You'd think by now with the pervasiveness of inherently insecure Internet of Things things that creative hacking would be a thing of the past for security researchers. It's gotten too easy to find security holes and ways to abuse IoT devices; they're such easy marks.
But our annual look at the coolest hacks we covered this year on Dark Reading shows that, alas, innovation is not dead. Security researchers found intriguing and scary security flaws that can be abused to bend the will of everything from robots to voting machines, and even the wind. They weaponized seemingly benign systems such as back-end servers and machine learning tools in 2017, exposing a potential dark side to these systems.
So grab a cold one from your WiFi-connected smart fridge and take a look at seven of the coolest hacks of the year.
My Robot Pwned Me
Robots aren't going to steal your job (right way, anyway), but popular collaborative robots (aka cobots) can easily be hacked to spy on or wreak physical damage on their co-workers. Call it the new insider threat.
IOActive researchers Lucas Apa and Cesar Cerrudo this year found some 50 security vulnerabilities in these robots built for businesses, industrial sites, and homes, Softbank Robotics (NAO and Pepper robots), UBTECH Robotics (Alpha 1S, Alpha 2 robots), Robotis (OP2 and THORMANG3 robots), Universal Robots (UR3, UR5, UR10 robots), Rethink Robotics (Baxter and Sawyer robots), and Asratec Corp.
The painfully obvious security holes included cleartext or weak encryption between the robot and its components that provide its commands and software updates; a lack of authentication (no credentials required to access a robot's services, for example); and lack of authorization measures, which could leave a robot at the mercy of a nefarious attacker.
An attacker could control a robot in an industrial or office setting to hack other networks or even other robots there. Apa and Cerrudo wrote a script that moves a SoftBank Robotics' NAO robot's camera head and microphone for spying purposes. They say robots with face-recognition features to work with their human co-workers can be hacked and spy on them, for example.
"Some of the robots do not require any exploits. We're just using vendor-supplied tools to manipulate the robot. You can use that to send it an action to move," Cerrudo said, noting that "robots are computers with legs and they are a lot more powerful because they can 'see.'"
In another robot hack this year, researchers at Trend Micro and Italy-based Politecnico di Milano fed an industrial robot a phony configuration file that modified its parameters for drawing a straight line. Instead of a perfectly straight line, the ABB Robotics IRB140 robot drew a slightly skewed one, following the 2mm change in instructions.
That small parameter change could be catastrophic to a manufacturing system, leading to defects or a product recall, they said. The researchers also found more than 80,000 industrial routers exposed on the public Internet via their FTP servers and industrial routers; some of the exposed devices didn't require any authentication to access them.
Hack the Vote
It was arguably the white-hat hack of the year: in just 90 minutes, hackers dug up two zero-day vulnerabilities in a pair of decommissioned voting systems at DEF CON's inaugural Voting Machine Hacker Village in July.
All 30 of the voting equipment in the room ultimately went down to hackers during DEF CON, but the speed at which hackers who had never had the opportunity to poke around at a voting machine found the flaws was eye-popping. And the vulnerabilities were lucrative: They found a remote access flaw in the WinVote voting machine's operating system, and exposed real election data that was still stored there, and an OpenSSL flaw (CVE-2011-4109) in the Express-Pollbook system, exposing the internal data structure, which would allow an attacker to hack the machine remotely.
"What this tells me is hackers in less than two hours can figure something out and a nation-state could have this on their hands for months or years," Jeff Moss, founder of the DEF CON hacker conference, told Dark Reading in an interview at DEF CON. "It doesn't have to be nation-states. It could be criminal organizations; it doesn't have to be limited to Russia."
Moss and his team had purchased the used voting machines on eBay, including Sequoia AVC Edge, ES&S iVotronic, Diebold TSX, Winvote, and Diebold Expresspoll 4000 voting machines. The idea for the voting machine hacking village came out of concerns over Russia's tampering with the 2016 US election.
Moss plans to host a simulated mock election at next year's DEF CON, complete with not just voting machines, but back-end systems as well. "There's never been a security test of a complete voting system … We're trying to build a whole system, but it's hard to get the back-end pieces," he said. "I have confidence by next year we will have a complete end to end voting system set up. We'll have fake elections and people can attack it and at the end of the con," we'll share the results, he said.
The ease at which hackers cracked voting machines at DEF CON this year intensified calls for replacing computer-based voting systems with paper-based voting, or at the least, paper trail-based systems with optical character readers (OCRs).
