facebook, kicked off the opening keynote and it looked more like a rock concert than a technology conference.
This is a security conference, not a rock venue. Is Black Hat getting too big? pic.twitter.com/sNbJTw4vRt
— Iain Thomson (@iainthomson) July 26, 2017
“When I brought my girlfriend – now my wife – to the first Black Hat 20 years ago, it was because we were hacking the Man,” he joked. “Now, we are the Man.”
DEF CON is even more complex. While the show only has four main keynote tracks, there are a plethora of other briefings. The hardware hacking talks are well worth it, the social engineering village is fascinating if unsettling, and there is a phenomenal number of smaller training sessions dotted around the venue, not to mention informal meet, greet and share hacking talks.
Some of these sessions we’ll be reporting on later in the year, when fixes have been found and papers peer-reviewed. But here’s a roundup of the best hacks that weren’t covered on the day.
Mobile madness
Considering how much of our lives is tied to the devices these days, mobile phone hacking is a focus for many, and Chinese giant 360 Technology detailed a disturbingly easy way to hijack phones because of lousy network security.
The firm’s Unicorn Team pulled off what they called the Ghost Telephonist attack by intercepting the signals between a smartphone and a cell tower. When phones link to a new tower, they send an ID code to ensure connection, but the team found that when phones switch from a 4G to a 2G connection, this authentication code is skipped.
By intercepting a signal at the point when it switched network, using an aerial-equipped laptop, an attacker could send texts and take calls from the hacked phone. They could also log onto a Facebook account using the stolen phone’s credentials and get a password reset sent to their devices.
The Unicorn Team are now working with operators to fix this issue and that should disable the attack. But, based on other research, telcos are already going to have more problems on their hands with 3G and 4G communications.
Research by Ravishankar Borgaonkar and Lucca Hirschi has found a cryptographic flaw in the authentication system used to connect a phone to a network. While the flaw doesn’t allow the content of calls or messages to be read, it does allow for pinpointing of mobile phone users and provides records of how long they are online.
The flaw also turns out to be very easy to exploit. The team spent just $1,500 on its surveillance system and it’s clear that police forces around the world would be willing to pay that – considering that they already use Stingray cellphone targeters in the US, and locally produced equivalents overseas.
But the real doozy of a flaw was Broadpwn, a now-patched remote exploit that left over one billion smartphones open to a worm infection that could have built one of the largest botnets, according to its discoverer Nitay Artenstein of Exodus Intelligence.
Broadpwn stems from a serious flaw in Broadcom’s BCM43xx family of Wi-Fi chipsets that would allow malware to install itself on a device’s firmware. It could then ping out to other vulnerable devices in range and create a cascade of infections.
Broadcom is one of the biggest suppliers of chipsets to the smartphone industry and the vulnerability is found in every iPhone since its fifth version, Samsung handsets from the S3 to the S8 and all Samsung Note 3s, as well as Google’s Nexus 5, 6, 6X and 6P.
Hardware hacking
A lot of hackers first got into the business by becoming fascinated by noodling around with hardware, typically picking locks. There’s an entire DEF CON village devoted to that now, but innovative hardware hacks elsewhere were also very much in evidence.
A personal favourite among this year’s hacks was the safe-cracking computer, an ingenious device that used an Arduino board, an Erector set framework, magnets to hold it in place and a 3D-printed unit that meshed onto the rotary combination dial.
The device’s father, SparkFun Electronics boss Nathan Seidle, explained at DEF CON that he got into safe-cracking when his wife (another hardware hacker) bought him one on eBay for $20 as a present. The safe was so cheap because it was locked and had no known combination, so the two of them were determined to crack it.
And they got it open. It only took 30 min. pic.twitter.com/LNxmlvOArO
— Jack (atDEFCON) (@jmorse_) July 28, 2017
Seidle set the robot working, aiming to have the safe cracked in the time it took him to give his presentation. The robot managed it in a few seconds over 30 minutes.
Another interesting DEF CON talk by Dennis Maldonado showed how easily RFID chips can be harvested and cloned. Using some cheap parts he bought on eBay, Maldonado was able to copy chips from two feet away and then fire the data to a card cloner.
Reading RFID chips that don’t belong to you is nothing new but it was the speed and ease of this attack that made it really impressive. And with more and more RFID chips in circulation, Maldonado’s research could come in handy.
Meanwhile, at Black Hat, researchers at IOActive performed a perennial favourite – making an ATM spew money everywhere.
They found that an ATM built by Diebold Nixdorf had a USB port that was trivially easy to access. They informed the company, only to be told that it couldn’t possibly be used to carry out a hack.
The team found a way to reverse-engineer the ATM’s software and cause it to dump its entire load of cash. The team reported that Diebold still hasn’t fixed the flaw, as it no longer makes that model of ATM, and that the hacked unit had not been patched.
A mountain of malware
Software cracking is what most people associate with hacking and there was more than enough to go around.
Earlier this year, a new Mac malware was found called Fruitfly, and Patrick Wardle, chief security researcher at Synack, spoke about how he’d managed to hack a variant of the software’s command-and-control servers. What he found is going to be giving Apple some serious concern.
Fruitfly is an obfuscated Perl script using antiquated code that can give an attacker pretty much complete control of macOS, including key logging, webcam control, alerts when the user is online, and a tunnelling system to get this back to the command and control servers.
With a reverse-engineered piece of the code, Wardle was able to log into the command and control systems and view infected systems. They appeared to be mostly US based, although not too numerous, but all had been taken over by the malware and none had antivirus engines installed.
Using malware for physical targets was also covered, with Robert Lee, CEO of industrial security specialist Dragos, giving a detailed rundown of how hackers brought down sections of the Ukrainian power grid last year. This was a complex attack with initial reconnaissance by hackers in 2014 followed by more than a year of development before the biggest outage.
The attackers had designed malware to hit specific sections of the power grid and cause them to fail. This initially complex task had been simplified so that someone without detailed knowledge of the grid could use it. But Lee was hopeful that US grids were more resilient.
“The US government simply doesn’t know what is going on in infrastructure, because they own so little of it, but operators are getting on the case,” he said. “The North American power grid is one of the most complex organisations in existence, with systems piled onto systems. That leaves a lot of redundancy.”
Finally Marcus Hutchins, the British researcher who discovered the kill switch for the WannaCry malware, was also wandering the halls and parties of Las Vegas. He just missed out on a Pwnie Award but Charlie Miller, car hacker extraordinaire, said that Hutchins was due his plaudits. Hutchins also enjoyed some traditional Las Vegas pursuits.
It was a fun, if exhausting, week. The first presentations for DEF CON and Black Hat are now online so you can catch up with the whole thing. ®
Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/31/best_of_rest_black_hat_def_con/