The Coolest Hacks of 2007 - Part II

Just when you thought it was safe to go back online, we offer a new round of offbeat attacks that might make you think twice

Bluetooth, taxicabs, printers, unlaunched browsers, toasters, and road signs: Each was hacked in the past year by inventive researchers whose curiosity got the best of them.

The coolest hacks are like that. They get a researcher thinking -- and then hacking -- outside the lines, to root out vulnerabilities and weaknesses in the flashing highway road sign or the unused Firefox browser application on your desktop.

Earlier this year, Dark Reading selected five of the coolest and most unusual hacks we covered in 2007 -- the ones that went beyond your everyday Windows vuln (think hacking truckers, car GPSes, and the stock exchange). (See The Five Coolest Hacks of 2007.)

But there are plenty more creative hacks out there that didn't get a mention in that article, so we decided to take a second look at last year's most unusual exploits: some we've covered, and some we haven't. Here they are, in no special order (with a tip of our hats to some Slashdot readers who weighed in with some hacks deserving of a mention).

Hacked highway signs
Drivers in Sydney, Australia got a bit of surprise in December when a "Police Now Targeting Speeding" flashing digital sign on the Roseville Bridge was hacked to read: "You have been 1337 h4x0r3d...Police now target'g sign hackers."

No word on the hackers and their wireless methods behind the defaced sign, which was documented on YouTube.

Cross-site printing
Printer spam isn’t something you worry about every day, but one researcher has released a proof of concept for a printer hack using JavaScript that lets an attacker remotely "own" an intranet printer for spamming or other nefarious purposes. (See The Five Coolest Hacks of 2007.)

"This kind of added insult to injury: We saw that intranet hacking was possible, and now [attackers] can go after printers to make them perform printer-spamming," says Jeremiah Grossman, CTO of WhiteHat Security, who has done some intranet hacking research of his own.

The attack requires that a user visit a malicious Website that contains the "bad" JavaScript. Then the attacker can use an HTTP Post command to print to the victim's internal networked printer, and even send faxes. "Since most printers don’t have any security set, it is possible to print anything, control the printer, change the print settings and even send faxes," Weaver writes in his paper on the hack.

Burnt by your toaster
Another researcher took a different spin on the legendary toaster hack: But this time, the toaster isn't the hackee, it's the hacker. Dror Shalev, a researcher and security expert who works at Check Point Software in Israel, wrote some code and networked the software with the toaster over a wireless connection. (See Man Uses Toaster to Hack Computer.)

“As soon as the toaster is plugged, the software is activated before it breaks into the user’s computer system. The same software prototype can be networked with any home appliance for stealing the Web secrets,” he said. “With wireless technology available, there is no need for connecting the appliance with the computer.”

Unused but abused browsers
Ask Web app security guru Grossman what one of the coolest Web application security hacks of the year was, and he says the URI handler vulnerabilities discovered by Nathan McFeters and Billy Rios. Grossman says the hacks, which made his Top 10 Web Hacks of 2007 list, were mostly underestimated and are "interesting and dangerous."

McFeters and Rios basically found that they could use Internet Explorer to send URL data to a Firefox app that was sitting idle on machine and not running. "We can supply [it] with a URL... that would then execute arbitrary commands on their OS," McFeters says. "We're talking cross-site scripting as not just about stealing cookies. We're taking control of the victim's computer."

The actual flaw lies in how the operating system (and it's not just Windows, McFeters says) calls a registered URL. "It allows the attacker to communicate through a browser or any app that recognizes URLs with underlying programs it couldn’t [normally] reach," he says. The URL becomes a command on the OS, he says, leaving an attacker a frightening opening into the system and network.

Bluetooth-sniffing via a USB stick
Bluetooth hacking traditionally has been a pricey endeavor, with tools costing around $10,000. But a pair of European researchers looking to make Bluetooth hacking cheap and easy, built a prototype Bluetooth sniffer last year based on a $30 USB dongle. (See Hacking Bluetooth With a USB Stick , New Hacking Tools Bite Bluetooth, and Bluetooth Security Worse Than WiFi.)

The device is based on a Cambridge Silicon Radio (CSR) chip-based USB dongle, flash memory, and Bluetooth 2.X technology. It lets you eavesdrop on a Bluetooth communication session, and combined with a Bluetooth PIN-hacking tool created by one of the researchers -- Thierry Zoller, security engineer for n.runs -- an attacker can access encrypted data and control any Bluetooth devices. The second researcher, Max Moser, founder of, and security analyst and tester for Dreamlab Technologies, spearheaded the development of the USB sniffer.

Cracking wireless devices is all the rage lately. Penetration testing firm Secure Network Technologies Inc., for instance, recently found that those wildly popular wireless headsets are easily hackable. (See Hacking Wireless Headsets.) The firm's hackers-for-hire used a radio scanner and were able to listen in on the employees' conversations from across the street, and digitally record them. Their conclusion: Wireless headsets in your office are actually bugging your office.

Hacking the taxi
An artist and software engineer riding a taxi in New York City in December noticed an error message on the touch-screen video monitor in the back seat. Within a few short minutes, Billy Chasen gained administrative access to the entire taxi PC.

Chasen was able to interact with the error message, and after drilling down a bit was able to access "File -- Open," in the Windows operating system. "It was not only a security flaw, but people also pay with the screen if they use a credit card. That information could potentially be stored locally," Chasen wrote in his blog. He also got an Internet connection via dial-up on the machine (these taxi computers run news segments, ads, and a GPS map). He says he could have installed onto the machine any software that he had online.

"You’re essentially giving strangers access to a computer that is shared with hundreds of customers," he says in his blog. "It also isn’t far-fetched for anyone to do what I did. It was pretty simple."

VeriFone, the supplier of the taxi computers, later said that there may have been a glitch in a software update that was being downloaded to the taxis.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Editors' Choice
Kelly Jackson Higgins 2, Editor-in-Chief, Dark Reading