Archive for the ‘DEFCON’ Category
Friday, August 9th, 2019
Some more stuff I’ve stumbled across from Black Hat:
- “All Your Apple are Belong to Us: Unique Identification and Cross-Device Tracking of Apple Devices” by SparkZheng and XiaolongBai. Slides here.
- I didn’t flag these as ones I was interested in, but XiaolongBai retweeted links: “Towards Discovering Remote Code Execution Vulnerabilities in Apple FaceTime” by Tao Huang and Tielei Wang, “Attacking iPhone XS Max” by Tielei Wang and Hao Xu, and “Debug for bug: Crack and Hack Apple Core by itself” by Lilang Wu and Moony Li.
- “Inside the Apple T2” by Mikhail Davidov and Jeremy Erickson. Slides here.
- And now, your break from things Apple: “Infighting Among Russian Security Services in the Cyber Sphere” by Kimberly Zenz. Slides here. I’m excited about this one, and I have a feeling it might pique Lawrence’s interest, too.
- Blackhat version of a DEFCON presentation: “All the 4G Modules Could be Hacked” by Shupeng Gao, Haikuo Xie, Zheng Huang, and Zhang Ye. Slides here.
- This has gotten some public attention, so I’m linking it here without comment: “Arm IDA and Cross Check: Reversing the Boeing 787’s Core Network” by Ruben Santamarta. Slides here. White paper here.
I expect to be somewhere between slightly and highly busy this weekend, so updates will be catch as catch can. It might be Monday before I can pull more stuff together, but I’ll try as best as I can to get updates before then.
Posted in Apple, DEFCON, DEFCON 27, Planes | 1 Comment »
Thursday, August 8th, 2019
So here’s the first round of stuff from Black Hat and DEFCON 27. I apologize that I’m just posting links, but I haven’t had time to really digest any of these presentations, and I want to get the links up while they are still semi-timely:
- “Look, No Hands! — The Remote, Interaction-less Attack Surface of the iPhone” by Natalie Silvanovich. Slides here. Google Project Zero blog post here.
- “Bypassing the Maginot Line: Remotely Exploit the Hardware Decoder on Smartphone” by Xiling Gong and Peter Pi. White paper here. Slides here. Blog post here.
- “Attacking and Defending the Microsoft Cloud (Office 365 & Azure AD)” by Sean Metcalf and Mark Morowczynski. Slides here.
- “Reverse Engineering WhatsApp Encryption for Chat Manipulation and More” by Roman Zaikin and Oded Vanunu. Slides here.
I think it’s still early for today’s Black Hat and DEFCON presentations. I may try to get another post up tonight.
Posted in Apple, DEFCON, DEFCON 27 | Comments Closed
Thursday, August 1st, 2019
DEFCON 27 starts a little later than I’m used to this year (August 8th, so a week from today.) Black Hat 2019 starts August 7th. Black Hat schedule is here. DEFCON schedule is here.
Again this year, I’m not going. While I feel like I’m moving closer to the point where I’m ready to return (expenses paid or expenses unpaid) I’m not quite where I want to be yet to go on my own dime. And as far as the company paying for me to go…not this year, for reasons I won’t go into. (Nothing bad. At least I don’t think so. Just don’t want to run my mouth about internal stuff.)
So, as usual: what would I go to, if I were going?
Let’s look at the DEFCON schedule first.
Posted in Apple, Bluetooth, DEFCON, DEFCON 27, Radio, SDR | Comments Closed
Wednesday, August 15th, 2018
- Slides for “A Dive in to Hyper-V Architecture & Vulnerabilities” with Joe Bialek and Nicolas Joly can be found here. (The link on the Black Hat site is still borked.)
- This isn’t an actual DEFCON 26 presentation, but it’s referenced in Vincent Tan’s “Hacking BLE Bicycle Locks for Fun and a Small Profit”, and I want to bookmark it for later: “Blue Picking: Hacking Bluetooth Smart Locks” by Slawomir Jasek.
- Slides for “Ring 0/-2 Rootkits: Compromising Defenses” with Alexandre Borges are here.
- Also not a DEFCON presentation, but picked up by way of an Ars Technica story: “Fear the Reaper: Characterization and Fast Detection of Card Skimmers” by Nolen Scaife, Christian Peeters, and Patrick Traynor. In which the authors analyze a bunch of skimmers confiscated by NYPD…and then build a device that can detect skimmers, based on nothing more than the physical properties of how card readers work. Quote of the day: “Security solutions requiring significant behavioral changes are unlikely to be successful.”
- Content for “All your math are belong to us” with sghctoma is here: slides, white paper, and exploit code.
Posted in Bluetooth, Bookmarks, DEFCON, DEFCON 26, Radio | Comments Closed
Tuesday, August 14th, 2018
I apologize that I wasn’t able to post more coverage over the weekend: as I expected, it turned out to be fun, but packed.
I intended to post this yesterday, but I wasn’t able to find many updates on my lunch hour. Then I got stuck in a gumption trap late in the day at work, and basically came home and collapsed.
In retrospect, that was better, because this story broke late in the afternoon: Caesars Palace security was (in the opinion of at least some DEFCON attendees) a little too aggressive about searching rooms. More from Defiant, a company that was at DEFCON. Statement from Marc Rogers.
Good post with links over at Borepatch’s site about the widely covered “voting machine vulnerabilities”.
Also: badge related coverage if you care. Personally, I don’t need a stinking badge.
Black Hat updates:
DEFCON 26 updates:
Posted in Bluetooth, DEFCON, DEFCON 26, Radio | Comments Closed
Thursday, August 9th, 2018
Another Ars story based on another Black Hat panel:
Life-saving pacemakers manufactured by Medtronic don’t rely on encryption to safeguard firmware updates, a failing that makes it possible for hackers to remotely install malicious wares that threaten patients’ lives, security researchers said Thursday.
The presentation in question is “Understanding and Exploiting Implanted Medical Devices” by Billy Rios and Jonathan Butts. No slides or white paper yet, so I don’t want to comment very much. But: I do also want to point out this article, “The $250 Biohack That’s Revolutionizing Life With Diabetes”. Why? Well…
The DIY pancreas movement would never have happened if not for a Medtronic blunder. In 2011 a pair of security researchers alerted the public that the wireless radio frequency links in some of the company’s best-selling insulin pumps had been left open to hackers. Medtronic closed the loophole after the researchers warned of risks to patients, but it never recalled the devices, leaving thousands in circulation.
Some additional interesting looking work:
- “TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of Industrial Control Systems, Forever” by Andrea Carcano, Marina Krotofil, and Younes Dragoni. “In 2017, a sophisticated threat actor deployed the TRITON attack framework engineered to manipulate industrial safety systems at a critical infrastructure facility. This talk offers new insights into TRITON attack framework which became an unprecedented milestone in the history of cyber-warfare as it is the first publicly observed malware that specifically targets protection functions meant to safeguard human lives.” Slides. White paper.
- “There will be Glitches: Extracting and Analyzing Automotive Firmware Efficiently” by a whole bunch of people.
- And it just wouldn’t be a security conference in 2018 without a Tesla attack: “Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECUs of Tesla Cars” by Ling Liu, Sen Nie, Wenkai Zhang, and Yuefeng Du. White paper is at the link: slides are broken.
That’s all I’ve been able to turn up today. More tomorrow, I hope.
Posted in Cars, DEFCON, DEFCON 26 | Comments Closed
Thursday, August 9th, 2018
Some of yesterday’s Black Hat presentations:
Some others that I didn’t get to the first time around:
- “Software Attacks on Hardware Wallets” by Alyssa Milburn and Sergei Volokitin. “…we show how software attacks can be used to break in the most protected part of the hardware wallet, the Secure Element, and how it can be exploited by an attacker.” Slides. White paper.
- “Screaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers” with a whole big bunch of folks. “…we show that it is possible to recover the original leaked signal over large distances on the radio. As a result, variations of known side-channel analysis techniques can be applied, effectively allowing us to retrieve the encryption key by just listening on the air with a software defined radio (SDR).” Slides. White paper.
Ars Technica has a story up in advance of Justin Shattuck’s “Snooping on Cellular Gateways and Their Critical Role in ICS” presentation later today:
…many of the unsecured gateways were installed in police cars, ambulances, and other emergency vehicles. Not only were the devices openly broadcasting the locations of these first responders, but they were also exposing configurations that could be used to take control of the devices and, from there, possibly control dash cameras, in-vehicle computers, and other devices that relied on the wireless gateways for Internet connections.
There are a couple of other presentations from yesterday that sound interesting on second look, but the links to them are currently broken. Also, I haven’t had a chance to read through all of these yet: I did give a quick skim to “Stress and Hacking” and “Reversing a Japanese Wireless SD Card” and look forward to a more careful read of both.
I think I’m going to try to post a second update later this evening if the broken links are fixed and/or new content is available. We should also be getting close to the point where the DEFCON 26 media server has preliminary versions of the presentations up…
Edited to add: DEFCON 26 presentations are now live on the DEFCON media server.
Posted in DEFCON, DEFCON 26, Geek, Radio, WiFi | Comments Closed
Sunday, August 5th, 2018
DEFCON 26 and Black Hat 2018 start up later this week. Again, I’m not going, but I do feel like I’m inching closer to making a return. Full-timers from my group have been sent to Black Hat in the past, so who knows what’s going to happen next year?
What would I do if I was there? A quick skim of the Black Hat briefings schedule doesn’t show a whole lot that really jumps out at me. I’d probably just be hitting targets of opportunity, with a few exceptions:
What about DEFCON 26? After the jump…
Posted in Bluetooth, Christmas, Cops, DEFCON, DEFCON 26, Law, Radio, SDR, WiFi | Comments Closed
Thursday, August 3rd, 2017
Mike the Musicologist tipped me off to this:
Marcus Hutchins, the guy who was in the news earlier this year for defusing the WCry malware, was detained in Las Vegas after DEFCON.
This is still an evolving story, but what I’ve seen from reliable sources (and CNN) is that Hutchins is under federal indictment and charged with creating another piece of malware: Kronos, described as a “banking Trojan”.
The best coverage I’ve seen of this so far is from TechDirt and Ars Technica. I would keep an eye on those two sites for updates, as this story is still evolving.
Posted in DEFCON, DEFCON 25, Law | Comments Closed
Monday, July 31st, 2017
Things are going to be a little busy this week, but I do plan to keep an eye out for updates. In the meantime, please enjoy this latest set:
- TJ Horner has a nice blog post up about his experiences hacking voting machines in DEFCON 25’s “Voting Village”.
- “The Adventures of AV and the Leaky Sandbox” (Itzik Kotler and Amit Klein) didn’t catch my attention the first time around, but the abstract sounds intriguing: “In this presentation, we describe and demonstrate a novel technique for exfiltrating data from highly secure enterprises whose endpoints have no direct Internet connection, or whose endpoints’ connection to the Internet is restricted to hosts used by their legitimately installed software. Assuming the endpoint has a cloud-enhanced antivirus product installed, we show that if the anti-virus product employs an Internet-connected sandbox in its cloud, it in fact facilitates such exfiltration.” Slides. White paper. GitHub repo.
- GitHub repo (including slides and white paper) for the Marc Newlin/Logan Lamb/Chris Grayson presentation, “CableTap: Wirelessly Tapping Your Home Network”.
- Here’s some stuff from “Tracking Spies in the Skies” (Jason Hernandez, Sam Richards, Jerod MacDonald-Evoy): North Star Post summary of their presentation. GitHub repo.
- Slides from the David Robinson talk, “Using GPS Spoofing to control time”, are here. Slides contain links to code, per Mr. Robinson. I’ve only had a chance to take a quick look at this, but I’m fascinated.
Posted in DEFCON, DEFCON 25, GPS, Planes, Radio | Comments Closed
Saturday, July 29th, 2017
Third round. I’m not proud. Or tired.
- Slides from Salvador Mendoza’s “Exploiting 0ld Mag-stripe information with New technology” are here. I think this is the most current version, but I welcome correction.
- Here’s the slides for “macOS/iOS Kernel Debugging and Heap Feng Shui” (Min(Spark) Zheng).
- Mikhail Sosonkin has a series of blog posts up describing vulnerabilities in the HooToo TM6 travel router. I believe this is a longer version of the same material from his “Hacking travel routers like it’s 1999” talk, but I haven’t had a chance to sit down and compare the blog posts with the slides.
- I have yet to find new material on “Open Source Safe Cracking Robots – Combinations Under 1 Hour!” but there’s a BBC article here. Worthy of note, to me: “For example, if one dial is set to open at 14, using 15 and 13 will work as well. It meant the robot could check every third number, making it possible to quickly test the remaining combinations much faster than a human being.” No disrespect intended to the presenters, but that’s exactly the Feynman/Los Alamos technique. (I think they used a different method for getting the number off the third dial, to be fair.) “The only thing we learn from history, is that we learn nothing from history.”
- David Robinson and ZX Security have a GitHub repo up. Here’s NMEAsnitch, a Python tool to detect GPS spoofing. Here are some other related (and some unrelated) tools courtesy of ZX Security.
- GitHub repo for “Snide” Owen’s “Phone system testing and other fun tricks” containing the slides and extras.
- EFF whitepaper, “The Pregnancy Panopticon”, by Cooper Quintin. This is the basis for the Cooper Quintin/Kashmir Hill talk “The Internet Already Knows I’m Pregnant”.
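The “check every third number” trick from the safe-cracking item above is just a search-space reduction that falls out of the wheel tolerance: if a gate set at 14 also opens at 13 and 15, testing one position out of every three on each wheel cannot miss. The following is an added example (my own code, not from the presenters, the BBC article, or any of the linked repos) that generalizes this to an arbitrary dial size and tolerance, checks that the reduced set of candidates still covers every graduation, including the wraparound at 0, and runs the brute force against a simulated lock whose gate positions are made up for the demonstration. Real locks are not a pure per-wheel product like the simulated one here; the point is only the arithmetic of the reduction.

```python
"""Search-space reduction from wheel tolerance on a mechanical combination lock.

Added example, not code from the talk or the article. The simulated lock and
the secret combination below are constructed for illustration.
"""
from itertools import product
from math import ceil
from typing import Callable, Iterable


def circular_distance(a: int, b: int, dial_size: int) -> int:
    """Shortest distance between two graduations on a circular dial."""
    return min((a - b) % dial_size, (b - a) % dial_size)


def candidate_positions(dial_size: int, tolerance: int) -> list[int]:
    """Graduations to test on one wheel, spaced 2*tolerance+1 apart.

    With tolerance 1 on a 100-position dial this is 1, 4, 7, ..., 97, 0:
    34 tests instead of 100. The final candidate wraps to 0 so that 99 is
    still within tolerance of something.
    """
    step = 2 * tolerance + 1
    return [(tolerance + k * step) % dial_size for k in range(ceil(dial_size / step))]


def covers(dial_size: int, tolerance: int, candidates: Iterable[int]) -> bool:
    """True if every graduation on the dial is within `tolerance` of some candidate."""
    cands = list(candidates)
    return all(
        any(circular_distance(p, c, dial_size) <= tolerance for c in cands)
        for p in range(dial_size)
    )


def search_space(dial_size: int, wheels: int, tolerance: int) -> tuple[int, int]:
    """(naive number of combinations, combinations actually tested with the reduction)."""
    reduced = len(candidate_positions(dial_size, tolerance)) ** wheels
    return dial_size ** wheels, reduced


def opens(true_combination: tuple[int, ...], attempt: tuple[int, ...],
          dial_size: int, tolerance: int) -> bool:
    """Simulated lock: opens when every wheel is within tolerance of its gate."""
    return all(
        circular_distance(t, a, dial_size) <= tolerance
        for t, a in zip(true_combination, attempt)
    )


def find_combination(try_lock: Callable[[tuple[int, ...]], bool],
                     dial_size: int, wheels: int, tolerance: int):
    """Brute force over the reduced candidate grid.

    Returns (opening attempt, number of tries made), or (None, tries) if the
    lock never opened, which with a correct tolerance should not happen.
    """
    cands = candidate_positions(dial_size, tolerance)
    tries = 0
    for attempt in product(cands, repeat=wheels):
        tries += 1
        if try_lock(attempt):
            return attempt, tries
    return None, tries


if __name__ == "__main__":
    # Constructed gate positions for a 3-wheel, 100-position lock (assumption, not from the talk).
    secret = (14, 37, 99)
    full, reduced = search_space(100, 3, 1)
    print(f"naive search: {full} combinations; with +/-1 tolerance: {reduced}")
    found, tries = find_combination(lambda a: opens(secret, a, 100, 1), 100, 3, 1)
    print(f"opened with {found} after {tries} tries")
```

With tolerance 1 the 100-position dial collapses to 34 candidates per wheel, so three wheels take at most 39,304 attempts instead of 1,000,000; with tolerance 0 the reduction disappears, which is the point the quoted sentence is making.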
Posted in DEFCON, DEFCON 25, GPS, Locks | Comments Closed
Friday, July 28th, 2017
Round 2:
- The white paper for “Free-Fall: Hacking Tesla from Wireless to CAN Bus” (Ling Liu, Sen Nie, Yuefeng Du) is here. Slides here.
- Slides for “Exploiting Network Printers” (Jens Müller, Vladislav Mladenov, Juraj Somorovsky, Jörg Schwenk) are here.
- Found slides for “Breaking Electronic Door Locks Like You’re on CSI: Cyber” here. (I called this one wrong: no Bluetooth. Not a complaint, just an observation.)
- This is one that I saw, overlooked, and now am intrigued by: “All Your SMS & Contacts Belong to ADUPS & Others”. “Our research has identified several models of Android mobile devices that contained firmware that collected sensitive personal data about their users and transmitted this sensitive data to third-party servers in China – without disclosure or the users’ consent.” Slides. White paper.
- Slides for Vlad Gostomelsky’s “Hunting GPS Jammers”. I think this is one that really needs video, too.
- “Intercepting iCloud Keychain” (Alex Radocea) slides.
- And “The Future of ApplePwn – How to Save Your Money” (Timur Yunusov) slides.
- And (hat tip to Mr. Yunusov) “Jailbreaking Apple Watch” (Max Bazaliy). I haven’t compared these slides to the ones on the presentations server, just FYI.
Okay, lunch time is almost over, and I feel like I’ve done enough damage to the security community today. I’ll try to have more updates later today or tonight.
Posted in Android, Apple, Cars, DEFCON, DEFCON 25, Geek, GPS, Locks | Comments Closed