Black Hat 2011: The Rise Of The Machines

I attended the Black Hat Briefings this year after teaching the "Advanced Vulnerability Scanning Using Nessus" course. There were several really great presentations covering a wide range of topics. My only wish is that I could have cloned myself and attended more of the talks! Following is a recap of the presentations I attended:

Don Bailey - War Texting Weaponizing Machine 2 Machine

Several of the presentations this year centered on the topic of embedded systems. This is right up my alley, as I've always had a fascination with embedded computing. Don gave some great examples of embedded systems, including:

• Glowcap, a cellular wireless enabled pill bottle cap that reminds you to take pills and notifies the doctor if you are taking too few, or too many, pills. The product is targeted at people who have disabilities that prevent them from taking medication regularly. This was touted as a bad idea, as health information is traveling over several different systems, and in the air, potentially unencrypted.
• Zoomback, an "advanced GPS tracker" featured on Oprah”, primarily marketed as a tool to track your children by putting it in their backpacks. It contains a GPS chip, a GSM chip for communications (primarily SMS), and a web interface. One problem with this idea is that the firmware is binary (not encrypted) and the communications are poorly authenticated. An interesting feature leads to certain defeat; the device uses cell phone tower triangulation when the GPS could not contact the GPS satellites. The end result is that, via SMS, attackers can change where the device believes its location is since the telemetry information from the towers can be spoofed. So, if your car is in the parking lot, the Zoomback web site can report it to be in Pakistan.
• The car security model - Don could not disclose the vendor, however using the same enumeration and attack strategies, he was able to control a car security system. Cars are using the same technology, allowing owners to unlock and start their cars using their smartphones. A video demonstration was given where they were able to unlock and start a car remotely using a laptop. The car security system chip did in fact have protections, likely encrypted firmware and message signing and/or encryption. However, these were easily bypassed.

Bailey's method for finding and exploiting vulnerabilities on the various platforms was interesting. First, he would identify the industry and products being targeted (Google is helpful for this). Next, he found the processors being used in the devices (e.g., forum posts, news items/press releases, more Google searches). Then, once the hardware was identified he used various techniques to intercept the command structure using a demo unit, use hardware attacks to get firmware and keys, and extract commands by reverse engineering firmware. Once he knew how the device functioned and what commands it expected, he would find the devices on network and then attack them. He used his previous research to be able to fingerprint the devices on the GSM network.

The presentation did a good job of outlining the threats to the "mainframe in your pocket" problem; how we carry and use computers in everyday life that often do not implement security very well (e.g., pill bottles, trees, bugs, medical devices, alarm systems, ATMs, car security systems). The really interesting thing for me is that so-called "cyber-attacks" are now crossing into the real world. It’s one thing to have your credit card stolen, and another to have your car stolen or your house broken into. Another scary thought on embedded security is that since the chips are lightweight, they are both easy to reverse engineer (fewer registers) and difficult to implement good cryptography.

Defenses for these attacks include; spending the extra money and using chips that implement good crypto, use nonces and tokens to validate requests, and not embedding IP addresses in SMS messages. The tools showcased in the presentation are available on www.wartexting.org.

Femtocells: a Poisonous Needle in the operators Hay Stack (Ravishankar Borgaonkar, Nico Golde, Kevin Redon)

A femtocell is a small access point that connects your phone to a local 3G/UMTS network within a range of less than 50 meters. It then uses the IP network to connect the calls to the provider. They are meant to improve coverage in rural areas, offering high bandwidth and quality without the expense of building towers in low population areas. Typically, they offer location based services as not everyone can use the femtocell; only the phones that are pre-programmed into the device can access it. They also help to offload traffic from the main towers and are cheaper to maintain as the user is responsible for configuration and setup. The device that was used for testing is provided by SFR, an ISP in France (and the 2nd ISP to offer femtocells in Europe) and costs 99 Euro (plus the cost of the cell phone). The device is an ARM-based CPU from Ubiquisys that runs embedded Linux with proprietary services to manage the cellular data.

