Vulnerabilities / Threats
12/22/2014
04:55 PM

The Coolest Hacks Of 2014

TSA baggage scanners, evil USB sticks, and smart homes were among the targets in some of the most creative -- and yes, scary -- hacks this year by security researchers.

It's easy to forget some of the more innovative and eye-popping hacks by the good guys in 2014 amid the painful and unprecedented wave of cybercrime, cyber espionage, and cyber mayhem that the world has witnessed the past 12 months.

But the lessons learned from the epidemic of retailer hacks this year starting with Target, and the unprecedented destructive breach and doxing of Sony that to date has come as close to an international incident as any cyberattack, serve as a chilling reminder that any organization's computing infrastructure is breakable by bad hackers. And that raises the stakes in the race to find new security weaknesses before the bad guys do.

The epidemic of real-world breaches this year has lent some blatant and highly tangible credence to the dangers of malicious hacking that white hat hackers for years have been warning about and demonstrating in their own research.

So yes, our annual lighthearted look back at the year's coolest hacks by the good guys has a more profound feel to it now. Even so, kick back with some holiday cheer and have a look at some of the more memorable and creative hacks this year:

A weaponized PLC
Programmable logic controllers (PLCs), the systems that run machinery in power plants and manufacturing sites, are traditionally the target of attackers looking to disrupt or sabotage critical systems. But Digital Bond researcher Stephen Hilt earlier this year decided to rig a PLC with a low-cost hacking tool that would allow the system to shut down a process control network via a text message.

The so-called "PLCpwn" hacking tool cost Hilt about $400 and a couple of weeks to build, and lets an attacker bypass perimeter security and air gaps to wreak havoc on the plant floor. "It can cause a large disruption with a single text message," Hilt said. "It will sweep an entire subnet with STOP CPU," and is capable of data exfiltration and injection-style attacks, he said.

Hilt's weaponized PLC uses attack modules previously written by Digital Bond, and is based on a 5-volt Raspberry Pi board with DualComm Tap and a DroneCell card for communications.

Cheating TSA's carry-on baggage scanners
Turns out you can easily sneak a weapon or a banned substance past US airport security by exploiting "lame bugs" in a pervasive X-ray scanner for carry-on baggage at TSA checkpoints.

That's how renowned researcher Billy Rios described the flaws in the Rapiscan 522 B X-ray system used by the TSA at some major airports. Rios and his colleague Terry McCorkle discovered some painfully wide-open holes in the scanners, including user credentials stored in plain text, the outdated Windows 98 as the underlying operating system, and a training feature for screeners that injects .bmp images of contraband, such as a gun or knife, into the scan of a passenger's carry-on in order to test the screener's reaction during training sessions. The researchers say the weak logins could allow a bad guy to project phony images on the X-ray display.

They were able to easily bypass the login screen and see the stored user credentials sitting in the database. "These bugs are actually embarrassing. It was embarrassing to report them to DHS -- the ability to bypass the login screen. These are really lame bugs," Rios said.

Hacking satellite ground terminals by air, sea, land
Ruben Santamarta found critical design flaws in the firmware of popular satellite land equipment that could allow attackers to hijack and disrupt communications links to ships, airplanes, military operations, industrial facilities, and emergency services.

An attacker could install malicious firmware or even send an SMS text message to spoof communication to a ship, for example. Another, even scarier possibility: he could wrest control over the Satellite Data Unit or SwiftBroadband Unit interface in the satellite terminals on an airplane's in-flight WiFi network via its weak password reset feature, hardcoded credentials, or the insecure protocols that support the so-called AVIATOR 700 satellite terminal, and could also compromise the satellite link communications channel used by the pilot.

"We're not crashing planes here," Santamarta said of the potential danger, but some of the vulnerabilities could pose a safety risk, he said.

In many cases the attacker would need physical access to the ground equipment, as well as knowledge of the firmware and its security weaknesses.

