This is the time of year to reflect on the revelations brought forth from Black Hat and Defcon.
As many of you have probably heard by now, I presented research on exposures in Google’s authentication system. This included a live demonstration of just how much access ‘weblogin:’ tokens have to a Google account.
For those of you who were unable to attend, I have made my slides and a demo video available. The purpose of this blog post however is not to promote my talk which has already been pretty well covered in various media outlets, but rather to highlight some other Defcon revelations which you may not have heard about.
MIT students, inspired by their local lock sport chapter, demonstrated that keys for ‘high-security’ locks could be duplicated with relative ease using 3D printing.
With patent applications and calipers as their guide, they were able to create digital blueprints and fabricate keys for roughly what it would cost to duplicate a traditional ‘low-security’ key at a hardware store.
The students used a variety of online prototyping services ranging from $3 (plastic) up to $150 (titanium) and found that all of the keys would at least open the lock once.
This research built on previous work in which another group had successfully fabricated a house key using a photograph taken from the roof of a nearby building.
Defeating Corporate Wireless (DefconSecure isn’t so secure after all)
Two self-described hillbilly hackers (James Snodgrass and Josh Hoover) demonstrated a technique for capturing cleartext WPA2 Enterprise (MS-CHAPv2) credentials using a patched RADIUS authentication server.
As part of their talk they performed a live demonstration in which consenting audience members had their credentials to the ‘secure’ Defcon wireless network intercepted and revealed in plaintext.
This comes just a year after Moxie Marlinspike showed off huge design flaws in MS-CHAPv2 which reduce the effective key space enough that any key can be determined within 24 hours using Moxie’s password cracking service.
The difference this year is that the attack does not rely on heavy computing resources to brute-force an encryption key. As attendees witnessed, the hillbilly hackers were able to see plaintext credentials in virtually real time as devices attempted to connect to the rogue access point.
SIM Card Hacking
First-time Defcon speakers Karl Koscher and Eric Butler shared their research on the inner workings of the SIM card. (SIM cards are the subscriber identity modules which authenticate GSM and LTE phones with a mobile network.)
Their talk explained how SIM cards relate to traditional smartcards such as those commonly used in 2-factor authentication and European bank cards.
Although many users (particularly in the US) are unaware of this, SIM cards use an old version of Java to provide applications which communicate directly with the baseband processor.
This can happen right under the nose of the iOS or Android platforms which run on a separate application processor.
SIM card applications do however have the ability to describe simple UIs which can be rendered on feature phones as well as smartphones.
As if it isn’t scary enough to know that Java is running on the SIM, the presentation detailed the process of loading applications onto the cards, including a process which allows for over-the-air installation of applications to the SIM card without involving the higher-level phone OS.
Fortunately, the SMS messages required to do this involve some level of authentication typically reserved by the carrier, but a separate Black Hat presentation this year laid the groundwork for extracting key material from the SIM card’s secure storage, which could turn some theoretical attacks into practical attacks.
Apart from the Defcon speaking tracks, there were also great presentations on lock-picking, defeating tamper-evident systems, and injecting subcutaneous NFC tags (complete with live demonstration).
I had a really great time at DEF CON and was very encouraged by the response to my talk. Thank you to everyone involved with making Defcon21 possible and a special thanks to Jeff Moss (@thedarktangent) and Edward Snowden for the photo ops!