With the BlackHat 2012 security conference in the rear-view mirror (and DEF CON), I decided to round up my choices for scariest exploits to come out of the demos and briefings. Feel free to suggest your own choices in the Comments.
Near-Field Communication hack
Otherwise known as NFC, this is the technology that allows two smartphones or similar devices in close proximity to communicate with each other - to exchange data or make transactions such as in contactless payment systems.
Security researcher Charlie Miller successfully compromised Android-based Nokia N9 and Nexus S Samsung smartphones by creating code that could be “beamed” to the target smartphone and used to open malicious files and webpages exploiting a variety of vulnerabilities in document readers, browsers, or operating systems. According to Ars Technica:
But even if there are no exploitable bugs in the NFC code itself, a feature known as Android Beam, which Google developers added to Ice Cream Sandwich, allows Miller to force a handset browser to open and visit any website he chooses-without first getting permission of the end user.
Miller also found problems with settings on the Nokia N9 running the Linux-based Meego OS: “If the default settings are unchanged, MeeGo allows another device to pair with it via Bluetooth over the NFC reader, even if Bluetooth is turned off.”
The prospect, raised by Miller, of someone being able to pretty much take control of your smartphone should give you pause. While Miller admitted it wasn’t a huge threat yet, since NFC devices haven’t reached a “critical mass,” it is a wake-up call for developers and manufacturers to address the vulnerabilities. Even though the demo targets were both Android-based, NFC is rumored to be in the offing for future iPhones and Windows 8 phones as well, so the time to address Miller’s research findings is now.
Researcher Jonathan Brossard introduced an exploit that demonstrated a new level of stealth in malware. Rakshasa is said to open a backdoor in PCs by infecting the BIOS — close to undetectable and extremely difficult to remove, even if detected. According to Forbes:
Any peripheral like a network card, CD-ROM, or sound card can write to the computer’s RAM or to the small portions of memory allocated to any of the other peripherals. So Brossard has given Rakshasa, whose name comes from that of a mythological Indian demon, the ability to infect all of them. And if the BIOS or network card is disinfected, for instance, it can be reinfected from any one of the other compromised components.
If you’re up to the technical explanation, you can read Brossard’s paper here.
Hotel room lock hack
Researcher Cody Brocious demonstrated an attack that could allow someone in possession of a fairly low-cost hacking tool to access hotel locks manufactured by Onity. The demo was described by eWeek’s Sean M. Kerner. Brocious used the Arduino tool, “an oscilloscope that allowed him to see what was happening in the lock whenever a key card was put in and the door opened or closed.”
He was able to determine through his research that the underlying firmware on the lock does not require any form of authentication to arbitrarily access the memory of the lock.
This means it is possible to read out every bit of information that is on the lock, which makes it possible for anyone to gain access or make a key.
In addition to the vulnerability with the locks, Brocious also found that the card keys in the Onity system use 32-bit key encryption, which is not particularly hard to break.
Road warriors beware!
If you attended in person or otherwise kept up with the briefings, what were the things that you found the most concerning, far-out, or over-hyped from this year’s BlackHat Conference?