12/17/2008
10:01 AM
Connect Directly
Google+
Twitter
RSS
E-Mail

The Five Coolest Hacks Of 2008

Not even your psyche was safe from hacking this year -- hackers found holes in the highway toll system, building security -- and, yes, your head



Hacks are a dime a dozen. But the hacks that stand out are the innovative and imaginative ones that infiltrate and haunt our daily lives -- the ones that make you think twice before you zip through the electronic toll fast-lane on the highway, scan your fingerprint on your office building's entry system, or post your status on Facebook for fear that an attacker is lurking and able to abuse your privacy on these systems.

Sure, your iPhone might get cracked someday, and your Website could get temporarily knocked offline by a denial-of-service (DoS) attack. But what if an attacker used your own iPhone to hack you, or used a special kind of DoS attack to shut down your hardware permanently? That's the kind of ingenuity we're talkin' about.

We've selected five of the coolest hacks we covered here at Dark Reading in 2008 -- unusual and sometimes off-the-wall vulnerabilities that were exposed and exploited this past year by researchers who, driven by their curiosity and imagination, had some fun (possibly at your expense), but all for the ultimate purpose of making daily life more secure. So read on -- and don't stop looking over your shoulder.

Contents:

1. Highway to Hell: the electronic toll system hack
2. Psyche-cracking
3. iPhone as a hacking tool
4. Permanent denial-of-service
5. "Gecko" and the building system hack

Next: Highway to Hell: hacking the electronic toll system



Highway To Hell: The Electronic Toll System Hack

Researcher Nate Lawson wasn't about to slap one of those popular RFID-based FasTrak toll tags on his windshield for prepaying highway tolls in the San Francisco Bay Area until he knew for sure just what private information could be exposed. So Lawson did what any good hacker would do: He ripped the tag apart and studied the innards.

"The thing that motivated me to take the transponder apart was that [California transportation officials] added onto the system an information line to get information about Bay Area traffic...it provides really accurate drive times to the airport, etc. They added readers for the transponders all over light poles on the highways," says Lawson, principal with Root Labs. "So in real-time, they are tracking all cars going past [with FasTrak tags]. Most likely, [the data] appears there for a while, so the transponder is subject to hacking." It coulod also be subpoened in court, he adds.

After reverse-engineering the FasTrak tag, Lawson discovered it had some major security holes (like no encryption) that left it vulnerable to sniffing, cloning, and surreptitious tracking of a driver's movements.

The FasTrak transponder basically contains the user's unique identification code, which is tied to back-end servers that store the driver's toll balance and other financial and personal data. There's a placeholder of sorts for an encryption key, but no sign of encryption. "It amazes me there has not already been widespread fraud, cloning, and selling of 'free transponders' that [were hacked and reprogrammed]," he says. "There's nothing there technically to prevent it."

Lawson also is looking at whether malware could be inserted on a FasTrak transponder. "Because of the proprietary extensions [the vendors] added to support the parking lot stuff and other future uses," the devices could possibly be vulnerable to malware-borne hacks as well, he says.

Next: Psyche-cracking

Psyche-Cracking

If you worry that your online postings could somehow reveal more about you than you'd like, it's not all in your head: A pair of researchers this year began building a prototype "emotion dashboard" that gathers feeds from a user's online presence and can be used to figure out where his head's at.

The idea is to gather feeds from a user's social networking profiles, blogs, Flickr, etc., into a single RSS feed that populates the dashboard. The tool then basically gleans a person's emotions based on correlations in his online postings and activities.

"This is the next generation of hacking: 'I want to hack you, not your app,'" says Nitesh Dhanjani, one of the researchers on the project and a senior manager with Ernst & Young.

Dhanjani and fellow researcher Akshay Aggarwal studied how your online activity can be used to hack into your psyche for intelligence-gathering and as a way to influence your behavior. Their emotion dashboard prototype was aimed at tracking and graphing a user's moods online during a period of time.

"The pulse would show that in the past six months, this user has been upset, and now it looks like something happened," Dhanjani says. "If you are extremely angry, I can see it in real-time. And you can make that person even more upset by leaving a comment on their blog that says, 'I agree with you and I understand because that person pissed me off, too.'" That could lead the person to think about the situation more and incite the emotion or encourage an action, he says.

