The Five Coolest Hacks of 2007

Nothing was sacred - not cars, not truckers, not even the stock exchange

Hackers are creative folk, for sure. But some researchers are more imaginative and crafty than others. We're talking the kind of guys who aren't content with finding the next bug in Windows or a Cisco router. Instead, they go after the everyday things we take for granted even more than our PCs -- our cars, our wireless connections, and (gulp) the electronic financial trading systems that record our stock purchases and other online transactions.

Not that there's anything wrong with a new Windows or Vista flaw. But you can't help but secretly admire the ingenuity and persistence it takes to hack something that we hadn't thought of as hackable -- or that we just didn't want to think of as hackable. These are the kinds of hacks that pierce the mainstream consciousness: Your mom's eyes may glaze over when you warn her about the risk of her PC becoming a bot, but you can bet you'll have her full attention when you show how a hacker could redirect her brand-new car navigation system to a deserted dead-end street far from her intended destination.

We've selected five of the coolest hacks we covered here at Dark Reading in 2007 -- unusual vulnerabilities that were exposed and exploited this past year by researchers who don't just do Windows. So raise your glass to some innovative, and sometimes wacky, hacks that we won't soon forget (nor maybe will Mom):

The car navigation system

A pair of Italian researchers earlier this year drove right through holes they discovered in some car navigation systems -- vulnerabilities that would let an attacker inject phony messages into the system or launch a denial-of-service attack against it. (See Hacking the Car Navigation System.)

Andrea Barisani, chief security engineer of Inverse Path, and Daniele Bianco, hardware hacker for Inverse Path, built tools for hacking satellite-based navigation systems that use Radio Data System-Traffic Message Channel (RDS-TMC) to receive traffic broadcasts and emergency messages. RDS-TMC is popular in vehicle navigation systems sold in Europe, and has been catching on in North America as well.

RDS-TMC provides broadcasts on traffic conditions, accidents, and detours for the driver. Its main weakness: It doesn't authenticate the source of the traffic messages it receives, the researchers say. That leaves the door wide open for a bad guy to reroute drivers onto a bogus detour, or to overwhelm the receiver with a denial-of-service attack, killing the navigation system as well as the car's climate-control system and stereo.

The researchers tested their hardware and software tools within a one- to five-kilometer radius of the targeted vehicles, but they say an attacker could target a specific vehicle by adding a directional antenna, for instance. The good news is there are some emerging navigation-system technologies that may be safer -- including one that will include encryption, although that's at least five years out.

So how can you tell if your navigation system has been hacked? There's not much you can do until it's too late and your AC and stereo are out, and you're sitting on a hot and dusty, deserted road nowhere near Starbucks.

WiFi 'sidejacking'

First it was the Ferret, then the Hamster: WiFi will never be safe again. Researcher Robert Graham, CEO of Errata Security, wowed (and in some cases, shamed) the Black Hat DC and Las Vegas crowds this year with live hacks of attendees who dared to use the WiFi network unprotected, using his homegrown tools that sniff WiFi traffic out of the air and grab what they find.

Yes, some of us got a firsthand lesson in "it can't happen to me." (See Joke's on Me.) As I checked my email during a session at Black Hat DC last February, little did I know that as Graham and colleague David Maynor were demonstrating Ferret next door, the tool was blasting my username and password up on the screen for all to see.

But Graham turned his WiFi hack up a notch in Vegas in August with a more powerful version of Ferret, called Hamster, that "sidejacks" machines using WiFi and accesses their Web accounts. Hamster grabs users' Gmail, Yahoo, and other online accounts: It clones the victim's cookies by sniffing their session IDs, then uses those cookies to control the victim's Website accounts. (See 'Sidejacking' Tool Unleashed.)

"You can be in a café and see a list of people browsing [over WiFi]. And you can hijack and clone their Gmail system," for example, Graham says. And it's very easy to do, he says.

Hamster doesn't hack passwords, just the cookies and URL trail left behind by a WiFi user. The attacker then can pose as the victim and read, send, and receive email on his or her behalf. It does not, however, see the victim's actual email messages (phew).

Interestingly, Graham had a little trouble finding many users in Vegas who dared to go WiFi unprotected. Still, he recommends logging out of your Web session to wipe out your cookie trail when you're using WiFi.
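Sidejacking works because a session cookie sent over plain HTTP is visible to anyone on the same WiFi network, and a persistent cookie stays usable until it expires or the user logs out. The following is an added example, not code from the article or from Errata Security: a small audit of Set-Cookie headers (the headers and cookie names are constructed) that flags session cookies a sidejacker could copy or replay.

```python
import re

# Constructed sample Set-Cookie headers (not captured traffic): the first site sets
# its session cookie without the Secure flag, so a browser also sends it over plain
# HTTP where a sniffer on open WiFi can copy it; the second site sets it properly.
SAMPLE_HEADERS = {
    "weak": [
        "Set-Cookie: SID=7f3a9c; Path=/; Domain=.mail.example; Expires=Wed, 31 Dec 2008 23:59:59 GMT",
        "Set-Cookie: prefs=compact; Path=/",
    ],
    "hardened": [
        "Set-Cookie: SID=7f3a9c; Path=/; Secure; HttpOnly",
    ],
}

# Cookie names that usually carry a login session (a heuristic assumed by this example)
SESSION_NAME = re.compile(r"sess|sid|auth|token|login", re.I)

def parse_set_cookie(header):
    """Return (name, value, {attribute_lower: value}) for one Set-Cookie header line."""
    _, _, raw = header.partition(":")
    parts = [p.strip() for p in raw.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def audit_session_cookies(headers):
    """Flag session cookies a sidejacker could sniff or replay; an empty list means clean."""
    findings = []
    for header in headers:
        if not header.lower().startswith("set-cookie:"):
            continue
        name, _, attrs = parse_set_cookie(header)
        if not SESSION_NAME.search(name):
            continue
        problems = []
        if "secure" not in attrs:
            problems.append("no Secure flag: the cookie is also sent over plain HTTP")
        if "expires" in attrs or "max-age" in attrs:
            problems.append("persistent: a copied cookie stays valid until expiry or logout")
        if problems:
            findings.append((name, problems))
    return findings
```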

Eighteen-wheelers

Truckers are sleep-deprived enough without having to worry about their load of plasma TVs, tagged with RFID-based electronic product codes (EPCs), getting hacked while they park and snooze at a truck stop. But researchers from PacketFocus Security Solutions have shown that's a very real threat. (See Hacking Truckers.)

PacketFocus, along with some researchers at Atlas RFID Solutions, read EPC codes using standard EPC Generation 2 readers and antennas on an 18-wheeler they rented from a local freight company. They loaded the rig with EPC-tagged boxes to test just what data could be intercepted from it, and found it was easy to scan and hack information off the labels.

Joshua Perrymon, hacking director for PacketFocus, and his colleagues used off-the-shelf tools to hack the freight information. "We are showing you can do this with off-the-shelf products, and you don't have to be a super-hacker" to get EPC data off a tractor-trailer, Perrymon says.

EPC provides more detailed information about a product than a standard bar code, with unique tags for each item to improve inventory and shipment tracking. But that information could also fall into the hands of a malicious competitor or criminal: "Each product has its own EPC number," he says. "If a company is using EPC numbers, we can sit outside the tractor-trailer and scan them, reference them with known EPC numbers, and know the inventory of what's on that trailer."

Aside from the obvious danger of this information falling into a competitor's hands, criminals could sniff the 18-wheeler's payload to better target their holdups: "Unless they had a lot of inside information, they don't have enough information to rob that truck," Perrymon says. "Now they can scan it if it's not secure -- they don't want to rob that toilet paper truck, but if it's got plasma TVs with surround sound, [that's their] target."
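The reason a passive read gives away so much is that the EPC memory bank of a Gen 2 tag holds the identifier in the clear in a published layout. The decoder below is an added example, not PacketFocus's or Atlas RFID's code: it unpacks the SGTIN-96 encoding (header 0x30, filter, partition, company prefix, item reference, serial) into a GTIN plus serial, and totals the constructed sample tags (fictitious company prefix 1234567) into the per-product manifest Perrymon describes.

```python
# Partition table from the EPC Tag Data Standard for SGTIN-96:
# partition -> (company-prefix bits, its digits, item-reference bits, its digits)
SGTIN96_PARTITIONS = {
    0: (40, 12, 4, 1), 1: (37, 11, 7, 2), 2: (34, 10, 10, 3), 3: (30, 9, 14, 4),
    4: (27, 8, 17, 5), 5: (24, 7, 20, 6), 6: (20, 6, 24, 7),
}

def gtin14(cp_digits, ir_digits):
    """Rebuild the GTIN-14 from company prefix and item reference (whose first digit is the indicator)."""
    body = ir_digits[0] + cp_digits + ir_digits[1:]          # 13 digits
    total = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(body))
    return body + str((10 - total % 10) % 10)                # append the check digit

def encode_sgtin96(filter_value, partition, company_prefix, item_reference, serial):
    """Pack an SGTIN-96 as 24 hex digits; used here only to construct sample tags."""
    cp_bits, _, ir_bits, _ = SGTIN96_PARTITIONS[partition]
    bits = (0x30 << 88) | (filter_value << 85) | (partition << 82)
    bits |= (company_prefix << (38 + ir_bits)) | (item_reference << 38) | serial
    return f"{bits:024X}"

def decode_sgtin96(epc_hex):
    """Unpack a 96-bit SGTIN as read from a tag's EPC bank: there is nothing to decrypt."""
    bits = int(epc_hex, 16)
    partition = (bits >> 82) & 0x7
    if len(epc_hex) != 24 or bits >> 88 != 0x30 or partition not in SGTIN96_PARTITIONS:
        raise ValueError("not a well-formed SGTIN-96")
    cp_bits, cp_digits, ir_bits, ir_digits = SGTIN96_PARTITIONS[partition]
    cp = str((bits >> (38 + ir_bits)) & ((1 << cp_bits) - 1)).zfill(cp_digits)
    ir = str((bits >> 38) & ((1 << ir_bits) - 1)).zfill(ir_digits)
    return {"filter": (bits >> 85) & 0x7, "gtin": gtin14(cp, ir),
            "company_prefix": cp, "item_reference": ir, "serial": bits & ((1 << 38) - 1)}

def inventory(tags):
    """Count items per GTIN: the trailer manifest that tag reads alone reveal."""
    counts = {}
    for tag in tags:
        gtin = decode_sgtin96(tag)["gtin"]
        counts[gtin] = counts.get(gtin, 0) + 1
    return counts

# Constructed sample tags: five cartons of one product and two of another,
# each carton carrying its own serial number
SAMPLE_TAGS = [encode_sgtin96(1, 5, 1234567, 100001, s) for s in range(1, 6)] + \
              [encode_sgtin96(1, 5, 1234567, 200002, s) for s in (7, 8)]
```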

'Hacking capitalism'

The financial services industry is typically on the leading edge when it comes to adopting new security technologies and standards. But researchers at Matasano Security this year revealed that one of the most popular application-layer protocols used by financial services firms, stock exchanges, and investment banks for automated financial trading has some serious security holes. (See 'Hacking Capitalism'.)

Applications written to the FIX (financial information exchange) protocol can be vulnerable to denial-of-service, session-hijacking, and man-in-the-middle attacks over the Internet -- and could let an attacker "watch" transactions, according to David Goldsmith, CEO of Matasano Security, who discussed these issues at Black Hat USA in August.

Even scarier is that an attack on a FIX-based app could be silent and by the time it's detected, it may be too late. "If a hacker was monitoring or viewing [the transactions], you may never know they are there," Goldsmith says. "[He] could take that information and use it to their advantage for insider trading... or to cause significant financial damage."

Security tools are mostly ineffective for protecting financial systems from this type of attack, although Goldsmith recommends strong firewalls and external session-layer encryption. But an IDS or a vulnerability scanner isn't going to find FIX bugs, he says, and because these systems are mission-critical and can't be taken offline for testing, it's even difficult to search for vulnerabilities in them.

Goldsmith wouldn't reveal details on the actual vulnerabilities he and his colleagues found in FIX, but he says financial firms should revisit how they secure these applications, looking at changing passwords, for instance.
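One structural reason external session-layer encryption matters, which the article's advice implies but does not spell out: FIX's own trailer is a CheckSum (tag 10) that is merely a byte sum modulo 256, so it detects corruption but gives no tamper evidence or confidentiality. This added example, written for this page and not Matasano's code, builds and validates a FIX tag=value message (a constructed New Order Single, not any venue's traffic) and shows that an altered copy validates again once BodyLength (9) and CheckSum (10) are recomputed.

```python
SOH = "\x01"  # FIX field delimiter (ASCII 0x01)

def fix_checksum(data):
    # CheckSum (tag 10) is the byte sum mod 256: it catches line noise, not deliberate edits
    return sum(data.encode("ascii")) % 256

def build_fix(begin_string, msg_type, body):
    """Assemble a FIX message, computing BodyLength (9) and CheckSum (10)."""
    payload = f"35={msg_type}{SOH}" + "".join(f"{t}={v}{SOH}" for t, v in body)
    head_and_body = f"8={begin_string}{SOH}9={len(payload)}{SOH}" + payload
    return head_and_body + f"10={fix_checksum(head_and_body):03d}{SOH}"

def parse_fix(msg):
    """Split a FIX message into ordered (tag, value) pairs, validating 9= and 10= first."""
    if not msg.startswith("8=") or not msg.endswith(SOH):
        raise ValueError("not a FIX message")
    fields = [tuple(f.split("=", 1)) for f in msg[:-1].split(SOH)]
    if any(len(f) != 2 for f in fields):
        raise ValueError("malformed tag=value field")
    tags = [t for t, _ in fields]
    if tags[:2] != ["8", "9"] or tags[-1] != "10":
        raise ValueError("8= and 9= must lead and 10= must close the message")
    body_start = msg.index(SOH, msg.index(SOH) + 1) + 1   # first byte after "9=...<SOH>"
    trailer = msg.rindex(SOH + "10=") + 1                  # where "10=" begins
    if int(fields[1][1]) != trailer - body_start:
        raise ValueError("BodyLength mismatch")
    if int(fields[-1][1]) != fix_checksum(msg[:trailer]):
        raise ValueError("CheckSum mismatch")
    return fields

def recompute_trailer(msg, tag, new_value):
    """Change one field of a valid message and regenerate 9= and 10=: the result validates
    again, which is why the checksum is no substitute for encrypting the session."""
    fields = parse_fix(msg)
    body = [(t, new_value if t == tag else v)
            for t, v in fields if t not in ("8", "9", "35", "10")]
    return build_fix(fields[0][1], dict(fields)["35"], body)

# Constructed sample: a New Order Single (35=D) buying 100 shares of a fictitious symbol
NEW_ORDER = build_fix("FIX.4.2", "D", [
    ("49", "BUYSIDE"), ("56", "EXCHG"), ("34", "2"), ("52", "20071218-14:51:00"),
    ("11", "ORD-1"), ("55", "XYZ"), ("54", "1"), ("38", "100"), ("40", "1"),
])
```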

iPhone

Hacking and bypassing the iPhone's exclusive service with AT&T was all the rage when the new device first got into users' palms this year, but it wasn't until researcher HD Moore added an iPhone hacking module to the Metasploit penetration testing tool that the real iPhone hacking could begin. (See Metasploit Adds iPhone Hacking Tools and i Caramba! iPhone Hacked Already.)

Moore released an Apple iPhone shellcode for Metasploit 3.0 in September, with "payloads" for writing exploits using the wildly popular Metasploit framework. "The addition of iPhone payloads to Metasploit makes it easy for a researcher to write exploits," Moore says. "The payloads also provide an example of how to develop new shellcode for the iPhone, which could accelerate exploit development for the platform."

He had a little fun with it, too, creating a payload that lets you make a victim's phone vibrate. But the other payloads are no laughing matter -- they can give the attacker remote shell access. Moore also wrote some exploit modules for the iPhone.

The powerful stuff, of course, comes with the rootkits that attackers could use on an iPhone. "A rootkit takes on a whole new meaning when the attacker has access to the camera, microphone, contact list, and phone hardware. Couple this with 'always-on' Internet access over EDGE and you have a perfect spying device," Moore said in a Metasploit blog post.

Moore, who is also director of security research for BreakingPoint Systems, says he added the iPhone hacking tools for Metasploit in hopes that it would help researchers discover new attack vectors on the smart phone. Meanwhile, iPhone hacking has made many a 2008 threat prediction list -- so look out in the new year.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...