A FaceTime fail, weaponized sound, a ‘Prying Eye,’ and a wearable fingerprint ring were among the more novel and odd hacks this year.
In a year punctuated by endless reports of leaky cloud storage buckets, firmware flaws, and the resurgence of ransomware into a full-blown epidemic, security researchers still found innovative hacks to keep one step ahead of cybercriminals and (maybe) nation-states.
They weaponized sound, hijacked building automation systems, and found security holes in the Boeing 787 airplane’s on-board network. Internet of Things devices and mobile apps continued to be a pathetically easy mark for vulnerability hunters, but it was an accidental finding by a 14-year-old Fortnite gamer that rocked the mobile sector: a flaw in Apple iOS’s Group FaceTime app that activated the microphone on an iPhone even if the user didn’t answer the call.
And in a creepy but creative project on the defender side, security researchers teamed up with a jeweler to develop a wearable ring that stores a user’s “fingerprint” for authenticating to biometric systems.
So take a break from sifting through the false positives and stressing over the elusive needle in the haystack, and peruse some of the most creative hacks by security researchers that we covered this year on Dark Reading.
Grant Thompson was doing what many teenagers do when they game together online: the Tucson, Ariz., 14-year-old was getting his friends together for Fortnite on a group call, using Apple’s Group FaceTime feature. After trying to ring one friend via FaceTime who didn’t pick up and then adding a second friend to the call, he was able to hear the microphone of his first friend, even though the boy hadn’t picked up. He could hear the ringing sound on the first friend’s phone, he told NBC News.
Grant’s mom tried to reach out to Apple support via Twitter, and word of the bug soon began to spread online, along with handy how-to’s on exploiting it. Security experts warned iOS users to immediately disable FaceTime on their devices, and Apple subsequently disabled the Group FaceTime service. The company later issued updates for the flaw, iOS 12.1.4 and one for MacOS Mojave 10.14.3, and gave Thompson an official acknowledgement for his find. Apple described it as a logic issue in how Group FaceTime handles calls.
Grant’s opportune catch even earned him the coveted Pwnie Award for Best Client-Side Bug, along with software developer Daven Morris, 27, of Arlington, Texas, who separately reported the bug to Apple a few days after Thompson and his concerned mom did in January. “Exploiting this issue required no heap manipulation or even understanding what a CPU or a buffer is,” the judges said in nominating Thompson and Morris. “Don’t look up how old Grant Thompson was when he found this. It’ll make you insecure,” they added.
Researcher Matthew Wixey calls them acoustic cyber weapons: the PwC UK researcher wrote custom malicious code that forces Bluetooth and Wi-Fi-connected embedded speakers to emit painfully high-volume sound, or even high-intensity sound at inaudible frequencies, that can possibly reach levels destructive to the speakers – and to the ear.
The research was part of his PhD work at UCL, and he described it as an example of cyber-physical malware.
Wixey was able to hack into the volume controls of various speaker devices – including a laptop, mobile phone, smart speaker, Bluetooth speaker, and headphones – to produce sound that could irritate or hurt human hearing with just a short exposure period, and even destroy or damage the speakers themselves. He reported his findings to the affected device makers, whose names he didn’t disclose.
No human ears were tested in his research for obvious reasons, but he and his team did find that a component in a smart speaker burnt and ultimately permanently damaged the speaker after just 10 minutes of testing frequencies.
Just how secure is your online videoconference, anyway? Well, if you forgo passcode protection, you could be inviting trouble.
Researchers from Cequence discovered a major vulnerability in the wildly popular Cisco Webex and Zoom online meeting platforms that could allow an attacker to scan for and attend videoconference meetings set up without password protection.
The so-called Prying Eye flaw could be exploited to execute an enumeration attack, which automatically detects numeric or alphanumeric sequences used to identify applications on the public Internet. The researchers created a bot using the Web conferencing platform APIs to find Webex and Zoom call meeting IDs, and join, view, or listen in.
