No 400-pound hacker here: Lightbulb and ‘do-gooder’ worms, machines replacing humans to hack other machines, and high-speed car hacking were among the most innovative white-hat hacks this year.
In a year when ransomware became the new malware and cyber espionage became a powerful political propaganda tool for Russia, it’s easy to forget that not all hacking in 2016 was so ugly and destructive.
Sure, cybercrime and cyber espionage this past year turned the corner into more manipulative and painful territory for victims. But 2016 also had its share of game-changing “good” hacks by security researchers, with some creative yet unsettling ways to break the already thin-to-no defenses of Internet of Things things, as well as crack locked-down computers and hijack computer mice. Hackers even took a back seat to machines in the first-ever machine-on-machine hacking contest this summer at DEF CON.
So if you’re still confused about that elusive “400-pound” hacker in his bedroom, or just sick of hearing about Bitcoin ransoms and fancy and cozy Russian “bears,” here’s a look at some of the coolest hacks by the good guys this year.
‘MouseJack’ Attack Bites Wireless Non-Bluetooth Wireless Mice
With a $15 dongle, researchers at Bastille were able to sniff traffic from PCs, Macs, and Linux machines that use non-Bluetooth wireless mice and keyboards, thanks to the unencrypted communications employed by seven different wireless dongle vendors.
The so-called “MouseJack” attack exploited nine vulnerabilities across devices from Logitech, Dell, HP, Lenovo, Microsoft, Gigabyte, and AmazonBasics. The researchers could take control of the input devices and ultimately infiltrate the machines and their networks — from a distance of 100 meters from the victim’s machine.
MouseJack exploits wireless proprietary protocols that operate in the 2.4GHz ISM band and don’t encrypt communications between a wireless mouse and its dongle. An attacker then could spoof a mouse and insert his own clicks and inputs to the dongle, and generate keystrokes instead of mouse clicks on the victim’s computer.
“If an attacker sitting in the lobby of a bank could get the wireless dongles [via MouseJack], all of a sudden you’ve got an APT [advanced persistent threat] inside a bank,” said Marc Newlin, the Bastille engineer who found the flaws that lead to MouseJack. An attacker could install rootkit, for instance, he noted.
Who needs to hack the power company when all it takes is one “smart” lightbulb rigged with a worm to spread to nearby lights within minutes? At Black Hat USA this summer, researcher Colin O’Flynn, who is CTP of NewAE Technology Inc., outlined work he and fellow researchers Eyal Ronen, Adi Shamir, and Achi-Or Weingarten conducted with the Philips Hue smart lighting system to demonstrate how a worm could be unleashed to turn out (or on) the lights in a city or local area, or even to wage a distributed denial-of-service attack.
“The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity,” the researchers wrote in a research paper.
They wanted to illustrate how plugging in just one infected bulb anywhere in a city using the smart lights could then spread to adjacent lights throughout the city.
While the attack sounds simple on paper, it was actually quite sophisticated. The researchers discovered and exploited a vulnerability in the Touchlink element of the ZigBee Light Link protocol, as well as devised a type of side-channel attack to grab Philips’ global AES-CCM key that encrypts and authenticates new firmware so they could inject their own firmware with the worm.
“To make such an attack possible, we had to find a way to remotely yank already installed lamps from their current networks, and to perform over-the-air firmware updates,” they wrote.
Stuxnet’s Silent Successor?
Stuxnet, the destructive attack that sabotaged and ultimately damaged centrifuges in Iran’s Natanz uranium-enrichment facility, met its demise and was outed when the self-propagating worm spread outside the facility to other Windows machines.
A pair of researchers this year at Black Hat Europe in November demonstrated what they describe as a “silent” rootkit for the programmable logic controllers (PLCs) that control physical processes such as water and power in an industrial network. Researcher Ali Abbasi, a Ph.D. candidate in the distributed and embedded system security group at University of Twente, Netherlands, and Majid Hashemi, a system programmer and independent security researcher at the time of their research, say their rootkit, unlike Stuxnet, can’t be detected. That’s because their creation sits directly on the PLC, at the lower-level of the system – in dynamic memory – where it’s less likely to be spotted.
Abbasi and Hashemi’s PLC rootkit manipulates the PLC I/O process, so if a plant’s parameters require that a gate be opened to relieve pressure if a boiler temperature reaches 80 degrees Celsius, the rootkit attack could manipulate the temperature values and cause the boiler to overheat and explode, according to Abbasi. He says that “in PLCs, the I/O operations are one of the most important tasks.”
The attack basically exploits inherent security weaknesses in the PLC hardware.
Machines Hacking Machines (No Human Hacker Required)
DARPA hosted one of the most intriguing contests at DEF CON this year: the first-ever all-machine Capture the Flag contest. Teams of researchers brought their hacking machines to the ring to go at it in a live forum against the contest’s testbed of challenges as well as their opponents’ machines.
The so-called Cyber Grand Challenge featured high-performance autonomous systems – aka “cyber reasoning systems” – were tasked with finding and fixing security flaws in the contest’s air-gapped network.
Seven teams associated mainly with various universities for 12 hours watched their machines reverse-engineer binary software, write new intrusion detection system signatures to protect themselves from opposing teams, and patch and defend their own machines.
A machine called “Mayhem” won and the team, which has ties to Carnegie Mellon University, took home a $2 million prize for their efforts.
In case you’re wondering how the machines did: six of the seven machines patched the contest’s SQL Slammer flaw/flag, and six of the seven did the same with Heartbleed – all within a matter of minutes.
