We continue to keep you posted on the most interesting talks from the world's hacker conferences. Today's installment covers everything related to vulnerabilities in wireless technologies. And by the way, share in the comments the lectures and talks you have found without our help: Roskomnadzor has not yet banned user-generated content.
Hacking a smart gun
Popping a Smart Gun // DEF CON. Smart pistols are sold with a promise: they will only fire in the hands of an authorized user. In the movies such promises hold; in reality things are different.
This talk examines the security of one such smart pistol, which is commercially available to the general public, and demonstrates three attacks on it. First, how the pistol can be fired while it is far away from its owner. Second, how firing can be blocked even when the rightful owner wants to shoot. Third, how the pistol can be fired without authorization, without prior physical contact with the target pistol and without modifying it.
DirtyTooth: Get Music, Lose Contacts
Kevin Mitnick. DirtyTooth: Put music & lose your contacts // ToorCon. A talk by Kevin Mitnick, a legendary figure of the hacking scene. Lately his name comes up mostly in discussions of social engineering, but as this talk shows, social engineering is far from the only thing Mitnick is good at.
Bluetooth is everywhere: millions of people use it to connect to peripherals without a second thought. The talk presents a trick for iOS 10.3.2 (and earlier versions) that abuses the profile-management mechanism. Because of an information leak caused by incorrect handling of Bluetooth profiles, an attacker is technically able to extract a large amount of sensitive user data (the title hints at the contact list) from an iOS device.
Manipulating IoT devices via radio signals
Caleb Madrigal. Controlling IoT devices with crafted radio signals // DEF CON. This talk is an ideal excursion into how wireless communication actually works. It demonstrates real-time capture of digital data with an SDR, down to showing exactly how the individual data bits go over the air, and explains how to view, listen to, replay and manipulate wireless signals, how to jam wireless communications, and even how to synthesize new radio waves from scratch, i.e. perform radio injection (which is useful for fuzzing and brute-force attacks).
The speaker also demonstrates SDR-based tools of his own that make intercepting and generating digital radio signals easier.
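To make the "capture, decode, re-synthesize" loop concrete, here is an added example (not the speaker's code or tooling): a pure-Python model of a simple on-off-keyed (OOK) remote as an SDR would see it. The sample rate, symbol rate, carrier offset, preamble and frame layout are all assumptions chosen for the demo. It modulates a frame, adds noise, recovers the bits with an envelope detector and symbol slicer, parses them, and then forges a new frame that reuses the captured address with a different command, which is exactly what a radio injection does.

```python
import math
import random

# Assumed parameters of a hypothetical OOK remote as seen by an SDR (not from the talk).
SAMPLE_RATE = 250_000            # SDR sample rate, samples per second
BAUD = 2_500                     # symbol rate of the remote
SPS = SAMPLE_RATE // BAUD        # 100 samples per symbol
CARRIER_HZ = 20_000              # transmitter's carrier after the SDR mixed it down to an IF
PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 1]
FRAME_BITS = len(PREAMBLE) + 8 + 4

def make_frame(address, command):
    """Hypothetical frame layout: preamble, 8-bit address, 4-bit command, MSB first."""
    addr = [(address >> (7 - i)) & 1 for i in range(8)]
    cmd = [(command >> (3 - i)) & 1 for i in range(4)]
    return PREAMBLE + addr + cmd

def ook_modulate(bits):
    """On-off keying: the carrier is present during a '1' symbol and absent during a '0'."""
    samples = []
    for i, b in enumerate(bits):
        for n in range(SPS):
            t = (i * SPS + n) / SAMPLE_RATE
            samples.append(math.sin(2 * math.pi * CARRIER_HZ * t) if b else 0.0)
    return samples

def add_noise(samples, sigma=0.2, seed=7):
    """Additive Gaussian noise with a fixed seed so the demo is reproducible."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in samples]

def envelope(samples, window=SPS // 2):
    """AM envelope detector: rectify, then average over a trailing window."""
    out, acc, buf = [], 0.0, []
    for s in samples:
        v = abs(s)
        buf.append(v)
        acc += v
        if len(buf) > window:
            acc -= buf.pop(0)
        out.append(acc / window)
    return out

def ook_demodulate(samples, nbits=FRAME_BITS, threshold=0.35):
    """Locate the first carrier burst, then slice one bit per symbol period."""
    env = envelope(samples)
    start = next((i for i, v in enumerate(env) if v > threshold), None)
    if start is None:
        return None                                   # nothing but noise in this capture
    bits = []
    for i in range(nbits):
        idx = start + i * SPS + SPS // 4              # well inside the symbol, past detector lag
        if idx >= len(env):
            return None                               # capture ended before the frame did
        bits.append(1 if env[idx] > threshold else 0)
    return bits

def parse_frame(bits):
    """Return (address, command), or None if the preamble does not match."""
    if bits is None or len(bits) != FRAME_BITS or bits[:len(PREAMBLE)] != PREAMBLE:
        return None
    address = int("".join(map(str, bits[8:16])), 2)
    command = int("".join(map(str, bits[16:20])), 2)
    return address, command

def capture_and_decode(frame_bits, sigma=0.2, seed=7):
    """Receive side: pad the burst with silence, add noise, demodulate, parse."""
    air = [0.0] * (3 * SPS) + ook_modulate(frame_bits) + [0.0] * (3 * SPS)
    return parse_frame(ook_demodulate(add_noise(air, sigma, seed)))

def forge(frame_bits, new_command):
    """Radio injection: keep the captured address, synthesize a frame with a new command."""
    decoded = capture_and_decode(frame_bits)
    if decoded is None:
        return None
    return ook_modulate(make_frame(decoded[0], new_command))

if __name__ == "__main__":
    frame = make_frame(0xA5, 0x3)
    print("decoded:", capture_and_decode(frame))          # (165, 3)
    print("forged samples:", len(forge(frame, 0xC)))      # 2000
```

The envelope detector is the whole receiver here: with noise at 0.2 of the carrier amplitude the rectified average sits near 0.16 during silence and near 0.64 during a burst, so a 0.35 threshold slices cleanly. Real remotes usually use pulse-width or Manchester coding on top of OOK and a rolling code in the payload; the decode-then-re-emit step stays the same, which is why a captured frame with a fixed code is as good as the key fob itself.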
Cloning RFID tags in the field in real time
Dennis Maldonado. Real-time RFID Cloning in the Field // DEF CON. There are plenty of decent RFID cloning solutions today, but the process is generally slow, tedious and error-prone. What if there were a way to clone RFID badges that is free of all these problems?
This talk presents a smarter way to clone RFID tags that works in the field. It reviews the most popular long-range RFID cloning tools and techniques, then introduces and demonstrates a new technique that clones a badge in the field in a matter of seconds.
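The talk does not name a badge format, so as an added example (not the speaker's tool) here is what the "decode, check, re-encode" step of a clone looks like for one of the most common ones, 26-bit Wiegand (H10301): even parity over the first 12 data bits, an 8-bit facility code, a 16-bit card number, odd parity over the last 12 data bits. The parity checks are also the only error detection a sloppy long-range read gets, so the example shows what they catch and what they miss.

```python
def parity(bits):
    """1 if an odd number of the given bits are set."""
    return sum(bits) & 1

def encode_h10301(facility, card):
    """Build a 26-bit H10301 frame: even-parity bit, 8-bit facility code,
    16-bit card number, odd-parity bit. The leading parity covers the first
    12 data bits, the trailing one the last 12."""
    if not (0 <= facility < 256 and 0 <= card < 65536):
        raise ValueError("facility code is 8 bits, card number 16 bits")
    body = [(facility >> (7 - i)) & 1 for i in range(8)]
    body += [(card >> (15 - i)) & 1 for i in range(16)]
    return [parity(body[:12])] + body + [1 ^ parity(body[12:])]

def decode_h10301(bits):
    """Return (facility, card), or raise ValueError if the read is corrupt."""
    if len(bits) != 26:
        raise ValueError("H10301 frames are 26 bits")
    if parity(bits[:13]) != 0:
        raise ValueError("leading even-parity check failed")
    if parity(bits[13:]) != 1:
        raise ValueError("trailing odd-parity check failed")
    facility = int("".join(map(str, bits[1:9])), 2)
    card = int("".join(map(str, bits[9:25])), 2)
    return facility, card

def find_frames(stream):
    """Slide a 26-bit window over an unframed capture and keep the windows whose
    parity bits check out. Parity alone passes 1 in 4 random windows, so a hit
    should be confirmed by seeing the same (facility, card) repeat across reads."""
    hits = []
    for i in range(len(stream) - 25):
        try:
            hits.append((i, decode_h10301(stream[i:i + 26])))
        except ValueError:
            pass
    return hits

def undetected_single_flips(bits):
    """Flip each bit in turn and count corrupted reads that still pass both parity
    checks. For a valid frame this is 0, because every bit, parity bits included,
    falls under exactly one of the two checks."""
    count = 0
    for pos in range(len(bits)):
        corrupted = bits[:]
        corrupted[pos] ^= 1
        try:
            decode_h10301(corrupted)
            count += 1
        except ValueError:
            pass
    return count

if __name__ == "__main__":
    frame = encode_h10301(123, 45678)                # constructed badge: FC 123, card 45678
    capture = [1, 1, 0] + frame + [0, 1]             # constructed "capture" with stray bits around it
    print(find_frames(capture))                      # includes (3, (123, 45678))
    print(undetected_single_flips(frame))            # 0
```

Cloning a badge is then `encode_h10301(*decode_h10301(bits))` written onto a blank tag. The limits of the check are worth knowing: two flipped bits in the same half cancel out and pass, and the parity says nothing about whether the window is aligned to a real frame, so field tools re-read and compare rather than trusting a single pass.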
A new kind of MitM attack: Man in the NFC
Haoqi Shan. Man in the NFC: Build a NFC proxy tool from sketch // DEF CON. NFC (Near Field Communication) is widely used where money and access to sensitive information are at stake; anyone who has ever paid with a phone or a smartwatch will agree.
Where there is money there are hackers, so it is no surprise that new attacks on this technology keep appearing.
The talk presents a tool for one such attack: the UniProxy hardware gadget, built around the PN7462AU microcontroller (an ARM chip with NFC hardware on board). The tool consists of two devices, each with a radio transceiver and a custom-built high-frequency card reader; one acts as the master, the other as the slave. The master quickly and easily reads practically any ISO/IEC 14443 Type A smart card, regardless of the card's purpose (bank, identity, passport, access card or anything else) and regardless of the security protocol the card runs, as long as it follows the ISO 14443A standard, and relays what it reads, via the slave device, to a legitimate card reader.
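Why the card's security protocol "does not matter" is the key point of a relay, and it is easy to show in a model. The following is an added example (not UniProxy's firmware): a genuine card that answers an INTERNAL AUTHENTICATE-style APDU with an HMAC cryptogram, a two-half relay that forwards APDUs without understanding them, and a reader that enforces the ISO/IEC 14443-4 frame waiting time, FWT = (256 × 16 / fc) × 2^FWI. The issuer key, UID, compute time and link latency are constructed figures, and the clock is simulated so the run is deterministic.

```python
import hashlib
import hmac
import random

FC_HZ = 13.56e6                      # ISO/IEC 14443 carrier frequency

def fwt_ms(fwi):
    """ISO/IEC 14443-4 frame waiting time: FWT = (256 * 16 / fc) * 2**FWI.
    The card announces FWI (0..14) in its ATS; the reader waits at least this long."""
    return (256 * 16 / FC_HZ) * (2 ** fwi) * 1000.0

ISSUER_KEY = b"constructed-issuer-key-0123456789"      # shared card/reader secret (constructed)

def auth_response(key, uid, challenge):
    """Card-side cryptogram: HMAC-SHA256 over UID||challenge, truncated to 8 bytes (constructed scheme)."""
    return hmac.new(key, uid + challenge, hashlib.sha256).digest()[:8]

class Card:
    """A genuine ISO 14443-4 card that answers an INTERNAL AUTHENTICATE-style APDU."""
    def __init__(self, key, uid, compute_ms=2.0):
        self.key, self.uid, self.compute_ms = key, uid, compute_ms

    def transceive(self, apdu):
        """Return (response, elapsed_ms) on a simulated clock."""
        if apdu[:2] == b"\x00\x88":                       # CLA=00 INS=88 INTERNAL AUTHENTICATE
            challenge = apdu[5:5 + apdu[4]]               # Lc bytes of challenge
            return auth_response(self.key, self.uid, challenge) + b"\x90\x00", self.compute_ms
        return b"\x6d\x00", 0.5                           # SW 6D00: instruction not supported

class Relay:
    """Two halves joined by a radio link: the master half sits at the victim's card, the
    slave half is presented to the real reader. It never has to understand the APDUs."""
    def __init__(self, card, link_latency_ms):
        self.card, self.link = card, link_latency_ms

    def transceive(self, apdu):
        response, elapsed = self.card.transceive(apdu)    # master forwards the reader's command verbatim
        return response, elapsed + 2 * self.link          # one hop out to the card, one hop back

class Reader:
    """Issues a fresh challenge, checks the cryptogram, and enforces the frame waiting time."""
    def __init__(self, key, fwi, seed=1):
        self.key, self.fwi, self.rng = key, fwi, random.Random(seed)

    def authenticate(self, card, uid):
        challenge = bytes(self.rng.getrandbits(8) for _ in range(8))
        apdu = b"\x00\x88\x00\x00\x08" + challenge
        response, elapsed = card.transceive(apdu)
        if elapsed > fwt_ms(self.fwi):
            return "timeout"                              # timing is the only thing here a relay cannot forward
        if hmac.compare_digest(response, auth_response(self.key, uid, challenge) + b"\x90\x00"):
            return "accepted"                             # the cryptogram is genuine: the real card computed it
        return "rejected"

def demo():
    uid = bytes.fromhex("04a1b2c3")
    card = Card(ISSUER_KEY, uid)
    relay = Relay(card, link_latency_ms=50.0)             # cheap sub-GHz link, constructed figure
    lax = Reader(ISSUER_KEY, fwi=14)                      # ~4949 ms, the protocol maximum
    tight = Reader(ISSUER_KEY, fwi=4)                     # ~4.8 ms, shorter than the relay's round trip
    return {
        "card vs lax": lax.authenticate(card, uid),
        "relay vs lax": lax.authenticate(relay, uid),
        "card vs tight": tight.authenticate(card, uid),
        "relay vs tight": tight.authenticate(relay, uid),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The relay passes the cryptographic check every time because the genuine card really did compute the answer; only the added round trip gives it away. The caveat a practitioner wants: the FWI is announced by the card side of the link, so a relay that emulates the card can simply advertise FWI=14 and buy itself five seconds. Tight timing has to be decided by the reader (or by distance-bounding in the protocol), not negotiated with the thing it is trying to authenticate.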
The basics of radio hacking: wireless attack methods
Matt Knight, Marc Newlin. Radio Exploitation 101: Characterizing, Contextualizing, and Applying Wireless Attack Methods // DEF CON. What do hacking the Dallas tornado sirens, hacking electric skateboards and hacking smart door locks have in common? Vulnerable wireless protocols!
Attacks on wireless devices are becoming more common as IoT and mobile-controlled radio protocols gain popularity. All those RF protocols that fall outside Wi-Fi and Bluetooth remain a mystery to many security practitioners, yet they are far easier to attack than one might think. This talk lays the foundations of modern radio hacking: after an introduction to the underlying RF concepts, the speakers present a classification of wireless threats, describe wireless attacks by drawing parallels with classic exploits for wired networks, highlight what is unique to wireless, and back the concepts with live demonstrations.
The talk builds a clear understanding of how wireless networks are attacked and of how to carry your wired-network exploitation skills over to wireless ones.
New Adventures of a 3G / 4G Spy
New Adventures in Spying 3G and 4G Users: Locate Track & Monitor // Black Hat. To say that 3G/4G devices are popular is an understatement. That they are all vulnerable to IMSI catchers (StingRays) is no news either: attacks on 3G/4G networks with IMSI catchers have long been known, well documented and available to the general public. This talk, however, describes new attack vectors that allow tracking and monitoring the activity of mobile devices.
In particular, a new vulnerability in a cryptographic protocol widely used in 3G/4G networks is described, along with several ways to exploit it with inexpensive hardware. The speaker also runs several demo attacks to show what this vulnerability means for end users of 3G/4G devices.
Ultrasonic cannon against smart gadgets
Sonic Gun To Smart Devices: Your Devices Lose Control Under Ultrasound / Sound // Black Hat. MEMS sensors such as the accelerometer and the gyroscope are indispensable components of modern smart gadgets. The authors found a vulnerability in them: the sensors resonate with acoustic waves at certain frequencies, which distorts their readings.
By working out an attack methodology, the researchers were able to manipulate sensor data by tuning the acoustic parameters for the accelerometer and for the gyroscope. The presenter also shows a combined attack that drives both sensors and is therefore more flexible, and describes in detail the impact of the vulnerability on a wide range of gadgets with MEMS sensors on board: VR devices, self-balancing vehicles, drones and others. With a home-built ultrasound rig the speaker attacks popular VR setups, including ones based on the iPhone 7 and Galaxy S7 smartphones, and shows how ultrasound at the resonant frequencies manipulates the "virtual reality": the point of view shifts without any movement by the user, or the scene shakes with varying intensity. The mismatch between what such a user sees and what the body feels is disorienting; a rider on a self-balancing board subjected to the same trick can lose balance, fall and get hurt.
The speaker also describes how he attacked a DJI multicopter and changed its flight path.
The ultrasonic attack described is thus capable of depriving users of control over their smart gadgets, and in the case of VR systems and self-balancing vehicles it can lead to serious physical injury.
Apple Pay is the "safest" form of payment
Timur Yunusov. The Future of ApplePwn - How to Save Your Money // Black Hat. As the heading (and especially the quotes around "safest") suggests, the speaker examines in detail the vulnerabilities of this payment service.
Apple Pay's design features, such as a dedicated secure processor (enclave) for payment transactions, and the transfer and storage of payment data outside it exclusively in encrypted form, at first glance make the system impenetrable to an attacker. However, the speaker presents specialized open-source software that bypasses all this protection and turns an iPhone with Apple Pay into a configurable tool for cloning bank cards. He also shows that the Apple Pay API exposes far more functionality than emulating a bank card requires, functionality that gives a potential attacker extensive opportunities to manipulate merchant equipment through the iPhone.
In the end the speaker sums up with a categorical statement: "Some may think that Apple Pay is the safest form of payment, but we know that Apple Pay is a promising tool for carding."
WiFuzz: Detecting and Exploiting Logical Vulnerabilities in a Cryptographic Wi-Fi Handshake
Mathy Vanhoef. WiFuzz: detecting and exploiting logical flaws in the Wi-Fi cryptographic handshake // Black Hat. Encrypted Wi-Fi is gaining ground, and new standards such as Hotspot 2.0 and Opportunistic Wireless Encryption (OWE) prove it. Hotspot 2.0 simplifies network discovery and selection with an infrastructure that works much like cellular roaming; OWE brings unauthenticated encryption to open Wi-Fi networks. These are good ideas, but they are worth nothing if the implementation of the 4-way handshake (in which the devices negotiate fresh session keys) gets things wrong.
The talk explains and demonstrates how to find vulnerabilities in implementations of this handshake and how to abuse them. These are not the traditional programming errors (buffer overflows, double frees) but logical flaws. One example: some handshake messages are skipped, and as a result uninitialized cryptographic keys end up in use; such flaws obviously void every security guarantee. To find them, the speaker first builds a model of the Wi-Fi handshake that describes the expected behaviour. Next, it automatically generates the full set of incorrect handshake variants and then checks if
The speaker tested twelve Wi-Fi access points and found vulnerabilities in every one: authentication bypass, fingerprinting, downgrade attacks, DoS and others. The most serious are in OpenBSD: one allows a DoS against the access point, the other a MitM attack against WPA1 and WPA2 clients. He also found downgrade flaws in the MediaTek and Broadcom implementations that force the use of TKIP and RC4, flaws usable for DoS against Windows 7, and a number of issues in the Aerohive, Apple, Cisco, hostapd and Windows 10 implementations.
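The "skipped message, uninitialized key" flaw and the way a model-based fuzzer finds it are easier to see in code than in prose. Below is an added example (my model, not WiFuzz and not any vendor's implementation): a toy authenticator for the 4-way handshake with the real WPA2 PTK derivation (PRF-384 over the PMK, the two MAC addresses and the two nonces) and MIC computation, in two variants. The strict one only accepts message 4 after a verified message 2; the lax one accepts it in any state, so a client that never sent message 2 can get the all-zero PTK installed by computing the message 4 MIC under an all-zero KCK, which needs no knowledge of the PMK. The fuzzer enumerates every skipped and reordered sequence and checks one invariant. PMK, MACs and nonces are constructed test vectors, and the EAPOL-Key frame bodies are stand-ins.

```python
import hashlib
import hmac
import itertools

# Constructed test vectors: a WPA2-PSK PMK from passphrase and SSID, fixed MACs and nonces.
PMK = hashlib.pbkdf2_hmac("sha1", b"correct horse battery", b"ExampleNet", 4096, 32)
AA = bytes.fromhex("020000000001")       # authenticator (AP) MAC
SPA = bytes.fromhex("020000000002")      # supplicant (client) MAC
ANONCE, SNONCE = b"A" * 32, b"S" * 32    # fixed so the run is reproducible

def derive_ptk(pmk, aa, spa, anonce, snonce):
    """IEEE 802.11 PRF-384 (HMAC-SHA1) -> 48-byte PTK = KCK(16) || KEK(16) || TK(16)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(3)]
    return b"".join(blocks)[:48]

def eapol_mic(kck, body):
    """WPA2 key MIC (AKM 00-0F-AC:2): HMAC-SHA1 over the frame with the MIC field zeroed,
    truncated to 16 bytes. `body` is a simplified stand-in for the EAPOL-Key frame."""
    return hmac.new(kck, body, hashlib.sha1).digest()[:16]

class Authenticator:
    """AP side after it has sent message 1. With strict=False it reproduces the class of
    logic flaw the talk describes: message 4 is accepted in any state, so the PTK that was
    never derived (still all zeros) gets installed as the session key."""
    def __init__(self, pmk, strict=True):
        self.pmk, self.strict = pmk, strict
        self.ptk = bytes(48)                 # not yet derived: all zeros
        self.state = "PTKSTART"
        self.installed_tk = None

    def on_msg2(self, snonce, mic):
        ptk = derive_ptk(self.pmk, AA, SPA, ANONCE, snonce)
        if not hmac.compare_digest(eapol_mic(ptk[:16], b"M2" + snonce), mic):
            return "M2 rejected: bad MIC"
        self.ptk, self.state = ptk, "PTKINITNEGOTIATING"   # message 3 would be sent here
        return "M2 accepted, M3 sent"

    def on_msg4(self, mic):
        if self.strict and self.state != "PTKINITNEGOTIATING":
            return "M4 rejected: out of order"           # the state check the lax variant lacks
        if not hmac.compare_digest(eapol_mic(self.ptk[:16], b"M4"), mic):
            return "M4 rejected: bad MIC"
        self.installed_tk, self.state = self.ptk[32:48], "PTKINITDONE"
        return "M4 accepted, TK installed"

HONEST_PTK = derive_ptk(PMK, AA, SPA, ANONCE, SNONCE)

# Messages the "client" in the model can send. The zero-key variant needs no PMK at all:
# it only bets that the AP's KCK is still all zeros because message 2 was skipped.
STEPS = {
    "M2":         lambda ap: ap.on_msg2(SNONCE, eapol_mic(HONEST_PTK[:16], b"M2" + SNONCE)),
    "M4":         lambda ap: ap.on_msg4(eapol_mic(HONEST_PTK[:16], b"M4")),
    "M4_zerokey": lambda ap: ap.on_msg4(eapol_mic(bytes(16), b"M4")),
}

def run(strict, sequence):
    ap = Authenticator(PMK, strict)
    log = [STEPS[name](ap) for name in sequence]
    return ap, log

def fuzz(strict, max_len=3):
    """Enumerate every skipped/reordered message sequence up to max_len and report those
    that break the invariant: a TK may be installed only if it is the honestly derived one."""
    failures = []
    for n in range(1, max_len + 1):
        for seq in itertools.product(STEPS, repeat=n):
            ap, _ = run(strict, seq)
            if ap.installed_tk is not None and ap.installed_tk != HONEST_PTK[32:48]:
                failures.append((seq, ap.installed_tk.hex()))
    return failures

if __name__ == "__main__":
    print("strict AP, failing sequences:", fuzz(True))     # []
    for seq, tk in fuzz(False)[:3]:
        print("lax AP installed", tk, "after", seq)        # all-zero TK after M4_zerokey
```

The point of the invariant is that it says nothing about message order itself; it only states what must be true of the installed key, which is how a model-based fuzzer catches a logic bug without knowing in advance which message was skipped. A real fuzzer against a real AP would also vary replay counters, key descriptor flags and retransmissions, and the oracle would be whether the AP starts encrypting with a key the client can predict.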
Ghost Telephonist: impersonating you via LTE CSFB
"Ghost Telephonist" Impersonates You Through LTE CSFB // Black Hat. The talk presents a vulnerability in Circuit Switched Fallback (CSFB) in 4G LTE networks: the speaker found that the CSFB switch-over performs no authentication. This lets an attacker hijack all of the victim's communications. The attack built on this flaw is named the "Ghost Telephonist".
The vulnerability enables several exploits. First, when calls or SMS are unencrypted or weakly encrypted, the attacker can impersonate the victim: receive calls and messages meant for her and initiate them in her name. Second, the Ghost Telephonist can learn the victim's phone number and then use it for further attacks, for instance to take over accounts at various Internet services. The attack works in two modes, against a random victim or against a chosen one. The speaker carried it out with his own mobile phone on an operator's unmodified network.
No fake base station is needed, so the attack is cheap to carry out. The victim also has no way to detect it: there is no fake base station and no cell reselection.
One car, two radio frames: attacks on Hitag-2 car keys
One Car, Two Frames: Attacks on Hitag-2 Remote Keyless Entry Systems Revisited // Proceedings of the 11th USENIX Workshop on Offensive Technologies (WOOT). Since 2006 many publications have analysed the security of the Hitag-2 algorithm in car access control. Although its cryptography was broken long ago, it is still used in the automotive industry. More recently, new vulnerabilities were found in Hitag-2-based RKE (Remote Keyless Entry) systems that allow an attacker to unlock the car after capturing four to eight radio frames.
The paper shows, however, that specific Hitag-2 RKE implementations employ subtle countermeasures that make them immune to that attack. It then gives a detailed black-box analysis of one such system, from the physical/hardware layer up to the rolling code. Finally it reveals a new cryptographic weakness that can be exploited to forge frames and unlock the target car without extracting the cryptographic key, with only two captured radio frames.
Opening frames can be created without recovering the secret key: instead, equivalent keys are computed that produce the same Hitag-2 keystream as the genuine key. With such an attack, circumventing the countermeasure mentioned above is trivial: it takes the capture of just one additional frame.