There's not much that hackers can crack that surprises us anymore.
In years past, nothing has been sacred: We've witnessed hackers
sniffing 18-wheeler payloads while truckers nap at the truck stop,
weaponizing the iPod Touch, hacking faces (think biometrics), and
even the unthinkable -- silencing a texting teen.
So what's left? Well, this year it was making ATM machines
indiscriminately spit out mountains of cash, intercepting GSM
cellphones with a homegrown rogue cell tower, turning the tables on
an attacker with a reverse hack, point-and-click WiFi sniffing for
the Average Joe, a new breed of cross-site scripting (XSS), and
pinpointing a victim's geographic location through his home router
so you can show up at his place later with pizza and beer.
Lesson learned. There are always determined white-hat hackers who
still seem to find ways to tickle -- or torture -- the imagination,
and make consumers and enterprise IT folks think twice before they
perform everyday tasks, like withdrawing money from an ATM machine
or placing a voice call via GSM.
So put away that iPhone, pull up a bowl of figgy pudding, and read
on as we reminisce about the coolest hacks of the past year.
#1 Barnaby Jack's ATM jackpot
Vegas has seen its share of cash payouts, but none like the one
that security researcher Barnaby Jack performed on stage at the
Black Hat USA conference this summer: Jack demonstrated how using
vulnerabilities he had discovered in certain ATM machines could
literally pay off.
Jack, director of research at IOActive, demonstrated attacks that
would allow a criminal to compromise ATMs, allowing hypothetical
thieves to steal cash, copy customers' ATM card data, or learn the
master passwords of the machines. He targeted Tranax and Triton
ATMs, but other brands have similar weaknesses, according to
Jack.
Unlike the wave of ATM skimming attacks carried out by criminals
over the past couple of years, Jack's hacks were all about the
software. In one attack, it took Jack only a few seconds to open the
ATM and insert a USB drive with code that overwrites the system to
do his bidding. He also showed a remote attack that exploits a remote
management feature in ATMs. "We are back to 1999 in terms of code
quality," he said.
Jack wrote a remote administrative tool called Dillinger that lets
an attacker select known ATM machines and grab data or send
payloads, and he crafted a rootkit he named "Scrooge" that can be
sent as a payload to an ATM and overwrite the system so the
attacker can take control of the ATM. The bugs he discovered in the
machines were in the proprietary cash management applications, he
said.
Jack demonstrated how Scrooge could be used to make the ATM spit
out phony bills, either by inserting a card with specially crafted
code stored on the magstripe or by typing code into the ATM. In case
you weren't there live, you can view the photo gallery of Jack's ATM
hack here.
#2 Intercepting GSM phone calls
Chris Paget wanted to show how the GSM protocol is broken, so he
hand-built his own GSM base station running on a ham-radio
frequency and brought his so-called "IMSI Catcher" to Defcon 18 this
year. During a live demonstration that was nearly nixed by the FCC,
Paget, a security researcher, successfully fooled several
attendees' cell phones into connecting to his phony GSM base
station.
"The main problem is that GSM is broken. You have 3G and all of
these later protocols with problems for GSM that have been known
for decades. It's about time we move on," Paget said in a press
briefing prior to the much-anticipated hack demo.
The hack almost didn't happen at all: The FCC initially voiced its
concerns that the demo might involve the unlawful interception of
phone calls, so after consulting with Electronic Frontier
Foundation attorneys, Paget went forward, careful to issue
sufficient warnings about his demo to attendees during his
presentation. He even destroyed the USB stick that contained any
data gathered from the "owned" phones on stage afterward. His use
of ham-radio frequency to carry the GSM signal got around any
spectrum violation issues with the FCC.
In all, it cost Paget only about USD 1,500 in equipment to build
the IMSI (International Mobile Subscriber Identity) Catcher, which
also included two directional antennas and a Debian laptop running
OpenBTS and Asterisk, an open-source tool that turns a computer
into a voice communications server. He used the device only to
intercept and handle outgoing voice calls -- which were sent via
voice-over-IP -- and not incoming calls nor data. "When the phone
is looking for a signal, it looks for the strongest tower. This
offers the best signal," Paget said, even though it's only 25
milliwatts.
Callers in the Defcon session whose phones connected to Paget's
phony tower got a recorded message when trying to dial out. "When
attached to my tower, your phone is [considered] off, so incoming
calls go straight to your voicemail," he said.
Overall, Paget captured anywhere from 17 to 30 phones at a time
during the demo, even after configuring the base station to appear
as an AT&T tower. The phones automatically defaulted to 2G
because Paget's base station is 2G. The base station could also be
configured to disable encryption, he noted, as well as to target
specific brands of phones to connect to it.
In earlier tests he conducted, Paget found iPhones most commonly
connect to his fake cell tower.