The Coolest Hacks Of 2016

No 400-pound hacker here: Lightbulb and 'do-gooder' worms, machines replacing humans to hack other machines, and high-speed car hacking were among the most innovative white-hat hacks this year.

In a year when ransomware became the new malware and cyber espionage became a powerful political propaganda tool for Russia, it's easy to forget that not all hacking in 2016 was so ugly and destructive.

Sure, cybercrime and cyber espionage this past year turned the corner into more manipulative and painful territory for victims. But 2016 also had its share of game-changing "good" hacks by security researchers, with some creative yet unsettling ways to break the already thin-to-no defenses of Internet of Things things, as well as crack locked-down computers and hijack computer mice. Hackers even took a back seat to machines in the first-ever machine-on-machine hacking contest this summer at DEF CON.

So if you're still confused about that elusive "400-pound" hacker in his bedroom, or just sick of hearing about Bitcoin ransoms and fancy and cozy Russian "bears," here's a look at some of the coolest hacks by the good guys this year.

'MouseJack' Attack Bites Non-Bluetooth Wireless Mice
With a $15 dongle, researchers at Bastille were able to sniff traffic from PCs, Macs, and Linux machines that use non-Bluetooth wireless mice and keyboards, thanks to the unencrypted communications employed by seven different wireless dongle vendors.

The so-called "MouseJack" attack exploited nine vulnerabilities across devices from Logitech, Dell, HP, Lenovo, Microsoft, Gigabyte, and AmazonBasics. The researchers could take control of the input devices and ultimately infiltrate the machines and their networks — from a distance of 100 meters from the victim's machine.

MouseJack exploits wireless proprietary protocols that operate in the 2.4GHz ISM band and don’t encrypt communications between a wireless mouse and its dongle. An attacker then could spoof a mouse and insert his own clicks and inputs to the dongle, and generate keystrokes instead of mouse clicks on the victim’s computer.

"If an attacker sitting in the lobby of a bank could get the wireless dongles [via MouseJack], all of a sudden you’ve got an APT [advanced persistent threat] inside a bank," said Marc Newlin, the Bastille engineer who found the flaws that led to MouseJack. An attacker could install a rootkit, for instance, he noted.

Lights-Out Worm
Who needs to hack the power company when all it takes is one "smart" lightbulb rigged with a worm to spread to nearby lights within minutes? At Black Hat USA this summer, researcher Colin O'Flynn, who is CTO of NewAE Technology Inc., outlined work he and fellow researchers Eyal Ronen, Adi Shamir, and Achi-Or Weingarten conducted with the Philips Hue smart lighting system to demonstrate how a worm could be unleashed to turn out (or on) the lights in a city or local area, or even to wage a distributed denial-of-service attack.

"The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity," the researchers wrote in a research paper.

They wanted to illustrate how plugging in just one infected bulb anywhere in a city using the smart lights could then spread to adjacent lights throughout the city.

While the attack sounds simple on paper, it was actually quite sophisticated. The researchers discovered and exploited a vulnerability in the Touchlink element of the ZigBee Light Link protocol, and devised a type of side-channel attack to grab Philips' global AES-CCM key that encrypts and authenticates new firmware, so that they could inject their own firmware carrying the worm.

"To make such an attack possible, we had to find a way to remotely yank already installed lamps from their current networks, and to perform over-the-air firmware updates," they wrote.

Stuxnet's Silent Successor?
Stuxnet, the destructive attack that sabotaged and ultimately damaged centrifuges in Iran's Natanz uranium-enrichment facility, met its demise and was outed when the self-propagating worm spread outside the facility to other Windows machines.

A pair of researchers this year at Black Hat Europe in November demonstrated what they describe as a "silent" rootkit for the programmable logic controllers (PLCs) that control physical processes such as water and power in an industrial network. Researcher Ali Abbasi, a Ph.D. candidate in the distributed and embedded system security group at University of Twente, Netherlands, and Majid Hashemi, a system programmer and independent security researcher at the time of their research, say their rootkit, unlike Stuxnet, can't be detected. That's because their creation sits directly on the PLC, at a lower level of the system – in dynamic memory – where it's less likely to be spotted.

Abbasi and Hashemi's PLC rootkit manipulates the PLC I/O process, so if a plant's parameters require that a gate be opened to relieve pressure if a boiler temperature reaches 80 degrees Celsius, the rootkit attack could manipulate the temperature values and cause the boiler to overheat and explode, according to Abbasi. He says that "in PLCs, the I/O operations are one of the most important tasks." 

The attack basically exploits inherent security weaknesses in the PLC hardware.

Machines Hacking Machines (No Human Hacker Required)
DARPA hosted one of the most intriguing contests at DEF CON this year: the first-ever all-machine Capture the Flag contest. Teams of researchers brought their hacking machines to the ring to go at it in a live forum against the contest's testbed of challenges as well as their opponents' machines.

The so-called Cyber Grand Challenge featured high-performance autonomous systems – aka "cyber reasoning systems" – that were tasked with finding and fixing security flaws in the contest's air-gapped network.

Over 12 hours, seven teams, most of them affiliated with universities, watched their machines reverse-engineer binary software, write new intrusion detection system signatures to protect themselves from opposing teams, and patch and defend their own machines.

A machine called "Mayhem" won and the team, which has ties to Carnegie Mellon University, took home a $2 million prize for their efforts.

In case you're wondering how the machines did: six of the seven machines patched the contest's SQL Slammer flaw/flag, and six of the seven did the same with Heartbleed – all within a matter of minutes.

"This is a huge deal,” said "Visi," a white hat hacker who helped with the play-by-play commentary during the DEF CON contest. “In the past, patching these vulnerabilities took humans days and weeks of doing the work by hand."

An IoT Security 'Vigilante' Writes a Worm to Infect and Fix Lame Passwords
Weak, default passwords are notoriously common among Internet of Things devices. The danger of these passwords became painfully obvious with the arrival of the Mirai botnet, a bot army of IoT devices used to wage distributed denial-of-service (DDoS) attacks against a DNS domain provider this year.

So Leo Linsky, a software engineer and researcher with network monitoring company PacketSled, decided to take a more aggressive approach to securing All The Things: he wrote what he called an "anti-worm" worm that hacks into IoT devices using their default credentials and then changes their passwords to strong credentials. Linsky's vigilante worm was a proof-of-concept for academic purposes only, although he published the PoC on GitHub.

"The idea is to show that devices can be patched by a worm that deletes itself after changing the password to something device-specific or random," he wrote.

"Such a tool could theoretically be used to reduce the attack surface," he said, but should only be tested in closed research labs.

The worm caused some uproar, with ethical and legal concerns over how the worm could fail or get abused. But it also spurred discussion over more proactive ways to lock down vulnerable digital video recorders, routers, and IP cameras from Mirai and other threats.

"This is the cybersecurity equivalent of vigilante justice," Jonathan Sander, vice president of product strategy at Lieberman Software, told Dark Reading. "People love a vigilante while what they are doing works. The moment a vigilante does something wrong, however, the public tends to turn against them."

$5 'Poison Tap' Tool Hacks Locked Windows, Mac Machines
White-hat hacker Samy Kamkar built a Raspberry Pi-based tool for a mere $5 that can hijack Internet traffic from a password-locked computer. The so-called PoisonTap tool, which plugs into a USB port, installs a persistent Web-based backdoor on the Windows or Mac OS X machine.

It doesn't exploit a security bug; instead it abuses the inherent trust in USB, HTTP, DHCP, and DNS. PoisonTap basically emulates an Ethernet device so Windows and OS X automatically load it, even on a locked machine. The hack fools the machine into prioritizing it over the existing Internet connection.

"Normally it would be irrelevant if a secondary network device connects to a machine as it will be given lower priority than the existing (trusted) network device," Kamkar said. PoisonTap then gets all the network traffic and is able to intercept HTTP requests and steal cookies, for instance.

It's actually easy to defend against this attack, though: Kamkar says it doesn't work against HTTPS, for example, or against cookies that have the Secure flag enabled.
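The defenses Kamkar names translate into a simple check a site owner can run against their own responses. The following audit is an added example (not PoisonTap code and not Kamkar's) that parses Set-Cookie headers and reports cookies lacking the Secure flag, which a rogue network device could otherwise harvest by provoking plaintext HTTP requests; it also reports missing HttpOnly as a secondary finding. The sample headers are constructed.

```python
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie headers, one header value per entry,
# as a site might emit them; these are not from any real service.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",          # no Secure: sent over plain HTTP
    "csrftoken=xyz789; Path=/; Secure; HttpOnly",  # both flags present
    "prefs=dark; Path=/",                          # neither flag
]


def audit_set_cookie(header_value):
    """Return {cookie_name: [issues]} for a single Set-Cookie header value.

    'missing-secure'   -> browser will send the cookie over plaintext HTTP,
                          so a device sitting in the network path can read it.
    'missing-httponly' -> cookie is readable by script running in the page.
    """
    jar = SimpleCookie()
    jar.load(header_value)  # stdlib parser; flag attributes become True when present
    report = {}
    for name, morsel in jar.items():
        issues = []
        if not morsel["secure"]:
            issues.append("missing-secure")
        if not morsel["httponly"]:
            issues.append("missing-httponly")
        report[name] = issues
    return report


def audit_headers(header_values):
    """Audit every Set-Cookie header of one response; merge into one report."""
    merged = {}
    for value in header_values:
        merged.update(audit_set_cookie(value))
    return merged


def exposed_cookies(header_values):
    """Names of cookies that would be exposed to a PoisonTap-style device."""
    return sorted(name for name, issues in audit_headers(header_values).items()
                  if "missing-secure" in issues)


if __name__ == "__main__":
    for name, issues in audit_headers(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{name}: {', '.join(issues) or 'ok'}")
```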

Gone in 6 Seconds: A 'Frighteningly Easy' Visa Credit Card Hack
European researchers from the UK's Newcastle University devised a technique for bypassing the security features for online payments that allowed them to guess full credit-card details in six seconds.

The so-called Distributed Guess Attack nabs the credit or debit card number, security code, and expiration date of Visa payment cards, literally via guesswork.

The attack automatically generates and verifies different combinations, and exploits the reality that in many cases online sites have no way to detect multiple invalid payment requests by the same card on different sites. It also takes advantage of the fact that not all websites require the three-digit security code on the back of the Visa card, nor the address and other information.

An attacker then can get card details one field at a time by automatically generating and verifying various combinations. "The unlimited guesses, when combined with the variations in the payment data fields make it frighteningly easy for attackers to generate all the card details one field at a time," said Mohammed Ali, a PhD student in Newcastle University’s School of Computing Science.

The hardest part was getting the cardholder's address,

Visa, meanwhile, maintains that the research doesn't "take into account" fraud-prevention measures employed by the payments system.
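The weakness the Newcastle researchers describe is that no single merchant sees enough failed attempts to notice anything. The correlation that closes that gap has to happen where every merchant's authorization request converges, which is what the following added example (not part of the research or of any payment network's code) sketches: an issuer-side sliding-window detector that counts declines per card token across distinct merchants and raises an alert once a threshold is crossed. The log lines, tokens, merchant ids and thresholds are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed issuer-side authorization events (not real data):
# timestamp, card token (a surrogate, never the PAN), merchant id, result.
SAMPLE_LOG = """\
2016-12-01T10:00:01Z tok_4f1a merchant_A declined:bad_expiry
2016-12-01T10:00:02Z tok_4f1a merchant_B declined:bad_expiry
2016-12-01T10:00:03Z tok_9c2e merchant_A declined:bad_cvv
2016-12-01T10:00:04Z tok_4f1a merchant_C declined:bad_expiry
2016-12-01T10:00:05Z tok_4f1a merchant_D declined:bad_cvv
2016-12-01T10:00:06Z tok_9c2e merchant_A approved
2016-12-01T10:05:00Z tok_4f1a merchant_A declined:bad_cvv
"""


class GuessingDetector:
    """Correlate declines per card across merchants inside a sliding window.

    One merchant sees one failed attempt and cannot tell it from a typo;
    the issuer sees every merchant's attempt and can count them together.
    """

    def __init__(self, window=timedelta(seconds=120), max_merchants=3):
        self.window = window
        self.max_merchants = max_merchants
        self.declines = defaultdict(deque)  # token -> deque of (ts, merchant)

    def observe(self, ts, token, merchant, result):
        if not result.startswith("declined"):
            return None  # approvals do not feed the counter
        recent = self.declines[token]
        recent.append((ts, merchant))
        while recent and ts - recent[0][0] > self.window:
            recent.popleft()  # drop declines that aged out of the window
        merchants = sorted({m for _, m in recent})
        if len(merchants) >= self.max_merchants:
            return {"token": token, "declines": len(recent), "merchants": merchants}
        return None


def scan_log(text, detector=None):
    """Feed whitespace-separated log lines to the detector; return alerts."""
    detector = detector or GuessingDetector()
    alerts = []
    for line in text.splitlines():
        ts, token, merchant, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        alert = detector.observe(when, token, merchant, result)
        if alert:
            alerts.append(alert)
    return alerts
```

The last sample line shows the window at work: a decline five minutes later for the same token starts a fresh count rather than extending the earlier burst.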

Car Hackers Miller & Valasek Literally Accelerate their Epic Jeep Hack
Car hacking research is all the rage now and not much about gaping security holes in vehicles is really surprising anymore. But famed car hackers Charlie Miller and Chris Valasek this year still were able to top their epic 2015 remote-hack of the Jeep Cherokee traveling at low speed: this time, they hacked and wrested control of the Jeep's accelerator, brakes, steering, and electronic parking brake at more dangerous high speeds of travel.

Miller and Valasek wowed - and mortified - the industry with their 2015 hack recorded on video of how they could control the 2014 Jeep Cherokee's electronic functions while sitting on Miller's couch with their laptops 10 miles away. The hacks were limited to the Jeep traveling at about five miles-per-hour.

At Black Hat USA in August of this year, the pair "fine-tuned" their original hacks and tricked the Jeep's controls by impersonating CAN bus messages to it. "This is a new class of attacks against CAN messages," Miller said.

Unlike their previous live hack, when they remotely controlled the Jeep while Wired journalist Andy Greenberg was at the wheel, this time they physically plugged into the diagnostic port of the vehicle to hack it.

They spun the steering wheel 90 degrees while traveling at 60 mph in one attack, and were able to permanently immobilize the electronic parking brake. "We disabled all aspects of steering, so it’s super-hard to turn the wheel and even harder if you drive the car without steering [capability] … at any speed," Miller said.

But the researchers warned that their latest research doesn't just apply to the Jeep; other vehicles are vulnerable to this type of attack.

Jeep maker FCA US LLC said Miller and Valasek's attacks in reality would be difficult to pull off and would require "extensive technical knowledge" of the vehicle. "Based on the material provided, while we admire their creativity, it appears that the researchers have not identified any new remote way to compromise a 2014 Jeep Cherokee or other FCA US vehicles."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
