You can’t trust what’s on TV

A fellow named Rafael Scheel recently published some interesting research about hacking smart TVs. He discovered a way to use $150 worth of radio transmitter equipment to send signals to a smart TV. He combined this with a couple of other exploits (one involving the Adobe Flash player, one involving JavaScript, both supported by the web browser on the TV) to load malware on the TV.

Scheel’s attack in interesting, because it doesn’t require physical access to the TV, it’s virtually undetectable, and it’s very hard to remediate once exploited.

Imagine your book’s character parking her car outside her target’s business or residence, turning on her laptop, attaching a special transmitter, and tricking all the smart TVs in the area to upload an exploit. Then she could do any of several things:

  • use the TV’s wireless connection to attack other targets on the same network

  • join the TVs to a botnet to attack a web site

  • mine some bitcoins

  • capture audio using the TV’s voice control feature

Smart TVs are probably like most Internet of Things (IoT) devices. The manufacturer happily staples on all these features to add value but then falls short in addressing security problems discovered later. Have you ever heard of anyone applying a firmware update to a TV? My TVs are a few years old, making them somewhat antiquated. So maybe TV firmware updates are commonplace, but somehow I doubt it.

Do you have a smart TV? Is it connected to the internet?

Hacking medical devices

Stories about medical devices have come across my news feeds a few times in the last couple of months. Dutch security researchers found that they were able to hack several implantable medical devices.

implantable medical device, much smaller than a nearby writing pen

What’s interesting here is that the researchers were able to do this using a black-box approach: they just used radio equipment to eavesdrop on wireless signals between the implantable devices and the equipment used to maintain and control those devices. The researchers weren’t privy to the communication protocols the vendors use to control the devices, but the researchers were able to reverse-engineer these protocols and then send command signals of their own. These protocols typically used poorly-implemented encryption or no encryption at all.

The equipment the researchers used doesn’t come cheap, nor does the researchers’ expertise. Still, this makes it at least theoretically possible to do several things regarding devices like these:

  • Track the patient’s movements.
  • Trigger potentially fatal shocks in defibrillators and pacemakers.
  • Prevent a medical device from providing treatment.
  • Disable a device’s power-saving mode, causing its battery to drain too fast.

This isn’t entirely theoretical. Research like this has compelled at least one vendor to provide software upgrades to minimize these shortcomings. That’s probably an imperfect solution, but there are obviously some complications in providing firmware upgrades for already-deployed devices.

And in a case that’s presenting some interesting privacy questions, police arrested and indicted a man on charges of arson and insurance fraud. They used data from the suspect’s heart monitor as evidence that he set fire to his own house to collect the insurance money.

The radios in these implantable devices have a pretty short range, just around five meters. So your story’s character couldn’t run exploits like these from a great distance, but it provides some interesting possibilities.


Photo credit to ec-jpr for VVIR leadless St Jude Medical pacemaker

Physical access

You can do a lot if you have physical access to a computer.

Stealing login sessions with PoisonTap

PoisonTap is a pocket-sized Raspberry Pi device that you can plug into a computer’s USB port. It impersonates a new wired network connection and responds to outbound HTTP traffic. If the computer’s user is logged on to any of an extensive list of popular web sites, PoisonTap is able to capture the cookies and write them to a text file on the USB device.This works even if the screen is locked.

If your character needs to gain access to someone’s online accounts, your character could follow her target to the coffee shop, wait for the target to go to the bathroom, plug this device into the target’s computer for a minute, and be gone before the victim knew what was happening. If the target happened to be logged on to the online resource your character needs to access, she’ll have the session IDs on the USB drive. She may need to hurry: those session IDs will become invalid as soon as the target logs out of those web sites.

Reading the MacOS FileVault2 password with PCILeech

This is a vulnerability that Apple patched just this month, so it wouldn’t work on a real-world Mac running Sierra v10.12.2 or better. But Macs were vulnerable to this particular exploit for more than four months.

PCILeech refers to a mix of hardware and software that your character could use to break in to an unpatched Mac. The video shows using a laptop attached to the device that your character would plug into the target Mac. (Maybe it would be possible to use something smaller, like a tablet or a Raspberry Pi or Arduino.)

