Top hacks from Black Hat and DEF CON 2020

We take a closer looking at some of the more unusual security research that was presented at this year’s virtual Hacker Summer Camp

The annual Hacker Summer Camp traversed from Las Vegas into the wilds of cyberspace this year, thanks to the coronavirus pandemic, but security researchers still rose to the challenge of maintaining the traditions of the event in 2020.

As well as tackling core enterprise and web security threats, presenters at both Black Hat and DEF CON 2020 took hacking to weird and wonderful places.

Anything with a computer inside was a target – a definition that these days includes cars, ATMs, medical devices, traffic lights, voting systems and much, much more.

Hacked hip implants could be a national security threat

Security researcher Alan Michaels brought a new meaning to the phrase “insider threat” with a talk about the potential risk posed by implanted medical devices in secure spaces at Black Hat 2020.

An aging national security workforce combined with the burgeoning, emerging market for medical devices means that the risk is far from theoretical.

Healthcare devices like hearing aids, hip implants, insulin pumps and pacemakers can be, and increasingly are, connected to the outside world using IoT communication protocols.

There’s a conflict between HR policies – like the Americans with Disabilities Act – and intelligence community policies that call for electronic devices not to be taken into secure areas, for example.

“Technology is rapidly outpacing policy when you look at the [range of] devices that should be permitted in a secure facility,” Michaels, director of the electronic systems lab at the Virginia Tech Hume Center said.

Virginia Tech estimates 100,000 security cleared personnel in the national security workforce have an implanted medical device. Researchers have come up with a range of potential technical mitigations and policies to manage risk.

“Policy should proactively address tech from five years from now rather than consistently being five years behind,” Michaels concluded.

Space is the place

James Pavur was in demand at this year’s virtual Hacker Summer Camp, with the Oxford University DPhil student presenting his talk, ‘Whispers Among the Stars: A Practical Look at Perpetrating (and Preventing) Satellite Eavesdropping Attacks’, at both Black Hat and DEF CON.

Pavur’s name will be familiar to those who attended Black Hat in 2019, where he showed how GDPR’s data transparency clause could be used to obtain users’ sensitive information.

The computer science specialist has now turned his attention to the skies, reigniting the enthusiasm for satellite hacking that was brought to the fore by researchers including Adam Laurie in the mid- to late-2000s.

What started out as a “fairly small project”, says Pavur, became two years of experiments looking at the real-world use of satellite broadband.

RECOMMENDED Black Hat 2020: Web cache poisoning offers fresh ways to smash through the web stack

After analyzing and intercepting signals from 18 satellites in geostationary orbit, the UK-Swiss team found that sensitive information was still being sent in plain text, allowing miscreants to snoop on all manner of data.

“We saw sensitive traffic from at least nine members of the Fortune Global 500, traffic from passengers flying on six of the largest airlines in the world, sensitive data from maritime companies, and even traffic from government agencies,” Pavur explained.

Pavur’s satellite eavesdropping talk can be viewed on YouTube

Lamphone attack turns light bulbs into microphones

Intelligence agencies will be alarmed – and perhaps also inspired – by the prospect of eavesdropping attacks being conducted passively, externally, and without having to compromise electronic systems.

At Black Hat last week, Ben Nassi recounted how his team of Ben-Gurion University researchers successfully turned a hanging, non-smart lightbulb into a de facto microphone using a telescope and electro-optical sensor.

The ‘Lamphone’ attack saw them capture minute fluctuations in vibrations on the surface of an E27 light bulb in an office room from a bridge 25 meters away.

The audio signal was then isolated by a custom-built algorithm and clarified with filters and an equalizer.

BLACK HAT BRIEFINGS New HTTP request smuggling variants levied against modern web servers

Song-identifying app Shazam subsequently recognized tracks from Coldplay and The Beatles, while Google’s Cloud Speech API accurately transcribed a speech from US President Donald Trump.

However, the side-channel attack was only effective at detecting speech at a fairly high volume, something potentially remedied by a larger diameter lens or deep learning-powered audio-processing, suggested Nassi.

Based on dramatic improvements to eavesdropping research that abused smartphones’ gyroscope motion sensor over a six-year period, he speculated that by 2026, DEF CON or Black Hat audiences might learn “how to convert light into sound at a normal volume”.

Next-gen social engineering

Inspired by the Be Right Back episode of Black Mirror, researcher Tamaghna Basu created a bot who talked like him and might be used to impersonate him online and run social engineering attacks.

