Hacking conferences are a great way to learn the latest hacking techniques and the more underground ways of thinking about IT security. They nicely complement the more corporate security training courses such as the ones offered by SANS.
They tend to be more chaotic, the talks are not as polished, some of the techniques discussed will have limited effect in the real world, and connecting to the event Wi-Fi is asking for trouble.
On the other hand, the atmosphere is buzzing with brain activity, convictions (right or wrong!), passion and cutting-edge topics. If you can follow the rhythm and embrace the moment, then you will come out of this type of conference energised and full of new ideas!
This year I attended the “Nuit du Hack” in France, which runs over 24h, literally. You get some talks during the day, and there is only 1 track, so you get to watch/listen to all the talks. During the night there is a traditional Capture The Flag event with some great questions!
I have also attended BlackHat Europe in Amsterdam earlier this month. This was my first BlackHat and I really enjoyed it, even though I was not expecting it to be so “corporate”.
Below are some highlights of the sessions I attended; I hope you find them useful.
Keynote – SIDE CHANNEL ATTACKS – PAST, PRESENT, AND FUTURE
Adi Shamir, the “S” in RSA, spoke about recent research he had presented at a previous conference on a new type of power analysis to extract RSA keys via Low-Bandwidth Acoustic Cryptanalysis. In other words, using the microphone of a mobile phone located next to a targeted laptop and listening to the laptop’s “electrical humming” to detect power consumption variations while it processes an RSA key, and eventually deriving the original RSA key from that noise!
The main topic he presented at this year’s BHE was a practical example of how to communicate with an air-gapped network, similar to those used in highly secure environments (e.g. military). The restriction of the experiment was to use only unaltered hardware and to, somehow, get malware onto one of the machines. The idea seems to be that installing malware would be easier than planting a hardware Trojan kit. Although the demonstration was impressive, because it showed command-and-control communication working over 1 km, it was also somewhat disappointing because of all the “IFs” such an attack needs in order to succeed:
– IF there is an all-in-one (AIO) printer;
– IF the malware can communicate with the AIO device and control its scanning capability;
– IF the AIO lid is left open, or IF a thick document is scanned (e.g. a book);
– IF the AIO is next to a window;
– IF the window is left open;
– IF there is a direct line of sight to that window;
– IF the room is dark;
– IF no one notices the AIO scanning happening automatically;
Then it is possible to send a coded message through a laser beam from a long distance (over 1 km) to the AIO printer, get the malware to interpret this “light Morse code” and act accordingly, such as executing a command.
Such an attack is technically impressive, and it has the merit of highlighting the need to carefully consider the physical security aspects of an air-gapped network, not just its logical ones.
CELLULAR EXPLOITATION ON A GLOBAL SCALE: THE RISE AND FALL OF THE CONTROL PROTOCOL
The presentation highlighted the risks related to the current standard implemented in cellular basebands, the components used to interface with mobile phone carriers. Basebands operate at a lower level and are not controlled by the Operating System (OS), thus allowing mobile phone carriers to control devices attached to their cellular network and bypass the security controls implemented by the phones’ OS (e.g. iOS, Android, etc.).
The current standard is called OMA Device Management v1.2.1 (OMA-DM) and is present on over 2 billion cellular devices. Most OMA-DM clients use the SyncML Reference Toolkit, which has a permissive open source licence, was originally only meant to be used as a proof of concept, and was last updated in 2004. One SyncML client vendor currently has nearly complete market dominance: RedBend. This vendor provides software called vDirect Mobile (vDM versions 4 and 5 are in use today). Clients are typically provided as a binary blob to OEMs (baseband manufacturers included). This means phone manufacturers such as HTC or Samsung may not be fully aware of what functionality is included in their phone basebands.
OMA-DM security is flawed and its authentication control can be broken. Furthermore, it is possible to create rogue cellular towers using OpenBTS/BSC devices such as the NanoBTS or USRP B210, or femtocells. Such cellular towers give a potential attacker full control over the neighbouring 2.5G GSM network, which can also be leveraged to attack LTE GSM/LTE CDMA devices by downgrading their connection to 2.5G (see 4.5). The following commands can be executed:
– Install and manage firmware updates OTA
– Lock, factory reset, wipe, power cycle
– Manage device functionality such as encryption settings, camera control, GPS, etc.
– Manage and monitor battery status, memory usage, process list, etc.
– Remotely install, remove, activate and deactivate software applications.
This standard is currently used as follows:
– iOS: Only in the US at the moment (Sprint)
– Android: Worldwide (Most Major)
– Blackberry: Only in the US at the moment (Most Major)
– Windows Mobile: Worldwide (Some Major)
– Cellular Hotspots: Worldwide (Most Major)
– Vehicles: Worldwide (Most Major)
LIGHTS OFF! THE DARKNESS OF THE SMART METERS
This presentation made the BBC headlines on the day.
Although the talk focused on the electrical smart meters used in Spain to control household electricity (usage, on, off, etc.), the same technology might be used in other parts of the world for similar or other smart meter purposes.
The two researchers explained how they managed to reverse engineer the different commands understood by those devices, break the encryption, confirm that the “secret” key used to authenticate to the devices was common to all of them (hardcoded), and show that their own smart meter could be used as an entry point into the electrical network.
It meant it was possible for them to control all their neighbours’ access to electricity!
HACKING THE WIRELESS WORLD WITH SOFTWARE DEFINED RADIO – 2.0
Balint Seeber gave a very interesting presentation on the diverse wireless technologies his company’s hardware can interact with (monitor/hack): restaurant pagers, RDS-TMC, radar, RFID and even the technology used by NASA space probes. In all cases he was able to intercept and communicate with the targeted devices. He also did a live demonstration of a rogue GSM network running on upcoming hardware (USRP E310) that will be available in a couple of months. Anyone could connect to a “local” China Mobile network, get a phone number assigned, and send/receive SMS as well as make mobile phone calls with anyone using that GSM network.
This provided a very practical way to create a rogue GSM network and brought the risks highlighted in a previous related talk to reality (see 4.2).
It was also amazing to hear the story of how he was allowed by NASA to interact with a lost “space probe” when it came back near Earth!
FIRMWARE.RE: FIRMWARE UNPACKING, ANALYSIS AND VULNERABILITY-DISCOVERY AS A SERVICE
The first part of the presentation discussed the fact that firmware code may be re-used among different manufacturers and, with it, any security issues contained in that code might also be replicated. Furthermore, different vendors may use the same electronic components in different products, and those components may have the same vulnerable firmware. For example, a webcam from vendor X might have the same vulnerability as a different webcam model from vendor Z. Unless you look for the same issue on both models, such a vulnerability might remain unknown to the public, even though it would be obvious if you were to look at the component level.
The second part of the presentation discussed the lack of a central repository for those issues and the fact that it was very hard to automate the study/detection of firmware issues. The team who presented is working on their PhD and has created a framework to automatically get firmware images from the web, filter for interesting files, unpack and analyse them, and check for vulnerabilities. They collected 800K files, analysed 32K and found 700 firmware files with vulnerabilities, which resulted in 38 new CVEs.
Although their work is great, its usefulness for the community is very limited as they do not share their detailed results with anyone!
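The component-level correlation described above (a bug found in vendor X’s webcam also living, unnoticed, in vendor Z’s model) is easy to approximate once images are unpacked: hash every file, index the hashes, and look for files shared across vendors or matching a hash already tied to a known issue. The script below is an added example, not code from the firmware.re project; it assumes the images have already been unpacked into a path-to-bytes mapping (constructed inline here), and the “interesting file” heuristic, the vendor/model names and the known-vulnerable hash are all placeholders of mine.

```python
"""Correlate files shared across unpacked firmware images by content hash.

Added example, not firmware.re code. Assumes each image is already unpacked
into a {path: bytes} mapping; real images would be walked from disk.
"""
import hashlib
from collections import defaultdict

# Constructed sample: four unpacked images from three vendors. Two of them
# embed the identical web daemon binary and the same PEM private key.
SHARED_HTTPD = b"\x7fELF-httpd-v1.3-" + b"A" * 64
SHARED_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\nMIIE" + b"Q" * 40
              + b"\n-----END RSA PRIVATE KEY-----\n")

FIRMWARE_IMAGES = {
    ("VendorX", "WebcamA"): {
        "bin/httpd": SHARED_HTTPD,
        "etc/ssl/server.key": SHARED_KEY,
        "etc/banner": b"VendorX WebcamA fw 1.0",
    },
    ("VendorZ", "WebcamB"): {
        "usr/sbin/httpd": SHARED_HTTPD,
        "etc/key.pem": SHARED_KEY,
        "etc/banner": b"VendorZ WebcamB fw 2.4",
    },
    ("VendorY", "RouterC"): {
        "bin/httpd": b"\x7fELF-other-httpd-" + b"B" * 64,
        "etc/banner": b"VendorY RouterC fw 3.1",
    },
    ("VendorX", "WebcamA2"): {
        "bin/httpd": SHARED_HTTPD,
        "etc/banner": b"VendorX WebcamA2 fw 1.1",
    },
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Placeholder: a hash an analyst has already tied to a known issue in one
# product (constructed here; in practice it comes from your own findings).
KNOWN_VULNERABLE = {sha256(SHARED_HTTPD): "PLACEHOLDER-httpd-issue"}


def is_interesting(path: str, data: bytes) -> bool:
    """Heuristic filter (assumption): keep ELF executables and key material."""
    return data.startswith(b"\x7fELF") or b"PRIVATE KEY-----" in data


def build_index(images):
    """Map content hash -> list of (vendor, model, path) for interesting files."""
    index = defaultdict(list)
    for (vendor, model), files in images.items():
        for path, data in files.items():
            if is_interesting(path, data):
                index[sha256(data)].append((vendor, model, path))
    return index


def cross_vendor_shares(index):
    """Hashes whose file appears in images from more than one vendor."""
    result = {}
    for digest, locations in index.items():
        if len({vendor for vendor, _, _ in locations}) > 1:
            result[digest] = sorted(locations)
    return result


def propagate_known_issues(index, known):
    """List every image carrying a file already tied to a known issue.

    This is the component-level view: an issue confirmed in vendor X's
    model is flagged in vendor Z's model because the bytes are identical.
    """
    affected = defaultdict(list)
    for digest, issue in known.items():
        affected[issue].extend(index.get(digest, []))
    return {issue: sorted(locs) for issue, locs in affected.items() if locs}


if __name__ == "__main__":
    idx = build_index(FIRMWARE_IMAGES)
    for digest, locs in cross_vendor_shares(idx).items():
        print(f"shared across vendors ({digest[:12]}...): {locs}")
    for issue, locs in propagate_known_issues(idx, KNOWN_VULNERABLE).items():
        print(f"{issue} also affects: {locs}")
```

Run as-is, the script reports the shared httpd binary and the shared private key (a hardcoded key common to two vendors’ products) and lists all three images that carry the binary tied to the placeholder issue. The hash index is the piece that scales: once it covers a large corpus, a single confirmed finding immediately yields the list of every other product shipping the same bytes.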
PDF ATTACK: A JOURNEY FROM THE EXPLOIT KIT TO THE SHELLCODE
The creator of a tool called peepdf, used to analyse and create malicious PDFs, provided an overview of how to use his tool, followed by a workshop to practise the techniques discussed.
This session highlighted how surprisingly easy it is to create complex embedded malware within a PDF that could evade anti-virus detection and provide an efficient way to deliver malware to a victim. The tool also provides a great framework for analysing malware within PDF files.
COUNTERFEITING THE PIPES WITH FAKENET 2.0
FakeNet is a tool currently running on Windows XP that can intercept all network traffic initiated from that host and respond to network queries with fake answers (HTTP, FTP, Telnet requests, etc.). It also provides a framework to monitor the different host processes in order to analyse malware behaviour when the malware believes it can successfully “call home”.
Although it currently only works on XP, the developers are planning to bring Windows 7 and 8 support shortly. They also announced the release of version 2.0, bringing better stability and a lot more functionality.
The presentation was followed by a workshop where participants could try the software against real malware. Knowledge of assembly language is a must to get the most value!
INDUSTRIAL CONTROL SYSTEMS: PENTESTING PLCS 101
Arnaud Soullie explained how many Programmable Logic Controllers (PLCs) used in the energy industry have either no or weak security controls. Those PLCs, if compromised, can have consequences in the physical world, e.g. lights, switches and valves can be turned on/off or have their status changed.
This is mainly because those PLCs were designed to operate in a segregated and safe environment where security was not considered an issue. However, such environments are now increasingly interconnected with companies’ intranets and even the Internet in some cases (intentionally or not).
During a live demonstration, Arnaud scanned for Internet-facing PLCs and found 100 of them. Those PLCs can be modified/turned off by anyone on the Internet.
The second part of this session was a workshop where participants were taught how to control and attack a type of PLC commonly used by electrical companies, by practising against a live environment set up for the presentation. This escalated into a “cyberwar” between two “unknown” participants to control a set of traffic lights, one fighting to keep the lights off and one to keep them on. I won ☺
EXPLORING YOSEMITE: ABUSING MAC OS X 10.10
Team T5 explained how rootkits on Mac currently have limited success, specifically the most popular Mac OS X rootkit, called Rubilyn, which hasn’t been updated in a while and can now be easily detected by security tools such as Volatility. However, this does not have to be the case, and many techniques used on Windows to evade rootkit detection could be re-used on the Mac. They demonstrated a new rootkit framework they created that can evade detection even on the latest Mac OS X 10.10. They also announced a tool called System Virginity Verifier (SVV-X) to check for Mac OS X security issues.