"It's undeniably true that systems that depend on software running in a touchscreen voting machine can't be relied on," Voting Village organizer Matt Blaze said in a Facebook Live feed hosted by US congressmen Will Hurd (R-Texas) and James Langevin (D-R.I.), in the aftermath of the DEF CON hacks. "We need to switch to systems that don't depend on software," said Blaze, a a computer science professor at the University of Pennsylvania.
Hack Like the Wind
For the better part of two years, Jason Staggs, a security researcher at the University of Tulsa, traveled from wind farm to wind farm around the US and hacked the control systems that run wind turbines, which convert wind energy into electrical power.
Staggs found major security holes in the wind energy control networks, and the vulns were typical of many ICS/SCADA systems: easy-to-guess or default passwords, weak and insecure remote management interfaces, and no authentication or encryption of control messages. The flaws could allow an attacker with physical access to one turbine at a farm to also take over all of the turbines on that wind farm - to sabotage the operation, or wage a cyber extortion operation, for instance.
The wind farms allowed Staggs to test the security of a single turbine at their sites, but for security reasons, he wasn't allowed to disclose the names, locations, or products.
Staggs in his test plugged a homegrown Raspberry Pi-based tool onto the control system network that gave him control over other turbines in the farm. It's a matter of having "physical access to [inside of just one] turbine to rule them all," he says. Not all wind farms nor turbines are affected by these attacks, though, he said.
Wind today represents 5.6% of electricity generated in the US. But by 2030 wind could provide 20% of the nation's electricity, according to the US Department of Energy. "The more devious thing to do would be to gain access [to the wind turbine automation control system] and wait for years until we're more dependent on wind and then do bad things" with the systems, Staggs said.
The wind-turbine automation controllers sat at the base of the turbines, with just a padlock protecting them. All Staggs had to do was break the lock and he was in. "You can pick [the lock] or cut it with bolt cutters, open the door, and have complete access" to the wind farm control network, he says.
In one simulated attack, Staggs loaded a malicious binary on the automation controller that sends commands to other controllers in the turbine. That allowed him to alter process-control variables for the power and motors in the wind system.
Out of Sight, Out of Mind = Danger
Turns out those often-forgotten back-end servers of a public website infrastructure can be used to hack into an organization's internal network. UK researcher James Kettle, head of research at PortSwigger Web Security, found that minor flaws in Web caching, Web analytics, proxy, and load-balancing servers, can be exploited to allow an attacker to hack into an organization's internal network via its public website.
Kettle first discovered how websites can be vulnerable to their own back-end servers when he hacked the public websites of the US Department of Defense and several high-profile commercial organizations, which won him $30,000 in bug bounty rewards.
He used homegrown hacking tools to root out vulns in the public websites, and to drop payloads of malformed Web requests and phony headers that helped him worm his way into the back-end servers.
"People are basically just plopping down really complex servers to do caching, analytics, and loads of fancy complex functionality in front of their Web server without much thought as to whether these features might carry risks," Kettle said.
"I found that a large number of these systems are really easy to exploit because they are built to stay out sight," he said. "So when people have a penetration test or an audit, they don't think the infrastructure around the app matters very much: 'It's not going to get targeted because nobody looks at it.'"
Kettle broke into at least 70 servers in all, and found that Web analytics systems, for example, contain useful information for breaking into the internals of an organization. Misconfigured servers were the among the most common security issues he discovered.
His hack hit a bit too close to home at one point: Kettle inadvertently hacked his own ISP while conducting his research against one of his target websites. "My own ISP routed it [the payload] into its own system and got exploited by it, which was quite shocking," he said. "I wasn't authorized to hack the ISP, so I kind of panicked."
Famed researcher Ruben Santamarta decided to investigate the security of radiation monitoring devices after he began to wonder what would happen if a hacker sent phony monitor readings to an operator in a nuclear plant. The real-world nuclear facility incidents, Three Mile Island in 1979, and the 2007 theft of fuel pellets of uranium oxide from a Spanish nuclear fuel facility were the inspirations for his research.
"They were receiving false information," he said. "So I wondered, what happens if someone tries to send false information that's then consumed by operators? What could happen?"
Santamarta, principal security consultant at IOActive, found major design flaws in two different radiation monitoring devices that leaves them open to hackers. He reverse-engineered the firmware of two different brands of radiation monitoring devices, and analyzed their hardware and a proprietary radio frequency (RF) protocol used for communicating with those devices, which are used to monitor radiation levels in nuclear plants, hospitals, and seaports, for example.
