Some hacks are epic not merely for their significance in IT security, but for their sheer creativity and novelty. They're those in-your-face hacks that both entertain and educate, and crack those things we take for granted in our everyday lives.
For the fifth year in a row, Dark Reading has compiled an end-of-the-year list of the coolest hacks executed by those imaginative, inquisitive, and resourceful hackers who dare to go the distance to try some of the most unique -- and sometimes bizarre -- hacks.
Some of this year's coolest hacks are downright chilling in that they could mean life or death, like the ones that tampered with the dosage dispensed by popular insulin pumps, or that remotely shut down the power on industrial control systems that run power plants. Others were both charming and precocious, like the 10-year-old hacker who found a major flaw in her favorite mobile gaming app after getting bored and looking for a way to progress further with it.
So grab a cup of eggnog, kick back by the fireplace, and time-travel back -- to some of the coolest hacks of the year.
1. Remotely starting a car via text message.
There's war driving, and then there's war texting. Security researcher Don Bailey discovered how simple it is to remotely disarm a car alarm system and control other GSM and cell-connected devices: He showed off his find by remotely starting a car outside Caesars Palace in Las Vegas during the Black Hat USA and DefCon shows.
It took Bailey, a security consultant with iSec Partners, only two hours to first hack into a popular car-alarm system and then start the car from afar with a text message. He and fellow researcher Mat Solnick later re-enacted the hack via video in Vegas.
The problem: Physical security systems attached to the GSM and cellular networks, such as GPS tracking devices and car alarms, as well as traffic control systems, home control and automation systems, and SCADA sensors, are vulnerable. Once these devices have been discovered on the network, an attacker can abuse them. Take the car alarm, which sites on cellular networks and receives messages from control servers: Attackers now can reverse-engineer and commandeer them, as Bailey demonstrated. GSM basically gives them a foot in the door.
"Their proprietary protocols [traditionally] were insulated and so obfuscated that you wouldn't necessarily know what was going on under the hood," Bailey said. "[But] car-alarm manufacturers now have to worry about reverse-engineering of their proprietary protocols."
Starting a car from afar is one thing, but even more disconcerting is the possibility of SCADA systems similarly being sniffed and reverse-engineered, Bailey pointed out.
2. Powering down the power plant -- literally.
Speaking of SCADA, researcher Dillon Beresford this summer at Black Hat USA gave one of the most graphic and alarming public demonstrations of the fragility of security in power control systems. Beresford, a researcher with NSS Labs, demonstrated how a backdoor in Siemens S7-300, S7-400, and S7-1200 devices let him get inside and capture passwords and reprogram PLC logic in such a way that he could shut down the systems altogether or cause them to eventually crash. He had initially postponed a presentation earlier in the year on his vulnerability finds due to concerns about possible risk to human life. Yikes.
Even scarier is that it took Beresford, who admits he's no SCADA expert, only about two-and-a-half hours to write code that exploited the backdoor in the Siemens PLCs. He also discovered a hard-coded password in the systems that let him open a command shell: "That allowed me to do other things," such as perform a memory dump, capture passwords, and reprogram the programmable logic, he said. Beresford wrote a Metasploit module for the hack.
His hack was all about demonstrating how it's not that hard to take control of these devices running our critical infrastructure. "I'm not here to freak you out. But an attack on PLCs for 24 hours could cause it to blow up a plant," he said in his demo. "This creates an awareness that not only nation-states [can hack SCADA systems], but it's now in the hands of researchers, and it's only a matter of time," Beresford said. "Someone could use it to cause damage to control systems."
And it's not just Siemens' products that are at risk of these types of attacks. At the heart of the holes in the Siemens devices are the lack of access control to them, which, like other PLC systems, use the 802.3 Ethernet Profibus and Profinet LAN protocols, which communicate via TSAP over TCP Port 102. TSAP transmits packets in plain text, too. TSAP, like TCP, is an older protocol that was not created with security in mind. The PLC manufacturers need to better secure them, experts say.
3. Mini-hacker time-travels.
A 10-year-old girl who attended the inaugural DefCon Kids conference within the DefCon show this year nearly stole the show with her hack. "CyFi" said she was getting bored with her favorite mobile gaming app, so she came up with a neat trick to switch the time on her device to make it more challenging.
What she didn't realize at first was that she had actually discovered a whole, new class of zero-day bugs across multiple tablet and smartphone operating systems.
"I wasn't making enough progress, so I was trying to find a way around that ... to turn the time forward on the device," she said.
It wasn't until her mom caught wind that CyFi had found a way to game her game that things got real. Her mom, a seasoned DefCon attendee, knew this was more than just a clever child's trick: CyFi had basically found a way to restart the clock on a mobile gaming app's free trial. "She's going out of the app, and switching the time on the device, and then she goes back in her app," her mom said.
CyFi had found the same bug on multiple games, not just the one app, and CyFi and her mom then consulted with a seasoned hacker friend, who checked out the bug and found it in yet another OS. Other professional hacker friends verified it, and now the mini-hacker is working on the responsible disclosure process.
"The mobile app world is different -- you have all these different, tiny companies making games. You don't just have Oracle and Microsoft, so that's why there were so many zero-days," CyFi's mom said.
CyFi got props from famed security researcher Dan Kaminsky, too. "It's legitimately cool work," Kaminsky said. "We've known for years that games suffer security risks, for reasons of time, budget, and, to be honest, lack of consequence … Time acceleration is extremely rare -- I know of only one other use, and that's to locate 'phone homes' where an application or operating system sends traffic to a manufacturer, months, or years after installation. Seeing the 'phone home' trick used successfully against mobile games -- en masse -- is impressive, particularly since it apparently works against some online games."
