Turn someone else’s phone into an audio/video bug. Check.
Use Dropbox as a backdoor into corporate networks. Check.
Suck information out of pacemakers. Check.
The Black Hat conference convening in Las Vegas next week offers hacker tools for all of those plus more.
[LOOKING BACK: 10 scariest hacks from Black Hat and Defcon
MUST SEE: 10 more of the world’s coolest data centers]
Intended to provide good-guy researchers with tools to test the security of networks and devices, the free tools distributed at the conference can also be used by the bad guys to break into networks, steal data and thwart defenses designed to expose malware halt attacks.
Over the course of two days white-hat hackers from consultancies, universities and vendors will present more than 100 briefings on vulnerabilities and exploits they have discovered, and in many cases releasing tools that would be useful to hackers.
Many of the specific exploits they expose in specific commercial products have been reported to the vendors and been patched already, but other tools can be more widely applied.
Here are some of the hacker tips promised as part of the Black Hat briefing agenda:
= A tool called BREACH will be released that pulls encrypted secrets from HTTPS streams. During the same session, speakers from Salesforce.com and Square will use BREACH to demonstrate an exploit against “a major enterprise product” that retrieves session identifiers, CSRF tokens, email addresses and the like in under 30 seconds from an HTTPS channel.
= An attack tool that its authors say can defeat commercial products designed to mitigate DDoS attacks will be made freely available. Proof that it works will be supplied by testing results against specific products as implemented on Web sites known to employ them. Bloodspear Research Group will present a new DDoS defense that thwarts BloodSpear’s own attack tool.
= A tool to automate information gathering that can be used to make spear phishing messages more convincing by mimicking how individuals interact with others, with whom they interact and the vocabulary and phrasing they use. This tool from researchers at Trustwave’s Spider Labs grabs the data from publicly available sites using both APIs and screen scraping. It then analyzes the data to show frequency of use of verbs, adjectives and nouns, average sentence length, hobbies, networks of friends and upcoming trips planned by target individuals.
= Bluebox will explain how to exploit a vulnerability that tricks the Android mobile operating system into accepting malicious applications hiding behind the signatures of legitimate, cryptographically-verified apps. While patches have been written to address the problem, deploying them depends largely on device manufacturers and service providers, so when and if they will be patched is up in the air.
= Michael Shaulov and Daniel Brodie of Lacoon Mobile Security will show how to bypass mobile malware-detection and mobile device management features such as encryption to install surveillance tools that gather text messages, email location information as well as hijack the phone to record what’s being said in its vicinity.
= Kevin McNamee, research director at Kindsight, will show how code that turns smartphones into spy sensors can be injected into any phone application. The phones can be attacked and operated from a Web-based command and control server and infected to pick off phone calls, text messages, emails and contact lists. The attacks enable turning on the phones’ cameras and microphones without being detected, turning the devices into audio-video bugs.
= Home-based devices that connect to carrier cell networks can be hijacked to intercept voice, texting and data traffic running over the network, says a team from iSec Partners. These femtocell devices distributed by CDMA service providers, sometimes for free, act as cellular base stations to connect customers’ cell phones to the providers’ networks via Internet connections. Hacking these Linux devices enables attackers to pick off traffic as well as clone connected mobile devices without physical access to them.
= iPhones are vulnerable to attacks from malicious chargers, and a team from Georgia Institute of Technology will show how to build one and use it to install software on a phone. They will show how to hide such applications the same way Apple hides its standard apps it installs on the phones. The charging device, called Mactans, can be built easily and inexpensively. They also have recommendations for owners to protect the phones and steps Apple could take to make such attacks harder to carry off.
= Three researchers from McAfee will demonstrate software that can bypass Windows 8 Secure Boot, which is supposed to block malware from corrupting the operating environment beneath the operating system. With Secure Boot bypassed, it’s easier for malware to install itself and remain undetected.
