Destination PWND: Safes, ATMs, phones all fall to Vegas hax0rs
The best of the rest from Black Hat and DEF CON
Analysis BSides, Black Hat, DEF CON... For the last six days, Las Vegas has been home to the top brains in the computer security industry and the business menagerie that follows them – causing some panic among locals.
We've seen the pathetic state of the US electronic voting system exposed, claims of advanced eavesdropping at the Standing Rock camps and elsewhere, killer car washes and the awards for this year's biggest blunders and best research. But there's a lot going on at the edges of the shows that gets missed.
Hacker Jeff Moss kicked the whole conference season off in 1993 with a few hotel suites booked in Vegas where he and his mates would code and party. It has grown into one of the most popular hacking events out there and this year was DEF CON's biggest show ever.
Black Hat was established five years later as a commercial offshoot. It involves days of training before the main show, a day of CIO-level briefings with no press allowed, and then a two-day jamboree with as many as eight tracks of talks running concurrently. Alex Stamos, chief security officer for Facebook, kicked off the opening keynote and it looked more like a rock concert than a technology conference.
This is a security conference, not a rock venue. Is Black Hat getting too big? pic.twitter.com/sNbJTw4vRt— Iain Thomson (@iainthomson) July 26, 2017
"When I brought my girlfriend – now my wife – to the first Black Hat 20 years ago, it was because we were hacking the Man," Stamos joked. "Now, we are the Man."
DEF CON is even more complex. While the show only has four main keynote tracks, there are a plethora of other briefings. The hardware hacking talks are well worth it, the social engineering village is fascinating if unsettling, and there is a phenomenal amount of smaller training sessions dotted around the venue, not to mention informal meet, greet and share hacking talks.
Some of these sessions we'll be reporting on later in the year, when fixes have been found and papers peer-reviewed. But here's a roundup of the best hacks that weren't covered on the day.
Considering how much of our lives is tied to the things these days, mobile phone hacking is a focus for many, and Chinese giant 360 Technology detailed a disturbingly easy way to hijack phones because of lousy network security.
The firm's Unicorn Team pulled off what they called the Ghost Telephonist attack by intercepting the signals between a smartphone and a cell tower. When phones link to a new tower, they send an ID code to ensure connection, but the team found that when phones switch from a 4G to a 2G connection this authentication code is skipped.
By intercepting a signal at the point when it switched network, using an aerial-equipped laptop, an attacker could send texts and take calls from the hacked phone. They could also log onto a Facebook account using the stolen phone's credentials and get a password reset sent to their devices.
The Unicorn Team are now working with operators to fix this issue and that should disable the attack. But, based on other research, telcos are already going to have more problems on their hands with 3G and 4G communications.
Research by Ravishankar Borgaonkar and Lucca Hirschi has found a cryptographic flaw in the authentication system used to connect a 3G or 4G phone to a network. While the flaw doesn't allow the content of calls or messages to be read, it does allow for pinpointing of mobile phone users and provides records of how long they are online.
The flaw also turns out to be very easy to exploit. The team spent just $1,500 on its surveillance system and it's clear that police forces around the world would be willing to pay that – considering that they already use Stingray cellphone targeters in the US, and locally produced equivalents overseas.
But the real doozy of a flaw was Broadpwn, a now-patched remote exploit that left over one billion smartphones open to a worm infection that could have built one of the largest botnets, according to its discoverer Nitay Artenstein of Exodus Intelligence.
Broadpwn stems from a serious flaw in Broadcom's BCM43xx family of Wi-Fi chipsets that would allow malware to install itself on a device's firmware. It could then ping out to other vulnerable devices in range and create a cascade of infections.
Broadcom is one of the biggest suppliers of chipsets to the smartphone industry and the vulnerability is found in every iPhone since its fifth version, Samsung handsets from the S3 to the S8 and all Samsung Note 3s, as well as Google's Nexus 5, 6, 6X and 6P.