4. Insulin pumps go rogue.
SCADA security expert Jerome Radcliffe, a diabetic, had become curious about the security of the devices that keep his blood sugar in check. So he started studying how continuous glucose monitors (CGM) and insulin pumps could be hacked, and discovered that at least four models of insulin pumps sold by Medtronic can be hacked wirelessly.
An attacker could remotely disable the pumps or alter the insulin dosage that's automatically delivered to the user. Radcliffe demonstrated that a hacker could illicitly turn off the pump remotely, with the device offering only a small chirp as a response, and also remotely manipulate any setting on the pump without the user's knowledge. "It's basically like having root on the device, and that's like having root on the chemistry of the human body," he said.
It was a frightening but enlightening find given the life-or-death consequences. Radcliffe was also able to disrupt and jam the GSM devices.
And later this year, Barnaby Jack, a security researcher with McAfee, at the Hacker Halted conference demonstrated an exploit he wrote that could deliver a deadly dose of insulin to patients using Medtronic's embedded insulin pumps.
Jack rigged an antenna and some software in a wireless exploit that wrested control of the insulin pumps and administered what would be a fatal dose of insulin. His hack took Radcliffe's a step further, demonstrating how to wirelessly crack the pump without knowledge of its device identification code.
5. 'Warflying': Hacking in midair.
For a little more than $6,000, a pair of researchers built a radio-controlled model airplane with an onboard computer and 4G connectivity that could be used as a hacking "drone" to wage aerial attacks on targets that are basically unreachable on land. Mike Tassey and Richard Perkins brought their so-called Wireless Aerial Surveillance Platform (WASP) to Vegas for Defcon to demonstrate the potential threat of "warflying."
The 6-foot long, 14-pound WASP is made from all off-the-shelf equipment and open-source software, and was built on top of a surplus Army drone Perkins had stored in his basement. It contains wireless antennae, GPS, wireless sniffing tools, and a Backtrack penetration testing toolkit. A base station controls the plane via Google Earth and an autopilot software tool, and it can fly above 20,000 feet, although FAA regulations don't allow it to go above 400 feet.
WASP can sniff wireless networks, spoof cell-towers, track and intercept cell phone calls, steal data, and conduct video surveillance. A back-end PC handles most of the heavy processing requirements.
All in all, it wasn't that difficult to build. "You don't need a Ph.D. from MIT to do this," Perkins said.
What's not so simple is how to defend against such a drone hack. "So how do you defend against this? I don't know. That's what you guys are for. We need the right people to start thinking about this. How would you defend against something like this?" Perkins said. "Because if we thought of it, someone else has, too. They're just not telling you about it."
6. When laptop batteries turn against you.
You probably don't worry much about your laptop battery until it runs out of juice and you scramble for the power plug. But what if your battery could hack you?
Turns out the embedded controllers on laptop batteries are hackable, renowned security researcher Charlie Miller demonstrated this year. Miller found that Apple's laptop battery has two fixed passwords that could be exploited to make changes to the smart battery system's firmware. The passwords are basically a way for Apple to update the firmware, but they also leave it wide open for abuse.
Miller disassembled his MacBook's batteries and found that Apple uses one default password to unlock the battery and another to access the firmware. If an attacker were to obtain those passwords, then he could eavesdrop on any communication between the battery and the laptop, as well as inject malicious code.
"I definitely completely destroyed that first and most important layer of defense," Miller said. "The main brains of the operation is this chip, and I can control that now."
He reverse-engineered a MacBook battery update and got the password that gave him access to the system, and found he could manipulate the battery's firmware. So an attacker could theoretically inject malicious code onto the battery -- a clever hideout that could be used to harbor stealthy attacks trying to remain under the radar.
Miller's original goal was to make the batteries overheat or explode, but in the end he wasn't able to do so. He did successfully brick them, though: "I can definitely make it so the battery doesn't respond anymore," he said. "I did that seven times already."
7. Hot 'Diggity' hack.
Remember Google hacking? Well, it's back and it's sexier as a pair of researchers built tools that making Google-hacking yourself faster and more efficient.
Fran Brown and Rob Ragan, researchers for Stach & Liu, wrote a series of tools called Diggity that speed up the process of detecting security vulnerabilities via Google or Bing searches. The goal is for enterprises to find those bugs -- SQL injection, cross-site scripting, etc. -- in their servers before attackers do.
"We wanted to find a way to bring search engine hacking back into light because it's a pretty effective method of finding vulnerabilities, and we see it being used more and more [by malicious attackers]," Ragan said.
DIY Google-hacking typically requires searching one domain at a time, and that just doesn't scale when you're talking an enterprise of hundreds of domains. Brown says Diggity tools are akin to an IDS that sniffs out known attacks. The tools are compromised of databases of known Google and Bing hacks, Foundstone's repository of search engine hacks, and Stach & Liu's own database of known vulnerabilities and hacks.
It works like this: When a tool finds a potential hack, they send a Google alert to the enterprise, which then can have Google halt indexing them. That gives them time to fix the flaws offline.
Brown says Diggity could prevent disasters such as when the user database of Groupon's Indian subsidiary Sosata.com was inadvertently published online and exposed emails and passwords of its 300,000 users. "To put it in perspective, if Groupon.com had been using our tools, they would have gotten an alert via iPhone or Droid and found the vulnerability before anyone else did," Brown said.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio