The 9 Coolest Hacks Of 2009
Digital faces, missile defenses, iPod Touches, and even texting teens all were the subject of extreme hacks
December 22, 2009
Hackers are always probing for ways to crack new technology, even elements so personal you would never imagine they could be hacked -- like, well, your face. Extreme hacks that hit close to home and we can see in the mirror remind us of just how much technology has infiltrated the everyday, and how fragile it ultimately can be at the hands of the bad guys.
This year saw some creative and unusual hacks that gamed biometric facial identities, weaponized iPod Touches, dug up actual missile defense data on a second-hand hard drive, replaced application updates with malware in midstream, and even found a way to silence a teenager's frenzy of text messaging. And don't get us started on a phony Bill Gates "LinkedIN" e-vite that landed in multiple corporate emailboxes unscathed.
These are among the hacks we have selected as nine of the coolest hacks covered here at Dark Reading in 2009 -- sometimes off-the-wall and in-your-face (pun intended) vulnerabilities that were exposed and exploited by creative and imaginative researchers who are all about staying one step ahead of the bad guys, and maybe having a little fun along the way.
So kick back, relax (if you can), and take a look back at the more offbeat yet profound hacks of the year.
Biometrics may be the wave of the future in authentication, but Vietnamese researchers earlier this year showed how even your facial scan can be abused by a hacker for access to a system.
The researchers were able to easily spoof and bypass the biometric authentication that comes embedded in Lenovo, Asus, and Toshiba laptops by using just a photo of an authorized user, as well as by brute-force hacking using fake facial images. One of the researchers, Nguyen Minh Duc, manager of the application security department at the BKIS (Bach Khoa Internetwork Security Center) at Hanoi University of Technology, demonstrated the hack at Black Hat DC in February.
"Contactless" biometric technologies, such as facial, iris, and palm-vein scans, are emerging as preferred methods of authentication over fingerprint scans, which have been shown to leave behind a digital "footprint" that can be abused.
The researchers were able to authenticate to Lenovo's Veriface III, Asus' SmartLogon V1.0.0005, and Toshiba's Face Recognition 2.0.2.32, with each set to its highest security level, using phony facial scans. "One special point we found out when studying those algorithms is that all of them work with images that have already been digitized and gone through image processing. Consequently, we think that this is the weakest security spot in face recognition systems, generally, and access control system of the three vendors, particularly," Duc says.
There's something reassuring about an application update -- after all, you're getting a more secure, up-to-date version of the app. But researchers shattered that secure image by showing how they could replace an update with malware via a WiFi connection.
Itzik Kotler, security operation center team leader at Radware, and Tomer Bitton, security researcher at Radware, said the hack could be used against most of today's client-application updates. At Defcon17 this summer, they released their so-called Ippon tool (Japanese for "game over"), which can either inject a phony but realistic-looking update alert or silently hijack an ongoing update session and force the user to instead download malware.
While the researchers wouldn't name the 100 apps they found vulnerable to their attack, they did say the list spans CD burners, video players, and other popular applications. Microsoft's applications are not affected because they are digitally signed. The attack relies on unsecured WiFi as well as on the way these update processes work.
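To show the defence the article credits with protecting Microsoft's applications, here is an added Go example (not code from the page, from Radware or from the Ippon tool) in which a client applies an update only if its Ed25519 signature validates against a vendor key pinned in the client; the key pair, the payloads and the hijack simulation are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is what a client receives from an update server: the payload plus a
// signature over its SHA-256 digest, made with the vendor's private key.
type Update struct {
	Payload   []byte
	Signature []byte
}

// SignUpdate is the vendor-side step (assumed for this example): sign the
// digest of the release with a key the client never sees.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) Update {
	digest := sha256.Sum256(payload)
	return Update{Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyUpdate is the client-side check whose absence makes a plain HTTP
// update hijackable: the update is applied only if the signature validates
// against the vendor public key pinned in the client binary.
func VerifyUpdate(pinned ed25519.PublicKey, u Update) error {
	digest := sha256.Sum256(u.Payload)
	if !ed25519.Verify(pinned, digest[:], u.Signature) {
		return errors.New("update rejected: signature does not match pinned vendor key")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed vendor key pair
	genuine := SignUpdate(priv, []byte("app-v2.0.1 (constructed sample payload)"))
	fmt.Println("genuine:", VerifyUpdate(pub, genuine))

	// Simulated session hijack: same transport, but the payload is swapped.
	hijacked := genuine
	hijacked.Payload = []byte("something else (constructed sample payload)")
	fmt.Println("hijacked:", VerifyUpdate(pub, hijacked))

	// A rogue server with its own key cannot satisfy the pinned key either.
	_, rogue, _ := ed25519.GenerateKey(nil)
	fmt.Println("rogue key:", VerifyUpdate(pub, SignUpdate(rogue, genuine.Payload)))
}
```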
"Most applications do simple HTTP transactions that download a file with the newer version ... We can hijack the session and respond ourselves with an 'application update,' and it takes place on our malicious Website," Kotler says. "They are then going to download an update, and voila: It's malware."
You never know what you'll find on a used hard drive, and researchers at the University of Glamorgan in Scotland dug up details of test-launch procedures for a U.S. defense missile. Really.
The research revealed in May was part of a five-year study to demonstrate the lack of or inadequate hard drive, device-wiping, and disposal practices by organizations. Edith Cowan University of Australia and BT also worked on the project.
Overall, they discovered personal or sensitive data on 34 percent of 300 hard disks purchased at various computer fairs and online auctions in the U.S., U.K., Germany, France, and Australia. But it was the U.S. Terminal High Altitude Area Defense (THAAD) ground-to-air missile defense system information on a disk purchased on eBay that revealed the magnitude of the problem.
The data on the disk included security policies and blueprints at Lockheed Martin's facilities (Lockheed is the contractor that built the missile system), as well as personal data on its employees.
"It is clear that a majority of organizations and private individuals still have no idea about the potential volume and type of information that is stored on computer hard disks," says Andy Jones, head of information security research at BT.
You'd never suspect the iPod Touch in the office as being the intruder. That's why the music player with browser and email access makes a handy covert hacking tool.
Thomas Wilhelm, associate professor of information system security at Colorado Technical University, outfitted an iPod Touch with the Metasploit penetration testing framework for exploiting vulnerabilities, a password-cracking app, and a Web application hacking tool, all downloaded onto the device.
"Because of its size and ability to connect back to a more robust attack platform, the iPod Touch can go anywhere and get [penetration testers] into areas where we couldn't before," Wilhelm says. "If I walked into a bank with a laptop, people would be suspicious. If I were to walk in with something like an iPhone, people would accept it. I could hack for hours in a bank or coffee shop, and no one would [suspect]."
Wilhelm demonstrated his rigged iPod Touch at Defcon this summer. He says it's cheaper to use an iPod Touch as a portable hacking platform than an iPhone because there are no monthly subscription fees attached, and it lets the user control which network the device connects to, which is not really possible with the iPhone.
Who wouldn't want to join Bill Gates' LinkedIn network? In a recent test a hacker was able to slip a phony but very realistic-looking invite from "Bill Gates" to his LinkedIN network (the capital "N" should have been the giveaway) past email security 100 percent of the time.
Joshua Perrymon, CEO of PacketFocus, sent a spoofed LinkedIn email to users in different organizations who had agreed to participate in the test. Three of the most popular smartphones -- the iPhone, BlackBerry, and Palm Pre -- fell for the spear-phishing experiment. Perrymon tested 10 different combinations of email security appliances, services, and open-source and commercial products; four major client email products; and the three major smartphone brands.
His goal was to measure the effectiveness of email security controls; the experiment basically showed social engineering can be more than technology can handle. And it came as a surprise to him that so few products caught the phony e-vite.
Dark Reading also participated in the test. Sure enough, the phony "Bill Gates" e-vite came through.
It's a text-messaging junkie's nightmare, and a dream come true for the parent of a teenager: Hackers were able to shut down SMS texting in certain Nokia mobile phones with an exploit they called the "Curse of Silence."
The hack, which employs a denial-of-service attack delivered through malicious text messages, was revealed earlier this year at a hacker confab in Germany. Tobias Engel, the researcher who devised it, was able to send a malicious SMS text message to the victim's phone that executes a denial-of-service attack on the phone. The hack stops texting on some phones, while locking up the texting features on others.
Interestingly, other than crashing SMS/MMS messaging features on the phones, the phones remain operational. And powering off and on the phone doesn't stop the attack.
"At least it is not possible to steal user data from the phones or make calls at other people's expense," Engel says. "But it shows again that mobile phones are just computers which are connected to the network all the time."
ATM machines are a conspicuous and popular target. Bad guys break them open, rig them with sniffers, and even spoof them with cloned bank cards. But some black-hat hackers have upped the ante significantly with malware they wrote specifically for one brand of bank machine.
A Trojan specially written to steal information from users was discovered on a Diebold ATM machine, leading Diebold to issue a security update in May for its Windows Opteva-based ATMs, and to reveal that some of its machines in Russia had been physically broken into and outfitted with this sophisticated Trojan.
And not just any cybercriminal could write this Trojan: It took someone with knowledge of the inner workings of the ATM machine's software. "It's fascinating that the hackers went to this extent ... they [knew] the API calls and understood how the cash machine works," says Graham Cluley, senior technology consultant at Sophos. "We haven't seen that before ... This is not something the average hacker on the street would have access to."
The creators of the ATM malware would have had to have physical access to the machine, either inside the organization or during the manufacture of the device.
Diebold at the time said the attackers had been apprehended, but the hack put a whole new spin on ATM risks.
Putting a face to a cybercriminal is tough and often impossible. Now there's another way they can remain anonymous -- through a browser-based darknet, an underground Internet community where users can share content and ideas securely and without being identified.
A pair of researchers at Black Hat USA showed how to build a simple darknet within the browser with no other software. Called Veiled, the darknet can be quickly put up or taken down without a trace. It connects the user's HTML 5-based browser to a single PHP file, which downloads some JavaScript code into the browser. Pieces of the file are spread among members of the Veiled darknet. It's not peer-to-peer, but rather a chain of "repeaters" of the PHP file, the researchers say.
The researchers, Billy Hoffman, manager of HP Security Labs at HP Software, and Matt Wood, senior security researcher in HP's Web Security Research Group, say Veiled doesn't require much technical know-how to join. "The coolest thing about this is it lowers the barrier to entry to a darknet," Hoffman says. "You could put some very interesting applications on top of it. It could be a way to do secure whistle-blowing, [for example]. When you have something decentralized like this, no one can control or stop it."
The danger, of course, is that darknets can also be abused by the bad guys as a way to cover their tracks. "The point of our research is not to give bad guys a tool for nefarious use, but to get security researchers discussing and talking about the new concept of browser-based darknets," Hoffman says.
Even IP video wasn't sacred this year. Hackers employed a modified man-in-the-middle attack to tamper with IP video surveillance feeds and to eavesdrop on IP video phone conversations.
This summer at Defcon, researchers from Viper Lab used old-school ARP poisoning and a little ingenuity to demonstrate how a criminal could mask a crime by tampering with a company's IP video surveillance system, replacing the video showing him breaking in with a benign clip.
"You can do this with email and VoIP -- we're just doing a new twist on an old attack to show people that these vulnerabilities are out there for IP video," says Jason Ostrom, director of Viper Lab, the research arm of Sipera Systems, which sells security products for VoIP and unified communications technologies.
Only about one in 20 organizations secures its IP video with encryption or other measures, according to Sipera's research, so IP video is ripe for attack. Ostrom and fellow researcher Arjun Sambamoorthy used a pair of homegrown open-source tools to perform the hacks at Defcon: UCSniff, which performs video eavesdropping, and VideoJak, which intercepts and replays video.
An attacker needs physical access to the IP network to execute these hacks, the researchers say, as well as access to a VLAN port on which the video application resides.
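One way a defender can spot the ARP poisoning used in this demonstration is to watch for an IP address whose claimed MAC address changes. The added Go example below (not Viper Lab's code, UCSniff or VideoJak) runs that check over constructed ARP replies, assuming the first binding seen for each IP is the legitimate one.

```go
package main

import "fmt"

// ARPReply is the part of an ARP reply a monitor cares about: which MAC
// address claims to own which IP address.
type ARPReply struct {
	SenderIP  string
	SenderMAC string
}

// Alert records an IP that was bound to one MAC and is then claimed by another,
// the cache-poisoning pattern a man-in-the-middle on the video VLAN relies on.
type Alert struct {
	IP, OldMAC, NewMAC string
}

// DetectPoisoning replays ARP replies in order and returns every binding
// conflict. Assumption: the first binding seen is legitimate; a real deployment
// would seed the table from DHCP leases or a static inventory instead.
func DetectPoisoning(replies []ARPReply) []Alert {
	bindings := make(map[string]string)
	var alerts []Alert
	for _, r := range replies {
		if known, ok := bindings[r.SenderIP]; ok && known != r.SenderMAC {
			alerts = append(alerts, Alert{IP: r.SenderIP, OldMAC: known, NewMAC: r.SenderMAC})
			continue // keep the original binding so each conflicting claim is reported
		}
		bindings[r.SenderIP] = r.SenderMAC
	}
	return alerts
}

func main() {
	// Constructed sample: a camera (10.0.5.20) and the recorder (10.0.5.1)
	// announce themselves, then a third host claims both addresses.
	replies := []ARPReply{
		{"10.0.5.20", "00:1a:c5:10:20:30"},
		{"10.0.5.1", "00:1a:c5:00:00:01"},
		{"10.0.5.20", "00:1a:c5:10:20:30"},
		{"10.0.5.20", "de:ad:be:ef:00:01"},
		{"10.0.5.1", "de:ad:be:ef:00:01"},
	}
	for _, a := range DetectPoisoning(replies) {
		fmt.Printf("ARP conflict: %s was %s, now claimed by %s\n", a.IP, a.OldMAC, a.NewMAC)
	}
}
```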