So what's left? Well, this year it was making ATM machines indiscriminately spit out mountains of cash, intercepting GSM cellphones with a homegrown rogue cell tower, turning the tables on an attacker with a reverse hack, point-and-click WiFi sniffing for the Average Joe, a new breed of cross-site scripting (XSS), and pinpointing a victim's geographic location through his home router so you can show up at his place later with pizza and beer.
Lesson learned. There are always determined white-hat hackers who still seem to find ways to tickle -- or torture -- the imagination, and make consumers and enterprise IT folks think twice before they perform everyday tasks, like withdrawing money from an ATM machine or placing a voice call via GSM.
So put away that iPhone, pull up a bowl of figgy pudding, and read on as we reminisce about the coolest hacks of the past year.
#1 Barnaby Jack's ATM jackpot
Vegas has seen its share of cash payouts, but none like the one that security researcher Barnaby Jack performed on stage at the Black Hat USA conference this summer: Jack demonstrated how exploiting vulnerabilities he had discovered in certain ATMs could literally pay off.
Jack, director of research at IOActive, demonstrated attacks that would allow a criminal to compromise ATMs, allowing hypothetical thieves to steal cash, copy customers' ATM card data, or learn the master passwords of the machines. He targeted Tranax and Triton ATMs, but other brands have similar weaknesses, according to Jack.
Unlike the wave of ATM skimming attacks seen from criminals over the past couple of years, Jack's hacks were all about the software. In one attack, it took Jack only a few seconds to open the ATM and insert a USB drive with code that overwrites the system to do his bidding. He also showed a remote attack that exploits a remote management feature in ATMs. "We are back to 1999 in terms of code quality," he said.
Jack wrote a remote administrative tool called Dillinger that lets an attacker select known ATM machines and grab data or send payloads, and he crafted a rootkit he named "Scrooge" that can be sent as a payload to an ATM and overwrite the system so the attacker can take control of the ATM. The bugs he discovered in the machines were in the proprietary cash management applications, he said.
Jack demonstrated how Scrooge could be used to make the ATM spit out phony bills, either by inserting a card into the machine with specially crafted code stored on the magstripe or by typing code into the ATM. In case you weren't there live, you can view the photo gallery of Jack's ATM hack here.
#2 Intercepting GSM phone calls
Chris Paget wanted to show how the GSM protocol is broken, so he built his own GSM base station by hand, running on a ham-radio frequency, and brought his so-called "IMSI Catcher" to Defcon 18 this year. During a live demonstration that was nearly nixed by the FCC, Paget, a security researcher, successfully fooled several attendees' cell phones into connecting to his phony GSM base station.
"The main problem is that GSM is broken. You have 3G and all of these later protocols with problems for GSM that have been known for decades. It's about time we move on," Paget said in a press briefing prior to the much-anticipated hack demo.
The hack almost didn't happen at all: The FCC initially voiced its concerns that the demo might involve the unlawful interception of phone calls, so after consulting with Electronic Frontier Foundation attorneys, Paget went forward, careful to issue sufficient warnings about his demo to attendees during his presentation. He even destroyed the USB stick that contained any data gathered from the "owned" phones on stage afterward. His use of a ham-radio frequency to carry the GSM signal got around any spectrum violation issues with the FCC.
In all, it cost Paget only about USD 1,500 in equipment to build the IMSI (International Mobile Subscriber Identity) Catcher, which also included two directional antennas and a Debian laptop running OpenBTS and Asterisk, an open-source tool that turns a computer into a voice communications server. He used the device only to intercept and handle outgoing voice calls -- which were sent via voice-over-IP -- and not incoming calls or data. "When the phone is looking for a signal, it looks for the strongest tower. This offers the best signal," Paget said, even though it's only 25 milliwatts.
Callers in the Defcon session whose phones connected to Paget's phony tower got a recorded message when trying to dial out. "When attached to my tower, your phone is [considered] off, so incoming calls go straight to your voicemail," he said.
Overall, Paget captured anywhere from 17 to 30 phones at a time during the demo, even after configuring the base station to appear as an AT&T tower. The phones automatically defaulted to 2G because Paget's base station is 2G. The base station could also be configured to disable encryption, he noted, as well as to target specific brands of phones to connect to it.
In earlier tests he conducted, Paget found iPhones most commonly connect to his fake cell tower.