CyberCompare

DEF CON 2021: Hackers highlight IoT device vulnerabilities

A series of devastating cyber attacks this year has brought global attention to the issue of cybersecurity for companies and individuals.

This year’s hacker and IT security conference DEF CON took place last week under the banner of global security issues that seem more relevant than ever.

DEF CON is the world’s largest annual hacker conference and takes place in Las Vegas. This year it adopted a hybrid format: anyone who wanted to could attend in person in Vegas last weekend, while interested parties from around the world could follow along and participate via Twitch, YouTube, and Discord talks – free of charge and without registering.

It’s not ‘just’ professional hackers and students who attend DEF CON; computer security experts, journalists, lawyers, government officials, and security researchers are there too.

Key topic at DEF CON 2021: IoT security and IoT device hacking

Dennis Giese has rooted robot vacuum cleaners. Giese’s hack lets owners use their devices safely through open source home automation, working around the in-built functions that automatically upload data to the cloud. Hacker Joseph Gabay presented his research into hacking shopping cart locking systems, which he began to explore out of a dual passion for technical challenges and locksmithing.

More mainstream, and a burning issue given the rise in working from home (WFH), was the talk by hacker Matthew Bryant. Bryant presented his results from using Apps Script to attack G Suite (now known as Google Workspace).

Apps Script payloads can be developed to work around security mechanisms such as U2F and OAuth app permission lists. Because Apps Script runs on Google’s infrastructure rather than on the victim’s machine, it gives an attacker persistent back-door access to compromised accounts, even if the target switches to a new computer.

And finally, Check Point researcher Slava Makkaveev showed how he was able to use an infected e-book to take over a target’s Kindle e-reader.

Amazon’s Kindle e-readers let users download books and other documents onto a mobile device.

Makkaveev showed how he was able to create a malware-infected book that could be published and made freely available in any virtual library, including the official Kindle Store, or sent directly to end-user devices using Amazon services.

When a Kindle user opens the e-book on their device, it executes a hidden piece of code that grants root access.

“From that moment on, you’ve lost your e-reader, your account, and a whole lot more,” said Makkaveev.

An attacker could potentially steal a victim’s Amazon account, delete books, turn the Kindle into a bot to attack other devices, or simply brick the device and make it unusable.

AI-guided social engineering

One especially forward-looking presentation at DEF CON outlined a possible future of AI-guided social engineering.

Products using artificial intelligence as a service (AIaaS), such as the GPT-3 API by OpenAI, have made advanced technologies accessible and easily affordable.

Three researchers from Singapore used AIaaS products for personality analysis and then generated phishing emails tailored to each target’s social media profile. Their work drew on the strengths of the natural-language generators incorporated into AIaaS products.

The targeted mass phishing emails produced more interaction than content written by humans, and in targeted spear phishing exercises carried out as part of authorized penetration tests, the response to AI-generated phishing emails was even higher.

It’s not all bad news. Those same researchers outlined several techniques that can be used to detect synthetic texts, as well as principles of governance that AIaaS providers need to consider.

Vulnerabilities found in the AI algorithm

Twitter launched the first ever Algorithmic Bias Bounty Challenge at DEF CON, designed to investigate problems with its algorithm. Bounty challenges like this are well established in the hacker scene, for example as a way to identify security gaps in the systems of major corporations.

First prize was USD 3,500, second place received USD 1,000, and third place received USD 500.

The problem with the Twitter algorithm

According to Twitter, the most problematic aspect is that “companies only find out about unintended ethical damage after something is already public”. It is apparently extremely difficult to detect AI biases in advance.

Twitter hopes this new challenge will build on the success of its previous hacker challenge: “We’ve been inspired by how the research and hacker community has helped the security sector develop best practices to identify and mitigate vulnerabilities and, ultimately, to protect the general public.”

3D printed fingerprints evade biometric scanners

On August 8, at the virtual security conference DEF CON, security researcher Yamila Levalle from Dreamlab Technologies explained the options available for evading biometric authentication on a wide range of fingerprint scanners. Levalle described various workarounds during her presentation, including the use of a cheap 3D printer, all of which gave positive results. Attacks on biometric systems are not hypothetical; they happen in the real world, which is what inspired Levalle to undertake this research. In 2019 in her home country of Argentina, six employees of the airline Aerolineas Argentinas were caught falsifying their work attendance. Apparently, the airline workers used silicone fingerprints to clock in colleagues who were not actually present.

Vulnerabilities in the global food supply chain

On August 8 at DEF CON 29, an Australian researcher – known only by the pseudonym “Sick Codes” – spoke of a “tractor load of vulnerabilities” that, were they to be exploited by an attacker, would have serious consequences for the global food supply chain. He explained that modern farming equipment is increasingly automated, with the machinery controlled from one central console that may have access to multiple different businesses.

He ran through an entire series of catastrophic scenarios that could arise if an attacker were able to gain access to these interconnected farms. For example, an attacker could order an overspray of chemical treatments, turning fertile land to dust and rendering it unusable for generations. A denial-of-service attack could impair a farmer’s ability to sow seeds on a critical date, so that farmer might not see a harvest at all. Another major risk is that an attacker could gain control over agricultural equipment, such as a tractor, and send it to the wrong location or even drive it off the farm onto a nearby highway.

Sick Codes noted that almost all individual farms today are linked by a variety of technologies, including wireless infrastructure such as 4G and 5G, Wi-Fi, and GPS. Use of the LoRa protocol and NTRIP in farming machinery is also on the rise, to enable more accurate positioning.

In the case of agricultural machinery producer John Deere, Sick Codes discovered that information access and remote control are possible via the John Deere operations center, which he and his colleagues were able to penetrate.

He identified several vulnerabilities, including what he described as a fundamental username enumeration problem, which made it easy for him to discover the username of a machine’s owner. He also found a cross-site scripting (XSS) vulnerability that allowed the researchers to acquire even more information.

“Of course XSS is a really basic vulnerability, but it shows that fundamental weaknesses are not being taken into account,” the researchers said.

As it turned out, that XSS weakness was only the tip of the iceberg. Sick Codes described how he penetrated a remote system that essentially gave him full control of several connected agricultural machines to which the John Deere operations center had access.

“We could literally do whatever the heck we wanted with anything we wanted on the John Deere operation center, period,” he said.

The researchers noted that they had passed all their information about the various vulnerabilities to John Deere, but that the company did not respond right away. Consequently, the researchers turned to the US government in the form of the Cybersecurity and Infrastructure Security Agency (CISA), which helped resolve the issues.

Is cybersecurity a topic of interest for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.

Please remember: this article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing, or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts, and we welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.