= Google will release a tool called Bochspwn that has already been used to discover about 50 vulnerabilities in the Windows kernel and related drivers. Many of the vulnerabilities have been patched but the tool could be used to find more.
= A team at Cyclance will give away a tool that figures out how pseudorandom number generators work based just on the numbers they generate, enabling attackers to figure out numbers generated in the past and will generate in the future. The implication is that discovering these pseudorandom numbers can help undermine the security systems they are used to protect.
= It’s possible to set up an inexpensive sensor-based tracking system for keeping an eye on individuals or groups as they go about daily activities without sending any data to the targets of the surveillance, and law student/security researcher (Malice Afterthought) Brendon O’Connor will show how. His system, called CreepyDOL uses inexpensive sensors and open-source software to ID targets, track them and analyze the data gathered. “In other words, it takes you from hand-crafted, artisan skeeviness to big-box commodity creepiness, and enables government-level total awareness for about $500 of off-the-shelf hardware,” according to the Black Hat briefing description.
= Attackers can manipulate certain Flash storage devices in order to hide potentially malicious files on them or to render them useless, a situation that will be explored in a session by Josh Thomas, a researcher at Accuvant Labs. He will release two proof-of-concept tools at the show for Android – one that injects and hides files on Android devices and one that finds such files. He will also show how devices as diverse as smartphones and industrial-control systems can be disabled by tinkering with their NAND Flash memory – a vulnerability he says cannot realistically be patched or fixed.
= Low-energy Bluetooth (sold as Bluetooth Smart) employs a key exchange that security consultant Mike Ryan of iSEC Partners says is weak. He will demonstrate how to sniff those keys in order to decrypt traffic sent by such devices, release a tool that does the sniffing and show how to fix the problem using Elliptic Curve Diffie-Hellman key exchange instead.
= Barnaby Jack, director of embedded security research at IOActive, will reveal software that employs a bedside transmitter to scan for and interrogate medical devices such as pacemakers that are implanted in human patients. He will point out the shortcomings of security on these devices and ways to improve it.
= A researcher who showed at Black Hat 2011 how to take over routing tables on the OSPF routers in a single autonomous system have found a new way to do the same thing. “The attack may be utilized to induce black holes, network cuts or longer routes in order to facilitate DoS of the routing domain or to gain access to information flows which otherwise the attacker had no access to,” according to the briefing description by Gabi Nakibly, a fellow at the National EW Research & Simulation Center in Israel. “The attack can also be used to easily DoS a victim router using a single packet.” Router vendors are working on a fix.
= A tool to make Dropbox a backdoor into corporate networks was introduced at Black Hat Europe earlier this year, and the upcoming Black Hat in Las Vegas the developer of that tool, called DropSmack, will release DropSmack v 2, an upgrade that deals with “some of the unique operational challenges posed by synchronization environments. In particular, we added the ability to work with more synchronization services automatically,” according to the description of the talk by Jacob Williams, a principal at CSRGroup Computer Security Consultants. The talk goes beyond Dropbox to include cloud backup services in general and their use of synchronization in particular.
= Power-analysis attacks can extract cryptographic keys and other data from hardware encryption devices, but the gear needed to capture and analyze the power-use data so is expensive. Colin O’Flynn, a Ph.D. student at Dalhousie University, will detail how to set up a power-analysis lab for a few hundred dollars using open source hardware and software that fits in a pocket.
= RFID tags are often used in proximity badges that control access to buildings. Fran Brown, managing partner at Bishop Fox, will show how to read these badges from three feet away in order to make a clone using a microcontroller to modify an RFID badge reader. He says he’ll show how to steal RFID information from the badges of passersby and how to make custom RFID hacking tools using Arduino microcontrollers.
Tim Greene covers Microsoft and unified communications for Network World and writes the Mostly Microsoft blog. Reach him at firstname.lastname@example.org and follow him on Twitter@Tim_Greene.