There are obvious malicious social engineering implications of hacking someone's psyche, of course, but the researchers hoped to show this behavior analysis could be used for good in, for instance, a criminal investigation.

Dhanjani also recently blogged about his psyche hack.

Next: iPhone as a hacking tool

iPhone As A Hacking Tool

They call it "bringing sexy back" to hacking: A pair of researchers turned iPhone hacking on its head this year with a hack that uses the iPhone as a hacking tool.

Robert Graham, CEO of Errata Security, and David Maynor, CTO of Errata, shipped an iPhone equipped with WiFi auditing tools to remotely run elements of a penetration test of a client's wireless network. The hack from afar demonstrated how easy it would be for an iPhone to go rogue.

"We're just saying you have to be a little creative with the tools you have and you can do some fun stuff," Graham says.

The researchers first decided to overnight the iPhone with the TCP dump and Nmap WiFi auditing tools instead of going on-site, mainly for efficiency reasons. "One of our customers that was out of state wanted us to do a wireless audit for them as part of a pen test, but we would have been sniffing packets and then twiddling our thumbs [for the basic audit]," Graham says, plus the client had multiple out-of-state sites. "This was a simple solution that didn't [require] us going on-site."

The iPhone can collect security data on the WiFi network, such as whether encryption is deployed and, if so, what type, as well as detecting rogue access points or laptops vulnerable to WiFi-borne hacks. There's an SSH connection to the iPhone so they can run the tests via a command line, too.

Next, the researchers may attempt WiFi fuzzing on a Nokia N810 smartphone, according to Graham.

Next: Permanent denial-of-service

Permanent Denial-Of-Service

News phlash: You can break a piece of hardware without even touching it.

A researcher earlier this year discovered and demonstrated what he calls a permanent denial-of-service (PDOS), or phlashing, attack that damages a system to the point it must be reinstalled or replaced altogether.

Rich Smith, head of research for offensive technologies and threats at HP Systems Security Lab, says a PDOS attack is not a distributed denial-of-service (DDoS) attack that takes down a Website. PDOS is all about hardware sabotage. "We aren't seeing the PDOS attack as a way to mask another attack, such as malware insertion, but [as] a logical and highly destructive extension of the DDOS criminal extortion tactics seen in use today," Smith says.

While such an attack would be costly for a victim who has to replace the ruined hardware, it's a relatively cheap way for an attacker to do some major damage " no botnet required.

Smith -- who built his own fuzzing tool, PhlashDance, that can be used to detect PDOS vulnerabilities in firmware as well as to launch a PDOS attack -- says embedded devices are at risk of these types of attacks because they are rarely patched and their remote firmware updates aren't properly secured. They also can contain application-level flaws that can be exploited, he says.

Securing firmware update mechanisms isn't easy, but there are some ways to protect against a PDOS, according to Smith, such as authenticating flash updates.

Next: 'Gecko' and the building system hack

"Gecko" And The Building System Hack

Using your seemingly secure biometric or contactless smart card to get into the building may be the equivalent of leaving the door wide open for an intruder.

A U.K. researcher built a homegrown device called Gecko, which intercepts a user's authentication entry data, letting an attacker steal or clone a user's entry credentials. Gecko, which is built with a Programmable Intelligent Computer (PIC) chip and circuits, targets the Wiegand protocols used by most readers to communicate with the access control systems.

"Wiegand [communicates the data] in plain text, so it's easily intercepted," says Zac Franken, who demonstrated the building system hack at Black Hat DC this year. Many readers can be easily cracked open merely by unscrewing their plastic cover plates, he notes.

Gecko -- which sits between the scanner and back-end access control system -- can capture, record, replay, and even disable the user's credentials after they scan their card through the reader. And that's just in its first version. Franken plans to add some additional features, such as storage in Flash memory for multiple IDs, a Bluetooth interface that can fool biometric scanners, and a GSM interface so the attacker can open the door to the building remotely.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Email This  | 
Print  | 
RSS
More Insights
Copyright © 2020 UBM Electronics, A UBM company, All rights reserved. Privacy Policy | Terms of Service