Smart home devices not so savvy
If an attacker has physical access to your Nest Learning Thermostat or your DropCam camera, bad things can happen easily -- and fast. Two groups of researchers this summer demonstrated the ease with which an attacker can turn the devices against their owners to spy on them, attack other devices on the network, or spoof their activities.

University of Central Florida researchers Grant Hernandez and Yier Jin and independent researcher Daniel Buentello showed at Black Hat USA how, in less than 15 seconds, a bad guy can rig a Nest with a micro USB cable and a backdoor to spy on the owner, capture wireless credentials, and attack other home network devices. Another risk would be Nests backdoored and then returned to a store or resold on Craigslist to target a neighborhood, for example.

DropCam, the plug-and-play webcam-based video monitoring system used for watching over your house while on vacation or keeping an eye on the kids at daycare, can be similarly abused. Synack researchers Patrick Wardle and Colby Moore at DEF CON this summer demonstrated holes in the WiFi security cameras, such as intercepting video and hot-miking audio for spying purposes. Wardle and Moore inserted a malware "implant" that can infect computers used to configure a DropCam camera.

"Don't trust a camera from strangers," Wardle said, a theme echoed by the Nest hackers on the potential for rigged smart thermostats.

Meanwhile, security researcher David Jacoby of Kaspersky Lab recently put his own smart home to the test. That's right -- he hacked his own home, specifically his smart TV, satellite receiver, DVD/Blu-ray player, network storage devices, and gaming consoles. "Before I started, I was pretty sure that my home was pretty secure. I mean, I've been working in the security industry for over 15 years, and I'm quite paranoid when it comes to such things as security patches," Jacoby wrote in a blog post on Dark Reading sharing his findings.

But Jacoby quickly found flaws in his network-attached storage systems, smart TV, and in his home router, including weak default passwords, incorrect permissions in configuration files, and plain text passwords. "The DSL router used to provide wireless Internet access for all other home devices contained several hidden dangerous features that could potentially provide the Internet service provider remote access to any device in my private network. The results were shocking, to say the least," Jacoby said.

Crashing the vehicle traffic control system
Outfitted with a backpack carrying his prototype access point to passively test access to the vehicle traffic control systems in major cities including Washington and New York, researcher Cesar Cerrudo was able to reach, from a few hundred yards away, traffic control equipment and the access points supporting it.

Cerrudo found that hundreds of thousands of road traffic sensors and repeater equipment are at risk of attackers wreaking havoc that could result in traffic jams or even vehicle crashes. In his experiment, Cerrudo discovered the devices communicate traffic information in clear text and don't authenticate the data, opening the door for possible sabotage.

The Sensys Networks sensors he tested detect vehicles and use that data to determine the timing of traffic lights and to issue electronic alerts of events on the highway. "You can sniff the wireless data, learn how the system was configured, how it was working, and then just launch an attack with fake data," Cerrudo said. The access point will accept the phony traffic data, but an attacker would need to know where the AP, repeaters, and sensors are located at the intersection he or she targets.

Sensys Networks recently updated its software, but Cerrudo said it's difficult to confirm whether the updates fix the security flaws because the nature of the patches wasn't public.

One bad-ass USB
Don't trust that USB stick. Researchers Karsten Nohl and Jakob Lell created "BadUSB," a weaponized USB stick that, once plugged into a machine, can wage attacks on the network. The pair basically reverse-engineered and retooled the stick's firmware to turn it into an attack tool that, among other things, steals information or installs malware.

An Android device plugged into a computer could intercept all network traffic to and from that machine, for instance, and Nohl said there isn't much you can do to prevent BadUSB attacks. Anti-malware software only scans the data on a USB stick, not the firmware, for example, he noted.

BadUSB can't be cleaned up by reinstalling the operating system, and it can replace the computer's BIOS by posing as a keyboard and unlocking a hidden file on the stick.

A worm in your NAS
Jacob Holcomb this fall constructed a proof-of-concept, self-replicating worm that scans for vulnerable services running on network-attached storage devices and identifies the NAS device. If a NAS is vulnerable, the worm launches an exploit to take over the device and then spread to other NAS devices.

