Hack.lu 2016

Hack.lu 2016 Wrap-Up Day #3

The third day is already over! I’m just back at home so it’s time for a last quick wrap-up before recovering before BruCON which is organized next week! Damien Cauquil started the first batch of talks with a presentation of his new framework: “BTLEJuice: the Bluetooth Smart Man In The Middle Framework“.

Damien on stage

As the title says, the presentation focused on the BlueTooth LE (“Low Energy“) protocol. Damien started with a few slides to review the specs of this protocol. It is designed to be used by low power devices. That’s why it is mainly used in embedded devices (IoT). Two important terms are: the peripheral (which accept only one connection) and the central which accepts more connections and is some kind of relay. BTLE uses the same base band as the WiFi (2.4Ghz) and communications are encrypted (via the Security Manager Protocol). Damien explained how the pairing process is performed and how the devices use the different channels available. An important aspect is the ability to sniff the traffic. Not so easy because we must list to all advertising channels to be sure to get all the conversations. You’ve to be lucky to intercept a connection request (“CONNECT_REQ”). And, as the same frequency is used, WiFi devices may cause false positives.

The next part of the presentation was dedicated to Damien’s framework: BTLEJuice. Written in Node.js, it has the following features:

  • Live GATT operations and sniffing
  • Burp-like intersection and manipulation
  • Web UI
  • Text and JSON export
  • Python & node.js bindings

Some demonstrations were performed. The first one was just sniffing some traffic. The victim was a smart lock that can be unlocked via a smartphone and an app. After sniffing the traffic, we see that the PIN code is exchanged in clear-text mode and that the lock authentication is just based on the BD address. The next one was a replay attack against a small robot. It’s easy to send commands to make the robot “beep”. Finally, an injection attack was demonstrated based on a blood glucose monitoring system. Can you imagine sending false data without the device itself?

Finally, Damien explained how to detect / block BTLEJuice. Applications should use timing detections (read or write operations take longer than expected when intercepted by the application). Another best practice is to keep the BTLE connections available only when required. The framework is available on Github.

The next presentation was “Where to host my malware?”

Attila presented “Where to host my malware?” by Attila Marosi. It was the same kind of presentation: abusing some hardware. Attila made a research and discovered that a specific malware is infecting specific NAS devices. How? The malware, called Mal/Miner-C, is distributed via open FTP servers. The first step was to identify such vulnerable system. A good start is to use online tools like shodan.io or netdb.io. Attila searched for open FTP servers, than the ones with anonymous access and finally the ones with writable access. Thousands of devices were identified and 70% (!) of them were already infected by Mal/Miner-C. Vulnerable devices are the Seagate Central NAS. On those devices, accounts can’t be disabled and if remote access is enable, anonymous access is also activated by default.  Based on the capacity of the devices, Attila estimated that the online available storage space was 766TB! The malware drops the following files: photo.src and info.zip. Available webpages are also infected. The next Attila’s target was the CCTV solution NetVU and finally some smart street lighting systems. Crazy to see such devices so badly protected! For those who are interested, Attila wrote a nice blog post on the Sophos website.

After a welcome coffee break, Marion Marschalek came with another awesome malware research titled “Interesting malware, No I’m not kidding”. Marion’s job is to track malware’s and when she found one, it is analyzed from A to Z.

Marion on stage

If we have masses of malware for windows, most of them are boring and the analyze is always the same. The malware presented by Marion, called “Cheshire Cat“, was different. First of all, only 5 samples were detected between 2002 and 2011. Analyzing a malware from 2002 can be challenging because the operating systems internals were different. Marion explained in details how the malware worked: browser injection, C2 communications, key logging, file system enumeration, etc. I liked Marion’s conclusion: if you are interesting enough, you could get a malware dedicated to you 🙂

Then, Russell Mattioni, from ENISA, presented “Enhancing infrastructure cybersecurity in Europe”. By infrastructure, we mean transports, finance, e-health services, smart grids, … Russel presented the ENISA and its daily work to improve the security of infrastructures in Europe. If the talk contained interesting information, it was way too theoretical. IMHO, it was not appropriate for an audience like hack.lu. We all know what are the issues and how to (try to) fix them.

Rossella on stage

After the lunch, another talk was given with again a physical device as the target. This time, it was the intercom systems that we can find at doors of buildings in many cities. Basically, they provide the following features: they call a resident who can unlock the building from door remotely. The title was “House intercoms attacks: when front doors become backdoors” and presented by Sébastien Dudek.

Sébastien had the idea to investigate how such devices could be abuse. Modern ones do not need cables and rely on 3G connectivity. They are different brands. Amongst them, Linkcom is the cheapest and commonly used in private buildings. They are easy to detect when a nice 3G module is installed close to the door.

Sébastien on stage

Besides the intercoms, Sébastien explained how 3G networks are working. The device configuration can be performed by SMS and the configuration is stored on the SIM card. A first demonstration was to hijack the number stored in the intercom with your own number. You’ll then receive calls from visitors, be able to talk to them and unlock the door.

Some intercom’s use M2M networks (“Machine 2 Machine“). In this case, there is a centralized server, which means a broader attack surface! Re-use the SIM card in your computer and configure the same M2M network settings then attack the infrastructure. Some of you could also have free Internet access. Note that a botnet of intercom’s device could be build to call a premium-rate number for make some profit.

Mahsa Alimardani was the next speaker and came back with a talk that (“A push towards practice informing  technology“) was really close to the one she gave last year.

I left the event earlier and did not attend the last talk. The 2016 edition was a good one, I met new people and had great times with the already known too. Keep an eye on the archive page to get a copy of slides. Finally, I would like to thank all the readers of my wrap-ups. Feedbacks are always very positive! Stay tuned for more soon 🙂



Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.