PCILeech is able to recover the FileVault2 password from the Mac’s memory after rebooting the Mac. Once your character has the FileVault password, she has full access to the Mac. This will work even if the Mac is locked with a screensaver or hibernating, but it won’t work if the Mac is completely powered off. And the target might notice that his Mac rebooted.

USB kill stick

And if your character just wants to destroy a target device, there’s the USB kill stick. It’s a USB device that looks like a harmless thumb drive. It has several capacitors that start drawing power as soon as it’s plugged in. When the capacitors are charged (which appears to take no time at all), the kill stick rapidly discharges the capacitors right back into the port. Some devices have hardware protection against this, but many do not. The video on the page shows the researcher plugging the stick into several devices, frying many of them. It makes a lovely noise when that happens.

Conclusion

I bet you think twice about leaving your laptop unattended. Remember to…

  • RUN YOUR OPERATING SYSTEM UPDATES!!!!!
  • Hope that your favorite devices have overvoltage protection
  • Never, ever use the Internet for anything

 

Phishing can be effective

Have you ever gotten an email that looks real but feels wrong, an email trying to get you to click a link in the body of the message? It may have been a phishing attack, and that sort of thing is becoming more and more common.

Fish, which sounds like phish, and has nothing to do with phishing

A typical phishing attack email is a message that tells you that there’s something wrong with one of your online accounts and that you need to click a link and log in right away to do something. That’s the kind of message that tricked John Podesta, the chairman of Hillary Clinton’s presidential election campaign. He got a message saying there was some problem with his gmail account, he clicked the link, got something that probably looked like the gmail login page, and he typed in his username and password. But the message wasn’t from gmail, and the login page didn’t belong to google. Unknown to him at the time, Podesta had just handed over his gmail credentials to criminals who then logged on to his gmail account, downloaded copies of his email, and published them on wikileaks.

That motherboard article shows a screen shot of a similar phishing message sent to someone else on Clinton’s campaign. The message told the staffer that someone had just logged on to his account from the Ukraine, and that he needs to use the link in the email to change his password immediately.

email messages like that prey on our fears, and they work well. If you get an email like that, don’t click anything in the message. Go to gmail (or whatever) via a bookmark or a web search or by typing the address yourself. Then log in and check on your account, changing the password if you need to.

Sometimes phishing messages try to appeal to emotions other than fear. The holiday season sees lots of phishing messages claiming to be from Fedex or UPS telling people to click a link to  track a package. Other effective phishing attacks ask the victim to click a link to make a charitable donation right after a natural disaster.

If you need more evidence of how effective these attacks are, remember that the Target breach happened because someone fell for a phishing attack, or read about how the city of El Paso lost $3.3 million in a phishing scam.

The main character in your story might want to use phishing to take over someone’s email. It’s the kind of thing your readers will find plausible, because they’ve probably heard lots of stories of that happening. They may have even experienced it themselves.

Photo credit to Ching for Fish, Creative Commons.

Predictably insecure electronic locks

A couple of researchers recently presented their analysis of a dozen or so consumer electronic locks. Some of these locks are the kind that you’d use on a typical door in place of a deadbolt, and some of them work like padlocks. Most of them use bluetooth for wireless operation: you purchase the lock, install an app on your phone, and then use your phone to lock and unlock the device.

Sounds great, right? That’s fewer keys in your purse or pocket or in that not-very-fake-looking rock on your porch. You can enable a temporary code that you send to your plumber, so that he can enter the house while you’re at work. Some devices even have access logs. (Did the plumber come when he said he would? How long did he stay?)

The researchers found that 75% of the devices they studied were vulnerable to different kinds of attacks. In many or most cases, these attacks involved capturing and analyzing the traffic between the smart phone and the lock. The researchers notified the vendors of the affected products, but none of them was interested in doing anything about it. And why would they? At the very best, it would mean an expensive and embarrassing public relations campaign to notify consumers that they had purchased a lock with a defect.

This offers a plausible way for your character to do some breaking-and-entering. Maybe she needs to enter the home or storage building of a gadget-lover. She might need to plant some kind of sniffer device near the lock she wants to defeat and leave it there long enough for someone to use the lock. The FTS4BT bluetooth protocol analyzer and packet sniffer looks like a USB device that she could plug in to a Raspberry Pi. Tricking the lock might be as simple as replaying the signal that the sniffer recorded. If the devices doesn’t have access logs (or if the owner doesn’t bother looking at them), your character could come and go as she pleases from then on.

