The niner noteworthy and the 12 recaps of 2016 (day 5)

Ever wondered how you can gain access to an airport lounge even though your ticket doesn’t allow it? Wonder what you find if you audit radio frequency networks? Why nuclear installations still seem to use pagers? And what happens if you hack your own devices, including your car?
These and some other uncommon stories are part of today’s instalment of the 12 recaps series.

In chronological order:

Flaws in Samsung’s ‘Smart’ Home Let Hackers Unlock Doors and Set Off Fire Alarms

Apart from the problems highlighted in this article, there is one major design flaw that nearly all IoT platforms share: they all require an internet “cloud” connection for control at all times.
Why do I need an internet connection when my “smart” lighting system or thermostat is right next to me?
On top of that you find the following issues: access privileges that are not set correctly, combined with often weak passwords, authentication redirects hard-coded in the app, and OAuth private keys that are often found in the code as well. If such a system only controls lights or blinds this would merely be annoying; controlling the safety and security features of your home this way is outright dangerous.
source: 0XICF (external link)

Airport lounges will let anyone in, provided you can fake a QR code

Yes, that fancy-looking QR code on your ticket, whether on paper or on your smartphone, is just a series of bits of information that can easily be reproduced. If done correctly it will let you into the lounges, or the airport itself for that matter.
Specifically the parts of the airport that don’t require you to show an ID because they lie inside the borderless zone within Europe or inside the same country.
Would a cross-reference to the passenger manifest help? Basically yes, unless the person who wants to gain access already knows the passenger names on a certain flight. With people photographing their boarding passes and posting them on social media, that isn’t hard to find out. Although in those circumstances you don’t need to generate the QR code yourself either.
source: Boing Boing (external link)

Frequing Obvious – The Things You Discover When You Test RF Networks

And there is even more than what is described in this article. Effectively everything that is wireless can be intercepted and possibly decoded if it is not adequately protected.
The problem is that some people assume that the range over which they can use their wireless device is also the range over which its radio waves can be detected and recorded. This is not true. Even short-range RF systems like RFID can be overheard from a considerable distance with the right equipment.
I won’t go into antenna theory here, but suffice it to say that the narrower and more directional the antenna is, the longer the distance over which it can receive a signal, at least on most of the frequencies of interest in an office environment, such as DMR radios, Bluetooth, wireless networks and cordless phones.
source: ISBuzz News (external link)

Air gap breached by disk drive noise

Okay, this one is a bit far-fetched to be honest, yet the concept by itself is quite interesting. In a previous article in the “niner noteworthy” series I already wrote about the use of computer fans to exfiltrate data (see the related week 26 2016 article).
Then again, what else inside a computer system makes noise that can be manipulated to transmit data?
source: The Register (external link)

Fax machines’ custom Linux allows dial-up hack

If you thought the Internet of Things was just a recent problem, think again. Although this hack has only been “found” recently, that’s not to say this is the first time it was discovered.
Unfortunately, publishing security guidance is probably the only thing Epson can do, unless a chip or other internal component upgrade could make the device verify signed firmware images, which I suspect is pretty unlikely.
And yes, every device in your network could be a possible target or backdoor, specifically the ones that are also connected to the outside world via modems or even fax lines (a fax line is more or less a modem as well, albeit with a specific protocol).
source: The Register (external link)

Researchers sabotage 3D printer files to destroy a drone

If you were looking for an example where IT and physical security meet and cause extensive damage, look no further. This article actually sums it up nicely. If a 3D model file can be altered in such a way that the printed part contains an “undetectable” flaw, the effects can and probably will be extremely damaging.
That’s not to say that parts designed and manufactured today don’t have their flaws, some of which went undetected as well. You only have to look at a subset of aviation accidents over time to know that undetected flaws have always existed.
What this proof of concept introduces, however, is a malicious remote method to create an intentional flaw, instead of a design flaw, an overlooked defect or a totally unexpected failure of a critical component.
source: TechCrunch (external link)

Researchers Demonstrate How LTE Communications Can Be Hacked

Ultimately all wireless communication can be sniffed, intercepted and possibly blocked. However, in this case a feature introduced to load-balance handsets during emergencies is misused to spy on or disrupt communications.
I think it is about time that the standards bodies for wireless communication protocols, like the LTE protocol in this case, start thinking about attack vectors while a new specification is being drafted.
The suggestion that handsets could display a warning when a switch command is received is interesting but utterly useless. Most people can’t look at their mobile phone’s screen whilst on a call, and with smartphones doing a lot of data communication while the owner isn’t actively looking at the screen, the warning will more likely than not go unnoticed, besides the fact that most users will probably ignore it anyway.
As for the UK emergency services wanting to switch from the current dedicated TETRA network to LTE, besides a lot of other obvious reasons why that is not a good idea, this hack certainly needs to be taken into account.
source: NetMediaEurope, Silicon UK (external link)

It Looks Like Pagers Are Still Common In Nuclear Power Plants and This Is a Great Threat To Security

I may need to rename this instalment “wireless hacks”, or “an amateur radio’s candy store”. So yes, we still use a lot of antiquated technology like pagers, but often for good reasons: a lack of good mobile phone network coverage, low power requirements and ease of use.
That these communications can be listened in on is no surprise really, as those devices often simply lack the computing power to add encryption. Besides that, maintaining a batch of pagers and also having to maintain the corresponding cryptographic keys is not an easy task.
Whilst SDR (software defined radio) software and a 25-euro dongle (they forget the cost of the laptop) combined with some knowledge is enough to listen in, some additional knowledge of directional antennas and signal amplification could significantly boost the range over which signals can be received.
source: WCCF PTE (external link)
I doubt that these industries are unable to stop these practices or to switch to more secure forms of communication, but I also doubt that regulation will work in this case.
Making these organisations aware of the dangers and actually showing them what is possible is probably the best approach.
source: Ars Technica (external link)


Ending on a high note today: yes, you can “hack” or reverse engineer your own devices, within certain restrictions, and provided you live in the US. Whether other countries have restrictions similar to the one now temporarily lifted in the US, I don’t know.
On the one hand this is a good thing, as a lot of dedicated people can now find vulnerabilities and report them without the threat of prosecution. On the other hand, isn’t it time that companies paid more attention to these matters themselves, without reverse-engineering hackers having to do it on their behalf?
source: Wired (external link)