2020 unsurprisingly went out with a bang, and not in a good way. The massive cyberattack campaign by Russian nation-state actors shattered hopes for a quiet holiday break for security teams who have been heads-down since March, when the COVID-19 pandemic first took hold and rocked SOCs. Workers — including security analysts — were sent home to set up makeshift offices, and existing network architectures were transformed practically overnight.
While this year for sure was fraught with disruption and uncertainty, it also made some space for ingenuity by security teams, who navigated a new normal, and security researchers, who unearthed new vulnerabilities that otherwise might not have been uncovered. In addition, some inspired white-hat hacks were already in the works before the pandemic struck.
Among the head-turning hacks in 2020: Tesla's smart-car camera fell victim to a piece of good old black electrical tape. Light hacked sound. And a pair of pen testers who got busted for doing their jobs finally shared details of their harrowing experience that nearly ruined their personal and professional lives, including how they sat in lockup overnight and then were mired in legal jeopardy for months amid a territorial and political battle between a small-town sheriff and the state of Iowa.
Kicking back and truly relaxing over this holiday season is not so simple. We get that. But you've earned it, so grab a cup of cheer (2020 is behind us now) and take a look back at some of the coolest hacks by researchers that graced Dark Reading's news coverage this year.
So much for the smart car.
Researchers from McAfee were able to fool older-model autonomous vehicles made by Tesla into accelerating dangerously: They merely affixed black electrical tape to a traffic sign, changing the "3" in 35 mph to an "8," and the Teslas automatically accelerated to 85 mph.
The experiment focused on Teslas equipped with the Mobileye EyeQ3 camera (Tesla hardware Pack 1), and the good news is that a newer version of the camera didn't fall for their attack. (Also good news: The latest Tesla models don't use Mobileye and don't appear to perform traffic-sign recognition.)
The attack works if the car is set for traffic-aware cruise control, but the researchers noted the driver would likely notice the issue and retake control of the acceleration.
"We are not trying to spread fear here and saying that attackers are likely going to be driving cars off the road," said Steve Povolny, head of McAfee Advanced Threat Research.
Then why the scary car test? Povolny said the research was all about adversarial machine learning (ML): testing ML algorithms for their vulnerability to exploitation. Mobileye cameras' algorithms are trained on specific data sets, including known traffic signs, leaving them vulnerable to previously unknown or altered data.
"If we project 10 to 20 years into the future, at some point these issues are going to become very real," Povolny said. "If we have completely autonomous vehicles and computing systems that are making medical diagnoses without human oversight, we have a real problem space that is coming up."
A Pen Test That Went Very Wrong
Physical penetration testing relies on a pact between the client and the pen-testing company that the testers will be free from legal — and physical — risk. But red-team experts Gary De Mercurio and Justin Wynn of Coalfire this year shared their personal story of just how these engagements can expose pen testers to inherent vulnerabilities in the pacts themselves.
It was a few minutes after midnight on Sept. 11, 2019, during the final phase of De Mercurio and Wynn's pen-testing engagement for the state of Iowa's Judicial Branch, when their lives were forever changed. After breaking into the front door of the Dallas County Courthouse in Iowa with a plastic cutting board retrofitted with a handy notch fitted into the doorjamb, the pair went to work poking around for potential security weaknesses in the courthouse as the alarm went off.
Soon officers arrived at the courthouse in the city of Adel, Iowa, just across the street from the Dallas County Sheriff's Department. The exchange was at first tense but turned friendly once the officers confirmed their story; everything fell apart, though, after the Dallas County Sheriff arrived on the scene and had De Mercurio and Wynn handcuffed and perp-walked to the jail across the street. They spent the night in separate cells, were hit with felony charges, and spent nearly five months in an ugly and very public legal battle, in part due to a political fight between state and county officials in Iowa over who had legal jurisdiction over the courthouse where the pen testers had been conducting their engagement. Their client, the state of Iowa, "disavowed" them, leaving them in further legal jeopardy.
"They [the state] had no doubt" what it had hired Coalfire to do, maintained Wynn.
De Mercurio and Wynn were fully exonerated in January after a state legislative hearing that led to the charges getting dropped. They're now on a crusade to hack the process of setting up social engineering and physical pen tests so other pen testers won't be at risk like they were.
"Always record your phone calls, at least with physical engagements," De Mercurio recommended. "Try to make your contract as ironclad and succinct as possible," as well.
Honeypot on Steroids
Industrial prototyping company MeTech was hit with ransomware, remote access Trojans (RATs), malicious cryptojacking, and online fraud, as well as botnet-style beaconing malware that infected its robotics workstation in a seven-month period in 2019.
MeTech's exposed industrial control system (ICS) network was flagged by a researcher known for spotting vulnerable industrial systems via Shodan, but a team of Trend Micro researchers asked him to stand down: They informed him that MeTech was a fictitious manufacturing company they had built as part of an elaborate honeypot-type operation, complete with its own website.
The researchers had set up phony employee personas, a website, and PLCs on a simulated factory network in order to track and study attacks and threats to the industrial control sector. The advanced interactive honeypot model provided them just that, and what they found was mostly the typical threats IT networks see, with a few exceptions.
In one case, the attacker got to the robotics system, closed the HMI (human-machine interface), and powered down the system. Another attack started up the factory network, stopped the simulated conveyor belt, and shut down the phony factory network; another opened the log view of the robot's optical eye.
"Yes, your factories will be attacked if they are directly connected to the [Internet]," said Stephen Hilt, who went public with the project in January of this year after running the amped-up honeypot with fellow Trend Micro researchers Federico Maggi, Charles Perine, Lord Remorin, Martin Rösler, and Rainer Vosseler from September to December 2019.
They even performed a real-world negotiation with ransomware attackers who had dropped Crysis ransomware on the phony network:
"The system was down for a week because it [the malware] spread," said Hilt, who added the PLCs weren't affected but did lose visibility into plant operations, while the HMI files were locked down by the ransomware.
The researchers talked the attackers down from $10,000 in Bitcoin to $6,000 but never actually paid up: They had backups and were able to recover.
The Mysterious Case of Light Hacking Sound
Researchers at the University of Michigan and the University of Electro-Communications (Tokyo) took their initial digital voice assistant hacking research from 2019 to the next level this year: At Black Hat Europe Virtual, they showed how the built-in microphones of newer model digital voice assistants can be manipulated by light, using laser pointers. They previously had hacked Google Assistant, Amazon Alexa, Facebook Portal, and Apple Siri as well as smartphones and tablets via a vulnerability in their embedded MEMS mikes, using laser beams to inject inaudible commands.
This time they hijacked the Amazon Echo 3 via light and then manipulated a security camera connected to the Echo.
They spent just $2,000 on equipment for the attack technique they have christened "Light Commands," but say it could be pulled off for as little as $100, including a low-end laser pointer for cats that can be bought on Amazon.
Benjamin Cyr, a Ph.D. student at Michigan, and researcher Sara Rampazzi confessed they still don't know how they are able to hack sound with light: Why do the mikes respond to the light as if it's sound?
"There's still some mystery around the physical causality on how it's working. We're investigating that more in-depth," Cyr said. "We want to try to nail down what's happening on a physical level, so that future hardware designs" protect them from light-injection attacks.
The researchers also are studying sensing system security of medical devices, autonomous vehicles, industrial systems, and space systems.
"We want to understand ... how to defend against these vulnerabilities. Our final goal is to protect the system and make it more resilient, not only for the attack we found but for future attacks that have not yet been discovered," Rampazzi said.
When Smart Bulbs Go Dim
A light bulb is likely the last thing you'd think could be abused for a cyberattack, but researchers this year again demonstrated the dangers of a smart home with a new exploit against the Philips Hue Smart Bulb.
Philips fixed a flaw the researchers had found in previous work in 2017, but the researchers this year found a way an attacker could infiltrate a home network and install malware via a vuln in the popular Zigbee communications protocol used in the Philips bulbs.
"In an office environment, it would probably be the first step in an attempt to attack the organization, steal documents from it, or prepare a dedicated ransomware attack on sensitive servers inside the network," said Eyal Itkin, a security researcher at Check Point. "From our perspective, the main takeaway from this research is emphasizing that IoT devices, even the most simple and mundane ones, could be attacked and taken over by attackers."
Here's how the new attack works: Check Point researchers found and exploited a heap-based buffer overflow (CVE-2020-6007) in the Zigbee implementation in Philips Hue's smart-bulb control bridge. This allowed them to gain control of the smart bulb and install malware on it via an over-the-air firmware update.
That let them control the bulb's color and brightness so it appeared to be malfunctioning, after which the bulb showed up as "unreachable" in the user's control app. That in turn would prompt the user to reset the bulb and unknowingly trigger the malicious firmware update that exploits the control bridge vulnerability.
An attacker then can spread spyware, ransomware, or any other type of malware using a known exploit such as the infamous EternalBlue, according to the researchers.
There are some key caveats to the attack, however: An attacker must be nearby to wrest control of the bulb, and the attack will only work if the bridge is adding a light bulb to the network.
"Without the user issuing a command to search for new light bulbs, the bridge won't be accessible to our now-owned light bulb, and we won't be able to launch the attack," Itkin said.
Ring-a-Ling: How Hackers Can Abuse Video Doorbells
Sometimes buying a cheaper device that's marked as Amazon's Choice isn't the smartest choice. Take the smart video doorbell: Researchers found some major security flaws in nearly a dozen inexpensive doorbell products sold on Amazon and eBay and popular on UK consumer sites.
NCC Group worked with UK consumer organization Which? to study the security of 11 lesser-known brands of smart doorbells and found several of them gather and send Wi-Fi names, passwords, location data, photos, video, email, and other information back to the manufacturer.
"The most surprising finding was seeing some of the doorbells sending home Wi-Fi passwords over the Internet and unencrypted to remote servers. It's not really clear what the purpose of such a feature would be, and it certainly exposes a person's entire home network to potential attackers and criminals," said Matt Lewis, research director at NCC Group.
The researchers found two Victure and Ctronics video doorbells that contained a vuln that could allow an attacker to pilfer the victim's network password and hack the doorbell, as well as the router and other network devices.
Another Victure doorbell with a top seller rating on Amazon was sending Wi-Fi network names and passwords — unencrypted — to servers in China.
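One way a home-network defender can catch the behaviour described above, as an added example that is not part of the original article or NCC Group's research: scan the application-layer bodies of outbound device requests for the network's own SSID and pre-shared key, and flag any hit that also travels without TLS. The capture, device names, vendor hosts, and credentials are constructed placeholders.

```python
import re

# Constructed sample: application-layer bodies of outbound requests captured
# on the home LAN from IoT devices (not real vendor traffic). Fields are
# (device, destination host, scheme, body). For "https" entries the body
# would be opaque on the wire; it is shown decoded here only for the demo.
SAMPLE_CAPTURE = [
    ("doorbell-01", "api.vendor-a.invalid", "http",
     "ssid=HomeNet&pwd=correct-horse-battery&tz=Europe/London"),
    ("doorbell-01", "cdn.vendor-a.invalid", "https",
     '{"event":"motion","ts":1607000000}'),
    ("thermostat-02", "api.vendor-b.invalid", "http",
     "temp=21&mode=heat&ssid_hint=Guest"),
]

# Placeholder credentials for the home network the defender is monitoring.
HOME_SSID = "HomeNet"
HOME_PSK = "correct-horse-battery"

# Field names commonly used to carry Wi-Fi settings in device check-ins
# (form-encoded or JSON). A bare SSID string elsewhere is not enough on
# its own, since the network name can appear in harmless telemetry.
CRED_FIELD = re.compile(
    r'(?i)(?:^|[&?{,\s"])(ssid|wifi_?name|pwd|password|psk|wifi_?pass)\s*[=:]'
)


def inspect_capture(capture, ssid, psk):
    """Return one finding per request that carries Wi-Fi settings off the LAN."""
    findings = []
    for device, host, scheme, body in capture:
        if psk in body:
            leak = "wifi password"
        elif ssid in body and CRED_FIELD.search(body):
            leak = "wifi network name"
        else:
            continue
        findings.append({
            "device": device,
            "host": host,
            "leak": leak,
            # Cleartext transport means anyone on the path can read it too.
            "cleartext": scheme != "https",
        })
    return findings


if __name__ == "__main__":
    for f in inspect_capture(SAMPLE_CAPTURE, HOME_SSID, HOME_PSK):
        print(f)
```

Only the doorbell's first check-in is flagged: it carries the PSK itself and does so over plain HTTP, which is exactly the combination the researchers observed.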
There were other eye-popping flaws, such as one generic-brand video doorbell that contained a vulnerable WPA2 implementation that could let an attacker access the user's home network directly.
Many of the doorbells had weak or easily guessed default passwords.
"The main takeaway for consumers is to really do their homework before purchasing devices like these and, where possible, stick with popular and known brands," Lewis said.