In-flight airplanes, social engineers, and robotic vacuums were among the targets of resourceful white-hat hackers this year.
It was a year where malicious hackers waged shockingly bold – and, in some cases, previously unimaginable – false flag attacks, crypto-jacking, social engineering, and destructive malware campaigns. But even with this backdrop of more aggressive and nefarious nation-state and cybercrime attacks in 2018, security researchers still found creative breathing room to pre-empt the bad guys with some innovative hacks of their own.
White-hat hackers – including “tweenagers” – this year cracked into high-profile targets such as in-flight airplane satellite equipment and simulated US election websites, as well as robotic vacuums. They also pwned social engineers and phishers by turning both their verbiage and artificial intelligence (AI) against them in the hopes of beating the bad guys at their own game and exposing the holes before they could be abused.
So forget about that failed bitcoin mining experiment, the Russians in your home router, and the weaponized PowerShell lurking in your network. Instead, take a few minutes to peruse some of the most innovative (aka cool) hacks by security researchers that we covered this year on Dark Reading.
Hacker on a Plane
It took four years, but Ruben Santamarta finally proved his theory that the major vulnerabilities he first discovered in the firmware of satellite equipment and reported in 2014 could be abused to weaponize it. To do so, the IOActive researcher, from the ground, cracked into on-board Wi-Fi networks, saw passengers’ Internet activity, and reached the planes’ satcom equipment, all of which in his previous research he had concluded would be possible – but had been met with some skepticism by experts.
“Everybody told us it was impossible. But basically, it’s possible, and we [now] have proof,” Santamarta told Dark Reading prior to presenting his new findings at Black Hat USA in August.
Santamarta said he found an alarming array of backdoors, insecure protocols, and network misconfigurations in satcom equipment affecting hundreds of commercial airplanes flown by Southwest, Norwegian, and Icelandair airlines. Although the vulnerabilities could allow hackers to remotely gain control of an aircraft’s in-flight Wi-Fi, Santamarta was reassuring that there were no safety threats to airplanes given the way the networks are isolated and configured.
In addition, while scanning the Wi-Fi network on a Norwegian Airlines flight from Madrid to Copenhagen in November 2017, Santamarta revealed at Black Hat that he stumbled on actual malware: A backdoor was running on the plane’s satellite modem data unit, and a router from a Gafgyt Internet of Things (IoT) botnet was reaching out to the satcom modem on the in-flight airplane and scanning for new bot recruits. Luckily, none of the satcom terminals on the plane were infected, but it was a wakeup call for possible threats to come for airlines.
Semantics Expose Phishers
Social engineering is one of the easiest and most foolproof ways to infect Patient 0 in a cyberattack, and not all phishing emails get trapped in a spam filter. So a pair of researchers devised a way to detect social engineers/phishers by “hacking” the language attackers use in their text: They built a tool that runs a semantic analysis to determine malicious intent, using natural language processing to identify sketchy behavior.
Ian Harris, professor at the University of California, Irvine, and Marcel Carlsson, principal consultant at Lootcore, basically exposed the attackers via the language they used in their text and spoken words converted to text. Harris and Carlsson’s phisher-hacking tool detects in emails both questions looking for private data and nefarious commands – which typically are signs of a possible social engineering attack. The tool can be used to flag malicious text messages and phone calls, too.
This word-hacking tool of sorts compares verb-object pairs in the text with a blacklist of randomly chosen phishing emails to analyze semantics and word choice.
“The reason why social engineering has always been an interest … it’s sort of the weakest link in any infosec conflict,” Carlsson told Dark Reading. “Humans are nice people. They’ll usually help you. You can, of course, exploit that or manipulate them into giving you information.”
The old adage of the Apple Mac’s immunity to viruses – propagated, in part, by marketing on Apple’s own website until 2012 – has fallen to the reality of malware writers increasingly targeting MacOS.
Pham Duy Phuc, a malware analyst with Netherlands-based Sfylabs BV, and Fabio Massacci, a professor at the University of Trento in Italy, decided to hack the painstakingly manual process of detecting and analyzing the growing ecosystem of malicious code targeting Macs. They developed a framework called Mac-A-Mal that blends static and dynamic code analysis to find and unmask the inner workings of Mac malware – even the stealthiest variants.