The weak RF protocols and firmware could allow an attacker to inject fake radiation readings, so that if there were a radiation accident or leak, it couldn't be detected, for example. Or the reverse: it could send phony readings of high radiation levels when none were actually present, he says.
Among the flaws: the RF protocol used for the devices lacks encryption or employs weak crypto algorithms. An attacker could exploit those design flaws to inject phony radiation readings. Design flaws are not patchable. "There's no solution for these issues," Santamarta said. "You can't patch them because it's the way they are designed."
"Potentially false readers can trick operators into performing actions" that aren't correct if they incorrectly are alerted that radiation exposure has occurred, for example, he says. "An attacker could inject false readings into a nuclear power plant's radiation monitoring device simulating a massive radiation leak … How is the operator going to react?"
Drone Attack on the Air Gap
By now most savvy security pros know that an air-gapped network – or if it is isolated from the Internet – still doesn't mean a hacker can't attack it.
Researchers from CyberX came up with a stealthy new way to wage a reconnaissance attack on an industrial network that's offline from the Net. They dropped malicious ladder logic code onto a Siemens S7-1200 programmable logic controller to siphon sensitive plant data, and then exfiltrated it via a Radio Frequency (RF) connection.
"We know that two-thirds of industrial networks are air gapped," said David Atch, vice president of research for CyberX, who along with CyberX researcher George Lashenko conducted the research. "We decided to look for a way to [exfiltrate data from] the air-gapped network and we decided to try something more unique and with more of a cover" to avoid detection, he said.
The attack generates RF signals that encode the stolen information about a plant, and the data later gets decoded via a Software Defined Radio and PC linked to the targeted site via an antenna. Atch and Lashenko said the attack could be executed using a drone flying over the plant.
The malicious code is written to the storage architecture of the PLC so that it remains on the device even if the PLC gets rebooted. "These devices don't have radio transmitters," Atch notes, but the ladder-code logic makes the device generate a radio frequency.
There are no vulnerabilities per se that the researchers exploited, and it's an attack that could be waged on any vendors' PLC. Their attack basically takes advantage of the architecture and inherent weaknesses in industrial networks, which typically have weak or no authentication, for example. PLCs, which control physical processes such as water and power generation, don't run anti-malware due to their embedded real-time operating systems and limited memory and CPU, so they can be easily infiltrated with malicious logic code, the researchers note.
They conducted the attack one meter away from the PLC, but Lashenko said an antenna could extend the distance for an attacker to 10 meters. But before the drone gets involved, an attacker must first insert the ladder logic onto the PLC, either via a USB device or a compromised laptop that connects to the PLC.
Machine Learning Goes Rogue
Popular and easily accessible password-cracking tools such as HashCat and John the Ripper should be enough of a threat to give organizations password best-practices religion. But password hygiene remains a challenge for many end users at home and at work, and now there's a new password hack that uses machine learning to conduct password-cracking on steroids.
Researchers at the Stevens Institute of Technology in New Jersey and the New York Institute of Technology created a new technique for guessing passwords that taps a deep learning tool called a Generative Adversarial Networks (GAN). GANs are neural networks that create data similar to, or nearly identical with, data they are fed. They've been used for generating images of people, for example, based on real image datasets.
Paolo Gasti, of the New York Institute of Technology's Computer Science Department, and Briland Hitaj, Giuseppe Ateniese. and Fernando Perez-Cruz from the Stevens Institute of Technology, fed a GAN millions of leaked passwords to see if would generate passwords on its own.
The idea was to determine whether machine learning can build its own rules for creating passwords by learning from real ones. Existing password crackers rely on set rules.
The so-called PassGAN tool was more powerful and efficient than John The Ripper and HashCat: they input 80% of the leaked passwords from the 2010 RockYou breach, and 47% of the passwords PassGAN created would have worked against the RockYou accounts.
PassGAN beat out John the Ripper by a factor two, and was a close match with HashCat. The researchers combined PassGAN's output with HashCat's, and they were able to match 24% more passwords than they could with HashCat alone.
Gasti said while machine learning password-cracking would threaten organizations that rely on passwords, it also could prompt them to impose strong authentication. "We figured this out, and there's no reason that someone else won't do it," either now or in the next few years, Gasti said.