Oh, and don’t use electronic locks in real life. There’s a reason people have used metal keys to secure their stuff for hundreds of years.

Late July 2016 roundup

Here are a few news stories that caught my interest lately. Maybe one of them will be good for a story.

Internet-connected cameras are a terrible idea

These devices seem like a great idea. You use one like a security camera, but it’s connected to the internet and has a web interface, so that you can log on to it from anywhere to download footage or pictures.

Unfortunately many devices like this don’t get much attention from the manufacturer after production. It turns out that lots of these cameras all have the same remotely-exploitable command injection vulnerability. So it’s not hard to use one or more of these cameras to perform distributed denial-of-service attacks on other targets. These cameras also have a common signature which makes them fairly easy to locate in things like the Shodan search engine.

A SANS infosec article about this points out that people install these devices on the same networks where they have servers hosting sensitive resources. So it’s not a stretch to imagine your main character using Shodan to find vulnerable cameras on a target network and using the cameras to attack the target’s web servers.

Turn your head and cough

Medical devices can have a similar problem. A hospital buys an X-ray machine, and it’s really expensive and mission-critical (it’s in the business of saving lives, after all), so no one wants to mess with it. The hospital just wants to install it and have it run perfectly forever.

But over time vulnerabilities creep in that neither the manufacturer nor the hospital wants to take the risk of patching, because who wants to stick a patient in an MRI machine only to find that the control system stopped working after running an update last night? As a result some of these medical devices are riddled with malware that crooks can use to attack riper targets. Does your character want to hack a hospital to get at patient data he can use for identity theft? It might not be that hard.

Grand theft auto

Here’s an article with video of someone using a laptop to steal a 2010 Jeep Wrangler. It’s not clear what the person is doing, but a policeman quoted in the article speculates that the thief used the laptop to persuade the car’s computer to recognize a key fob the thief had with him. It’s probably just a matter of time until that technique is possible with a phone. “There’s an app for that.”

And as if on cue, Fiat Chrysler is running a bug bounty to pay people to find and report security problems in cars’ computer systems.

Two-factor authentication

Many online services offer two-factor authentication (2fa) to protect users’ accounts. When you enable 2fa on an account, it means that you still log in with a username and password, but then you have to enter a one-time code before you can access your account. How you get the code (typically a six-digit number) depends on the implementation: twitter sends you the code in an SMS text message, while others (like google and facebook) have you look up the code in a mobile app. Either way, you generally get the code with your phone. The point of this is to make it harder for someone to break into your online account, because they’d have to know your password and have access to your phone.

So logging in with 2fa means taking an extra step which at times can feel like a nuisance. The way I look at it is that it’s a minor inconvenience for me, but it’s a significant inconvenience to someone who wants to steal my account.

2fa isn’t a new innovation. I knew someone in the late 1990s who worked for a government-funded research facility, and he carried around a little device in his pocket. When he needed to log in to one of the facility’s computers, he’d have to look at the code that appeared on the device’s screen and enter that code in order to complete his login process. It worked very much like modern 2fa implementations.

More and more online services are offering 2fa, and I encourage you to start using it wherever you can. The Two Factor Auth (2FA) web site provides of list of who does and who doesn’t offer 2fa login features. This can be a good place to see which of your accounts have 2fa available, and the 2fa site typically has a link to the documentation on how to set up 2fa for each service.

2fa makes it a lot harder for someone to take over an account, but it’s not perfect (and this is the part that might be useful to a writer who needs her main character to defeat a 2fa-protected account). Someone gained control of the twitter account of political activist DeRay Mckesson, an account that had 2fa enabled. The criminal contacted Verizon (Mckesson’s mobile provider) and convinced the billing department that Mckesson’s cell phone number had changed. So SMS messages that should have gone to Mckesson instead went to the criminal’s phone. The criminal then used twitter’s “forgot my password” feature and received an SMS message with the code the criminal needed to complete the account theft.

