The Coolest Hacks Of 2016
No 400-pound hacker here: Lightbulb and do-gooder worms, machines replacing humans to hack other machines, and high-speed car hacking were among the most innovative white-hat hacks this year.
In a year when ransomware became the new malware and cyber espionage became a powerful political propaganda tool for Russia, it's easy to forget that not all hacking in 2016 was so ugly and destructive.
Sure, cybercrime and cyber espionage this past year turned the corner into more manipulative and painful territory for victims. But 2016 also had its share of game-changing good hacks by security researchers, with some creative yet unsettling ways to break the already thin-to-no defenses of Internet of Things devices, as well as crack locked-down computers and hijack computer mice. Hackers even took a back seat to machines in the first-ever machine-on-machine hacking contest this summer at DEF CON.
So if you're still confused about that elusive 400-pound hacker in his bedroom, or just sick of hearing about Bitcoin ransoms and fancy and cozy Russian bears, here's a look at some of the coolest hacks by the good guys this year.
MouseJack Attack Bites Non-Bluetooth Wireless Mice
With a $15 dongle, researchers at Bastille were able to sniff traffic from PCs, Macs, and Linux machines that use non-Bluetooth wireless mice and keyboards, thanks to the unencrypted communications employed by seven different wireless dongle vendors.
The so-called MouseJack attack exploited nine vulnerabilities across devices from Logitech, Dell, HP, Lenovo, Microsoft, Gigabyte, and AmazonBasics. The researchers could take control of the input devices and ultimately infiltrate the machines and their networks from up to 100 meters away from the victim's machine.
MouseJack exploits proprietary wireless protocols that operate in the 2.4GHz ISM band and don't encrypt or authenticate communications between a wireless mouse and its dongle. Because the dongle has no way to tell a genuine mouse from an impostor, an attacker can spoof a mouse, feed crafted packets to the dongle, and have the dongle deliver keystrokes rather than mouse clicks to the victim's computer.
"If an attacker sitting in the lobby of a bank could get the wireless dongles [via MouseJack], all of a sudden you've got an APT [advanced persistent threat] inside a bank," said Marc Newlin, the Bastille engineer who found the flaws that led to MouseJack. An attacker could install a rootkit, for instance, he noted.
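The root cause above, an unauthenticated link that turns any well-formed frame into input, is easiest to see next to the fix. The toy model below is an added example, not Bastille's code or any vendor's protocol: the frame layout, the device address, the pairing key, and the HMAC-with-counter scheme are all assumptions chosen to illustrate the point. The "legacy" dongle behaves like the MouseJack-vulnerable devices (address match is the only check), while the "authenticated" dongle rejects forged and replayed frames.

```python
import hashlib
import hmac
import struct

# Toy model of a 2.4GHz mouse/keyboard link (constructed; not Bastille's code
# or any vendor's protocol). A frame is: 5-byte device address | 1-byte type |
# payload. The legacy dongle mirrors the MouseJack root cause: nothing in the
# frame proves it came from the paired device.
MOUSE_MOVE = 0x01
KEY_PRESS = 0x02


def build_frame(address: bytes, ftype: int, payload: bytes) -> bytes:
    return address + bytes([ftype]) + payload


def tag_frame(key: bytes, counter: int, frame: bytes) -> bytes:
    # HMAC-SHA256 over (counter || frame), truncated to 8 bytes (assumed design).
    return hmac.new(key, struct.pack(">I", counter) + frame, hashlib.sha256).digest()[:8]


class LegacyDongle:
    """Accepts any frame whose address matches the paired device."""

    def __init__(self, paired_address: bytes):
        self.paired = paired_address
        self.typed = []  # keystrokes handed to the host

    def receive(self, frame: bytes) -> bool:
        if frame[:5] != self.paired:
            return False
        if frame[5] == KEY_PRESS:  # a "mouse" may send key presses: no check
            self.typed.append(frame[6:].decode("ascii"))
        return True


class AuthenticatedDongle:
    """Requires a tag under a per-pairing key and a strictly increasing
    counter, so forged and replayed frames are dropped. Key establishment at
    pairing time is assumed and out of scope here."""

    def __init__(self, paired_address: bytes, pairing_key: bytes):
        self.paired = paired_address
        self.key = pairing_key
        self.last_counter = -1
        self.typed = []

    def receive(self, frame: bytes, counter: int, tag: bytes) -> bool:
        if frame[:5] != self.paired or counter <= self.last_counter:
            return False
        if not hmac.compare_digest(tag_frame(self.key, counter, frame), tag):
            return False
        self.last_counter = counter
        if frame[5] == KEY_PRESS:
            self.typed.append(frame[6:].decode("ascii"))
        return True


def demo() -> dict:
    addr = b"\xa1\xb2\xc3\xd4\xe5"       # constructed device address
    key = b"constructed-pairing-key"     # constructed; never hardcode in practice
    injected = build_frame(addr, KEY_PRESS, b"calc")  # attacker-crafted keystroke

    legacy = LegacyDongle(addr)
    legacy_ok = legacy.receive(injected)

    auth = AuthenticatedDongle(addr, key)
    forged_ok = auth.receive(injected, 1, b"\x00" * 8)  # attacker lacks the key

    genuine = build_frame(addr, MOUSE_MOVE, b"\x03\x00")
    genuine_ok = auth.receive(genuine, 1, tag_frame(key, 1, genuine))
    replay_ok = auth.receive(genuine, 1, tag_frame(key, 1, genuine))  # sniffed and resent

    return {
        "legacy_accepts_injected": legacy_ok,
        "legacy_typed": legacy.typed,
        "auth_rejects_forged": not forged_ok,
        "auth_accepts_genuine": genuine_ok,
        "auth_rejects_replay": not replay_ok,
    }
```

The counter is what turns "authenticated" into "not replayable": without it, an attacker who sniffs one tagged keystroke frame can resend it at will, which for a dongle that types commands is as bad as forging.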
Lights-Out Worm
Who needs to hack the power company when all it takes is one smart lightbulb rigged with a worm to spread to nearby lights within minutes?
At Black Hat USA this summer, researcher Colin O'Flynn, who is CTO of NewAE Technology Inc., outlined work he and fellow researchers Eyal Ronen, Adi Shamir, and Achi-Or Weingarten conducted with the Philips Hue smart lighting system to demonstrate how a worm could be unleashed to turn out (or on) the lights in a city or local area, or even to wage a distributed denial-of-service attack.
"The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity," the researchers wrote in a research paper.
They wanted to illustrate how plugging in just one infected bulb anywhere in a city using the smart lights could then spread to adjacent lights throughout the city.
While the attack sounds simple on paper, it was actually quite sophisticated. The researchers discovered and exploited a vulnerability in the Touchlink element of the ZigBee Light Link protocol, and devised a side-channel attack to extract the global AES-CCM key that Philips uses to encrypt and authenticate new firmware, so they could inject their own firmware carrying the worm. Because that key is shared by every bulb rather than being unique per device, recovering it once was enough to sign firmware for all of them.
"To make such an attack possible, we had to find a way to remotely yank already installed lamps from their current networks, and to perform over-the-air firmware updates," they wrote.
Stuxnet's Silent Successor?
Stuxnet, the destructive attack that sabotaged and ultimately damaged centrifuges in Iran's Natanz uranium-enrichment facility, met its demise and was outed when the self-propagating worm spread outside the facility to other Windows machines.
A pair of researchers at Black Hat Europe in November demonstrated what they describe as a silent rootkit for the programmable logic controllers (PLCs) that control physical processes such as water and power in an industrial network. Researcher Ali Abbasi, a Ph.D. candidate in the distributed and embedded system security group at the University of Twente, Netherlands, and Majid Hashemi, a system programmer and independent security researcher at the time of their research, say their rootkit, unlike Stuxnet, can't be detected. That's because their creation sits directly on the PLC, at a lower level of the system, in dynamic memory, where it's less likely to be spotted.
Abbasi and Hashemi's PLC rootkit manipulates the PLC I/O process, so if a plant's parameters require that a gate be opened to relieve pressure when a boiler temperature reaches 80 degrees Celsius, the rootkit could manipulate the temperature values the control logic sees and cause the boiler to overheat and explode, according to Abbasi. He says that in PLCs, the I/O operations are one of the most important tasks.
The attack basically exploits inherent security weaknesses in the PLC hardware.
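The boiler scenario above comes down to one thing: the control logic is correct, but the input it reads has already been altered underneath it. The simulation below is an added example, not Abbasi and Hashemi's rootkit or any vendor's PLC runtime; the scan cycle, the toy boiler physics, and the numbers are all constructed. It runs a clean PLC and one whose input stage is hooked, then shows the one check that survives a lie in the I/O path: comparing what the logic sees against a sensor the PLC does not mediate.

```python
# Constructed simulation of a PLC scan cycle (read inputs, run logic, write
# outputs) and of a rootkit that hooks the input stage so the control logic
# never sees the real temperature. Added illustration, not Abbasi and
# Hashemi's rootkit and not any vendor's runtime. All values are constructed.
RELIEF_THRESHOLD_C = 80.0


class Boiler:
    """Toy physics: temperature climbs 5 C per scan with the gate shut and
    falls 10 C per scan when the relief gate is open."""

    def __init__(self, temp_c: float = 60.0):
        self.temp_c = temp_c
        self.gate_open = False

    def step(self) -> None:
        self.temp_c += -10.0 if self.gate_open else 5.0


class PLC:
    def __init__(self, boiler: Boiler, input_hook=None):
        self.boiler = boiler
        self.input_hook = input_hook   # where the rootkit sits: below the logic
        self.image_temp = None         # process image the ladder logic reads

    def read_inputs(self) -> None:
        raw = self.boiler.temp_c
        self.image_temp = self.input_hook(raw) if self.input_hook else raw

    def run_logic(self) -> None:
        # The plant rule from the article: open the relief gate at 80 C.
        self.boiler.gate_open = self.image_temp >= RELIEF_THRESHOLD_C


def rootkit_hook(raw_c: float) -> float:
    # Report a value just under the threshold so the gate never opens.
    return min(raw_c, RELIEF_THRESHOLD_C - 2.0)


def divergence_alarm(image_temp: float, independent_c: float, tolerance_c: float = 3.0) -> bool:
    """Out-of-band check: what the logic sees versus a sensor the PLC does
    not mediate. A gap beyond the tolerance means the I/O path is lying."""
    return abs(image_temp - independent_c) > tolerance_c


def run(scans: int, hooked: bool) -> dict:
    boiler = Boiler()
    plc = PLC(boiler, rootkit_hook if hooked else None)
    peak, alarms = boiler.temp_c, 0
    for _ in range(scans):
        plc.read_inputs()
        independent_c = boiler.temp_c          # second sensor, sampled at the same instant
        if divergence_alarm(plc.image_temp, independent_c):
            alarms += 1
        plc.run_logic()
        boiler.step()
        peak = max(peak, boiler.temp_c)
    return {"peak_c": peak, "alarms": alarms}
```

With the hook in place the logic never sees 80 C, the gate stays shut, and the simulated boiler runs away to 110 C in ten scans; the only signal is the growing gap between the process image and the independent reading. A check that only inspects the PLC's own logic or its reported values would pass, which is the point the researchers make about a rootkit living below the logic.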
Machines Hacking Machines (No Human Hacker Required)
DARPA hosted one of the most intriguing contests at DEF CON this year: the first-ever all-machine Capture the Flag contest. Teams of researchers brought their hacking machines to the ring to go at it in a live forum against the contest's testbed of challenges as well as their opponents' machines.
The so-called Cyber Grand Challenge featured high-performance autonomous systems, aka cyber reasoning systems, that were tasked with finding and fixing security flaws in the contest's air-gapped network.
Seven teams, associated mainly with various universities, for 12 hours watched their machines reverse-engineer binary software, write new intrusion detection system signatures to protect themselves from opposing teams, and patch and defend their own machines.
A machine called Mayhem won, and the team, which has ties to Carnegie Mellon University, took home a $2 million prize for their efforts.
In case you're wondering how the machines did: six of the seven machines patched the contest's SQL Slammer flaw, and six of the seven did the same with Heartbleed, all within a matter of minutes.
"This is a huge deal," said Visi, a white hat hacker who helped with the play-by-play commentary during the DEF CON contest. "In the past, patching these vulnerabilities took humans days and weeks of doing the work by hand."
An IoT Security Vigilante Writes a Worm to Infect and Fix Lame Passwords
Weak, default passwords are notoriously common among Internet of Things devices. The danger of these passwords became painfully obvious with the arrival of the Mirai botnet, a bot army of IoT devices used to wage distributed denial-of-service (DDoS) attacks, including one against a DNS provider this year.
So Leo Linsky, a software engineer and researcher with network monitoring company PacketSled, decided to take a more aggressive approach to securing All The Things: he wrote what he called an anti-worm worm that hacks into IoT devices using their default credentials and then changes their passwords to strong credentials. Linsky's vigilante worm was a proof-of-concept for academic purposes only, although he published the PoC on GitHub.
The idea is to show that devices can be patched by a worm that deletes itself after changing the password to something device-specific or random, he wrote.
Such a tool could theoretically be used to reduce the attack surface, he said, but should only be tested in closed research labs.
The worm caused some uproar, with ethical and legal concerns over how it could fail or be abused. But it also spurred discussion over more proactive ways to lock down vulnerable digital video recorders, routers, and IP cameras from Mirai and other threats.
"This is the cybersecurity equivalent of vigilante justice," Jonathan Sander, vice president of product strategy at Lieberman Software, told Dark Reading. "People love a vigilante while what they are doing works. The moment a vigilante does something wrong, however, the public tends to turn against them."
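The anti-worm's payload, stripped of its propagation, is a default-credential check followed by a password rotation, and the debate above is really about scope: who is allowed to run that on which devices. The code below is an added example, not Linsky's PoC. Devices are in-memory records and "login" is a function call rather than telnet; the credential pairs are constructed placeholders, not a real Mirai list. It separates a read-only audit from a remediation that touches only hosts on an explicit authorization list and verifies that the default is actually dead afterwards.

```python
import secrets
import string

# Constructed placeholder default credentials (not a real Mirai list).
DEFAULT_CREDS = [("admin", "admin"), ("root", "root"), ("root", "12345"), ("admin", "1234")]


class Device:
    """Stand-in for a DVR, camera or router; login is a function call, not telnet."""

    def __init__(self, host: str, user: str, password: str):
        self.host, self.user, self.password = host, user, password

    def login(self, user: str, password: str) -> bool:
        return user == self.user and password == self.password

    def set_password(self, new_password: str) -> None:
        self.password = new_password


def find_default_login(device: Device):
    """Return the (user, password) default that works, or None."""
    for user, pw in DEFAULT_CREDS:
        if device.login(user, pw):
            return user, pw
    return None


def device_specific_password(length: int = 20) -> str:
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit(devices) -> dict:
    """Read-only: which hosts accept a default login (the Mirai-exposed set)."""
    return {d.host: find_default_login(d) for d in devices}


def remediate(devices, authorized_hosts) -> dict:
    """The anti-worm's payload without the worm: log in with the default,
    rotate to a device-specific secret, verify the default no longer works.
    Only hosts in `authorized_hosts` are touched; an explicit scope like this
    is what separates administration from vigilantism. Returns {host: new_password}."""
    rotated = {}
    for d in devices:
        if d.host not in authorized_hosts:
            continue
        creds = find_default_login(d)
        if creds is None:
            continue
        new_pw = device_specific_password()
        d.set_password(new_pw)
        if d.login(*creds):  # must never happen; fail loudly rather than claim success
            raise RuntimeError(f"{d.host}: default credential still works after rotation")
        rotated[d.host] = new_pw
    return rotated
```

The returned passwords have to go somewhere (a vault, a config management system); a worm that rotates a password and then deletes itself, as the PoC was described as doing, leaves the owner locked out of their own device, which is one of the failure modes the critics were pointing at.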
$5 PoisonTap Tool Hacks Locked Windows, Mac Machines
White-hat hacker Samy Kamkar built a Raspberry Pi-based tool for a mere $5 that can hijack Internet traffic from a password-locked computer. The so-called PoisonTap tool, which plugs into a USB port, installs a persistent Web-based backdoor on the Windows or Mac OS X machine.
It doesn't exploit a security bug; instead, it abuses the inherent trust that operating systems place in USB, HTTP, DHCP, and DNS.
PoisonTap emulates an Ethernet device, so Windows and OS X automatically load it, even on a locked machine. The hack then fools the machine into prioritizing it over the existing Internet connection.
"Normally it would be irrelevant if a secondary network device connects to a machine as it will be given lower priority than the existing (trusted) network device," Kamkar said. PoisonTap then gets all the network traffic and is able to intercept HTTP requests and steal cookies, for instance.
It's actually easy to defend against this attack, though: Kamkar says it doesn't work against HTTPS, for example, and cookies set with the Secure flag are never sent over plaintext HTTP, so an on-path device like PoisonTap never sees them.
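Why the Secure flag matters is clearest when you model what the browser will volunteer to a plaintext request. The code below is an added example, not Kamkar's PoisonTap code: a minimal cookie jar that parses Set-Cookie headers (only the name, value, Secure and Domain attributes are modeled) and decides which cookies a browser attaches to a given URL, followed by a stand-in for what an on-path device harvests when it forces http:// requests to a list of hosts. The sites and cookie headers are constructed.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header: str, origin_url: str) -> dict:
    """Minimal Set-Cookie parser: name, value, Secure, Domain (host-only if
    no Domain attribute). Other attributes are ignored on purpose."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name, "value": value, "secure": False,
              "domain": urlsplit(origin_url).hostname.lower(), "host_only": True}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "secure":
            cookie["secure"] = True
        elif key.lower() == "domain" and val:
            cookie["domain"] = val.lstrip(".").lower()
            cookie["host_only"] = False
    return cookie


class Jar:
    def __init__(self):
        self.cookies = []

    def store(self, header: str, origin_url: str) -> None:
        c = parse_set_cookie(header, origin_url)
        self.cookies = [x for x in self.cookies if (x["name"], x["domain"]) != (c["name"], c["domain"])]
        self.cookies.append(c)

    def cookies_for(self, url: str) -> list:
        """Names of the cookies a browser would attach to a request for `url`."""
        u = urlsplit(url)
        host, https = u.hostname.lower(), u.scheme == "https"
        sent = []
        for c in self.cookies:
            domain_ok = host == c["domain"] or (not c["host_only"] and host.endswith("." + c["domain"]))
            if domain_ok and (https or not c["secure"]):
                sent.append(c["name"])
        return sorted(sent)


def poisontap_harvest(jar: Jar, hosts) -> dict:
    """What an on-path device sees: it forces a plaintext http:// request to
    each host (PoisonTap does this through injected iframes) and records the
    cookies the browser volunteers."""
    return {h: jar.cookies_for(f"http://{h}/") for h in hosts}


def demo() -> dict:
    jar = Jar()
    # Constructed Set-Cookie headers from three constructed sites.
    jar.store("session=abc123; Secure; HttpOnly; Path=/", "https://bank.example/login")
    jar.store("tracker=t-42", "https://shop.example/")
    jar.store("sid=s-7; Domain=.shop.example", "https://www.shop.example/")
    return poisontap_harvest(jar, ["bank.example", "shop.example", "www.shop.example"])
```

The bank's session cookie never leaves the browser over http://, while the shop's cookies, set without Secure, are handed to whoever answers the forced plaintext request. HSTS closes the remaining gap by refusing to make the http:// request at all, which the model above does not cover.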
Gone in 6 Seconds: A Frighteningly Easy Visa Credit Card Hack
Researchers at the UK's Newcastle University devised a technique for bypassing the security features for online payments that allowed them to guess full credit-card details in six seconds.
The so-called Distributed Guessing Attack nabs the credit or debit card number, security code, and expiration date of Visa payment cards, literally via guesswork.
The attack automatically generates and verifies different combinations, and exploits the fact that, in many cases, online sites have no way to detect multiple invalid payment requests for the same card spread across different sites. It also takes advantage of the fact that not all websites require the three-digit security code on the back of the card, nor the address and other information.
An attacker then can get card details one field at a time by automatically generating and verifying various combinations. "The unlimited guesses, when combined with the variations in the payment data fields, make it frighteningly easy for attackers to generate all the card details one field at a time," said Mohammed Ali, a PhD student in Newcastle University's School of Computing Science.
The hardest part was getting the cardholder's address,
Visa, meanwhile, maintains that the research doesn't take into account fraud-prevention measures employed by the payment system.
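Two things make the attack work: guessing one field at a time collapses the search space, and spreading the guesses over many merchants keeps each site's decline count small. The simulation below is an added example, not the Newcastle researchers' tooling. It sizes the search for the two guessed fields, then runs a constructed burst of wrong guesses round-robin across merchants against a per-merchant decline limit (what a single site can enforce) and against a limiter that correlates declines for one card across all merchants within a time window (what only the issuer or the card network can see). The card number is the well-known test number, not a live card.

```python
from collections import defaultdict


def guess_space() -> dict:
    """Size of the search once the card number is known: expiry is one of 60
    month/year pairs over five years, the security code one of 1000. Guessing
    each field separately costs at most 60 + 1000 tries, not 60 * 1000."""
    expiry, cvv = 12 * 5, 10 ** 3
    return {"expiry": expiry, "cvv": cvv,
            "one_field_at_a_time": expiry + cvv, "all_at_once": expiry * cvv}


class PerMerchantLimiter:
    """What one site can see: block a card after N declines at that site."""

    def __init__(self, max_failures: int = 10):
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def allow(self, merchant: str, pan: str) -> bool:
        return self.failures[(merchant, pan)] < self.max_failures

    def record_decline(self, merchant: str, pan: str) -> None:
        self.failures[(merchant, pan)] += 1


class IssuerWideLimiter:
    """What only the issuer or network can see: declines for one card across
    every merchant within a sliding time window."""

    def __init__(self, max_failures: int = 10, window_s: float = 60.0):
        self.max_failures, self.window_s = max_failures, window_s
        self.declines = defaultdict(list)

    def allow(self, pan: str, now: float) -> bool:
        recent = [t for t in self.declines[pan] if now - t <= self.window_s]
        self.declines[pan] = recent
        return len(recent) < self.max_failures

    def record_decline(self, pan: str, now: float) -> None:
        self.declines[pan].append(now)


def simulate(n_merchants: int, total_guesses: int, merchant_limit: int = 10, issuer_limit: int = 10) -> dict:
    """Spread `total_guesses` wrong guesses round-robin over `n_merchants`
    sites in about six seconds and count how many each limiter lets through."""
    pan = "4111111111111111"  # well-known test number, not a live card
    per_merchant = PerMerchantLimiter(merchant_limit)
    issuer_wide = IssuerWideLimiter(issuer_limit)
    allowed = {"per_merchant": 0, "issuer_wide": 0}
    for i in range(total_guesses):
        merchant, now = f"merchant-{i % n_merchants}", i * 0.006  # constructed timing
        if per_merchant.allow(merchant, pan):
            allowed["per_merchant"] += 1
            per_merchant.record_decline(merchant, pan)  # every wrong guess is a decline
        if issuer_wide.allow(pan, now):
            allowed["issuer_wide"] += 1
            issuer_wide.record_decline(pan, now)
    return allowed
```

With 1,000 guesses over 200 merchants, no merchant ever sees more than five declines, so the per-merchant limit never fires, while the issuer-wide view stops the card after ten. That cross-merchant correlation is the kind of fraud-prevention measure Visa's response alludes to; whether it is enforced at the speed the attack runs is the question the research raised.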
Car Hackers Miller & Valasek Literally Accelerate their Epic Jeep Hack
Car hacking research is all the rage now, and not much about gaping security holes in vehicles is really surprising anymore. But famed car hackers Charlie Miller and Chris Valasek this year still were able to top their epic 2015 remote hack of the Jeep Cherokee traveling at low speed: this time, they hacked and wrested control of the Jeep's accelerator, brakes, steering, and electronic parking brake at far more dangerous high speeds.
Miller and Valasek wowed, and mortified, the industry with their 2015 hack, recorded on video, of how they could control the 2014 Jeep Cherokee's electronic functions while sitting on Miller's couch with their laptops 10 miles away. Those hacks were limited to the Jeep traveling at about five miles per hour.
At Black Hat USA in August of this year, the pair fine-tuned their original hacks and tricked the Jeep's controls by impersonating CAN bus messages to it. "This is a new class of attacks against CAN messages," Miller said.
Unlike their previous live hack, when they remotely controlled the Jeep while Wired journalist Andy Greenberg was at the wheel, this time they physically plugged into the diagnostic port of the vehicle to hack it.
They spun the steering wheel 90 degrees while traveling at 60 mph in one attack, and were able to permanently immobilize the electronic parking brake. "We disabled all aspects of steering, so it's super-hard to turn the wheel and even harder if you drive the car without steering [capability] … at any speed," Miller said.
But the researchers warned that their latest research doesn't just apply to the Jeep; other vehicles are vulnerable to this type of attack.
Jeep maker FCA US LLC said Miller and Valasek's attacks in reality would be difficult to pull off and would require extensive technical knowledge of the vehicle. "Based on the material provided, while we admire their creativity, it appears that the researchers have not identified any new remote way to compromise a 2014 Jeep Cherokee or other FCA US vehicles," the company said.
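Impersonating CAN messages works because CAN frames carry no sender identity: any node can transmit any arbitration ID. What an impostor cannot easily hide is cadence, since most control messages are periodic and a second sender doubles the rate for that ID. The code below is an added example, not Miller and Valasek's tooling, and it is a generic periodic-ID check rather than a reconstruction of their specific technique. It parses candump-style log lines, learns each ID's period from a clean capture, and flags time windows where an ID arrives markedly faster than learned. The arbitration IDs, periods, and payloads are constructed and belong to no real vehicle.

```python
import statistics
from collections import defaultdict


def parse_frame(line: str):
    """Parse a candump-style log line "(ts) iface ID#HEXDATA". The lines used
    below are constructed; the format follows can-utils' log output."""
    ts, _iface, frame = line.split()
    can_id, _, data = frame.partition("#")
    return float(ts.strip("()")), int(can_id, 16), bytes.fromhex(data)


def periodic(can_id: int, period_s: float, n: int, data: str = "0000000000", start_s: float = 0.0):
    # Constructed traffic: one ECU emitting `can_id` every `period_s` seconds.
    return [f"({start_s + i * period_s:.3f}) can0 {can_id:03X}#{data}" for i in range(n)]


def learn_periods(lines) -> dict:
    """Median inter-arrival time per arbitration ID, learned from clean traffic."""
    times = defaultdict(list)
    for line in lines:
        ts, cid, _ = parse_frame(line)
        times[cid].append(ts)
    periods = {}
    for cid, t in times.items():
        if len(t) > 2:
            t = sorted(t)
            periods[cid] = statistics.median(b - a for a, b in zip(t, t[1:]))
    return periods


def detect_injection(lines, periods: dict, window_s: float = 0.1, tolerance: float = 1.5) -> list:
    """Count frames per (ID, window). A periodic ID with more than `tolerance`
    times its expected count in a window has a second sender on the bus."""
    win_ms = int(window_s * 1000)
    counts = defaultdict(int)
    for line in lines:
        ts, cid, _ = parse_frame(line)
        counts[(cid, int(round(ts * 1000)) // win_ms)] += 1
    alerts = []
    for (cid, w), n in sorted(counts.items()):
        if cid in periods and n > tolerance * (window_s / periods[cid]):
            alerts.append((cid, w))
    return alerts


# Constructed baseline capture: ID 0x244 every 10 ms, ID 0x1F0 every 20 ms.
CLEAN = periodic(0x244, 0.010, 100) + periodic(0x1F0, 0.020, 50)
# Constructed attack: a second sender spoofs ID 0x244 at the same rate from t=0.505 s.
ATTACK = CLEAN + periodic(0x244, 0.010, 50, data="FF00000000", start_s=0.505)
```

The check fires only for the spoofed ID and only in the windows where the impostor is transmitting; the unrelated ID keeps its learned cadence and stays quiet. An attacker who first silences the genuine sender and then takes over its ID keeps the rate unchanged and would not be caught by this check, which is why such a detector is paired with other signals rather than relied on alone.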
Related Content:
9 Coolest Hacks Of 2015
The Coolest Hacks Of 2014
Slide Show: The Coolest Hacks Of 2013
The 5 Coolest Hacks Of 2012