"I wanted to actually develop a POC myself and present it so people can understand the ramifications as my findings are being demonstrated and publicly disclosed, versus six months later when adversarial attackers are trying to exploit it for profit," Holcomb said.

Holcomb, a security analyst at Independent Security Evaluators, has been studying flaws in NAS devices for the past year or so, and the list of vulnerable products is a who's who of the storage market: Seagate, D-Link, Lenovo, Buffalo, QNAP, Western Digital, Netgear, ZyXEL, Asustor, TRENDnet, HP, and Synology. "Pretty much everything we do relies on some form of backend storage for access," he said of the problem.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

VanshD250
User Rank: Apprentice
12/29/2014 | 7:24:12 AM
Smart home devices
I truly agree with you, Kelly. Smart home devices are really vulnerable to attacks if an attacker has physical access to the devices. Not only this, I have even heard once that an attacker made some changes in a device and made it blast at the time when any of the buttons is somehow pressed. This site is really amazing and beneficial. One should read it thoroughly and can learn a lot.

Thanks

Dr.T
User Rank: Ninja
12/24/2014 | 9:58:48 AM
Re: a more serious cool tone
Yes, that is good. Especially in medical devices, they all need to be HIPAA compliant, actually; the road ahead is not going to be easy.

Dr.T
User Rank: Ninja
12/24/2014 | 9:56:32 AM
Re: a more serious cool tone
IoT may be a big problem very soon if we continue to fail to start thinking about security around them. Most sensors developed now have no consideration for security at all.

Kelly Jackson Higgins
User Rank: Strategist
12/24/2014 | 9:53:34 AM
Re: Sony attack wins
Spectacular is a good adjective here, especially since it was so public. But other corporations get lots of data stolen, too, and it doesn't get doxed, so we don't see the breadth.

Dr.T
User Rank: Ninja
12/24/2014 | 9:53:12 AM
Re: a more serious cool tone
Sure. If they are able to create this much damage, we should wait and see when all the home appliances could be compromised. There will be more interesting news, you can easily dedicate a news channel for it.

Dr.T
User Rank: Ninja
12/24/2014 | 9:51:19 AM
Sony attack wins
I can say the Sony attack is more spectacular than any other we have ever seen up to this point. The amount of data they were able to compromise is unimaginable.

Kelly Jackson Higgins
User Rank: Strategist
12/24/2014 | 7:53:23 AM
Re: a more serious cool tone
The good news is that some consumer product companies are "getting it" and trying to get on top of the situation. I wrote a feature piece recently on how a few of them are hiring security researchers to help them find bugs in medical devices/equipment, cars, etc., before the bad guys do. Unfortunately, there are a lot more companies who are not getting it yet, which is very scary.

Here's a link to the piece I referenced: http://www.darkreading.com/vulnerabilities---threats/hiring-hackers-to-secure-the-internet-of-things/d/d-id/1318107

Ed Telders
User Rank: Apprentice
12/23/2014 | 11:45:23 AM
Re: a more serious cool tone
You are absolutely correct! Information Security has long had the challenge that it appeared to be a conceptual issue or an intellectual exercise for something that only happens to the "other guy". On top of that, the popular image of the hackers almost rewards the bad guys by making it appear that they are "Robin Hood" or very bright young people. The IOT will make this a very personal issue when public safety gets compromised. I've seen statements in the discussions about IOT that the manufacturers of these devices often see security issues as "someone else's problem to resolve". I can foresee when the victims of public safety breaches start product liability suits for compensation for their injuries (or worse) against these same manufacturers. If you can get millions for a spilled cup of coffee in your lap, imagine the settlements for traffic lights being hacked and serious vehicular accidents happening as a result. Hold on to your hats!!

Kelly Jackson Higgins
User Rank: Strategist
12/22/2014 | 5:21:22 PM
a more serious cool tone
The big theme with some of these hacks was public safety--a big risk with IoT vulnerabilities.