newstalk week 20/2014
DESCRIPTION
My news talk from weeks 19/2014 and 20/2014, presented on Tuesday, May 13, 2014.
TRANSCRIPT
N-talk
Dušan Klinec
Faculty of Informatics, Masaryk University
Brno
13. 5. 2014
Dušan Klinec (FI MUNI) Klinec, N-Talk 13. 5. 2014 1 / 33
Outline
1 Local root exploit for linux kernel
2 ATM strikes back
3 Italian-job style hacks
4 NSA backdoors in exported servers and routers
5 IETF mull anti-NSA crypto-key swaps in future SSL
Critical linux kernel bug
Local root exploit for linux kernel
Local root bug in a linux kernel
Local root exploit / local DoS exploit → critical vulnerability.
Present in the kernel; almost all Linux versions affected (Android?).
Bug from version 2.6.31-rc3, 2009.
Present in the current version 3.14.3, including testing version 3.15.
Critical impact for systems with local user accounts (e.g., webhosting companies, university servers, ...)
Local root bug in a linux kernel
CVE-2014-0196.
The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the "LECHO & !OPOST" case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings.
Local root bug in a linux kernel
No atomicity guarantee from atomic_write_lock with the termios settings LECHO & !OPOST.
TTY buffer helpers like tty_insert_flip_string must not be called concurrently.
This may lead to crashes when concurrent writers call pty_write.
Technical details
tty_insert_flip_string_fixed_flag:
    int space = __tty_buffer_request_room(port, goal, flags);
    struct tty_buffer *tb = port->buf.tail;
    ...
    memcpy(char_buf_ptr(tb, tb->used), chars, space);
    ...
    tb->used += space;
Race condition (two concurrent writers A and B):
    A: __tty_buffer_request_room
    B: __tty_buffer_request_room
    A: memcpy(buf(tb->used), ...)
    A: tb->used += space;
    B: memcpy(buf(tb->used), ...)
B's memcpy is past the tty_buffer due to the previous A's tb->used increment.
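As an added illustration (a constructed model, not the kernel's code and not from the slides) of the three steps above: the racy interleaving in which both writers size their copy against the same tb->used, beside the serialized order that a lock held across request_room, memcpy and the tb->used update would enforce. The 16-byte buffer, the 10-byte writes and the writer names are constructed; the real __tty_buffer_request_room may also grow the buffer, which the model leaves out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of a tty flip-buffer tail (not kernel code): a fixed data
 * area plus a 'used' cursor, as in the tty_insert_flip_string_fixed_flag
 * excerpt. The real __tty_buffer_request_room may also allocate a new buffer;
 * this model only reports how much of the request fits in the current tail. */
#define TB_SIZE 16

struct tty_buffer {
    size_t size;
    size_t used;
    char data[TB_SIZE];
};

/* One writer call, split into the three steps the slide interleaves. */
struct writer {
    const char *chars; /* bytes to insert */
    size_t goal;       /* how many bytes it wants to insert */
    size_t space;      /* result of REQUEST_ROOM */
};

enum step { REQUEST_ROOM, COPY, ADVANCE_USED };
struct sched_entry {
    int writer;        /* 0 = writer A, 1 = writer B */
    enum step step;
};

/* Model of __tty_buffer_request_room: how much of the request fits right now. */
static size_t request_room(const struct tty_buffer *tb, size_t goal)
{
    size_t left = tb->size - tb->used;
    return goal < left ? goal : left;
}

/* Execute one step. Returns true when the COPY would run past the end of the
 * buffer; that copy is then skipped so the demo itself stays memory safe. */
static bool do_step(struct tty_buffer *tb, struct writer *w, enum step s)
{
    switch (s) {
    case REQUEST_ROOM:
        w->space = request_room(tb, w->goal); /* sized against the current used */
        return false;
    case COPY: /* memcpy(char_buf_ptr(tb, tb->used), chars, space) on the slide */
        if (tb->used + w->space > tb->size)
            return true;
        memcpy(tb->data + tb->used, w->chars, w->space);
        return false;
    case ADVANCE_USED:
        tb->used += w->space;
        return false;
    }
    return false;
}

/* Run a step schedule over a fresh 16-byte buffer with two writers that each
 * want to insert 10 constructed bytes. Returns how many copies would overrun. */
static int run_schedule(const struct sched_entry *sched, size_t n)
{
    struct tty_buffer tb = { .size = TB_SIZE, .used = 0 };
    struct writer ws[2] = {
        { "AAAAAAAAAA", 10, 0 }, /* writer A */
        { "BBBBBBBBBB", 10, 0 }, /* writer B */
    };
    int overruns = 0;
    for (size_t i = 0; i < n; i++)
        if (do_step(&tb, &ws[sched[i].writer], sched[i].step))
            overruns++;
    return overruns;
}

/* The interleaving from the slide: A and B both size their copy against the
 * same tb->used, A copies and advances the cursor, then B copies 10 bytes at
 * the advanced cursor, 4 bytes past the end of the buffer. Returns 1. */
int racy_interleaving(void)
{
    static const struct sched_entry race[] = {
        { 0, REQUEST_ROOM }, { 1, REQUEST_ROOM },
        { 0, COPY }, { 0, ADVANCE_USED },
        { 1, COPY }, { 1, ADVANCE_USED },
    };
    return run_schedule(race, sizeof race / sizeof race[0]);
}

/* What the missing atomicity guarantee should give: one lock held across all
 * three steps, so B's request_room sees A's increment and is cut to 6 bytes.
 * Returns 0. */
int serialized_writers(void)
{
    static const struct sched_entry serial[] = {
        { 0, REQUEST_ROOM }, { 0, COPY }, { 0, ADVANCE_USED },
        { 1, REQUEST_ROOM }, { 1, COPY }, { 1, ADVANCE_USED },
    };
    return run_schedule(serial, sizeof serial / sizeof serial[0]);
}
```

racy_interleaving() reports one copy that would land 4 bytes past the end of the buffer; serialized_writers() reports none, because B's write is cut to the 6 bytes that actually remain.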
Exploitability
Working local root exploit available at http://bugfuzz.com/stuff/cve-2014-0196-md.c
220 lines, easy to read, simple.
Privilege escalation, very easy for script kiddies / automated testing.
Cons: directly uses features from kernel version 3.14+.
Working local DoS exploit available at http://pastebin.com/raw.php?i=yTSFUBgZ
149 lines, easy to read, simple.
Successfully tested on my local PC & lab server.
Should work on all affected versions.
A universal local root exploit will appear with high probability soon...
Kernel bug fix
https://github.com/torvalds/linux/commit/4291086b1f081b869c6d79e5b7441633dc3ace00
Debian fixed yesterday.
Not present in RHEL 5.
RHEL 6 and Ubuntu still not patched.
ATM strikes back
Research conducted at ETH Zurich: https://www.ethz.ch/en/news-and-events/eth-news/news/2014/04/der-bancomat-schlaegt-zurueck.html
Basic idea: protective material, aggressive reaction on damage.
Inspiration for the research
Inspiration taken from nature: the bombardier beetle.
Probably the most aggressive chemical defence system in nature.
Scheme of the beetle's defense system
(figure; annotation: 212 °F = 100 °C)
Description
A chemical defence mechanism (self-defending surface).
Designed to prevent vandalism.
Composed of several sandwich-like layers of plastic.
Chemicals: hydrogen peroxide H2O2, manganese dioxide MnO2.
Layer of lacquer separates these chemicals; impact → mixing chemicals → wild chemical reaction.
Chemical reaction
Chemicals: hydrogen peroxide H2O2, manganese dioxide MnO2.
Reaction: 2 H2O2 --(MnO2)--> 2 H2O + O2 + ENERGY
MnO2 is a catalyst, thus preserved after the reaction.
MnO2 lowers the activation energy; room temperature is enough to launch decomposition of the H2O2.
Temperature reaches 80 °C.
Like a fuse: very little mechanical energy → release of a much greater amount of chemical energy.
Usage
Attacks on ATMs on the rise → film surface protection.
Q1, Q2 in 2013: more than 1,000 attacks on ATMs in Europe.
Losses of EUR 10 million.
Rendering banknotes useless
Goal: protect cash in ATMs.
A banknote marking system already exists (reaction to intrusion).
Depends on electricity.
Complex system (sensor, motor, chemicals) → expensive.
Known cases of malfunction.
New surface: added DNA enveloped in nano-particles.
If the film is destroyed, both the foam and the dye are released.
Conclusion
Lab experiments show this method is effective.
Relatively cheap protection method, 40 USD per m².
If an attacker knows about it, they may somehow hack this system.
The chemical reaction needs energy, so freezing this material may help such an attacker.
Italian-job style hacks
Hacking traffic lights
Security researcher Cesar Cerrudo @ IOActive Labs.
http://blog.ioactive.com/2014/04/hacking-us-and-uk-australia-france-etc.html
Basic idea: hacking traffic lights, intelligent traffic signs.
Few technical details so far; they will be revealed at the Infiltrate 2014 conference next week.
Hacking traffic lights
Several vulnerabilities discovered.
Anyone can take complete control of the devices, send fake data.
Can have catastrophic chaotic effects.
According to Cerrudo, more than 50,000 traffic control devices affected.
Affected devices deployed in the US: New York, Washington DC, San Francisco, Los Angeles, Boston, Seattle, etc.
Worldwide: United Kingdom (London, Blackburn, Belfast), China, Canada, Australia, France.
Hacking traffic lights
Exploitation quite easy: software exploit, commodity available hardware, up to 100 USD.
Tested from a drone flying at over 200 meters; it worked.
Theoretically possible up to 1 or 2 miles away with a better drone and hardware equipment.
Flying a drone is not illegal in the US (due to court precedent).
Possible to create a worm that can infect vulnerable devices in order to launch attacks affecting traffic control systems later.
Hacking traffic lights
If a device is compromised, it is almost impossible to detect (very expensive).
Numerous devices could already be compromised.
Very difficult to upgrade firmware.
Exploitability
Make a traffic light stay green for more or less time.
Stay red and not change to green.
Flashing traffic lights (a.k.a. idle mode).
Cause electronic signs to display incorrect speed limits.
Could cause serious (even deadly) issues.
Proof-of-the-concept
"passive" on-site tests ("no hacking and nothing illegal").
Reaction
Vendor contacted in September 2013 through ICS-CERT.
Researcher was told by ICS-CERT that the vendor said that they didn't think the issues were critical nor even important.
Regarding one vulnerability:
“Since the devices were designed that way (insecure) on purpose, they were working as designed, and that customers (state/city governments) wanted the devices to work that way (insecure), so there wasn't any security issue.”
Italian-job style hacks
Mini-news
Dušan Klinec (FI MUNI) Klinec, N-Talk 13. 5. 2014 29 / 33
NSA backdoors in exported servers and routers
NSA backdoors in exported servers and routers
USA accused China for backdooring exported hardware.Snowden-leaked documents suggest NSA is doing the exactlysame thing.”The NSA routinely receives – or intercepts – routers, servers andother computer network devices being exported from the USbefore they are delivered to the international customers.“The agency then implants backdoor surveillance tools,repackages the devices with a factory seal and sends them on.Eventually, the implanted device connects back to the NSA.Chineese HW represents not only an economic competition butalso surveillance one.Source: No Place to Hide, by Glenn Greenwald is published on 13May 2014 by Hamish Hamilton.
Dušan Klinec (FI MUNI) Klinec, N-Talk 13. 5. 2014 30 / 33
NSA backdoors in exported servers and routers
NSA backdoors in exported servers and routers
USA accused China for backdooring exported hardware.Snowden-leaked documents suggest NSA is doing the exactlysame thing.”The NSA routinely receives – or intercepts – routers, servers andother computer network devices being exported from the USbefore they are delivered to the international customers.“The agency then implants backdoor surveillance tools,repackages the devices with a factory seal and sends them on.Eventually, the implanted device connects back to the NSA.Chineese HW represents not only an economic competition butalso surveillance one.Source: No Place to Hide, by Glenn Greenwald is published on 13May 2014 by Hamish Hamilton.
Dušan Klinec (FI MUNI) Klinec, N-Talk 13. 5. 2014 30 / 33
IETF mull anti-NSA crypto-key swaps in future SSL
TLS v1.3
The RSA key exchange is planned to be removed from the standard. Ephemeral keys are preferred (Diffie-Hellman key exchange, Elliptic Curve Diffie-Hellman key exchange).
RSA cons: if the long-term secret is compromised, the attacker is able to decrypt past sessions.
Desired property of a key exchange mechanism: Perfect Forward Secrecy.
”The removal of RSA in the next version of TLS is a perfect example of how Snowden has improved our privacy“, Matthew Green, a professor of CS @ Maryland’s Johns Hopkins University.
Dušan Klinec (FI MUNI) Klinec, N-Talk 13. 5. 2014 31 / 33
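The difference between RSA key transport and ephemeral Diffie-Hellman on this slide, shown as an added toy example (not code from the talk or from any TLS implementation): the RSA and DH parameters, the key-derivation stand-in and the function names are all constructed here and are far too small for real use.

```python
import hashlib
import secrets

# Toy RSA long-term server key (constructed; far too small for real use).
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python >= 3.8)
# Toy finite-field DH group (constructed; TLS uses ffdhe2048 or ECDHE curves).
G, DH_P = 5, 2147483647                # 2^31 - 1 is prime

def derive(secret: int) -> bytes:
    """Stand-in for the TLS key schedule: hash the shared secret."""
    return hashlib.sha256(str(secret).encode()).digest()

def share_digest(gb: int) -> int:
    """Hash of the server's ephemeral share, reduced so it fits under N."""
    return int.from_bytes(hashlib.sha256(str(gb).encode()).digest(), "big") % N

def rsa_handshake():
    """RSA key transport (TLS <= 1.2): the client picks a premaster secret and
    encrypts it under the server's long-term public key. That ciphertext goes
    on the wire and the session key depends only on the premaster."""
    premaster = secrets.randbelow(N - 2) + 2
    wire = {"enc_premaster": pow(premaster, E, N)}
    return wire, derive(premaster)

def dhe_handshake():
    """Ephemeral DH (the TLS 1.3 way): fresh secrets a, b per session, only
    g^a and g^b cross the wire, and the long-term RSA key only *signs* the
    server's share to prove identity. Nothing on the wire is encrypted to D."""
    a = secrets.randbelow(DH_P - 2) + 1
    b = secrets.randbelow(DH_P - 2) + 1
    ga, gb = pow(G, a, DH_P), pow(G, b, DH_P)
    wire = {"ga": ga, "gb": gb, "sig": pow(share_digest(gb), D, N)}
    assert pow(gb, a, DH_P) == pow(ga, b, DH_P)   # both sides agree on g^(ab)
    return wire, derive(pow(gb, a, DH_P))

def verify_share(wire: dict) -> bool:
    """Client-side check that the ephemeral share was signed by the server."""
    return pow(wire["sig"], E, N) == share_digest(wire["gb"])

def attacker_with_leaked_key(wire: dict, leaked_d: int):
    """Adversary who recorded `wire` and later obtains the server's private
    exponent. Returns the recovered session key, or None when the transcript
    holds nothing that D can decrypt."""
    if "enc_premaster" in wire:                  # RSA transport: past session lost
        return derive(pow(wire["enc_premaster"], leaked_d, N))
    # DHE: D would let the attacker forge signatures in *future* handshakes
    # (active impersonation until the key is revoked), but the past session
    # key is g^(ab), which needs a or b; neither was ever sent.
    return None
```

The recovered-key path is exactly the "decrypt past sessions" risk the slide names; the None path is forward secrecy, with the caveat that a leaked signing key still needs revoking because it enables impersonation going forward.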
IETF mull anti-NSA crypto-key swaps in future SSL
Questions?
Dušan Klinec (FI MUNI) Klinec, N-Talk 13. 5. 2014 32 / 33
IETF mull anti-NSA crypto-key swaps in future SSL
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0196
https://github.com/torvalds/linux/commit/4291086b1f081b869c6d79e5b7441633dc3ace00
https://www.ethz.ch/en/news-and-events/eth-news/news/2014/04/der-bancomat-schlaegt-zurueck.html
http://lizwason.wordpress.com/2013/01/22/hugabug-1-bombardier-beetle/
http://biol2205mattsbombardierbeetles.weebly.com/physiology.html
http://www.freepatentsonline.com/6605685.html
http://www.gizmag.com/bioinspired-foam-defense-system/32017/
http://blog.ioactive.com/2014/04/hacking-us-and-uk-australia-france-etc.html
http://www.theguardian.com/books/2014/may/12/glenn-greenwald-nsa-tampers-us-internet-routers-snowden
http://www.theregister.co.uk/2014/05/08/rsa_depreciated_from_tls
Dušan Klinec (FI MUNI) Klinec, N-Talk 13. 5. 2014 33 / 33