
Threat Intelligence

12/30/2019
09:00 AM

The Coolest Hacks of 2019

A FaceTime fail, weaponized sound, a 'Prying Eye,' and a wearable fingerprint ring were among the more novel and odd hacks this year.

In a year punctuated by endless reports of leaky cloud storage buckets, firmware flaws, and the resurgence of ransomware into a full-blown epidemic, security researchers still found innovative hacks to keep one step ahead of cybercriminals and (maybe) nation-states.

They weaponized sound, hijacked building automation systems, and found security holes in the Boeing 787 airplane's on-board network. Internet of Things devices and mobile apps continued to be a pathetically easy mark for vulnerability hunters, but it was an accidental finding by a 14-year-old Fortnite gamer that rocked the mobile sector: a flaw in Apple iOS's Group FaceTime app that activated the microphone on an iPhone even if the user didn't answer the call.

And in a creepy but creative project on the defender side, security researchers teamed up with a jeweler to develop a wearable ring that stores a user's "fingerprint" for authenticating to biometric systems.

So take a break from sifting through the false positives and stressing over the elusive needle in the haystack, and peruse some of the most creative hacks by security researchers that we covered this year on Dark Reading.

FaceTime Fail

Grant Thompson was doing what many teenagers do when they game together online: the Tucson, Ariz., 14-year-old was getting his friends together for Fortnite on a group call, using Apple's Group FaceTime feature. After trying to ring one friend via FaceTime who didn't pick up and then adding a second friend to the call, he was able to hear the microphone of his first friend, even though the boy hadn't picked up. He could hear the ringing sound on the first friend's phone, he told NBC News.

Grant's mom tried to reach out to Apple support via Twitter, and word of the bug soon began to spread online, along with handy how-to's on exploiting it. Security experts warned iOS users to immediately disable FaceTime on their devices, and Apple subsequently disabled the Group FaceTime service. The company later issued updates, iOS 12.1.4 and MacOS Mojave 10.14.3, for the flaw, and gave Thompson an official acknowledgement for his find. Apple described it as a logic issue in how Group FaceTime handles calls.

Grant's opportune catch even earned him the coveted Pwnie Award for Best Client-Side Bug, along with software developer Daven Morris, 27, of Arlington, Texas, who separately reported the bug to Apple a few days after Thompson and his concerned mom did in January. "Exploiting this issue required no heap manipulation or even understanding what a CPU or a buffer is," the judges said in nominating Thompson and Morris. "Don't look up how old Grant Thompson was when he found this. It'll make you insecure," they added.

Noise Hack

Researcher Matthew Wixey calls them acoustic cyber weapons: the PwC UK researcher wrote custom malicious code that forces Bluetooth- and Wi-Fi-connected embedded speakers to emit painfully high-volume sound, or even high-intensity sound at inaudible frequencies, at levels that can damage the speakers - and the ear.

The research was part of his PhD work at UCL, and he described it as an example of cyber-physical malware.

Wixey was able to hack into volume controls for various speaker devices - including a laptop, mobile phone, smart speaker, Bluetooth speaker, and headphones - that could irritate or hurt hearing in humans with just a short exposure period, and even destroy or damage the speakers themselves. He reported his findings to the affected device makers, whose names he didn't disclose.

No human ears were tested in his research for obvious reasons, but he and his team did find that a component in a smart speaker burnt and ultimately permanently damaged the speaker after just 10 minutes of testing frequencies.

'Prying Eye'

Just how secure is your online videoconference, anyway? Well, if you forgo passcode protection, you could be inviting trouble.

Researchers from Cequence discovered a major vulnerability in the wildly popular Cisco Webex and Zoom online meeting platforms that could allow an attacker to scan for and attend videoconference meetings set up without password protection.

The so-called Prying Eye flaw could be exploited in an enumeration attack, in which an automated client cycles through the numeric or alphanumeric sequences used to identify meetings on the public Internet until it finds ones that exist. The researchers created a bot using the Web conferencing platforms' APIs to find Webex and Zoom meeting IDs and then join, view, or listen in.

But the good news is that even if an attacker was able to sneak into a meeting via a Prying Eye attack, he or she would likely be found out, since attendees are announced when they join meetings.

Cisco and Zoom both issued fixes for the issue and provided more stringent password-use settings for online meetings.
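The enumeration pattern described above leaves a recognisable trace on the conferencing provider's side: one client looking up many distinct meeting IDs in quick succession, most of which do not exist. The detector below is an added example written for this article, not code from the original piece or from Cequence, Cisco or Zoom. The log format, the field names and the thresholds (at least 10 distinct IDs with 80% or more failed lookups inside a five-minute window) are assumptions, and the sample log lines are constructed.

```python
"""Flag clients whose meeting-ID lookups look like enumeration.

Added example for the Prying Eye section; the log format, field names and
thresholds are assumptions, not the providers' real API logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _build_sample_log():
    """Constructed sample log: one normal user and one bot cycling through IDs."""
    lines = [
        "2019-10-01T09:00:00 client-A 123456789 ok",
        "2019-10-01T09:30:00 client-A 987654321 ok",
        "2019-10-01T10:15:00 client-A 123456789 ok",
    ]
    for i in range(12):  # 12 consecutive IDs, one second apart, only the last exists
        result = "ok" if i == 11 else "not_found"
        lines.append(f"2019-10-01T09:05:{i:02d} scanner-7 {500000000 + i} {result}")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    """Split one 'timestamp client meeting_id result' line (assumed format)."""
    ts, client, meeting_id, result = line.split()
    return datetime.fromisoformat(ts), client, meeting_id, result


def find_enumerators(log_text, window=timedelta(minutes=5), min_ids=10, min_miss_ratio=0.8):
    """Return {client: stats} for clients whose lookups, inside any sliding
    window of length `window`, touch at least `min_ids` distinct meeting IDs
    with a share of failed lookups of at least `min_miss_ratio`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, client, meeting_id, result = parse_line(line)
            events[client].append((ts, meeting_id, result))

    flagged = {}
    for client, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the window spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            distinct = {meeting_id for _, meeting_id, _ in win}
            misses = sum(1 for _, _, result in win if result != "ok")
            ratio = misses / len(win)
            if len(distinct) >= min_ids and ratio >= min_miss_ratio:
                best = flagged.get(client)
                # Keep the widest window seen for this client.
                if best is None or len(distinct) > best["distinct_ids"]:
                    flagged[client] = {"distinct_ids": len(distinct), "miss_ratio": ratio}
    return flagged


if __name__ == "__main__":
    for client, stats in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {stats['distinct_ids']} distinct IDs, "
              f"{stats['miss_ratio']:.0%} lookups failed")
```

The high miss ratio is what separates a scanner from a busy legitimate user: a real attendee looks up a handful of IDs and nearly all of them resolve, while a bot walking the ID space fails on almost every probe. As the section notes, the primary fix is still a password on the meeting; this kind of provider-side signal only limits how long an unprotected meeting can be hunted for.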

Building a Building Worm

For about $12,000 in code development costs and building automation system equipment, researcher Elisa Costante and her team from ForeScout developed an attack framework that included a worm, first infecting an IP camera and then spreading to the PLC that controls building automation system processes. The researchers wanted the malware to be stealthy and untraceable via forensics investigations.

The hack exploited a buffer overflow vulnerability in the Windows-based workstation and could, for instance, be used by an attacker to open up restricted physical access to a specific area in a building. But an attacker could just as well have used any of the other 10 security flaws in popular BAS systems - including protocol gateways, and PLCs for HVAC and access control - that the team had pinpointed.

Building systems often don't fit neatly into a cybersecurity strategy, and they rarely get software updates or security checks. Nor does IT typically have access to them. "They're not behind the firewall or [part of] ICS ... and they're not run by IT. It's a little group doing their own thing," said Dale Peterson, CEO of Digital Bond.

It's typically older equipment with dated software, too. "You still have a lot of [BAS] devices running on old firmware," Costante said.

'Mac-O' Attack

Apple Mac users often harbor a false sense of security. Take code injection attacks: Windows machines are more prone to this breed of attack than the MacOS, where this threat hardly registers on the radar screen. But researchers from Deep Instinct shook the Mac world earlier this year with a hack that employs code injection - using a customized Mach-O loader. Mach-O is the format used by MacOS and iOS for executable files.

Shimon Oren, head of threat research at Deep Instinct, dubbed the attacks Hook-Inj, after the remote-process hooking method they employ to run code remotely. There's no vulnerability in Mach-O per se; the attacks basically abuse its functions and bypass detection by multiple MacOS security tools.

"Right now if an attacker wants to use these mechanisms, there is no solution in the marketplace that can protect against it," Oren told Dark Reading in April when he went public with his research.

Bad news: there's no vuln for Apple to patch. "In general, the whole code injection execution area is still somewhere that's more in the courts of security vendors than in the courts of the operating system vendors," Oren said.

787

Security researcher Ruben Santamarta was shocked when he came across an exposed Boeing server online last year that contained firmware specifications for Boeing's 787 and 737 plane networks. Santamarta, who had been studying airplane cybersecurity for years, reverse-engineered the binary code and studied the configuration files. He found that the firmware, a version of VxWorks in a Honeywell network component, harbored multiple security flaws that could give an attacker remote access to the sensitive avionics network on the plane.

But Boeing pushed back hard when Santamarta went public with his findings at Black Hat USA this summer, arguing that its network defenses would block any such attack and potential threat to its avionics system. That, even after Santamarta and his company IOActive had worked closely with Siemens on the disclosure process and analysis of the findings.

Santamarta had framed his research with the caveat that the ultimate effect on the avionics system is unclear without him getting access to an actual 787 aircraft. Even so, he argued, an attacker exploiting the firmware could bypass security controls on the network and reach the avionics network. He or she then could attempt to update firmware of avionics systems, for instance.

Lord of the Ring

Fingerprint biometrics are increasingly becoming more mainstream thanks to Apple's fingerprint authentication option on some of its iPhones, but security experts worry about privacy and security risks of lost or "lifted" fingerprint data. That's what inspired researchers at Kaspersky to design a wearable ring with a stone that stores your unique "fingerprint" for authenticating to biometric systems.

The ring, which the security firm co-developed with a 3D accessory designer, is just a prototype aimed at raising awareness of security risks in biometrics. The stone stores a unique fingerprint made from conductive fibers embedded in a rubber compound: a smartphone reads the stone, which is (eek) the shape and texture of a finger.

"That ring can be used to authenticate the user with biometric systems, such as a phone or a smart home door lock. And if the data of the ring fingerprint leaks, the user can block this particular ring and replace it with a new one — and their own unique biometric data won't be compromised," the company said in a blog post announcing it.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.

Comments

amir1einav (User Rank: Apprentice), 1/13/2020 | 9:25:26 AM
IoT dominates this list
Indeed 4 out of the 6 "cool" hacks are looking at actual product security issues.

This is aligned with the trend: the proliferating IoT scene is where hackers are finding the blind spot of the enterprise and consumer.

Some hacks here are "for show" but some clearly indicate the risk of product security: it provides access into the data center and it can impact life and business continuity.
Kelly Jackson Higgins (User Rank: Strategist), 12/31/2019 | 7:39:07 AM
Re: Lord of the Ring
I confess that at first I thought it was an out-of-band April Fool's prank, but they really did build this prototype. Creepy yet cool at the same time.
RyanSepe (User Rank: Ninja), 12/30/2019 | 1:33:55 PM
Lord of the Ring
This is an interesting premise but still falls into the "What you have" portion of authentication even if it contains a subset of "What you are" (biometrics).

I'd be interested to see how heavily this would be adopted in light of other mechanisms we carry around for MFA that don't require an additional piece.

RyanSepe (User Rank: Ninja), 12/30/2019 | 1:30:05 PM
FaceTime Fail
This was an interesting one that could definitely have been used for spying if it had fallen into more nefarious hands.