Ten scary hacks I saw at Black Hat and DEF CON
Hackers can mess with the music in your car, and then cause you to crash
The highlight of this year's Black Hat conference was a remote hack of the Jeep Cherokee and other Fiat Chrysler vehicles demonstrated by security researchers Charlie Miller and Chris Valasek.
The attack was the culmination of a year of painstaking work that involved reverse engineering car firmware and communications protocols. It eventually allowed the two researchers to hack into the car infotainment systems over mobile data connections and take over brake, steering and other critical systems. The research forced Chrysler to recall 1.4 million automobiles so they could be patched and prompted a car cybersafety legislative proposal from the U.S. Congress.
Rootkits in your CPU are now a thing
Researcher Christopher Domas from the Battelle Memorial Institute disclosed a design flaw in Intel's x86 CPU microarchitecture that dates back to 1997. The vulnerability, which affects all Intel CPUs older than the second-generation Core processor family, also known as Sandy Bridge, can be leveraged to install a rootkit into the deepest part of a system, System Management Mode (SMM). This can make malware undetectable to security products and allows attackers to reinfect the operating system even after a complete wipe.
Intel released firmware updates for some of its server and desktop motherboards, but other manufacturers have to follow suit. Since Sandy Bridge was released in 2011, older boards might not even be supported anymore and might not receive updates. Even if they do, it's unlikely many users will install the updates, so vulnerable systems will still be around for years to come.
Critical vulnerabilities put hundreds of millions of Android devices at risk
There were two major Android security issues presented at Black Hat that put hundreds of millions of Android devices at risk. One was a vulnerability in a core Android media processing library called Stagefright that could be exploited via a single MMS message or browsing to a Web page. The flaw prompted Google, Samsung and LG to commit to monthly security updates for their devices.
In a different talk at Black Hat, Android's lead security engineer, Adrian Ludwig, referred to the Stagefright patching effort as the "single largest unified software update in the world."
The second issue was not in the core Android components, but in the support tools that manufacturers and carriers install on their devices so that technical support staff can remotely troubleshoot issues. Security researchers from Check Point Software Technologies found multiple issues with these remote support tools that allowed any malicious applications to communicate with them and take control of devices.
When computers help you shoot, hackers can help you miss
Computer-assisted rifles are scary, but remotely hacking into one and forcing the shooter to miss his target or potentially to hit something else is even scarier. That's what security researchers Runa Sandvik and Michael Auger did with a TP750 rifle and scope made by precision guided firearm manufacturer TrackingPoint, which they attacked over the gun's built-in Wi-Fi access point.
Their hack, which was presented at both Black Hat and DEF CON, prompted a response from the manufacturer that amused many attendees: "Since your gun does not have the ability to connect to the Internet, the gun can only be compromised if the hacker is actually physically with you. You can continue to use Wi-Fi (to download photos or connect to ShotView) if you are confident no hackers are within 100 feet."
Pass the hash... on the Internet
SMB relay, the network version of a long-time hacker favorite attack called "pass the hash," was believed to work only inside Windows networks. Security researchers Jonathan Brossard and Hormazd Billimoria found that this is not actually true and that an attacker can harvest Active Directory NTLM (NT LAN Manager) credentials from the Internet simply by tricking a user into visiting a Web page in Internet Explorer, opening an email in Microsoft Outlook or playing a video file in Windows Media Player.
SMB relay uses man-in-the-middle techniques to capture authentication requests from a Windows computer to a server and then relays those requests back to the server in order to be authenticated as the user. The requests include a cryptographic hash derived from the user's password that can in some cases be cracked with specialized hardware. In most cases, however, the hash can be used as is to impersonate the user.
Brossard and Billimoria showed that they can pull off the same attack against cloud-hosted Exchange, SharePoint and other Windows-based servers by using a relatively new feature called NTLM over HTTP. The issue stems from a system DLL that automatically sends the credentials to a remote SMB server even when an Internet Explorer option is set to send credentials only to the local network.
Your car didn't unlock on the first try? You might have just been hacked
You can always count on serial hacker Samy Kamkar to have some tricks up his sleeve. Earlier this year he converted a wireless texting toy for girls into a tool that could unlock fixed-code garage doors in seconds. At DEF CON he took that further and showed off a device that can open any car or garage door that relies on the more secure rolling codes.
When installed near a car or garage, the device will block the owner's first attempt to open the door using his legitimate wireless key fob and will capture the transmitted code. The device will do the same for the second attempt, but will play back the first code in order to open the door.
The victim will likely think that the first failure was a temporary glitch, but in reality the attacker will retain the second valid code which he can replay later to open the door.
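To make the design weakness concrete, here is an added Python simulation (not Kamkar's code and not a real fob protocol): a counter-only receiver that still accepts the retained second code, beside a challenge-response receiver that rejects it. The HMAC-based code format, the demo key and the window size are constructed for the example.

```python
import hmac
import hashlib
import secrets

KEY = b"constructed-demo-key"  # constructed stand-in for a fob's per-device secret; toy model

def mac(data: bytes) -> bytes:
    """Truncated HMAC used as the over-the-air code."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:8]

class CounterReceiver:
    """Counter-only rolling codes: any unused counter within a forward window opens the door,
    so a code that was recorded but never delivered does not go stale."""
    WINDOW = 16
    last = 0  # last accepted counter

    def accept(self, code: bytes) -> bool:
        for ctr in range(self.last + 1, self.last + 1 + self.WINDOW):
            if hmac.compare_digest(mac(ctr.to_bytes(4, "big")), code):
                self.last = ctr
                return True
        return False

class ChallengeReceiver:
    """Challenge-response design: every attempt starts with a fresh random challenge the fob
    must answer, so a recorded answer is useless for any later attempt."""
    pending = None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(8)
        return self.pending

    def accept(self, response: bytes) -> bool:
        chal, self.pending = self.pending, None  # a challenge is answered at most once
        return chal is not None and hmac.compare_digest(mac(chal), response)

def stale_code_scenario() -> bool:
    """Presses 1 and 2 blocked and recorded, code 1 forwarded (door opens), code 2 kept.
    Returns whether the kept code 2 still opens the door later."""
    rx = CounterReceiver()
    code1, code2 = mac((1).to_bytes(4, "big")), mac((2).to_bytes(4, "big"))
    assert rx.accept(code1)
    return rx.accept(code2)

def stale_response_scenario() -> bool:
    """Same sequence against the challenge-response receiver: the kept answer no longer works."""
    rx = ChallengeReceiver()
    recorded = mac(rx.challenge())  # fob's answer to challenge 1, recorded by the attacker
    assert rx.accept(recorded)      # the forwarded answer opens the door this time
    rx.challenge()                  # a later attempt issues a different challenge
    return rx.accept(recorded)
```

The counter-only receiver also rejects any counter behind the last accepted one, which is why the attacker must replay the kept code before the owner's next successful press.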
Forgot your safecracking tools? No problem. Use this USB thumb drive
Researchers Daniel Petro and Oscar Salazar from security firm Bishop Fox showed at DEF CON that smart safes are about as secure as Windows-based Internet kiosks.
Back in the 2000s, bypassing the paywall interfaces on Internet, photo printing and other types of interactive self-service kiosks was quite popular. Hackers were showing off various techniques based on key combinations and shortcuts that administrators forgot to lock down and which gave them access to the underlying Windows OS.
The CompuSafe Galileo, made by Brink's, is a huge safe that sits in the back-office rooms of retail stores and other businesses and is used to deposit money directly into the bank accounts of those companies. The safe has an interactive touch screen, runs Windows and has an interface that requires authentication from two people in order to open the door -- typically the store manager and the bank courier who comes to pick up the money.
The Bishop Fox researchers tried the usual key combinations to bypass the interface, but failed. Then they found an instructional Flash-based video in the interface's help section. Right clicking on the video and choosing settings launched a Web page in Internet Explorer. With the browser opened, the researchers now had a way to browse the file system and open the command line interface by running cmd.exe.
The safe also had an exposed USB port on the side, so they created a USB thumb drive that emulated a keyboard and mouse and sent the keystrokes and clicks necessary to automate the attack. The ultimate goal of the attack was to add two new service users to the safe's database, which was stored in Microsoft Access.
Opening the safe door was then just a matter of plugging in the USB stick, waiting a few seconds, then logging in with the two new rogue service users.
Internal LTE/3G modems can offer attackers a place to hide persistent malware
An increasing number of business laptops and tablets have built-in LTE/3G modems so that their owners can use a mobile data connection while working remotely. These modem modules have their own processors, memory and operating systems, so they are essentially independent computers running inside other computers.
Security researchers Mickey Shkatov and Jesse Michael from Intel's security group found that the firmware update process for a popular modem module made by Huawei was insecure. At DEF CON they showed how this could be exploited by malware running on the main OS to write a modified firmware image to the modem and then use it to re-infect the system if the OS is cleaned or even completely re-installed.
Drones falling from the sky
The days when computer-controlled drones are a normal sight in the sky may not be far off. But if these flying devices are not designed with security in mind, they could also be regularly hijacked by hackers.
At DEF CON, researcher Ryan Satterfield from security firm Planet Zuda showed how he could kill the popular Parrot AR.Drone 2.0 in mid-flight, sending it crashing to the ground in a split second. The drone has a wireless network that can be easily hijacked and an open Telnet port with no authentication.
Satterfield's demonstration was less a hack than an abuse of existing features that completely lacked protection and arguably should not have been there in the first place, like the open Telnet service.
Another DEF CON talk by researcher Michael Robinson was about hijacking the Parrot Bebop drone.
IoT massacre
Manufacturers are rushing to put wireless connectivity into electronic devices and hackers are rushing to show that they're designed with a disregard for the most basic security principles.
DEF CON had IoT hacking galore this year. Attendees could see hackers remotely hijacking electric skateboards, launching a man-in-the-middle attack against a smart fridge, messing with smart scales, taking over smart home automation devices, cameras, thermostats, baby monitors and more.
The on-site IoT hacking contest alone resulted in at least 25 previously unknown, or zero-day, vulnerabilities being found in a variety of devices. The contest was so successful that organizers were still confirming and reporting some last-minute issues to manufacturers as the show came to an end.