Category Archives: Hack

Hacking the pacemaker

Posted on by
Reply

A team of University of Amherst (Massasuchets, USA) studied the security and privacy of commercial pacemaker. They discovered that it was weak. Current pacemakers and implantable cardiac defibrillators have some means to wirelessly communicate with external programmer device. The programmer device can collect patient data and adapt the therapy of the patient. Furthermore, it can generate fibrillations in test mode.

The communication is not protected. Of course, through eavesdropping, the team was able to reverse engineer the protocol. Then, they were able, through simple replay attacks to get patient data, change the therapies of the patient, and even to induce fibrillations. Another attack was a denial power attack where continuous communication diminished the lifetime of the implanted battery.

The hack itself is not extremely interesting (from the technical point of view). Hacking an unprotected wireless link is not a big deal. Is it really dangerous? In any case, any person who would be ready to play with an implanted pacemaker is necessarily murder minded (and then he has other means perhaps more efficient at his disposal)

The problem is more interesting when looking how to secure it. Due to the specific characteristics of the target, there are some important constraints:
– The power consumption is important. Replacing the battery require surgery! Cryptography requires power. Strong cryptography requires even more power. Furthermore, this type of devices is very sensitive to power denial attacks.
– The access to the pacemaker must be easy and fast for every practitioner. He must not have to look through many credentials, and secure database to find the right key in case of emergency.
– It must be reliable.
In this case, there is a tradeoff to find between security and practicability.

With the advent of the wireless interconnected area, this type of challenge will become extremely common. There will be more and more power supplied constrained devices to protect. Low power consumption cryptography: A new field of exploration?

Goolag Scanner: the latest product from Cult of the Dead Cow

Posted on by
Reply

Recently, the Cult of the Dead Cow (cDcreleased a new powerful hacking tool: Goolag Scanner. cDc is a famous group of hackers. They are used to provide serious “hacking” tools such as the famous BackOrifice (remote administration of a computer).

Goolag Scanner scans a web site for more than 1000 known vulnerabilities. The originality of this new tool is that the scan is not direct. It is down using Google requests. Thus, the scanned site is not aware that it is scanned!! Facing this new method, Google decided to limit the number of simultaneous queries for a site. The risk is that Google may blacklist the querying IP address. This makes the scan fastidious. We may expect that cDc will issue soon a version allowing to make a “batch” solution that would counterstrike this black listing.
goolagscan2.JPG

The obvious countermeasure is to have all the vulnerabilities patched. Another one is to have the file robots.txt listing the files allowed to be indexed by the bot and listing the forbidden ones. Google obeys to the rules defined by robots.txt. Unfortunately, some indexing tools do not care about robots.txt.

Is Goolag Scanner an evil tool? As for all cDc’s tools, they will of course be used by hackers. But, they can also be used by administrators as administration tools. BO2K is an efficient remote administration tool. GoolagScan is an efficient vulnerability scanner. Administrators should use them, at least to be level with hackers.

Virus: even HP

Posted on by
Reply

HP announced that some USB keys shipped with floppy disk reader for HP ProLiant servers are infected by two minor virus; SillyFDC and Fakerecy. Up-to-date anti-virus detect them. But, if you install the floppy reader before the anti-virus software …

It was already troublesome that some consumer electronic devices (see security newsletter 9 to be published tomorrow) were infected by virus. It is really problematic in case of professional devices and applications.

USB keys become pervasive. They are a perfect vector for worms. A good protection is to disable autorun for every USB port. And of course keep your anti-virus always up-to-date.

“Big Gun” is back

Posted on by
Reply

Is History always stuttering? In 2002, French broadcaster Canal+ sued NDS for having reverse engineered the software of its smart card, and having organized the leakage of the pirated software through the site DR7.com. Christopher TARNOVSKY, a former hacker known as “Big Gun” and employee of NDS, was supposed to have participated to the operation. The complete story is worth the best spying books or Hollywood action movies.

Six years later, the same story again but with Dish Network. Christopher TARNOVSKY is testifying in front of a court. He recognizes that he worked for NDS and that he wrote a tool “the stinger” able to communicate with any smart cards. He claimes that he did not use his skills to break Dish Network’s security. NDS recognizes that it did reverse engineer the smart cards and then enhance their security to create a better product. NDS denies that it is disseminated the code of pirate cards.

