Nothing was sacred -- the nation's airspace, home power meters, videoconferences, and, in an ironic twist, popular cybercrime tools

It's common knowledge nowadays that pretty much any device with a network interface -- or a USB port -- is hackable. As soon as a new technology or gadget arrives, some inquisitive security researcher starts to hammer away at it in a race to find flaws in it before the bad guys do. This year was no exception.

There are hacks, and then there are cool hacks. For the sixth year in a row, Dark Reading has selected the most creative, unique, and memorable hacks of the year that captured our attention and, in some cases, scared the heck out of us.

Researchers spoofed airplanes via weaknesses in a new FAA air traffic system, peered into the infrared port on a home smart meter, broke into a videoconference, and even turned the tables on the bad guys, poking holes in popular cybercrime tools and fooling and exposing fake antivirus scammers who unknowingly dialed the wrong number (a white hat hacker's).

So kick back with a cup of holiday cheer and join us for a nostalgic look back at some of the most extreme hacks of 2012.

1. Beating Cybercriminals At Their Own Game
Let's just say the phony antivirus scammers dialed the wrong number.

Noah Magram, principal software engineer with Sourcefire, in May did what he wouldn't normally do one night when the phone rang at dinner time: He answered it. Magram says it was his local area code in Oregon and "Borders" showing up on caller ID that tempted him to pick up.

The caller said he was from Microsoft, and that Magram's computer was infected and had been sending error messages to the software firm. Magram immediately knew it was a scam, but the researcher in him led him to see just how far these scammers would go. "I wanted to see if they would send me to any websites or get me to download any malware, something that we could analyze. I was really curious about what their script was," Magram says.

He knew he was onto something as it became obvious the agent on the line wasn't technology-savvy. He played along for a while, and then decided this was too good a chance to pass up for a rare, firsthand look at a fake AV scam. So he started up a VMware virtual machine on his Windows PC. "I realized I could give them an environment to bang around in," Magram says. At the urging of the scammers, he installed LogMeIn, a legitimate remote access tool, and "Victor," the technician, was then inside the machine. Magram recorded every click the scammers made via this impromptu honeypot.

The scammers brazenly deleted Windows services off Magram's "PC," but had no clue they were actually trapped inside a virtual machine, even when VMware services appeared on the screen.

"I had always wondered what their capabilities are" in these scams, he says. "But I was shocked how clueless and clumsy they were. They are placing thousands of these calls, and they are not sophisticated."

Magram recorded a video of the episode, which he posted online.

2. Airplane Hack
The FAA's new air traffic control system has holes so big that a fake plane could fly through them.

A researcher at Black Hat USA in July gave a chilling presentation revealing several weaknesses in the key component of the FAA's next-generation Automatic Dependent Surveillance-Broadcast (ADS-B) system, the replacement for the agency's decades-old ground radar system for air traffic control. The flaws could allow someone to inject their own messages into the system, posing as an aircraft. The system's messages are also unencrypted and therefore wide open to snooping.

Andrei Costin, a computer scientist and graduate student at Eurecom, says the system has no authentication feature for messages. "Any attacker can pretend to be an aircraft" by injecting a message into the system, he says.

Air traffic messages, such as the location of an aircraft in flight, could be read by anyone. Costin showed an air traffic screen capture that appeared to be the in-flight location of Air Force One, the airplane that transports the President -- an illustration of the national security implications of the system's weaknesses.
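The two properties described above, that ADS-B messages are readable by anyone and carry no authentication, can be seen by decoding a single frame. This Python code is an added example, not from the article or from Costin's presentation; the sample frame is a widely published test frame, and the function names are this example's own.

```python
# Added example: decode one ADS-B (Mode S extended squitter) frame offline.
# SAMPLE_FRAME is a widely published test frame, not data from the article.
SAMPLE_FRAME = bytes.fromhex("8D406B902015A678D4D220AA4BDA")

GENERATOR = 0x1FFF409  # public Mode S CRC-24 polynomial; no key is involved
CHARSET = "#ABCDEFGHIJKLMNOPQRSTUVWXYZ##### ###############0123456789######"


def crc24_remainder(frame: bytes) -> int:
    """Polynomial remainder over the whole frame; 0 means the parity matches."""
    nbits = len(frame) * 8
    value = int.from_bytes(frame, "big")
    for i in range(nbits - 24):
        if value & (1 << (nbits - 1 - i)):
            value ^= GENERATOR << (nbits - 25 - i)
    return value & 0xFFFFFF


def decode(frame: bytes) -> dict:
    """Return the cleartext fields of a 112-bit DF17 frame."""
    if len(frame) != 14:
        raise ValueError("expected a 112-bit (14-byte) frame")
    downlink_format = frame[0] >> 3
    if downlink_format != 17:
        raise ValueError("not an ADS-B extended squitter (DF17)")
    me = frame[4:11]  # 56-bit message payload
    type_code = me[0] >> 3
    fields = {
        "icao": frame[1:4].hex().upper(),  # sender-asserted address
        "type_code": type_code,
        "parity_ok": crc24_remainder(frame) == 0,
        "callsign": None,
    }
    if 1 <= type_code <= 4:  # aircraft identification message
        bits = int.from_bytes(me[1:], "big")  # eight 6-bit characters
        chars = [CHARSET[(bits >> (42 - 6 * k)) & 0x3F] for k in range(8)]
        fields["callsign"] = "".join(chars).strip()
    return fields


if __name__ == "__main__":
    print(decode(SAMPLE_FRAME))
    # A damaged frame fails parity, but parity depends only on the message
    # bits and a public polynomial, so parity_ok means "not corrupted in
    # transit", never "sent by this aircraft".
    damaged = bytes([SAMPLE_FRAME[0], SAMPLE_FRAME[1] ^ 0x01]) + SAMPLE_FRAME[2:]
    print(decode(damaged)["parity_ok"])
```

Because the only check in the frame is a keyless checksum, a receiver that wants assurance about the sender has to get it from outside the message, for example by cross-checking reported positions against independent surveillance data.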

It could also represent a spoofed aircraft, he says. "If the data is false, somebody is spoofing the system," he says. A fake aircraft showing up on the system could force the system to adjust to flights that weren't really there and wreak havoc in the skies. One scenario would be akin to a denial-of-service attack on the air traffic control system, he says, with a million phony planes.

He also demonstrated how cheap, software-defined radios could attack the ADS-B system.

3. Infiltrating The Smart Meter
All eyes have been on the smart grid, with its state-of-the-art technology and potentially more secure infrastructure than legacy critical infrastructure systems. But like any new technology, it has its security flaws, in one case in the infrared "eye" of the smart meter itself.

Researchers at InGuardians this summer finally demonstrated their OptiGuard tool for helping vendors and utilities assess just how the bad guys can or can't get into their networks and systems, after having to put it on hold amid vendor concerns. The Python-based tool basically demonstrates ways the infrared port on a smart meter can be penetrated, looking for vulnerabilities and possible attacks. "There's no third-party software to interact with individual meters [today]. There wasn't a way for utilities to test the implementation of their meters or for vendors to see what others are going to throw at their meters," says Don Weber, the researcher with InGuardians who built the tool.

Weber and his team found some major vulnerabilities in the devices; the tool is aimed at helping a utility spot those holes, such as a meter being prone to a brute-force password attack over its infrared port. An attacker then could grab configuration data and shut off the device or perform other sabotage. "Once you can talk to the meters, you can program them to do anything you want," Weber says.

The good news is that for now, these attacks would be on a single meter at a time, not the overall grid. The Python-based tool plugs into a laptop and includes a serial port client that interacts with the optical infrared functionality.

InGuardians wasn't the only firm looking at these issues. Spencer McIntyre, a member of SecureState's Research & Innovation Team, unleashed an open-source smart meter hacking tool this summer. The so-called "Termineter" also tests for vulnerabilities via the device's infrared port and uses a Metasploit Framework interface. InGuardians' tool has its own interface, is meant for the smart grid industry, and is not open-source.

SecureState's McIntyre says authentication is a big problem with the meters. "Being able to write and read from a meter while being authenticated as an underprivileged user or to not have to authenticate at all," he says, "that could be used for fraud, which is a large concern for power companies."

4. RATs With Bugs
Remote access Trojans/tools -- a.k.a. RATs -- are a cybercriminal's best friend. These remote administration tools help bad guys spy on and wage targeted attacks. A pair of interns for Matasano Security discovered that some popular RATs can actually be exploited to help turn the tables on the attackers behind them.

DarkComet, Bandook, CyberGate, and Xtreme RAT, which are used to exploit victims, can be exploited themselves, according to Shawn Denbow of Rensselaer Polytechnic Institute and Jesse Hertz of Brown University, both undergraduate computer science students now in their senior year. The researchers found that the RATs contain flaws common in mainstream software, such as SQL injection, arbitrary file reading, and weak encryption.

RATs typically conduct keylogging, screen and camera capture, file management, code execution, and password-sniffing. But it turns out these tools can be just as vulnerable as the systems they target. "This shows that it is possible, and that it's not hard, to pick apart attacker tools and come up with proactive defenses against them," says John Villamil, senior security consultant with Matasano, who was Denbow and Hertz's adviser for the project. "If nothing else, it can help forensics companies analyzing traffic from compromises ... and help build tools that analyze these Trojans, and provide signatures [to detect them]."

At a time when offensive defense is becoming the new battle cry, the concept of poking holes in black hat tools is attractive. But hacking back remains taboo.

The researchers released homegrown tools that decrypt RAT traffic and proof-of-concept exploits for the bugs they found. Most RATs include weak encryption, or no encryption at all, they found.

"The people using those tools either don't realize how weak they are, or they don't care," Villamil says. The bottom line is that RATs are powerful cyberespionage and other persistent attack tools.

5. Videoconference Bugs The Boardroom
Renowned researcher and Metasploit creator HD Moore late last year scanned a snapshot of addressable Internet space in search of high-end videoconferencing systems that might be found in corporate boardrooms. What he found was unnerving: a quarter of a million systems that spoke H.323, the protocol used by videoconferencing systems.

He then used a Metasploit module to call up each server and to connect for just enough time to get the public-handshake packets before disconnecting. "Any machine that accepted a call was set to auto-answer," Moore says. "It was fairly easy to figure out who was vulnerable because if they weren't vulnerable, then they would not have picked up the call."

Moore and Rapid7 CEO Mike Tuchen were then able to pinpoint some 5,000 videoconferencing systems that auto-answered the calls. That means those systems could be abused by an external hacker who could surreptitiously join the videoconference, record video, and read email from a laptop screen of one of the attendees -- something Rapid7 simulated in its lab.

"What made this interesting is that you are only going to find places that can afford $25,000 videoconferencing systems, so it's a pretty self-selecting set of targets," Moore says.

Moore and his fellow researchers found mostly Polycom videoconferencing systems, most of which ship with auto-answer on by default.


About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
