Attacks/Breaches

2/7/2008
06:45 AM
The Coolest Hacks of 2007 - Part II

Just when you thought it was safe to go back online, we offer a new round of offbeat attacks that might make you think twice

Bluetooth, taxicabs, printers, unlaunched browsers, toasters, and road signs: Each was hacked in the past year by inventive researchers whose curiosity got the best of them.

The coolest hacks are like that. They get a researcher thinking -- and then hacking -- outside the lines, to root out vulnerabilities and weaknesses in the flashing highway road sign or the unused Firefox browser application on your desktop.

Earlier this year, Dark Reading selected five of the coolest and most unusual hacks we covered in 2007 -- the ones that went beyond your everyday Windows vuln (think hacking truckers, car GPSes, and the stock exchange). (See The Five Coolest Hacks of 2007.)

But there are plenty more creative hacks out there that didn't get a mention in that article, so we decided to take a second look at last year's most unusual exploits: some we've covered, and some we haven't. Here they are, in no special order (with a tip of our hats to some Slashdot readers who weighed in with some hacks deserving of a mention).

Hacked highway signs
Drivers in Sydney, Australia got a bit of a surprise in December when a "Police Now Targeting Speeding" flashing digital sign on the Roseville Bridge was hacked to read: "You have been 1337 h4x0r3d...Police now target'g sign hackers."

No word on the hackers and their wireless methods behind the defaced sign, which was documented on YouTube.

Cross-site printing
Printer spam isn’t something you worry about every day, but one researcher has released a proof of concept for a printer hack using JavaScript that lets an attacker remotely "own" an intranet printer for spamming or other nefarious purposes. (See The Five Coolest Hacks of 2007.)

"This kind of added insult to injury: We saw that intranet hacking was possible, and now [attackers] can go after printers to make them perform printer-spamming," says Jeremiah Grossman, CTO of WhiteHat Security, who has done some intranet hacking research of his own.

The attack requires that a user visit a malicious Website that contains the "bad" JavaScript. The script then issues an HTTP POST request from the victim's browser to the victim's internal networked printer, which lets the attacker print to it and even send faxes. "Since most printers don’t have any security set, it is possible to print anything, control the printer, change the print settings and even send faxes," the researcher, Weaver, writes in his paper on the hack.
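Because the printer itself accepts the job without authentication, the practical defence is on the network: workstations normally talk to a print server, not directly to printer ports. The following is an added example (not code from the article or from Weaver's paper) that scans flow records for workstation-to-printer connections on raw print ports; the flow format, the print-server address, the printer subnet and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed flow records (not from the article): "timestamp src_ip src_port dst_ip dst_port proto"
SAMPLE_FLOWS = """\
2008-02-07T06:45:01 10.1.20.15 51234 10.1.99.10 9100 tcp
2008-02-07T06:45:02 10.1.20.15 51235 10.1.99.10 9100 tcp
2008-02-07T06:45:03 10.1.5.2 40000 10.1.99.10 9100 tcp
2008-02-07T06:45:04 10.1.20.16 51236 10.1.99.11 515 tcp
2008-02-07T06:45:05 10.1.20.17 51237 93.184.216.34 443 tcp
2008-02-07T06:45:06 10.1.20.15 51238 10.1.99.12 631 tcp
"""

PRINT_SERVERS = {"10.1.5.2"}      # assumption: only host allowed to talk directly to printers
PRINTER_SUBNET = "10.1.99."       # assumption: the printer VLAN
# Ports a browser-driven job would hit when it bypasses the print server
RAW_PRINT_PORTS = {9100: "raw/JetDirect", 515: "LPD", 631: "IPP"}

FLOW_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+) (\d+) (\w+)$")


def parse_flow(line):
    """Parse one constructed flow line into a dict, or None if it does not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    ts, src, _sport, dst, dport, proto = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def find_direct_print_traffic(text, print_servers=PRINT_SERVERS):
    """Return {source_ip: [(printer_ip, service, timestamp), ...]} for every
    connection to a printer on a raw print port that did not come from a
    print server. Such traffic is what a cross-site printing page produces."""
    hits = defaultdict(list)
    for line in text.splitlines():
        rec = parse_flow(line)
        if rec is None or rec["dport"] not in RAW_PRINT_PORTS:
            continue
        if not rec["dst"].startswith(PRINTER_SUBNET):
            continue
        if rec["src"] in print_servers:
            continue  # legitimate spooler traffic
        hits[rec["src"]].append((rec["dst"], RAW_PRINT_PORTS[rec["dport"]], rec["ts"]))
    return dict(hits)


if __name__ == "__main__":
    for src, conns in find_direct_print_traffic(SAMPLE_FLOWS).items():
        print(f"{src} reached printers directly: {conns}")
```

The same check can be expressed as a firewall rule that only permits the print server to reach the printer VLAN on these ports, which blocks the browser-originated job outright.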

Burnt by your toaster
Another researcher took a different spin on the legendary toaster hack: But this time, the toaster isn't the hackee, it's the hacker. Dror Shalev, a researcher and security expert who works at Check Point Software in Israel, wrote some code and networked the software with the toaster over a wireless connection. (See Man Uses Toaster to Hack Computer.)

“As soon as the toaster is plugged, the software is activated before it breaks into the user’s computer system. The same software prototype can be networked with any home appliance for stealing the Web secrets,” he said. “With wireless technology available, there is no need for connecting the appliance with the computer.”

Unused but abused browsers
Ask Web app security guru Grossman what one of the coolest Web application security hacks of the year was, and he says the URI handler vulnerabilities discovered by Nathan McFeters and Billy Rios. Grossman says the hacks, which made his Top 10 Web Hacks of 2007 list, were mostly underestimated and are "interesting and dangerous."

McFeters and Rios basically found that they could use Internet Explorer to send URL data to a Firefox app that was sitting idle on the machine and not running. "We can supply [it] with a URL... that would then execute arbitrary commands on their OS," McFeters says. "We're talking cross-site scripting as not just about stealing cookies. We're taking control of the victim's computer."

The actual flaw lies in how the operating system (and it's not just Windows, McFeters says) calls a registered URL. "It allows the attacker to communicate through a browser or any app that recognizes URLs with underlying programs it couldn’t [normally] reach," he says. The URL becomes a command on the OS, he says, leaving an attacker a frightening opening into the system and network.

Bluetooth-sniffing via a USB stick
Bluetooth hacking traditionally has been a pricey endeavor, with tools costing around $10,000. But a pair of European researchers looking to make Bluetooth hacking cheap and easy built a prototype Bluetooth sniffer last year based on a $30 USB dongle. (See Hacking Bluetooth With a USB Stick, New Hacking Tools Bite Bluetooth, and Bluetooth Security Worse Than WiFi.)

The device is based on a Cambridge Silicon Radio (CSR) chip-based USB dongle, flash memory, and Bluetooth 2.X technology. It lets you eavesdrop on a Bluetooth communication session, and combined with a Bluetooth PIN-hacking tool created by one of the researchers -- Thierry Zoller, security engineer for n.runs -- an attacker can access encrypted data and control any Bluetooth devices. The second researcher, Max Moser, founder of remote-exploit.org, and security analyst and tester for Dreamlab Technologies, spearheaded the development of the USB sniffer.

Cracking wireless devices is all the rage lately. Penetration testing firm Secure Network Technologies Inc., for instance, recently found that those wildly popular wireless headsets are easily hackable. (See Hacking Wireless Headsets.) The firm's hackers-for-hire used a radio scanner and were able to listen in on the employees' conversations from across the street, and digitally record them. Their conclusion: Wireless headsets in your office are actually bugging your office.

Hacking the taxi
An artist and software engineer riding a taxi in New York City in December noticed an error message on the touch-screen video monitor in the back seat. Within a few short minutes, Billy Chasen gained administrative access to the entire taxi PC.

Chasen was able to interact with the error message, and after drilling down a bit was able to reach the Windows "File -- Open" dialog on the underlying operating system. "It was not only a security flaw, but people also pay with the screen if they use a credit card. That information could potentially be stored locally," Chasen wrote in his blog. He also got an Internet connection via dial-up on the machine (these taxi computers run news segments, ads, and a GPS map). He says he could have installed onto the machine any software that he had online.

"You’re essentially giving strangers access to a computer that is shared with hundreds of customers," he says in his blog. "It also isn’t far-fetched for anyone to do what I did. It was pretty simple."

VeriFone, the supplier of the taxi computers, later said that there may have been a glitch in a software update that was being downloaded to the taxis.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