The presenters began to reverse engineer the firmware and found that updates were not authenticated. To put it in “command line speak”, they noticed that wget was being run with "--no-check-certificate". They were also able to reverse engineer the binaries within the firmware itself, enabling a library call (dbg_trace) and using IDA Pro. Creating the "IMSI catcher", which allowed them to perform man-in-the-middle attacks against cell phones, was pretty simple. Using a "hidden" web interface they changed the authentication scheme for connecting phones from "closed" to "open access", which means that any phone in range would connect to the device.

Before connecting to the cellular provider over IP, the device initiated an IPSEC tunnel, that the researchers were able to snoop on by hijacking and parsing the ISAKMP messages using Wireshark. The phone calls were then dumped as WAV files and played back. Interception of SMS messages was also possible as was the ability to impersonate other subscribers and force a phone to route to any number desired, such as a costly 1-900 number.

You can find more information about this talk at the following URL: http://femto.sec.t-labs.tu-berlin.de/

Aerial Cyber-apocalypse - If We can do it... So can they! - Richard Perkins & Mike Tassey

I have to say, I've never really woken up one day, got out of bed and said, "You know, today I should really start building a Unmanned Aerial Vehicle (UAV)". Apparently both Mike and Richard had such a day, and 2 years later, they had a working remote-controlled airplane. But this is no ordinary UAV. This one runs BackTrack Linux, USRP, OpenBTS, OpenVPN, Kismet, and a host of other tools to launch a "cyber aerial assault". It’s all battery powered, low profile, silent at distances of more than 50 feet, and carries with it a 1-watt Wi-Fi card with a 7Dbi antenna.

At the surface, this may sound like something from the movies. However, while you can do everything that the airplane does from the ground using a laptop, this stuff flies. Not only does it fly, but you can tell it where to fly and know where it’s flying thanks to a built-in GPS and telemetry system that pumps data back to a base station. You can SSH into the plane over an Xbee 900MHz connection, or use its 4G connection implementing OpenVPN over the Internet. Once the plane is in the air it connects to an Internet-connected server running OpenVPN, allowing anyone on the Internet to gain access to the plane's data and SSH connections to control it. They really pushed this one to the limit and seemed to have thought about every possible use case.

Conceivably this could be used to follow someone home and hack into their Wi-Fi network. Or, fly over buildings with tight physical security to launch Wi-Fi attacks. I don't believe we'll see this in penetration testers’ toolkits just yet, but “war flying” is an interesting concept. Positive use includes flying it over disaster areas to provide cell phone services. Since all of the parts are readily available and little customization was done other than some glue and a few shell scripts, anyone could build one for around $6000.
You can visit the creators web site for more information and instructions: http://rabbit-hole.org/.

I attended a few more talks as well, including Chris Paget's talk on Windows Vista security titled "Microsoft Vista: NDA-less The Good, The Bad, and The Ugly". Chris was part of an independent team that reviewed the Vista architecture with developers, developed threat models, read documentation, interviewed project managers / architects, and reviewed the source code, filing as many bug reports as they could. It was a very interesting look at how Microsoft treats software security, and mostly positive with respect to their software development life-cycle.

Charlie Miller gave a "killer" talk on battery hacking. He started by saying that he was not out to make batteries catch on fire or make an exploding laptop, though this is certainly possible. He did find that in order to access the firmware on Apple MacBook and MacBook Pro series laptops, you have to know two passwords: one to be able to read values and another to write values. It turns out these two values are the same on every Apple battery (some 3rd party manufacturers change the password). While you can't plant malware on a system using a battery just yet, the possibility certainly exists. I also learned a lot about how my own battery talks to my computer (why it erroneously reports battery usage), just about the time my own battery died during his talk. Coincidence? I guess we'll never know. As always, I greatly look forward to Black Hat next year!