But the good news is that even if an attacker was able to sneak into the meeting via a Prying Eye attack, he or she would likely get found out since attendees get announced when they join meetings.
Cisco and Zoom both issued fixes for the issue and provided more stringent password-use settings for online meetings.
Building a Building Worm
For about $12,000 in code development costs and building automation system equipment, researcher Elisa Costante and her team from ForeScout developed an attack framework that included a worm, first infecting an IP camera and then spreading to the PLC that controls building automation system processes. The researchers wanted the malware to be stealthy and untraceable via forensics investigations.
The hack exploited a buffer overflow vulnerability in the Windows-based workstation, and could, for instance, be used by an attacker to open up restricted physical access to a specific area in a building. But an attacker could well have used any other of 10 different security flaws the team had pinpointed in popular BAS systems – including protocol gateways, PLCs for HVAC, and access control.
Building systems often don’t fit neatly into a cybersecurity strategy, and they rarely get software updates or security checks. Nor does IT typically have access to them. “They’re not behind the firewall or [part of] ICS … and they’re not run by IT. It’s a little group doing their own thing,” said Dale Peterson, CEO of Digital Bond.
It’s typically older equipment with dated software, too. “You still have a lot of [BAS] devices running on old firmware,” Costante said.
Apple Mac users often harbor a false sense of security. Take code injection attacks: Windows machines are more prone to this breed of attack than MacOS, where this threat hardly registers on the radar screen. But researchers from Deep Instinct shook the Mac world earlier this year with a hack that employs code injection – using a customized Mach-O loader. Mach-O is the format used by MacOS and iOS for executable files.
Shimon Oren, head of threat research at Deep Instinct, dubbed the attacks Hook-Inj, named after the remote-process hooking method they employ to run code remotely. There’s no vulnerability in Mach-O per se; the attacks basically abuse its functions and bypass detection by multiple MacOS security tools.
“Right now if an attacker wants to use these mechanisms, there is no solution in the marketplace that can protect against it,” Oren told Dark Reading in April when he went public with his research.
Bad news: there’s no vuln for Apple to patch. “In general, the whole code injection execution area is still somewhere that’s more in the courts of security vendors than in the courts of the operating system vendors,” Oren said.
Security researcher Ruben Santamarta was shocked when he came across an exposed Boeing server online last year that contained firmware specifications for Boeing’s 787 and 737 plane networks. Santamarta, who had been studying airplane cybersecurity for years, reverse-engineered the binary code and studied the configuration files. He found that the firmware, a version of VxWorks in a Honeywell network component, harbored multiple security flaws that could give an attacker remote access to the sensitive avionics network on the plane.
But Boeing pushed back hard when Santamarta went public with his findings at Black Hat USA this summer, arguing that its network defenses would block any such attack and potential threat to its avionics system. That, even after Santamarta and his company IOActive had worked closely with Siemens on the disclosure process and analysis of the findings.
Santamarta had framed his research with the caveat that the ultimate effect on the avionics system is unclear without him getting access to an actual 787 aircraft. Even so, he argued, an attacker exploiting the firmware could bypass security controls on the network and reach the avionics network. He or she then could attempt to update firmware of avionics systems, for instance.
Lord of the Ring
Fingerprint biometrics are becoming increasingly mainstream thanks to Apple’s fingerprint authentication option on some of its iPhones, but security experts worry about privacy and security risks of lost or “lifted” fingerprint data. That’s what inspired researchers at Kaspersky to design a wearable ring with a stone that stores your unique “fingerprint” for authenticating to biometric systems.
The ring, which the security firm co-developed with a 3D accessory designer, is just a prototype aimed at raising awareness of security risks in biometrics. The stone stores a unique fingerprint made from conductive fibers embedded in a rubber compound: a smartphone reads the stone, which is (eek) the shape and texture of a finger.
“That ring can be used to authenticate the user with biometric systems, such as a phone or a smart home door lock. And if the data of the ring fingerprint leaks, the user can block this particular ring and replace it with a new one — and their own unique biometric data won’t be compromised,” the company said in a blog post announcing it.