This is a good reminder of how effective social engineering can be. Some people will do anything to end a phone conversation with an angry-sounding customer. Sometimes the best hacks exploit people, not computers.

By the way, that Naked Security post (near the end) has some tips on how to enable security features on the accounts of several mobile providers, including Verizon. That might or might not have made a difference in DeRay Mckesson’s incident, but it might have made it easier for him to regain control of his Verizon account.

Passwords: salts, hashes

In the previous post we saw that network and web site accounts with reasonable security use hash functions to protect passwords.

But even using a hash function isn’t enough, because the bad guys have rainbow tables. A rainbow table is a list of common passwords (like Password123) and their hash values. So if a site suffers a data breach exposing account data, a simple hash function won’t be much of a barrier, because the criminal can compare the hash values (in the breach data) against a rainbow table and recover many of the weaker passwords.

To counter rainbow tables, sites typically salt users’ passwords: when someone creates a password, the site generates some random characters (the salt), appends that to the user’s password, runs the salted password through the hash function, and then stores the hash value and the salt. When the user tries to log in, the site takes the password they typed, appends the salt stored with the user’s account, sends that through the hash function, and compares the hash values.

Salting hashes sets the bar a lot higher, because the criminal would need to compute a new rainbow table for each password (because each password will have a different salt).

This is why I get frustrated with fiction that makes it look easy to crack passwords. Any account worth hacking will likely be protected by some or all of the following safeguards:

  1. salted and hashed passwords
  2. a password policy enforcing complexity rules (e.g., your password has to be at least eight characters, has to include numbers and punctuation characters, and can’t look too much like a word)
  3. active response locking an account after too many failed attempts
  4. two-factor authentication (you log in with your username and password, but then the site won’t give you access until you enter a code it sends to your cell phone)

Active response in particular makes guessing passwords impractical. If your character is trying to break into a network or web site account, too many failed attempts are going to end up locking the target account. Your character is better off trying to steal the password with a phishing attack, social engineering, using a keylogger, exploiting a flaw in the “forgot my password” feature, or even a security camera pointed at the keyboard.

And an account protected by two-factor authentication is nearly unassailable, because your character would need the target’s password and their cell phone. Social engineering might be best here.

Passwords: this isn’t a game show

Have you ever seen a movie where someone is running a computer program to crack a password (or a missile launch code), and it discovers one character at a time? It looks like a Wheel of Fortune contestant correctly guessing a letter or buying a vowel. This is a trope I think writers and screenwriters should avoid.

Passwords don’t work like Wheel of Fortune. If they did, it would mean that each individual character is stored separately, and it would take around the same (boringly brief) length of time to guess each one.

When you sign up for a account on a web site that has reasonable security, the site takes the password you provided and puts it through something called a one-way hash function. The hash function turns your password into a hash value: it transforms something like

Password123

into something like

b2e98ad6f6eb8508dd6a14cfa704bad7f05f6fb1

or

Password124

into

ae5b6bf3a00dabe4bcb06918044f3032c6e7c80c

Hash functions (there are many of them–I used sha1sum for these examples) have several important features:

  1. It works the same way every time (sha1sum always hashes Password123 to b2e98ad6f6eb8508dd6a14cfa704bad7f05f6fb1).
  2. It’s very difficult to find two passwords that have the same hash value, but it’s not impossible. (This means that a hash value does not uniquely determine a password.)
  3. You generally can’t work backwards from the hash value to recover the password (it’s different from encryption, which allows you to decrypt the encrypted value).
  4. A minor change in the password (changing 3 to 4 above) drastically affects the hash value.

So when you set your password, the site hashes your password and saves the hash value, not the original password. Next time you log in, it uses the same hash function to hash the password you just typed in and compares that hash value to the hash value stored next to your username. If the hash values match, then you typed the correct password, and the site gives you access. If they don’t match, you get the “invalid password” message.

That’s one of the many reasons that the Wheel of Fortune thing is so absurd. The site checking the password you just typed doesn’t even know the original password. It’s checking one hash value against another–the whole thing matches or the whole thing fails. So even if a criminal compromises the site through some security vulnerability and manages to download the username/password database, they get a bunch of stuff they can’t read.

In the next post we’ll see that hashing passwords is better than storing passwords in clear text, but that it’s still not sufficient.