TSA baggage scanners, evil USB sticks, and smart homes were among the targets in some of the most creative — and yes, scary — hacks this year by security researchers.
It’s easy to forget some of the more innovative and eye-popping hacks by the good guys in 2014 amid the painful and unprecedented wave of cybercrime, cyber espionage, and cyber mayhem that the world has witnessed the past 12 months.
But the lessons learned from the epidemic of retailer hacks this year starting with Target, and the unprecedented destructive breach and doxing of Sony that to date has come as close to an international incident as any cyberattack, serve as a chilling reminder that any organization’s computing infrastructure is breakable by bad hackers. And that raises the stakes in the race to find new security weaknesses before the bad guys do.
The epidemic of real-world breaches this year has lent some blatant and highly tangible credence to the dangers of malicious hacking that white hat hackers for years have been warning about and demonstrating in their own research.
So yes, our annual lighthearted look back at the year’s coolest hacks by the good guys has a more profound feel to it now. Even so, kick back with some holiday cheer and have a look at some of the more memorable and creative hacks this year:
A weaponized PLC
Programmable logic controllers (PLCs), the systems that run machinery in power plants and manufacturing sites, are traditionally the target of attackers looking to disrupt or sabotage critical systems. But Digital Bond researcher Stephen Hilt earlier this year decided to rig a PLC with a low-cost hacking tool that would allow the system to shut down a process control network via a text message.
The so-called “PLCpwn” hacking tool cost Hilt about $400 and a couple of weeks to build, and lets an attacker bypass perimeter security and air gaps to wreak havoc on the plant floor. “It can cause a large disruption with a single text message,” Hilt said. “It will sweep an entire subnet with STOP CPU,” and is capable of data exfiltration and injection-style attacks, he said.
Hilt’s weaponized PLC uses attack modules previously written by Digital Bond, and is based on a 5-volt Raspberry Pi board with DualComm Tap and a DroneCell card for communications.
Cheating TSA’s carry-on baggage scanners
Turns out you can easily sneak a weapon or a banned substance past US airport security by exploiting “lame bugs” in a pervasive X-ray scanner for carry-on baggage at TSA checkpoints.
That’s how renowned researcher Billy Rios described the flaws in the Rapiscan 522 B X-ray system used by the TSA at some major airports. Rios and his colleague Terry McCorkle discovered some painfully wide-open holes in the scanners, including user credentials stored in plain text, the outdated Windows 98 as the underlying operating system, as well as a training feature for screeners that injects .bmp images of contraband, such as a gun or knife, into a passenger carry-on in order to test the screener’s reaction during training sessions. The researchers say the weak logins could allow a bad guy to project phony images on the X-ray display.
They were able to easily bypass the login screen and see the stored user credentials sitting in the database store. “These bugs are actually embarrassing. It was embarrassing to report them to DHS — the ability to bypass the login screen. These are really lame bugs,” Rios said.
Hacking satellite ground terminals by air, sea, land
Ruben Santamarta found critical design flaws in the firmware of popular satellite land equipment that could allow attackers to hijack and disrupt communications links to ships, airplanes, military operations, industrial facilities, and emergency services.
An attacker could install malicious firmware or even send an SMS text message to spoof communication to a ship, for example. Another, even scarier possibility: he could wrest control over the Satellite Data Unit or SwiftBroadband Unit interface in the satellite terminals sitting on an airplane’s in-flight WiFi network via its weak password-reset feature, hardcoded credentials, or the insecure protocols that support the so-called AVIATOR 700 satellite terminal, and could also compromise the satellite link communications channel used by the pilot.
“We’re not crashing planes here,” Santamarta said of the potential danger, but some of the vulnerabilities could pose a safety risk, he said.
In many cases the attacker would need physical access to the ground equipment, as well as knowledge of the firmware and its security weaknesses.
Smart home devices not so savvy
If an attacker has physical access to your Nest Learning Thermostat or your DropCam camera, bad things can happen easily — and fast. Two groups of researchers this summer demonstrated the ease with which an attacker can turn the devices against their owners to spy on them, attack other devices on the network, or spoof their activities.
University of Central Florida researchers Grant Hernandez and Yier Jin and independent researcher Daniel Buentello showed at Black Hat USA how in less than 15 seconds a bad guy can rig a Nest with a micro USB cable and backdoor to spy on the owner, capture wireless credentials, as well as attack other home network devices. Another risk would be Nests backdoored and then returned to a store or resold on Craigslist to target a neighborhood, for example.
