Wireless Hacks from Defcon and Blackhat 2015

Adam Tech Trends


Defcon 2015 (ahem, excuse us, DEF CON® 23!) took place this last weekend in Las Vegas, preceded by a week of Black Hat 2015. As always, we look for the odd and interesting in the world of wireless security. A big theme this year was Internet-of-Things. The hundreds of remotely controllable gadgets made for an easy target, even receiving their own village this year. Baby monitors, home automation, FitBits- if it had wireless, it was a target.

Detroit Gets Sent To School

Cars are a hot target this year thanks to Detroit’s insistence on rolling out new technologies while simultaneously refusing to consult anyone already in the tech industry. As such, the tech industry has had fun publicly eviscerating the auto industry’s “security” systems.

One interesting hack involved a MitM that impersonated the OnStar network. GM has already fixed the problem, but certificate validation is still not used across the industry as a whole. Then there was Rolljam, a $30 device that performs a man-in-the-middle attack on wireless key fobs.

To prevent “replay” attacks, fobs generate a new code on each use, and the receiver rejects codes it has already seen. But this little device blocks the code from reaching the car and stores it internally for later use.

Despite the amount of attention given, there’s no word on how effective it is, and car makers have already begun to roll out fobs that attach expiration dates to their transmitted codes. It’s a neat trick, but one we don’t expect to work for much longer.
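How a receiver can enforce the two defences this section mentions (rejecting already-seen codes, and refusing codes that have passed their expiration) is shown below in a simplified rolling-code model. This is an added example written for this post, not code from Rolljam, GM, or any car maker: the HMAC construction, the 16-press look-ahead window, the fob-side timestamp, the shared key and the 30-second lifetime are all assumptions for illustration, and real fobs use their own proprietary schemes.

```python
import hashlib
import hmac
import struct

# Constructed demo key shared by fob and receiver; not a real fob key.
SECRET = b"constructed-demo-key-not-a-real-fob-key"
WINDOW = 16     # how many missed presses the receiver tolerates before resync (assumption)
MAX_AGE = 30    # seconds a transmitted code stays valid (assumption)


def make_code(counter: int, timestamp: int) -> bytes:
    """Fob side: bind a monotonically increasing counter and a timestamp to a MAC.

    Hypothetical wire format: 4-byte counter | 4-byte timestamp | 8-byte truncated HMAC.
    """
    payload = struct.pack(">II", counter, timestamp)
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()[:8]
    return payload + tag


class Receiver:
    """Car side: accepts a code only if it is authentic, unseen, and (optionally) fresh."""

    def __init__(self, use_expiry: bool):
        self.use_expiry = use_expiry
        self.last_counter = 0   # highest counter accepted so far

    def accept(self, code: bytes, now: int) -> str:
        if len(code) != 16:
            return "reject: malformed"
        payload, tag = code[:8], code[8:]
        expected = hmac.new(SECRET, payload, hashlib.sha256).digest()[:8]
        # Constant-time comparison so a forged tag cannot be guessed byte by byte.
        if not hmac.compare_digest(tag, expected):
            return "reject: bad MAC"
        counter, sent_at = struct.unpack(">II", payload)
        # Replay defence: the counter must be strictly newer than anything already accepted.
        if counter <= self.last_counter:
            return "reject: replay"
        # Resync limit: presses made out of range of the car may be skipped, but only so many.
        if counter > self.last_counter + WINDOW:
            return "reject: out of window"
        # Expiry defence: a code the car never saw at press time is worthless once it is old.
        if self.use_expiry and now - sent_at > MAX_AGE:
            return "reject: expired"
        self.last_counter = counter
        return "accept"


def demo(use_expiry: bool) -> list:
    """Replay the same sequence of presses against a receiver with or without expiry."""
    rx = Receiver(use_expiry)
    out = []
    first = make_code(1, 1000)
    out.append(rx.accept(first, 1000))                # fresh press
    out.append(rx.accept(first, 1001))                # the same code presented again
    held = make_code(2, 1002)                         # a press the car never received at the time
    out.append(rx.accept(held, 1002 + MAX_AGE + 1))   # presented well after it was generated
    out.append(rx.accept(make_code(3, 1040), 1040))   # next genuine press; counter 2 was skipped
    return out


if __name__ == "__main__":
    print("counter only:      ", demo(use_expiry=False))
    print("counter + expiry:  ", demo(use_expiry=True))
```

Without expiry, the held-back code is still valid when it is finally presented, which is exactly the gap this section describes; with expiry, the same code is refused, while a genuine later press (counter 3) is still accepted because it falls inside the look-ahead window. The catch for real designs is that the fob needs a clock the receiver can trust, which is part of why this fix is only now appearing.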

A Tesla Gets Hacked

A couple of researchers managed to hack a near-impenetrable Tesla Model S, but not without having to disassemble much of the computer in the car. After finding access keys stored in memory, they used them to spoof a VPN connection with the car’s brain, pretending to be Tesla’s servers. The vehicle was programmed to connect to any network named “Tesla Service” using a static key, making it very vulnerable to a Man-in-the-Middle attack.

All told: not a very practical hack, considering you would need physical access to and control of the car. In contrast to the relative ease with which the Detroit autos gave up access, Tesla continues to get high marks for security. The flaws were all patched within a week.

Hacking a Gun

Security researcher Runa Sandvik fires a round from a Tracking Point TP750 rifle at a target 50 yards away as husband and fellow security researcher Michael Auger uses a laptop to hack into the rifle's wifi to change the trajectory of the bullet.

At Black Hat, some hackers took control of a “smart gun”. The $13,000 rifle in question has built-in wireless for streaming video to your mobile device, because of course it does. (Related: has the Internet of Things gone too far?) Getting within the gun’s short wireless range can give an attacker access to disable or alter the automatic aiming function, causing it to miss.

The guns themselves are not very popular, the software can never pull the trigger on its own, and it’s hard to imagine any situation where a hacker will find themselves within 20 feet of someone firing one of these. Even the experts who found the exploit have downplayed its significance. Still, we would be surprised if “hacked gun” does not show up as a plot device on NCIS soon.

Hacking a Skateboard

Yes, wireless skateboards are a thing. We only learned about them now that they have been hacked. Techies, be warned: you can add wireless communication to anything you want, but don’t be surprised when it gets compromised.

A Wi-Fi Sniffing Drone

An Aerial Assault drone is displayed during a Def Con hacker gathering August 9, 2015 in Las Vegas. The Aerial Assault drone can land atop buildings or hover outside walls and hunt for ways to break into computer networks through wireless connections. AFP PHOTO / GLENN CHAPMAN

Spotted on the DEF CON floor was a drone designed to intercept insecure wireless communication. Sound familiar?

“There has never been this capability before,” Jordan said as he showed the drone to AFP.

Those words were from the vendor, who was apparently unaware that Wi-Fi sniffing drones are already a thing, and have been for quite a while. One thing fairly common at these conferences is security companies that take established, well-known exploits and bundle them with off-the-shelf parts. Not exactly innovative, but a garden-variety pen tester may appreciate the convenience over putting one together themselves.

ProxyHam and HamSammich

One of the more controversial moments this year was the cancellation of a presentation by the makers of ProxyHam, a device designed to rebroadcast a Wi-Fi network over the 900 MHz frequency band (the band normally set aside for amateur (ham) radio, hence the name). The data rate would be very low, but the trade-off is a signal that can travel for miles.

The creators promised a more anonymous way to access data using public connections (after all, you would be 20 miles away from your data source). But then they suddenly pulled out of Def Con and announced that they would be destroying their ProxyHam devices. In its place they announced HamSammich, a functionally similar device but with a modified antenna and an unencrypted signal.

There are all sorts of conspiracy theories about the cancellation of ProxyHam, many revolving around the FCC’s monitoring of signal abuse or the FBI issuing a gag order. But a likely clue is that the presence of encrypted communications in an amateur radio band is incredibly illegal, and likely sets off lots of red flags in the anti-terror corners of the government.

It doesn’t hurt that the technique they used is already pretty well known among enthusiasts, but has been disregarded as wildly impractical. Like the drone above, Rhino Security would essentially have been selling off-the-shelf equipment with just a few modifications. Our bet is that they made a practical decision not to sell an illegal product that would fail to meet its promises.


Since it’s pretty clear that enterprise wireless is in a very mature place right now, most of the fun is happening in the IoT space. These convenience-centric devices are being rushed to market with little thought to security, so we expect it will take a few more years of fist-pounding by the hacker community until solid security practices start to be enforced: certificate validation, strong encryption, mutual authentication, etc.

Is there anything we missed? Drop us a line at feedback@securew2.com