The 7 Coolest Hacks Of 2011

Published: 22/11/2024   Category: security




Evil insulin pumps and laptop batteries, war texting, and a tween hacker captured our imagination -- and our attention



Some hacks are epic not merely for their significance in IT security, but for their sheer creativity and novelty. They're those in-your-face hacks that both entertain and educate, and crack those things we take for granted in our everyday lives.
For the fifth year in a row, Dark Reading has compiled an end-of-the-year list of the coolest hacks executed by those imaginative, inquisitive, and resourceful hackers who dare to go the distance to try some of the most unique -- and sometimes bizarre -- hacks.
Some of this year's coolest hacks are downright chilling in that they could mean life or death, like the ones that tampered with the dosage dispensed by popular insulin pumps, or that remotely shut down the power on industrial control systems that run power plants. Others were both charming and precocious, like the 10-year-old hacker who found a major flaw in her favorite mobile gaming app after getting bored and looking for a way to progress further with it.
So grab a cup of eggnog, kick back by the fireplace, and time-travel back -- to some of the coolest hacks of the year.
1. Remotely starting a car via text message.
There's war driving, and then there's war texting. Security researcher Don Bailey discovered how simple it is to remotely disarm a car alarm system and control other GSM and cell-connected devices: He showed off his find by remotely starting a car outside Caesars Palace in Las Vegas during the Black Hat USA and DefCon shows.
It took Bailey, a security consultant with iSec Partners, only two hours to first hack into a popular car-alarm system and then start the car from afar with a text message. He and fellow researcher Mat Solnick later re-enacted the hack via video in Vegas.
The problem: Physical security systems attached to the GSM and cellular networks, such as GPS tracking devices and car alarms, as well as traffic control systems, home control and automation systems, and SCADA sensors, are vulnerable. Once these devices have been discovered on the network, an attacker can abuse them. Take the car alarm, which sits on cellular networks and receives messages from control servers: Attackers now can reverse-engineer and commandeer them, as Bailey demonstrated. GSM basically gives them a foot in the door.
"Their proprietary protocols [traditionally] were insulated and so obfuscated that you wouldn't necessarily know what was going on under the hood," Bailey said. "[But] car-alarm manufacturers now have to worry about reverse-engineering of their proprietary protocols."
Starting a car from afar is one thing, but even more disconcerting is the possibility of SCADA systems similarly being sniffed and reverse-engineered, Bailey pointed out.
2. Powering down the power plant -- literally.
Speaking of SCADA, researcher Dillon Beresford this summer at Black Hat USA gave one of the most graphic and alarming public demonstrations of the fragility of security in power control systems. Beresford, a researcher with NSS Labs, demonstrated how a backdoor in Siemens S7-300, S7-400, and S7-1200 devices let him get inside and capture passwords and reprogram PLC logic in such a way that he could shut down the systems altogether or cause them to eventually crash. He had initially postponed a presentation earlier in the year on his vulnerability finds due to concerns about possible risk to human life. Yikes.
Even scarier is that it took Beresford, who admits he's no SCADA expert, only about two-and-a-half hours to write code that exploited the backdoor in the Siemens PLCs. He also discovered a hard-coded password in the systems that let him open a command shell: "That allowed me to do other things, such as perform a memory dump, capture passwords, and reprogram the programmable logic," he said. Beresford wrote a Metasploit module for the hack.
His hack was all about demonstrating how it's not that hard to take control of these devices running our critical infrastructure. "I'm not here to freak you out. But an attack on PLCs for 24 hours could cause it to blow up a plant," he said in his demo.
"This creates an awareness that not only nation-states [can hack SCADA systems], but it's now in the hands of researchers, and it's only a matter of time," Beresford said. "Someone could use it to cause damage to control systems."
And it's not just Siemens products that are at risk of these types of attacks. At the heart of the holes in the Siemens devices is the lack of access control to them; like other PLC systems, they use the 802.3 Ethernet Profibus and Profinet LAN protocols, which communicate via TSAP over TCP port 102. TSAP transmits packets in plain text, too. TSAP, like TCP, is an older protocol that was not created with security in mind. The PLC manufacturers need to better secure them, experts say.
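As an added illustration (not code from the article, NSS Labs or Siemens), the following Python sketch shows the kind of compensating control a plant network can apply while the PLCs themselves lack access control: flag any TCP 102 session into the PLC network from a host other than the designated engineering workstation, and flag any source that fans out across several PLCs. The engineering host, PLC subnet and log lines are all constructed for the demo.

```python
import ipaddress
import re
from collections import defaultdict

S7_PORT = 102  # TSAP/S7 traffic to the PLCs rides on TCP 102, as the article notes
# Hypothetical network plan: one engineering workstation may program the PLCs.
ENGINEERING_HOSTS = {"10.0.5.10"}
PLC_SUBNET = ipaddress.ip_network("10.0.7.0/24")
FANOUT_THRESHOLD = 3  # distinct PLCs contacted by one source before we call it enumeration

# Constructed firewall/flow log lines for the demo; not taken from the article.
SAMPLE_LOG = """\
2011-08-03T10:01:12Z proto=tcp src=10.0.5.10 dst=10.0.7.21 dport=102 action=allow
2011-08-03T10:02:40Z proto=tcp src=10.0.5.10 dst=10.0.7.22 dport=102 action=allow
2011-08-03T10:05:03Z proto=tcp src=192.168.44.7 dst=10.0.7.21 dport=102 action=allow
2011-08-03T10:05:09Z proto=tcp src=192.168.44.7 dst=10.0.7.22 dport=102 action=allow
2011-08-03T10:05:15Z proto=tcp src=192.168.44.7 dst=10.0.7.23 dport=102 action=allow
2011-08-03T10:06:00Z proto=tcp src=10.0.5.10 dst=10.0.7.21 dport=443 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def analyze_s7_sessions(log_text: str) -> dict:
    """Return S7 sessions from non-engineering hosts and sources fanning out across PLCs."""
    unauthorized = []
    plcs_per_src = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "tcp" or int(m["dport"]) != S7_PORT:
            continue  # only PLC protocol traffic is of interest here
        if ipaddress.ip_address(m["dst"]) not in PLC_SUBNET:
            continue  # port 102 to something outside the PLC VLAN is out of scope
        plcs_per_src[m["src"]].add(m["dst"])
        if m["src"] not in ENGINEERING_HOSTS:
            unauthorized.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"]})
    fanout = sorted(src for src, plcs in plcs_per_src.items() if len(plcs) >= FANOUT_THRESHOLD)
    return {"unauthorized": unauthorized, "fanout_sources": fanout}


if __name__ == "__main__":
    for alert in analyze_s7_sessions(SAMPLE_LOG)["unauthorized"]:
        print("unauthorized S7 session:", alert)
```

Because TSAP is plaintext, the same flow data can come from a passive network tap rather than a firewall, which avoids placing any inline device in front of the PLCs.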
3. Mini-hacker time-travels.
A 10-year-old girl who attended the inaugural DefCon Kids conference within the DefCon show this year nearly stole the show with her hack. CyFi said she was getting bored with her favorite mobile gaming app, so she came up with a neat trick to switch the time on her device to make it more challenging.
What she didn't realize at first was that she had actually discovered a whole new class of zero-day bugs across multiple tablet and smartphone operating systems.
"I wasn't making enough progress, so I was trying to find a way around that ... to turn the time forward on the device," she said.
It wasn't until her mom caught wind that CyFi had found a way to game her game that things got real. Her mom, a seasoned DefCon attendee, knew this was more than just a clever child's trick: CyFi had basically found a way to restart the clock on a mobile gaming app's free trial. "She's going out of the app, and switching the time on the device, and then she goes back in her app," her mom said.
CyFi had found the same bug on multiple games, not just the one app, and CyFi and her mom then consulted with a seasoned hacker friend, who checked out the bug and found it in yet another OS. Other professional hacker friends verified it, and now the mini-hacker is working on the responsible disclosure process.
"The mobile app world is different -- you have all these different, tiny companies making games. You don't just have Oracle and Microsoft, so that's why there were so many zero-days," CyFi's mom said.
CyFi got props from famed security researcher Dan Kaminsky, too. "It's legitimately cool work," Kaminsky said. "We've known for years that games suffer security risks, for reasons of time, budget, and, to be honest, lack of consequence … Time acceleration is extremely rare -- I know of only one other use, and that's to locate phone homes where an application or operating system sends traffic to a manufacturer, months, or years after installation. Seeing the phone home trick used successfully against mobile games -- en masse -- is impressive, particularly since it apparently works against some online games."
4. Insulin pumps go rogue.
SCADA security expert Jerome Radcliffe, a diabetic, had become curious about the security of the devices that keep his blood sugar in check. So he started studying how continuous glucose monitors (CGM) and insulin pumps could be hacked, and discovered that at least four models of insulin pumps sold by Medtronic can be hacked wirelessly.
An attacker could remotely disable the pumps or alter the insulin dosage that's automatically delivered to the user. Radcliffe demonstrated that a hacker could illicitly turn off the pump remotely, with the device offering only a small chirp as a response, and also remotely manipulate any setting on the pump without the user's knowledge. "It's basically like having root on the device, and that's like having root on the chemistry of the human body," he said.
It was a frightening but enlightening find given the life-or-death consequences. Radcliffe was also able to disrupt and jam the GSM devices.
And later this year, Barnaby Jack, a security researcher with McAfee, at the Hacker Halted conference demonstrated an exploit he wrote that could deliver a deadly dose of insulin to patients using Medtronic's embedded insulin pumps.
Jack rigged an antenna and some software in a wireless exploit that wrested control of the insulin pumps and administered what would be a fatal dose of insulin. His hack took Radcliffe's a step further, demonstrating how to wirelessly crack the pump without knowledge of its device identification code.
5. Warflying: Hacking in midair.
For a little more than $6,000, a pair of researchers built a radio-controlled model airplane with an onboard computer and 4G connectivity that could be used as a hacking drone to wage aerial attacks on targets that are basically unreachable on land. Mike Tassey and Richard Perkins brought their so-called Wireless Aerial Surveillance Platform (WASP) to Vegas for Defcon to demonstrate the potential threat of warflying.
The 6-foot long, 14-pound WASP is made from all off-the-shelf equipment and open-source software, and was built on top of a surplus Army drone Perkins had stored in his basement. It contains wireless antennae, GPS, wireless sniffing tools, and a Backtrack penetration testing toolkit. A base station controls the plane via Google Earth and an autopilot software tool, and it can fly above 20,000 feet, although FAA regulations don't allow it to go above 400 feet.
WASP can sniff wireless networks, spoof cell-towers, track and intercept cell phone calls, steal data, and conduct video surveillance. A back-end PC handles most of the heavy processing requirements.
All in all, it wasn't that difficult to build. "You don't need a Ph.D. from MIT to do this," Perkins said.
What's not so simple is how to defend against such a drone hack. "So how do you defend against this? I don't know. That's what you guys are for. We need the right people to start thinking about this. How would you defend against something like this?" Perkins said. "Because if we thought of it, someone else has, too. They're just not telling you about it."
6. When laptop batteries turn against you.
You probably don't worry much about your laptop battery until it runs out of juice and you scramble for the power plug. But what if your battery could hack you?
Turns out the embedded controllers on laptop batteries are hackable, renowned security researcher Charlie Miller demonstrated this year. Miller found that Apple's laptop battery has two fixed passwords that could be exploited to make changes to the smart battery system's firmware. The passwords are basically a way for Apple to update the firmware, but they also leave it wide open for abuse.
Miller disassembled his MacBook's batteries and found that Apple uses one default password to unlock the battery and another to access the firmware. If an attacker were to obtain those passwords, then he could eavesdrop on any communication between the battery and the laptop, as well as inject malicious code.
"I definitely completely destroyed that first and most important layer of defense," Miller said. "The main brains of the operation is this chip, and I can control that now."
He reverse-engineered a MacBook battery update and got the password that gave him access to the system, and found he could manipulate the battery's firmware. So an attacker could theoretically inject malicious code onto the battery -- a clever hideout that could be used to harbor stealthy attacks trying to remain under the radar.
Miller's original goal was to make the batteries overheat or explode, but in the end he wasn't able to do so. He did successfully brick them, though: "I can definitely make it so the battery doesn't respond anymore," he said. "I did that seven times already."
7. Hot Diggity hack.
Remember Google hacking? Well, it's back and it's sexier: a pair of researchers built tools that make Google-hacking yourself faster and more efficient.
Fran Brown and Rob Ragan, researchers for Stach & Liu, wrote a series of tools called Diggity that speed up the process of detecting security vulnerabilities via Google or Bing searches. The goal is for enterprises to find those bugs -- SQL injection, cross-site scripting, etc. -- in their servers before attackers do.
"We wanted to find a way to bring search engine hacking back into light because it's a pretty effective method of finding vulnerabilities, and we see it being used more and more [by malicious attackers]," Ragan said.
DIY Google-hacking typically requires searching one domain at a time, and that just doesn't scale when you're talking about an enterprise of hundreds of domains. Brown says Diggity tools are akin to an IDS that sniffs out known attacks.
The tools are composed of databases of known Google and Bing hacks, Foundstone's repository of search engine hacks, and Stach & Liu's own database of known vulnerabilities and hacks.
It works like this: When a tool finds a potential exposure, it sends a Google alert to the enterprise, which can then have Google halt indexing of the affected pages. That gives them time to fix the flaws offline.
Brown says Diggity could prevent disasters such as when the user database of Groupon's Indian subsidiary Sosata.com was inadvertently published online and exposed emails and passwords of its 300,000 users. "To put it in perspective, if Groupon.com had been using our tools, they would have gotten an alert via iPhone or Droid and found the vulnerability before anyone else did," Brown said.