What I learned at DEFCON 22

After a hack-filled week at Black Hat and DEFCON, I realize Las Vegas has always been the appropriate place for these events because much like the virtual world, it shouldn’t exist. Like the Internet, the city sprung up where there was nothing, created through a combination of human ingenuity, tenacity and of course, a bit of greed.

Like Las Vegas, we are often dazzled by the lights and illusions of the Internet as it expands, often forgetting that there is a darker, seedier side that runs in parallel and preys on those not paying attention, or whose guard is down, for money, power or plain ego.

When it comes to technology, the house doesn’t always win. Once the rules and algorithms are understood, they can be manipulated, torn apart and with some morale flexibility, can be used for nefarious purposes. DEFCON, to me, isn’t so much about hacking all the things, but understanding where we are weak.

One session I really enjoyed at DEFCON was “PoS Attacking the Traveling Salesman” with researchers Tsagkarakis Nikolaos and  Alex Zacharis, where they discussed multiple vulnerabilities they discovered in airport kiosks, such as those used to check-in, purchase wi-fi time and others. They highlighted that airports are a target because business travelers are in a hurry and more willing to trade privacy and security for communication from rogue access points and kiosk systems, both which may easily be compromised.

The kiosks themselves had poor security. Although considered point-of-sale systems, they lack the security of actual payment systems since they do not deal with credit cards, making it unlikely that the devices adhered to basic security controls that even PCI DSS requires. Many of these devices have web cameras, open USB ports and either lack authentication or are easily cracked. Others simply ran unpatched operating systems that could easily be exploited.

The devices could give someone with malicious intent, eyes in the airports through the web camera and the ability to gather information about passengers on specific flights. Often times, these devices are also networked to other systems and can serve as a beachhead for further attacks. Methods and techniques for fuzzing the QR/barcode reader was an added bonus.

Before Black Hat, there were some bold claims regarding a talk giving the impression that planes can be hacked through the onboard Wi-Fi. I was happy to see Phil Polstra bring some reason to much of these claims and provide less FUD fueled presentation outlining the facts. Although there are some security weaknesses, such as lack of encryption in most aviation communication protocols, I didn’t need to worry about my plane being hacked on the way home.

In my hotel room, a friend showed me how he easy it was to get information from planes flying overhead. Using his HackRF, he was able to extract the 24-bit Airframe Address assigned by the ICAO. From this, we could easily lookup aircraft type, owner, tail number and sometimes even a recent photo on Airframes.org.

I immediately saw a future chained exploit where data extracted from compromised check-in terminals paired with this radio sniffing Airframe Addresses, could identify not only what plane was flying above but also who was on it.

Speaking of the HackRF, there were a lot of presentations around RF hacking with Software Defined Radio at both Black Hat and DEFCON, at least more than previous years it seemed. The Wireless Village had a full schedule with several excellent presentations, including Tripwire’s own Craig Young.

Michael Ossman and Jared Boone did a great presentation on HackRF and the soon to be launchedPortaPack. This year there was even a Wireless Capture the Flag (WCTF), along with presentations on using RF in penetration testing scenarios.

There are a lot of great SDR hardware tools coming out, it will be interesting to see how new attack and defensive tools are developed over the next year taking advantage of these new tools. I even included a slide on the potential risk of rogue mesh networks planted by a technically savvy insider in my BSides Las Vegas presentation, hoping to have a prototype working in the near future.

Via The State of Security