Hack week in Vegas
During the Black Hat and Defcon conferences in Las Vegas last week, researchers wheeled out their best new attacks on everything from browsers to automobiles, demonstrating ingenuity and diligence in circumventing security efforts or in some cases in exploiting systems that were built without security in mind. Here's a handful of the ones that deserve the most concern.
Siemens S7 hack
At Black Hat, NSS researcher Dillon Beresford demonstrated how to hack a Siemens S7 computer, gain read-and-write access to the memory, steal data, run commands and shut the computers off. All this is very bad when you consider these devices are used to control machines in factories, utility networks, power plants, chemical factories and the like -- a major security threat. His findings were so troublesome that he pulled out of an earlier conference where he'd been scheduled to present the information until Siemens could patch the vulnerabilities he exposed. And the Department of Homeland Security monitored his talk to make sure it didn't reveal too much.
VoIP botnet control
Botmasters can use VoIP conference calls to communicate with the zombie machines in their botnets, researchers Itzik Kotler and Iftach Ian Amit of security and risk-assessment firm Security Art demonstrated at Defcon. They released a tool called Moshi Moshi that converts touchtones into commands the bots can understand and turns text into speech to capture information on compromised corporate computers and read it into voicemail for the botmaster to pick up later. The techniques enable botmasters to control their hijacked machines from wireless phones and even payphones (if they can find one). The botmasters call in to the conference bridge, the zombies connect via the corporate network and data can flow, the researchers showed.
Powerline device takeover
Independent researchers Dave Kennedy and Rob Simon showed Defcon a device they customized that can tap into home powerlines to monitor and control home alarm and security camera systems. Using the device and broadband-over-powerline technology, burglars could plug the device into an electric outlet on the outside of a house and monitor devices inside the home. They could deduce, for example, that if the alarm system is turned on and security cameras activated then the residents are not at home. The device can send signals that jam signals from the security devices, leaving burglars free to break in without worry that alarms will be set off, the researchers say.
A spy drone made from off-the-shelf electronics was demonstrated at both Black Hat and Defcon by its creators, Richard Perkins and Mike Tassey. The model plane -- Wireless Aerial Surveillance Platform (WASP) -- was tricked out with electronics that can crack codes and pick off cellphone calls, and an onboard computer that can execute a flight plan designed to have the plane circle above a target while it does its work. The researchers say that if they can build one, so can just about any country or corporate espionage group that puts its mind to it, so beware.
Car hijack via phone networks
A demo at Black Hat hacked a Subaru Outback car alarm, unlocked the doors and started the vehicle, all using text messages sent over phone links to wireless devices in the vehicle. The same type of exploit could just as easily knock out power grids and water supplies, says Don Bailey, a security consultant with iSec Partners, who presented the research. The common thread is that the car alarm and certain devices on critical infrastructure networks are all connected to public phone networks in ways that are fairly simple to compromise, and the prospect is threatening enough that the Department of Homeland Security wanted a briefing beforehand.
Hack faces to find Social Security numbers
A demo at Black Hat and Defcon showed it's possible to acquire a person's Social Security number using nothing more than a photo publicly available in online social-network databases, face-recognition software and an algorithm for deducing the numbers. The point is to show that a framework of digital surveillance that can go from a person's image to personal data exists today, says Alessandro Acquisti, a professor at Carnegie Mellon University, who presented the research. The results will only get better as technologies improve, making privacy more scarce and making surveillance readily available to the masses. "This, I believe and fear, is the future we are walking into," says Acquisti.
Remotely shut down insulin pumps
Insulin pumps that diabetics rely on to keep their blood sugar in balance can be shut off remotely, a researcher demonstrated at Black Hat. Jerome Radcliffe, a diabetic himself, showed how he could pick off wireless signals used to control the pump, corrupt the instructions and send the altered commands to the machine. He could force the wrong amount of insulin to be pumped or shut the device off altogether, either of which could be fatal in the wrong circumstances. The problem, he says, is that the devices weren't designed with security in mind.
Embedded Web server menace
There are embedded Web servers that come in photocopiers, printers and scanners meant to make administering the devices easier, but they lack security, leaving them open to being pilfered for documents recently scanned or copied, Michael Sutton, vice president of security research at Zscaler Labs, told Black Hat. He says he's able to find these Web servers through scripts he wrote to scan huge blocks of IP addresses and recognize telltale Web header fingerprints. "There's no breaking-in required," Sutton says.
Spreading false router tables
A researcher at Black Hat revealed a vulnerability in the router protocol Open Shortest Path First (OSPF) that lets attackers install false route tables on uncompromised routers in an OSPF-based network. That puts networks using the protocol at risk of attacks that compromise data streams, falsify network topography and create crippling router loops. The solution? Use another protocol such as RIP or IS-IS or changing OSPF to close the vulnerability, says Gabi Nakibly, a researcher at Israel's Electronic Warfare Research and Simulation Center, who discovered the problem.
A flaw in SAP's NetWeaver software enables hackers to dodge authentication into the ERP system, says researcher Alexander Polyakov of security firm ERPScan, who presented his findings at Black Hat. The implications of this are that attackers could gain access to data and delete it, he says. He was able to Google hack servers that contained the flaw, he says, which was present on about half the servers he tested. SAP says it plans to issue a fix for the problem.