Hack.lu 2018 Wrap-Up Day #3

Here we go with the last wrap-up of the 2018 edition! The first presentation was about worms: “Worms that turn: nematodes and neotodes” by Matt Wixey. The first slide contained the mention: “for educational purposes only”. What could we expect? The idea of the research performed by Matt was interesting. A nematode is, in infosec, an anti-worm. It is designed to kill/block or disrupt other worms. Matt started with a history of worms. The first one was written in the 70’s (“I’m the creeper: catch me if you can”) until today. Modern worms target IoT devices which are juicy targets. If people can write worms to infect devices, why not write worms that can fix them by patching and/or performing security remediation. Matt performed some demos about his research. Not a classic way to address the problem with worms but interesting.
The second presentation was called “Mind the (Air)Gap” by Pedro Umbelino. Why searching for security issues on air-gapped networks? Because they are used in highly secured environments and because it’s extra-challenging and fun. But when you have air gaps, you also have covert-channels that are everywhere: physical media (USB sticks), acoustic, light, seismic, magnetic, thermal, etc. The idea of Pedro was to use a BLE (“Bluetooth Low Energy“) light bulb to exfiltrate data and particularly the blue colour because the human eye is less reactive to it. He demonstrated how to perform variations on the blue light to exfiltrate data character by character. Then, he explained how to use the NFC chip of an Android device to perform the same kind of exfiltration. The conclusion to the talk was: “As long as a device is on, people will find a way to exfiltrate data out of it“. Just a personal remark: in very secured environments, electronic devices are not allowed or must be turned off… but it was a nice demo!
Then, Gaelle De Julis came on stage to talk about PRNG (“Pseudo-Random Number Generator“). Her talk was “Not So Random”. Randomness is widely used today (for encryption, for session identifications, API keys generation, etc). There are two important properties that randomness must have:
  • Distribution (no pattern)
  • Predication (not predictable)

There was already research and exploits found like “How I met your girlfriend”, “PS3 Epic Fail” or “Mind your Ps and Qs”. Gaelle had a look at Java and the Math.random() function. She explained how a token generation function can be abused so, yes, sometimes, it’s not so random. Her background is based on mathematics so it was quite difficult to follow but you get the idea: take care when you need to generate random data.

The next one was “How we trained the dragon^H classified APKs via ANNs” by Roman Graf and Aaron Kaplan. The idea of their talk was to use machine learning techniques to detect malicious Android APK files and qualify them. Unfortunately, I had to leave the room during the talk.
The following talk was the keynote speaker and a very special one. Mr Paul Vixie himself! For those who don’t know him (yet!), he’s one of the founders of the ISC (“Internet Software Consortium”) maintaining the BIND domain name server! I had the opportunity to meet him in IRL! His keynote was focussing on the need of collaboration and exchange to better protect our Internet. The competition is mandatory for efficient purposes (to influence (nations), for profit (companies) or lifestyle (people)) but it must be defined in a framework. On the Internet, there is no cooperation (spam, e-crime, DDoS) and it is difficult to track bad actors. Indeed on the Internet, as said Paul, “packets have no passport“! And an attack on one will become an attack on all. Then, he presented the SIE (“Security Information Exchange”) founded in 2007 when he started to deploy sensors to collect DNS data (which are today known as the passive DNS – – see yesterday‘s presentation by Irena). Today, SIE is still growing and there is something new: a European office has been opened in Germany. So, they are still collecting more and more data. Feel free to join them and submit your logs!
After lunch, I attended a very interesting workshop about AIL (“Analysis of Information Leaks). This is a framework that is fed by popular sharing data platforms like pastebin.com (but not limited to) and that helps to search for interesting information like PII or IOCs.
After the workshop, back to the main room for two last talks. The first one was “Serial-Killer: Security Analysis of Industrial Serial Device Servers” by  Florian Adamsky. His research started next to the attack in Ukraine which affected the distribution of electricity (report here). Apparently, Ethernet to Serial converters were abused during the attack. Such devices are more and more used in ICS environments to perform remote access to devices that have only a serial port. Some examples of usage: traffic lights, tank monitoring. He started to investigate and found many vulnerabilities that are really basic and scary. Some examples:
  • DoS (blocking regular users by opening just 1 TCP session)
  • No access control or very weak access control (like 4 digits)
  • Firmware manipulation (no verification)
  • Etherleakinng (exposition of some portion of the kernel memory)
  • Hidden WiFi access point that can’t be disabled
  • XSS

All vulnerabilities were reported to ICS-CERT and,  after three months, publicly disclosed.

My last presentation was the one of Francois Durvaux about “Practical and Affordable Side-Channel Attacks“. Crypto is everywhere (thanks to more and more IoT devices) and cyphers are strong today… until the key is not disclosed or stolen. François explained how easy it is to steal an AES key using a side-channel attack. What does mean side-channel? It’s all information that is not part of the standard input/output. We can have timing attacks, power attacks, sound-based attacks or cache attacks (like Meltdown). Francois explained how we can steal a key by having a look at the electromagnetic radiations emitted by an implementation of an AES-258 on an 8-bit microcontroller. He explained how we can detect variation of the radiations emitted by the device when it’s performing encryption. And this based on a low budget! After explaining how to perform the attack, François presented his demo which was quite impressive! Note that it’s not AES that is targetted! All block cyphers are affected by this non-intrusive attack. The code used in the demo has been released on github.com. Awesome!
That’s all for this edition of hack.lu, now let’s switch to BSidesLux organized tomorrow.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.