DropCam, the plug-and-play webcam-based video monitoring system used for watching over your house while on vacation or on the kids at daycare, can be similarly abused. Synack researchers Patrick Wardle and Colby Moore at DEF CON this summer demonstrated holes in the WiFi security cameras, such as intercepting video and hot-miking audio for spying purposes. Wardle and Moore inserted a malware “implant” that can infect computers used to configure a DropCam camera.
“Don’t trust a camera from strangers,” Wardle said, a theme echoed by the Nest hackers on the potential for rigged smart thermostats.
Meanwhile, security researcher David Jacoby of Kaspersky Lab recently put his own smart home to the test. That’s right — he hacked his own home, specifically his smart TV, satellite receiver, DVD/Blu-ray player, network storage devices, and gaming consoles. “Before I started, I was pretty sure that my home was pretty secure. I mean, I’ve been working in the security industry for over 15 years, and I’m quite paranoid when it comes to such things as security patches,” Jacoby wrote in a blog post on Dark Reading sharing his findings.
But Jacoby quickly found flaws in his network-attached storage systems, smart TV, and in his home router, including weak default passwords, incorrect permissions in configuration files, and plain text passwords. “The DSL router used to provide wireless Internet access for all other home devices contained several hidden dangerous features that could potentially provide the Internet service provider remote access to any device in my private network. The results were shocking, to say the least,” Jacoby said.
Crashing the vehicle traffic control system
Outfitted with a backpack carrying his prototype access point to passively test access to the vehicle traffic control systems in major cities including Washington and New York, researcher Cesar Cerrudo was able to reach traffic control equipment, and the access points supporting it, from a few hundred yards away.
Cerrudo found that hundreds of thousands of road traffic sensors and repeater equipment are at risk of attackers wreaking havoc that could result in traffic jams or even vehicle crashes. In his experiment, Cerrudo discovered the devices communicate traffic information in clear text and don’t authenticate the data, opening the door for possible sabotage.
The Sensys Networks sensors he tested detect vehicles and use that data to determine the timing of traffic lights and for issuing electronic alerts of events on the highway. “You can sniff the wireless data, learn how the system was configured, how it was working, and then just launch an attack with fake data,” Cerrudo said. The access point will accept the phony traffic data, but an attacker would need to know where the AP, repeaters, and sensors are located at the intersection he or she targets.
Sensys Networks recently updated its software, but Cerrudo said it’s difficult to confirm whether the updates fix the security flaws because the nature of the patches wasn’t public.
One bad-ass USB
Don’t trust that USB stick. Researchers Karsten Nohl and Jakob Lell created “BadUSB,” a weaponized USB stick that, once plugged into a machine, can wage attacks on the network. The pair basically reverse-engineered and retooled the stick’s controller firmware to become an attack tool that, among other things, steals information or installs malware.
An Android phone plugged into a computer could intercept all network traffic to and from that machine, for instance, and Nohl said there isn’t much you can do to prevent BadUSB attacks. Anti-malware software only scans the data on a USB stick, not the firmware, for example, he noted.
BadUSB can’t be cleaned up by reinstalling the operating system, and it can replace the computer’s BIOS by posing as a keyboard and unlocking a hidden file on the stick.
A worm in your NAS
Jacob Holcomb this fall constructed a proof-of-concept, self-replicating worm that scans for vulnerable services running on network-attached storage devices and identifies the NAS device. If a NAS is vulnerable, the worm launches an exploit to take over the device and then spreads to other NAS devices.
“I wanted to actually develop a POC myself and present it so people can understand the ramifications as my findings are being demonstrated and publicly disclosed, versus six months later when adversarial attackers are trying to exploit it for profit,” Holcomb said.
Holcomb, a security analyst at Independent Security Evaluators, has been studying flaws in NAS devices for the past year or so, and the list of vulnerable products is a who’s who of the storage market: Seagate, D-Link, Lenovo, Buffalo, QNAP, Western Digital, Netgear, ZyXEL, Asustor, TRENDnet, HP, and Synology. “Pretty much everything we do relies on some form of backend storage for access,” he said of the problem.
Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, CommunicationsWeek, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at The College of William & Mary. Follow her on Twitter @kjhiggins.