“This is a huge deal,” said “Visi,” a white hat hacker who helped with the play-by-play commentary during the DEF CON contest. “In the past, patching these vulnerabilities took humans days and weeks of doing the work by hand.”
An IoT Security ‘Vigilante’ Writes a Worm to Infect and Fix Lame Passwords
Weak, default passwords are notoriously common among Internet of Things devices. The danger of these passwords became painfully obvious with the arrival of the Mirai botnet, a bot army of IoT devices used to wage distributed-denial-of service (DDoS) attacks against a DNS domain provider this year.
So Leo Linksy, a software engineer and researcher with network monitoring company PacketSled decided to take a more aggressive approach to securing All The Things: he wrote what he called an “anti-worm” worm that hacks into IoT devices using their default credentials and then changes their passwords to strong credentials. Linsky’s vigilante worm was a proof-of-concept for academic purposes only, although he published the PoC on GitHub.
“The idea is to show that devices can be patched by a worm that deletes itself after changing the password to something device-specific or random,” he wrote.
“Such a tool could theoretically be used to reduce the attack surface,” he said, but should only be tested in closed research labs.
The worm cause some uproar, with ethical and legal concerns over how the worm could be fail or get abused. But it also spurred discussion over more proactive ways to lock down vulnerable digital video recorders, routers, and IP cameras from Mirai and other threats.
“This is the cybersecurity equivalent of vigilante justice,” Jonathan Sander, vice president of product strategy at Lieberman Software, told Dark Reading. “People love a vigilante while what they are doing works. The moment a vigilante does something wrong, however, the public tends to turn against them.”
$5 ‘Poison Tap’ Tool Hacks Locked Windows, Mac Machines
White-hat hacker Samy Kamkar built a Raspberry Pi-based tool for a mere $5 that can hijack Internet traffic from a password-locked computer. The so-called PoisonTap tool, which plugs into a USB port, installs a persistent Web-based backdoor on the Windows or Mac OS X machine.
It’s not using a security bugs but instead the inherent trust in USB, HTTP, DCHP, and DNS. PoisonTap basically emulates an Ethernet device so Windows and OS X automatically load it, even on a locked machine. The hack fools the machine into prioritizing it over the existing Internet connection.
“Normally it would be irrelevant if a secondary network device connects to a machine as it will be given lower priority than the existing (trusted) network device,” Kamkar said. PoisonTap then gets all the network traffic and is able to intercept HTTP requests and steals cookies, for instance.
It’s actually easy to defend against this attack, though: Kamkar says it doesn’t work against HTTPS, for example, and enabling Secure Flag on cookies.
Gone in 6 Seconds: a ‘frighteningly Easy’ Visa Credit Card Hack
European researchers from the UK’s Newcastle University devised a technique for bypassing the security features for online payments that allowed them to guess full credit-card details in six seconds.
The so-called Distributed Guess Attack nabs the credit or debit card number, security code, and expiration date of Visa payment cards, literally via guesswork.
The attack automatically generates and verifies different combinations, and exploits the reality that in many cases online sites have no way to detect multiple invalid payment requests by the same card on different sites. It also takes advantage of the fact that not all websites require the three-digit security code on the back of the Visa card, nor the address and other information.
An attacker then can get card details one field at a time by automatically generating and verifying various combinations. “The unlimited guesses, when combined with the variations in the payment data fields make it frighteningly easy for attackers to generate all the card details one field at a time,” said Mohammed Ali, a PhD student in Newcastle University’s School of Computing Science.
The hardest part was getting the cardholder’s address,
Visa, meanwhile, maintains that the research doesn’t “take into account” fraud-prevention measures employed by the payments system.
Car Hackers Miller & Valasek Literally Accelerate their Epic Jeep Hack
Car hacking research is all the rage now and not much about gaping security holes in vehicles is really surprising anymore. But famed car hackers Charlie Miller and Chris Valasek this year still were able to top their epic 2015 remote-hack of the Jeep Cherokee traveling at low speed: this time, they hacked and wrested control of the Jeep’s accelerator, brakes, steering, and electronic parking brake at more dangerous high speeds of travel.
Miller and Valasek wowed – and mortified – the industry with their 2015 hack recorded on video of how they could control the 2014 Jeep Cherokee’s electronic functions while sitting on Miller’s couch with their laptops 10 miles away. The hacks were limited to the Jeep traveling at about five miles-per-hour.
At Black Hat USA in August of this year, the pair “fine-tuned” their original hacks and tricked the Jeep’s controls by impersonating CAN bus messages to it. “This is a new class of attacks against CAN messages,” Miller said.
Unlike their previous live hack, when they remotely controlled the Jeep while Wired journalist Andy Greenberg was at the wheel, this time they physically plugged into the diagnostic port of the vehicle to hack it.
They spun the steering wheel 90 degrees while traveling at 60 mph in one attack, and were able to permanently immobilize the electronic parking brake. “We disabled all aspects of steering, so it’s super-hard to turn the wheel and even harder if you drive the car without steering [capability] … at any speed,” Miller said.
But the researchers warned that their latest research doesn’t just apply to the Jeep; other vehicles are vulnerable to this type of attack.
Jeep maker FCA US LLC said Miller and Valasek’s attacks in reality would be difficult to pull off and would require “extensive technical knowledge” of the vehicle. “Based on the material provided, while we admire their creativity, it appears that the researchers have not identified any new remote way to compromise a 2014 Jeep Cherokee or other FCA US vehicles.”