During his Black Hat presentation, Basu included live demos of the AI-based tech in action. He used his own social networking interactions as a training set.

The (open domain) chat bot, which is still at the experimental prototype stage, can use either text, video and audio as a channel. The software is built on existing machine learning technology.

“The point is, can I make [the technology] more interactive?” Basu asked. “Can I make it more lively?”

The ongoing project is the offshoot of a project to use AI to detect fraud

Healthcare data security and the opioid crisis

Drug addiction took center stage at Black Hat, when researcher Mitchell Parker argued that security vulnerabilities contributed to the opioid crisis in the US.

Parker, CISO at Indiana University Health, told attendees that the manipulation of patients’ Electronic Medical Records (EMR) led to a rise in dependency on drugs.

An EMR is an electronic version of a doctor’s paper chart.

In January this year, EMR vendor Practise Fusion paid $145 million to settle a kickback scheme that was allegedly aimed at increasing opioid prescriptions.

“People died and became addicted because of this manipulation and this subversive manipulation we’re talking about is a security issue,” Parker told attendees.

Parker argued that the healthcare industry needs to do more to secure patients’ records and suggested steps such as employing two-factor authentication on all devices.

He also recommended limiting the number of people who can have access to EMR systems.

“[Practise Fusion] was a case of a company taking advantage of the fact they knew no one was looking and well, they did what they did with tragic consequences,” Parker said.

Tesla uncoiled

DEF CON is well known for its Car Hacking Village. Despite operating offroad, this year’s edition didn’t disappoint.

Rapid7’s Patrick Kiley spoke about how he attempted to reverse engineer the Tesla’s battery management system to get more power.

Kiley was able to reverse engineer a dual motor performance upgrade process by “examining the CAN bus messages, CAN bus UDS routines, and various firmware files that can be extracted from any rooted Tesla Model S or X”.

He also decrypted and decompiled Python source code used for diagnostics to determine that the upgrade process involved “removing the battery pack and replacing the fuse and high voltage contactors with units that could handle higher amperage levels”.

The exercise allowed Kiley to understand how the process worked but when he first attempted the process on an actual donor P85D he managed to brick the car, forcing him to pay to have it towed to another state in order to troubleshoot.

The setback allowed Kiley to figure out how the firmware CRC worked before developing a workaround and successfully hacking a “ludicrous” power upgrade.

Kiley’s talk on the illuminating exercise at DEF CON was a follow-up on his earlier presentation at Black Hat.

Black Hat and DEF CON were fully virtual in 2020

Human traffic

Dutch security researchers Wesley Neelen and Rik van Duijn teamed up to look into the security of internet connected smart traffic light systems in the Netherlands.

As explained during a talk at DEF CON, the two researchers found a way that allowed them to successfully fake a continuous flow of bicyclists that turns the cyclist traffic light instantly green or decreases the time to green.

Similar hacks were possible in two different Android smartphone app platforms, collectively in use in more than 10 municipalities in the Netherlands.

In both cases, the hack could be carried out remotely – greatly increasing the scope for potential mischief – and resulted in turning the cyclists lights to green, while other lights on the intersection will turn to red.

RELATED When TLS hacks you: Security friend becomes a foe at Black Hat 2020

The hack was only possible because of a complete lack of any authentication when it came to bikes. By contrast, emergency vehicles that could request for lights to change in their favor were authenticated by the systems, researchers confirmed.

Security systems in all cases stayed intact.

“There is no hacker-style all the lights green at the same time and cars hitting each other,” van Duijn said. “Currently we are able to annoy you which is already fun,” he joked

“This is something that’s coming and we need to be sure that this is actually working properly, meaning that authentication and authorisation are correctly implemented.”

Game on

During a talk at DEF CON, Jack Baker shared the fruits of months of bug hunting in multiplayer game networking protocols, including the Unreal Engine and Unity 3D.

Baker demonstrated a timestamp hack, that allowed player avatars to move at superhuman speed, and a session hijacking bug, which allowed attackers to cause other players spout utterances, kill rivals or even resurrect them.

These various hacks (code for which Baker released through GitHub) went beyond simple denial of service exploits.

“I hope that you’ve learned something that you’ve learned here to go and get banned from some video game,” Baker concluded.

Additional reporting by James Walker, Jessica Haworth, and Adam Bannister.

READ MORE Spooler alert: A decade after Stuxnet, Windows printer component still a playground for zero-days