Communicating with any card is not the difficult part. Accessing the code and data of the card is difficult. Reverse engineering a piece of software, or hardware is a common practice in security research. The only way to validate the strength of a secure system is to attack it. And that must be done by a team different from the team that designed the system. Furthermore, the attacking team must have hacking skills to “mimick” the real world environment.
Therefore, for a security company to hire skilled people to evaluate their security is a good practice. Of course, there is always some related risk. There must be a strong trust relation between the attacking and designing teams.

Once more, security is about TRUST.

A glimpse at hacking mentality

Posted on by
Reply

While reading spring 2008 issue of hacker magazine 2600, I had fun with the paper Password Memorization Mnemonic from Agent Zero. The paper in itself is not extraordinary. Agent Zero has reinvented the notion of key derivation. He proposes, in a non formalized way, to use a password generating function for each site that would use the name of the site has parameter. He ends up with passwords in the format <site name><code name><number>. This is a typical trick and you may devise your own function adding for instance special characters.

Is it a good trick? In fact, it is hardly more secure than using the same strong password on all sites. The security relies on the secrecy of the <code name> and of the algorithm (Kerckoff!). And with such a weak algorithm (mandatory weak because it is a mnemonic), if you have the password for one site, it is not difficult to guess the algorithm.

The interesting point comes at the end of the paper. Some sites, for instance mySpace, limit the length of the passwords. This ruins the algorithm. Normal users would propose a derived function that would concatenate to stick in the requested length. But Agent Zero is a hacker, therefore he proposes:
1. Find a similar site with a better password policy.
2. Crack the webpage, system, or server. Show the webmaster or system administrator just how weak their current policy is, thereby spurring them to strengthen it. Admittedly, this is a more extreme-not to mention illegal-road to take, but it has been taken, and it has gotten results. (Extract)
I love option 2. Definitively another mentality  :Wink:

No free Linux equal call for hack?

Posted on by
Reply

A presentation about XBOX security at last Chaos Computer Camp (CCC) in December 2007 sheds some interesting lights on the hack of game consoles.

During the first five minutes, Michael Steil analyses the latest hacks. According to him, the influence of the Linux community is important. PS3 is still not yet hacked perhaps because it authorized Linux community to play homebrew applications. Thus, the linux hacker community had no incentive to hack. According to his figures, where Linux community was involved, hack occurred faster. I would like to remind that DVD Jon claimed that he wrote DeCSS, the software breaking the protection of DVD, because DVD play back was not available under Linux.
After this introduction, Felix Domke detailed the hack of XBOX360. Some interesting statements, unfortunately true :Sad:

  • Hackers own the flash memory, in fact the hacker controls all
  • The chain of trust does not work

The analysis of the attacks and countermeasures is impressive. It is also a good introduction to secure coding techniques.

Once more, a perfect illustration of Law 1. A lesson is that game console designers should not assume that their console is trusted. The hackers may control it.
Second lesson: enthusiasm is better incentive for hacking than commercial incentive. This is true for serious hacking: reverse engineering. It is perhaps less true for IT hacking (spam, intrusion, defacing, malware, …)
How long will PS3 resist?

Many thanks to Yves for this link  :Happy:

KeeLoq hacked

Posted on by
Reply

KeeLoq is a RFID system that protects many anti-theft cards, and garage openers. Already some published cryptanalysis highlighted the weaknesses of the cipher. But the attack were not practical. A group of six German and Iranian researchers designed a set of very practical attacks.

Using Differential Power Attack (DPA), they were able to extract the device key . What is impressive is that they did the attack without the knowledge of the chip. They were working with a black box. For instance, they had to guess when the encryption process occurred. They extract the device key in less than one hour Of course, DPA required physical access to the emitting device. The performed a similar attack to extract the manufacturer from the receiver. It took less than one day.

With this information, by eavesdropping a receiver, it is possible to impersonate it. They extract the seed, the secret and the current counter value. The counter value has to been “loosely” synchronized with the one of the receiver. Of course, by impersonating the emitter, it is easy to desynchronize the receiver from the genuine emitter. The owner of the genuine emitter will have to push his key 2^15 times to open his door. Nice denial of service.

This is the second hack of RFID security in a month. Recently it was NXP Mifare that was hacked. Once more, the security of a RFID was too weak. It has at least two types of known flaws:

  • a weak LFSR based cipher
  • No protection against side channel attacks.

The industry of secure processors is aware of these types of weaknesses for about one decade and fights them. It is time, that RFID industry adapts also to them. Is it compatible with the price constraints.

A paper at Eurocrypt08 will present this attack. The details of the attacks are available on Ruhr University site