Their tool can operate undetected while it grabs malware binary behavior patterns, such as network traffic, evasion methods, and file operation. “It takes actual behavioral data of malware samples, executions, inside a sandbox,” Phuc said.
The pair has discovered hundreds of new Mac malware samples with the tool. Half of all Mac malware on VirusTotal in 2017 were backdoors, they found, and most of the variants were adware.
Hardware hacking was hot in 2018. In a year that began with the revelation of the now-infamous Spectre and Meltdown flaws in most modern-day microprocessors and a mass scramble to mitigate their abuse, a researcher this summer revealed his chilling hack of a CPU security feature.
Researcher Christopher Domas found a way to break the so-called “ring-privilege model” of modern CPUs, giving him kernel-level control of the machine and bypassing software and hardware security. He demonstrated this at Black Hat USA during his “God Mode Unlocked: Hardware Backdoors in X86 CPUs” talk.
Domas shared the details on how he cracked into the ring and obtained “God mode” control of the machine via a hardware backdoor found in some machines and embedded x86 microprocessors. The backdoor was enabled by default on some systems, which he exploited to obtain kernel control. The good news: Domas said he believed only VIA C3 CPUs were vulnerable to this attack and not later generations of the processor.
His tool, Project Rosenbridge, is on GitHub for other researchers to experiment with. “This work is released as a case study and thought experiment, illustrating how backdoors might arise in increasingly complex processors, and how researchers and end-users might identify such features. The tools and research offered here provide the starting point for ever-deeper processor vulnerability research,” he wrote on the site.
Robotic Vacuums Hoover Data
First your fridge and now your vacuum cleaner.
Researchers from Positive Technologies discovered flaws in the Dongguan Diqee 360 robotic vacuum that could turn it into a mobile surveillance device able to eavesdrop on consumers’ conversations or spy on them via its built-in webcam or smartphone-controlled navigation feature.
A remote code execution bug let the attacker gain superuser rights on the device, after authenticating to the device’s weak default login feature. Another flaw the researchers found in its firmware-update process would allow an attacker to physically input a malicious microSD card.
The obvious dirty little secret: An attacker could use the vacuum cleaner as a hub for stealing information from consumers and spying on them – or even commandeer it for an IoT botnet army. It’s yet another example of consumer IoT devices coming equipped with Internet access and little to no security.
AI as a Weapon
One way to beat adversaries is to think like them. That’s what inspired researchers from Cyxtera Technologies to build an algorithm that simulated how bad guys could weaponize AI for more foolproof phishing attacks.
DeepPhish is all about learning how attackers ultimately could use AI and machine-learning tools to bypass security tools that spot malicious behavior and content. Alejandro Correa, vice president of research at Cyxtera, said that by the end of the year, more than half of phishing attacks will have come via sites with malicious TLS Web certificates. “There is no challenge at all for the attacker to just include a Web certificate in their websites,” he said.
Correa and his team took URLs that had been manually created by attackers and then built a neural network that learned which URLs got past blacklists or other defenses. From there, they could generate new phishing URLs with the best chance of success for attackers. In one test, an attacker that previously had a success rate of 0.7% improved to 20.9% with the DeepPhish AI tool.
“[It will] enhance how we may start combatting and figuring out how to defend ourselves against attackers using AI,” Correa said.
Two 11-year-olds at DEF CON this year pointed SQL injection code at a website replicating the look and feel of the Florida Secretary of State site. Within 15 minutes, they broke in and altered the vote count reports.
Emmett Brewer, aka @p0wnyb0y, was first to crack the simulated state website, in 10 minutes, followed five minutes later by his contemporary Audrey, who changed the vote counts on the simulated Florida Division of Elections site. Brewer awarded himself all of the vote counts and then tweeted: “I think I won the Florida midterms.”
The good news was that the website wasn’t the exact duplicate of the state’s website. The bad news was that all it took for the kids to hack the model website was reading a handout on SQL injection and how to use it – information the organizers gave them and other kid hackers at the R00tz kids’ event within DEF CON.
Jake Braun, co-founder and organizer of the DEF CON Voting Village, said the voting and election hacking events as well as R00tz weren’t meant to be a “gotcha” moment. “The most vulnerable part [of the election system] are these websites,” he said.