Monday, April 14, 2008

The Five Coolest Hacks of 2007

Dark Reading
Nothing was sacred – not cars, not truckers, not even the stock exchange

DECEMBER 31, 2007 | 2:51 PM
By Kelly Jackson Higgins
Senior Editor, Dark Reading

Hackers are creative folk, for sure. But some researchers are more imaginative and crafty than others. We're talking the kind of guys who aren't content with finding the next bug in Windows or a Cisco router. Instead, they go after the everyday things we take for granted even more than our PCs -- our cars, our wireless connections, and (gulp) the electronic financial trading systems that record our stock purchases and other online transactions.

Not that there's anything wrong with a new Windows or Vista flaw. But you can't help but secretly admire the ingenuity and persistence it takes to hack something that we hadn't thought of as hackable -- or that maybe we just didn't want to think was. These are the kinds of hacks that pierce the mainstream consciousness: Your mom's eyes may glaze over when you warn her about the risk of her PC becoming a bot, but you can bet you'll have her full attention when you show how a hacker could redirect her brand-new car navigation system to a deserted dead-end street far from her intended destination.

We've selected five of the coolest hacks we covered here at Dark Reading in 2007 -- unusual vulnerabilities that were exposed and exploited this past year by researchers who don't just do Windows. So raise your glass to some innovative, and sometimes wacky, hacks that we won't soon forget (nor maybe will Mom):

* The car navigation system
* WiFi 'sidejacking'
* Eighteen-wheelers
* 'Hacking capitalism'
* iPhone

1. The car navigation system

A pair of Italian researchers earlier this year drove right through holes they discovered in some car navigation systems -- vulnerabilities that would let an attacker inject phony messages into the system or launch a denial-of-service attack against it. (See Hacking the Car Navigation System.)

Andrea Barisani, chief security engineer of Inverse Path, and Daniele Bianco, hardware hacker for Inverse Path, built tools for hacking satellite-based navigation systems that use Radio Data System-Traffic Message Channel (RDS-TMC) to receive traffic broadcasts and emergency messages. RDS-TMC is popular in vehicle navigation systems sold in Europe, and has been catching on in North America as well.

RDS-TMC provides broadcasts on traffic conditions, accidents, and detours for the driver. Its main weakness: It doesn't authenticate where the traffic comes from, the researchers say. That leaves the door wide open for a bad guy to reroute drivers to a detour, or to overwhelm the system with a DDoS, killing the navigation system as well as its climate-control system and stereo.

The researchers tested their hardware and software tools within a one- to five-kilometer radius of the targeted vehicles, but they say an attacker could target a specific vehicle by adding a directional antenna, for instance. The good news is there are some emerging navigation-system technologies that may be safer -- including one that will include encryption, although that's at least five years out.

So how can you tell if your navigation system has been hacked? There's not much you can do until it's too late and your AC and stereo are out, and you're sitting on a hot and dusty, deserted road nowhere near Starbucks.

2. WiFi 'sidejacking'

First it was the Ferret, then the Hamster: WiFi will never be safe again. Researcher Robert Graham, CEO of Errata Security, wowed (and in some cases, shamed) the Black Hat DC and Las Vegas crowds this year with live hacks of attendees who dared to use the WiFi network unprotected, using his homegrown sniffing tools that grab WiFi traffic right out of the air.

Yes, some of us got a firsthand lesson in "it can't happen to me." (See Joke's on Me.) As I checked my email during a session at Black Hat DC last February, little did I know that as Graham and colleague David Maynor were demonstrating Ferret next door, the tool was blasting my username and password up on the screen for all to see.

But Graham turned his WiFi hack up a notch in Vegas in August, with a more powerful version of Ferret -- Hamster -- that "sidejacks" machines using WiFi and accesses their Web accounts. Hamster grabs users' Gmail, Yahoo, and other online accounts. It basically clones the victim's cookies by sniffing their session IDs, and then uses those cookies to control their Web accounts. (See 'Sidejacking' Tool Unleashed.)

"You can be in a café and see a list of people browsing [over WiFi]. And you can hijack and clone their Gmail system," for example, Graham says. And it's very easy to do, he says.

Hamster doesn't hack passwords, just the cookies and URL trail left behind by a WiFi user. The attacker then can pose as the victim and read, send, and receive email on his or her behalf. It does not, however, see the victim's actual email messages (phew).

Interestingly, Graham had a little trouble finding many users in Vegas who dared to go WiFi unprotected. Still, he recommends logging out of your Web session to wipe out your cookie trail when you're using WiFi.
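Sidejacking works because the session cookie itself travels in cleartext over the open WiFi network, so the defender's check is on the server side: does the application mark its session cookie so the browser will only send it over HTTPS? The following script is an added example, not code from the article or from Errata Security; it parses Set-Cookie headers and flags cookies that lack the Secure or HttpOnly attributes, and it also flags login-looking cookies that are persistent, since a copied persistent cookie stays usable until it expires unless logging out (as Graham recommends) invalidates it on the server. The session-name hints and the sample headers are constructed for the example.

```python
"""Audit Set-Cookie headers for the attributes that limit cookie sniffing.

Added example (not part of the Dark Reading article). A cookie carrying the
Secure attribute is only ever sent over HTTPS, so a passive sniffer on an
open WiFi network never sees it; HttpOnly additionally keeps page script
from reading it. This script flags cookies missing either one.
"""

# Cookie-name fragments that commonly indicate a login session. This list
# is an assumption for the example, not from the article; extend it for
# your own application.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    map to True, valued ones (Domain, Path, Max-Age, Expires) to a string.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError(f"malformed Set-Cookie: {header_value!r}")
    name, value = parts[0].split("=", 1)
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = True
    return name.strip(), value.strip(), attrs


def looks_like_session_cookie(name):
    """Heuristic: does the cookie name suggest it carries a login session?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_set_cookie(header_value):
    """Return a list of findings for one Set-Cookie header (empty means OK)."""
    name, _value, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append(
            f"{name}: no Secure attribute; the browser also sends it over "
            "plain HTTP, where a WiFi sniffer can copy it"
        )
    if "httponly" not in attrs:
        findings.append(f"{name}: no HttpOnly attribute; page script can read it")
    if looks_like_session_cookie(name) and ("expires" in attrs or "max-age" in attrs):
        lifetime_attr = "Max-Age" if "max-age" in attrs else "Expires"
        findings.append(
            f"{name}: session cookie is persistent ({lifetime_attr}); a copied "
            "cookie stays usable until it expires unless logout invalidates "
            "the session server-side"
        )
    return findings


def audit_response_headers(headers):
    """Audit every Set-Cookie header in a list of (name, value) pairs."""
    findings = []
    for hname, hvalue in headers:
        if hname.lower() == "set-cookie":
            findings.extend(audit_set_cookie(hvalue))
    return findings


# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/"),
    ("Set-Cookie", "prefs=dark; Path=/; Max-Age=31536000"),
    ("Set-Cookie", "auth_token=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for finding in audit_response_headers(SAMPLE_HEADERS):
        print(finding)
```

Run against the constructed headers, the script reports the bare SESSIONID cookie and the prefs cookie as sniffable and script-readable, and accepts the auth_token cookie, which is the shape a session cookie should have. Feed it the headers of your own login response to see which cookies a Hamster-style tool could have collected.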

3. Eighteen-wheelers

Truckers are sleep-deprived enough without having to worry about their load of plasma TVs, tagged with RFID-based electronic product codes (EPC), getting hacked while they park and snooze at a truck stop. But researchers from PacketFocus Security Solutions have shown that's a very real threat. (See Hacking Truckers.)

PacketFocus, along with some researchers at Atlas RFID Solutions, was able to read EPC codes using standard EPC Generation 2 readers and antennas on an 18-wheeler they rented from a local freight company. They loaded the rig with EPC-tagged boxes to test out just what data can be intercepted from it, and found it was easy to scan and hack information off the labels.

Joshua Perrymon, hacking director for PacketFocus, and his colleagues used off-the-shelf tools to hack the freight information. "We are showing you can do this with off-the-shelf products, and you don't have to be a super-hacker" to get EPC data off a tractor-trailer, Perrymon says.

EPC provides more detailed information about a product than a standard bar code, with unique tags for each item to improve inventory and shipment tracking. But that information could also fall into the hands of a malicious competitor or criminal: "Each product has its own EPC number," he says. "If a company is using EPC numbers, we can sit outside the tractor-trailer and scan them, reference them with known EPC numbers, and know the inventory of what's on that trailer."

Aside from the obvious danger of this information falling into a competitor's hands, criminals could sniff the 18-wheeler's payload to better target their holdups: "Unless they had a lot of inside information, they don't have enough information to rob that truck," Perrymon says. "Now they can scan it if it's not secure -- they don't want to rob that toilet paper truck, but if it's got plasma TVs with surround sound, [that's their] target."

4. 'Hacking capitalism'

The financial services industry is typically on the leading edge when it comes to adopting new security technologies and standards. But researchers at Matasano Security this year revealed that one of the most popular application-layer protocols used by financial services firms, stock exchanges, and investment banks for automated financial trading has some serious security holes. (See 'Hacking Capitalism'.)

Applications written to the FIX (Financial Information eXchange) protocol can be vulnerable to denial-of-service, session-hijacking, and man-in-the-middle attacks over the Internet -- and could let an attacker "watch" transactions, according to David Goldsmith, CEO of Matasano Security, who discussed these issues at Black Hat USA in August.

Even scarier is that an attack on a FIX-based app could be silent and by the time it's detected, it may be too late. "If a hacker was monitoring or viewing [the transactions], you may never know they are there," Goldsmith says. "[He] could take that information and use it to their advantage for insider trading... or to cause significant financial damage."

Security tools are mostly ineffective for protecting financial systems from this type of attack, although Goldsmith recommends strong firewalls and external session-layer encryption. But an IDS or a vulnerability scanner isn't going to find FIX bugs, he says, and because these systems are mission-critical and can't be taken offline for testing, it's even difficult to search for vulnerabilities in them.

Goldsmith wouldn't reveal details on the actual vulnerabilities he and his colleagues found in FIX, but he says financial firms should revisit how they secure these applications, looking at changing passwords, for instance.

5. iPhone

Hacking and bypassing the iPhone's exclusive service with AT&T was all the rage when the new device first got into users' palms this year, but it wasn't until researcher HD Moore added an iPhone hacking module to the Metasploit penetration testing tool that the real iPhone hacking could begin. (See Metasploit Adds iPhone Hacking Tools and i Caramba! iPhone Hacked Already.)

Moore released an Apple iPhone shellcode for Metasploit 3.0 in September, with "payloads" for writing exploits using the wildly popular Metasploit framework. "The addition of iPhone payloads to Metasploit makes it easy for a researcher to write exploits," Moore says. "The payloads also provide an example of how to develop new shellcode for the iPhone, which could accelerate exploit development for the platform."

He had a little fun with it, too, creating a payload that lets you make a victim's phone vibrate. But the other payloads are no laughing matter -- they can give the attacker remote shell access. Moore also wrote some exploit modules for the iPhone.

The powerful stuff, of course, comes with the rootkits that attackers could use on an iPhone. "A rootkit takes on a whole new meaning when the attacker has access to the camera, microphone, contact list, and phone hardware. Couple this with 'always-on' Internet access over EDGE and you have a perfect spying device," Moore said in a Metasploit blog post.

Moore, who is also director of security research for BreakingPoint Systems, says he added the iPhone hacking tools for Metasploit in hopes that it would help researchers discover new attack vectors on the smart phone. Meanwhile, iPhone hacking has made many a 2008 threat prediction list -- so look out in the new year.

Copyright © 2008 United Business Media LLC - All rights reserved.