Hacking reCAPTCHA (2)

In 2012, the hacking team DefCon 949 disclosed their method to break Google’s reCaptcha. They exploited weaknesses in the version dedicated to visually impaired persons. At the end of 2014, Google replaced its letter-warping version with a more user-friendly one: the user must recognize, within a grid of nine images, the ones that illustrate a given object.

At Black Hat Asia 2016, S. Sivakorn, J. Polakis and A. Keromytis from Columbia disclosed a method to break this visual captcha. They used many tools, but the core of the attack is the use of image annotation services, such as Google Reverse Image Search (GRIS) or Clarifai. These services return a best-guess description of the image, i.e., a list of potential tags. For instance, for the picture of a go-ban illustrating the blog post about AlphaGo, Clarifai returns chess, desktop, strategy, wood, balance, no person, table, and game, whereas GRIS returns go game. They use many tricks to increase the efficiency. My preferred one is to use GRIS to locate a high-resolution instance of each proposed challenge image. They discovered that the accuracy of these annotation services decreased as the resolution of the submitted image decreased.

They obtained a 70% accuracy for Google reCaptcha and 83.5% for Facebook’s version.

Sivakorn, Suphannee, Jason Polakis, and Angelos D. Keromytis, “I’m Not a Human: Breaking the Google reCaptcha” presented at Black Hat Asia, Singapore, 2016.


Easier fingerprint spoofing

In September 2013, the German Chaos Computer Club (CCC) demonstrated the first hack of Apple’s TouchID. Since then, they have repeatedly defeated every new version, both from Apple and Samsung. Their method requires creating a dummy finger. This creation is a complex, lengthy process. It uses a typical photographic process, with the copy of the actual fingerprint acting as the negative image. Thus, the master fingerprint is printed onto a transparent sheet at 1,200 dpi. This printed mask is exposed on the photosensitive PCB material. The PCB material is developed, etched and cleaned to create a mold. A thin coat of graphite spray is applied to improve the capacitive response. Finally, a thin film of white wood glue is smeared into the mold to make it opaque and create the fake finger.

Two researchers (K. CAO and A. JAIN) at Michigan State University disclosed a new method that simplifies the creation of the fake finger. They use conductive ink from AgIC. AgIC sells ink cartridges for Brother printers. Rather than making a rubber finger, they print a conductive 2D image of the fingerprint. And, they claim it works. Surprisingly, they scan the user’s fingerprint at 300 dpi, whereas the CCC used 2,400 dpi to defeat the latest sensors.

As fingerprints on mobile devices will be used not only for simple authentication but also for payment, it will be paramount to develop a new generation of biometric sensors that also detect the liveness of the scanned subject.

Attackers are smart

In 2010, Steven MURDOCH, Ross ANDERSON, and their team disclosed a weakness in the EMV protocol. Most credit and debit cards equipped with a chip use the EMV (Europay, MasterCard, Visa) protocol. The vulnerability made it possible to bypass the authentication phase for a given category of transactions: the card does not condition transaction authorization on successful cardholder verification. At the time of disclosure, Ross’s team created a proof of concept using an FPGA. The device was bulky. Thus, some people downplayed the criticality.

The team of David NACCACHE recently published an interesting paper disclosing an exemplary work on a real attack exploiting this vulnerability: “when organized crime applies academic results.” The team performed a non-destructive forensic analysis of forged smart cards that exploited this weakness. The attacker combined, in a plastic smart card, the chip of a stolen EMV card (in green on the picture) and another smart card chip, a FUN card. The FUN chip acted as a man in the middle. It intercepted the communication between the Point of Sale (PoS) and the actual EMV chip. The FUN chip filtered out the VerifyPIN commands. The EMV card never verified the PIN and thus was not blocked by the presentation of wrong PINs. On the other side, the FUN chip acknowledged the PIN to the PoS, which continued the fraudulent transaction.

Meanwhile, the PoS terminals have been updated to prevent this attack.

This paper is an excellent example of forensic analysis as well as of responsible disclosure. The paper was published after the problem was solved in the field. It discloses an example of a new potential class of attacks: Chip in The Middle.
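To make the man-in-the-middle mechanism concrete, here is an added example (not code from the paper, and a simplified model rather than the EMV specification): the forged card swallows the VERIFY command, and an issuer-side consistency check between what the terminal believes and what the genuine chip reports exposes the fraud. The instruction codes, status words and the `card_pin_verified` field are assumptions modelled on ISO 7816-4 and EMV, not values taken from the page.

```python
# Simplified model of the "chip in the middle" fraud and of a consistency check
# that defeats it. Added example; not the paper's code, not the EMV spec.
# APDU framing is reduced to (instruction, data) pairs.

VERIFY = 0x20          # ISO 7816-4 VERIFY instruction (offline PIN)
GENERATE_AC = 0xAE     # EMV GENERATE AC: card produces its cryptogram
SW_OK = 0x9000
SW_PIN_WRONG = 0x63C2  # ISO 7816 style: verification failed, 2 tries left
SW_INS_UNKNOWN = 0x6D00


class GenuineCard:
    """Stolen EMV chip: verifies the PIN and remembers whether it did."""

    def __init__(self, pin):
        self.pin = pin
        self.pin_verified = False

    def process(self, ins, data):
        if ins == VERIFY:
            self.pin_verified = (data == self.pin)
            return (SW_OK if self.pin_verified else SW_PIN_WRONG), {}
        if ins == GENERATE_AC:
            # The chip reports its own view of cardholder verification
            # (modelled on the card verification results sent to the issuer).
            return SW_OK, {"card_pin_verified": self.pin_verified}
        return SW_INS_UNKNOWN, {}


class FunChipMitm:
    """Forged card: answers VERIFY itself, forwards everything else."""

    def __init__(self, real_card):
        self.real_card = real_card

    def process(self, ins, data):
        if ins == VERIFY:
            return SW_OK, {}  # the genuine chip never sees the PIN
        return self.real_card.process(ins, data)


def terminal_transaction(card, entered_pin):
    """PoS side: ask the card to verify the PIN, then request the cryptogram."""
    sw, _ = card.process(VERIFY, entered_pin)
    sw2, ac_data = card.process(GENERATE_AC, b"")
    return {"terminal_pin_ok": sw == SW_OK, "card_pin_verified": ac_data.get("card_pin_verified", False)}


def issuer_accepts(tx):
    """Issuer side: reject when the terminal claims PIN OK but the chip disagrees."""
    if tx["terminal_pin_ok"] and not tx["card_pin_verified"]:
        return False  # chip-in-the-middle signature
    return tx["terminal_pin_ok"]
```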

Law 1: Attackers will always find their way. Moreover, they even read academic publications and use them.

Using temperature as a covert channel

Four researchers from Ben-Gurion University disclosed a new covert channel. A covert channel is a means to transfer information through a channel that was not supposed to transfer information. Covert channels are at the heart of side channel attacks. Many covert channels have been investigated, e.g., power supply, radio frequency, or sound.

Their system, named BitWhisper, uses temperature as the carrying ‘medium.’ The interesting feature of BitWhisper is that it may bridge air-gapped computers. Air-gapped computers have no digital connections (wired or wireless). The air gap is the ultimate isolation between networks or computers.

In BitWhisper, the attacker controls one computer on each side of the air gap. Furthermore, both computers are in the same vicinity. Modern computers are equipped with thermal sensors that can be read by software. On the emitting computer, the attacker drastically increases or decreases the computation effort, for instance by running CPU and GPU stress tests, thus creating a variation of the internal temperature. The higher the computation effort, the higher the internal temperature. The receiving computer keeps a constant computing load and measures the variation reported by its internal thermal probes.

Obviously, this covert channel has a big limitation. The distance separating both computers should not exceed 40 cm. At 35 cm, they succeeded in inducing a one-degree-Celsius variation in the receiving computer. The system would probably not work in a data center. The orientation of the computers also matters. The overall throughput is a few bits per day.

Nevertheless, it is an interesting idea, although not practical. In another setup, where the attacker could use an external thermal camera as the receiver rather than a generic computer, the efficiency of this covert channel could be increased.
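To show why the throughput is only a few bits per day, here is an added simulation (my own, not the BitWhisper code, and not the paper's signalling protocol, which the cited draft does not describe): the emitter toggles its load per bit, the receiver's sensor follows with a first-order thermal lag, and bits are only decoded correctly when each bit is held far longer than the thermal time constant. The ambient temperature, the time constant `TAU`, the sensor noise and the one-degree swing are constructed assumptions (the swing mirrors the ~1 °C at 35 cm reported above).

```python
import random

AMBIENT = 22.0     # °C at the receiver with the emitter idle (constructed)
DELTA_MAX = 1.0    # °C induced at the receiver under full emitter load (~1 °C at 35 cm)
TAU = 1800.0       # seconds: thermal time constant of the air path (assumption)


def simulate_channel(bits, bit_period_s, noise_sd=0.05, seed=1):
    """Receiver temperature samples (one per second) for a bit sequence.

    Emitter: full load for a 1, idle for a 0, held for bit_period_s seconds.
    Receiver: first-order (RC-like) response toward the emitter's heat,
    plus Gaussian sensor noise.
    """
    rng = random.Random(seed)
    temp = AMBIENT
    samples = []
    for bit in bits:
        target = AMBIENT + DELTA_MAX * bit
        for _ in range(bit_period_s):
            temp += (target - temp) / TAU   # exponential approach to target
            samples.append(temp + rng.gauss(0.0, noise_sd))
    return samples


def decode(samples, bit_period_s):
    """Receiver: average the last tenth of each bit period, threshold at midpoint."""
    threshold = AMBIENT + DELTA_MAX / 2
    window = max(1, bit_period_s // 10)
    bits = []
    for i in range(len(samples) // bit_period_s):
        end = (i + 1) * bit_period_s
        avg = sum(samples[end - window:end]) / window
        bits.append(1 if avg > threshold else 0)
    return bits


def bit_errors(bits, bit_period_s):
    """Number of bits decoded wrongly for a given symbol duration."""
    decoded = decode(simulate_channel(bits, bit_period_s), bit_period_s)
    return sum(a != b for a, b in zip(bits, decoded))


def throughput_bits_per_day(bit_period_s):
    return 86400 / bit_period_s
```

With `TAU` at 30 minutes, a 10-minute symbol never reaches the decision threshold, while a 4-hour symbol decodes cleanly at 6 bits per day.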


Guri, Mordechai, Matan Monitz, Yisroel Mirski, and Yuval Elovici. “BitWhisper: Covert Signaling Channel between Air-Gapped Computers Using Thermal Manipulations.” arXiv, March 26, 2015. http://arxiv.org/abs/1503.07919.
PS: this draft version does not describe the communication protocol.

Stealing account with mobile phone-based two-factor authentication

Attackers often entice users to become the weakest link. Phishing and scams exploit human weakness. These attacks become even creepier when the attacker circumvents legitimate security mechanisms. Two-factor authentication offers better security than a simple login/password. The use of the mobile phone as the second factor is becoming mainstream. It is impossible to steal our account without stealing our phone. We feel safer. Should we?

Symantec reported a new method in use to steal users’ accounts despite two-factor authentication. Here is the scheme.

Mallory wants to gain access to Alice’s account. He knows Alice’s email address and her mobile phone number as well as her account. For a social engineer, this information is not difficult to collect. It is part of the usual exploration phase before the actual hack. Mallory contacts the service provider of Alice’s account and requests a password reset. He selects the method that sends a digital code to Alice’s mobile phone. The service provider sends an SMS to Alice’s mobile phone with this code. Simultaneously, Mallory sends an SMS to Alice impersonating the service provider. Once more, this is not difficult, as many providers do not use a specific number. This SMS explains to Alice that there was some suspicious activity on her account. To verify her account, she must reply to this SMS with the code that was previously sent to her. Gullible Alice obeys. Mallory now has the code that the service provider requires to reset Alice’s password. Mallory gains full access to Alice’s account with the involuntary help of Alice.

This type of attack can be used on most web services, e.g., webmails like Gmail. Obviously, Alice should not have replied to this SMS. She should have followed the known procedure and not an unknown one. She might also have noticed that the two phone numbers were different.

This is a perfect example of social engineering. The only answer is education. Therefore, spread this information around you. The more people are aware, the less prone they will be to being hacked. Never forget Law 6: You are the weakest link.

Crashing a plane through IFE?

This weekend, Chris Roberts made the headlines of the media. He was presented as the hacker who succeeded in controlling a plane by hacking the In-Flight Entertainment (IFE) system. This is not the first time that planes are supposed to be controllable by hackers. In 2013, a researcher claimed to control the flight management system with an Android phone. As usual, documents that were not properly analysed were used to create a false sense of truth. I have seen mainly two big “pieces of evidence” that demonstrated it must be true.

  • It is written in an FBI affidavit that Roberts hacked the IFE and controlled a plane. He was arrested, and his electronic material seized.
  • The US Government Accountability Office (GAO) stated in a report that it was feasible.

I decided to read these “pieces of evidence”. As the FBI arrested Roberts, the FBI agent wrote an affidavit. Some interesting facts:

  • Roberts was interviewed twice by the FBI about vulnerabilities in IFE: 13 February 2015 and 5 March 2015. During these interviews, Roberts explained his operating mode as well as his tools. He claimed to have accessed Panasonic and Thales IFE systems about twenty times. He claimed that one time he was able to access the avionics system.
  • He stated that he then overwrote code on the airplane’s Thrust Management Computer while aboard a flight.  He stated that he successfully commanded the system he had accessed to issue the “CLB” or climb command.  He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane…

  • The affidavit does not state that he provided any proof of this statement.
  • In February, FBI agents advised him that accessing the IFE without authorization may be a violation and may result in prosecution. He acknowledged this fact.
  • On 15 April, Roberts tweeted that he may “play” with the avionics once more.
  • United Airlines informed the FBI, which then arrested Roberts.
  • Investigation showed that two boxes used by the IFE had been tampered with. One of these boxes was at his seat (3A) and the second one was one row in front of him (2A).
  • … showed that the SEBs under seats 2A and 3A showed signs of tampering. The SEB under 2A was damaged. The outer cover of the box was open approximately 1/2 inch and one of the retaining screws was not seated and was exposed.

  • It is interesting to note that the “opened” box was one row in front, at a first class seat.

Despite what the media infer, the affidavit does not present any proof that he hacked the IFE, and even less that he accessed the avionics.

The governmental report from the GAO is even less conclusive. The statement is:

Modern aircraft are increasingly connected to the Internet. This interconnectedness can potentially provide unauthorized remote access to aircraft avionics systems.

This broad statement cannot be challenged. It is Law 8. The same can be said of any automotive system. Nevertheless, this does not mean that avionics can be accessed from the IFE.

In other words, there is no real evidence that Roberts hacked the avionics. It may be possible that Roberts hacked the IFE network with physical access to the network carrying video. Most wired IFE systems may assume that the physical network is trusted. It is usually expected that the attending crew would spot a user tampering with the hardware. Fortunately, the IFE and the avionics are air-gapped. I know the Airbus and Thales security teams. They would never have accepted the risk of not air-gapping the systems. All the IFE systems I was exposed to were air-gapped from the avionics. Roberts never explained how he would have succeeded in crossing the air gap. (Current attacks on air gaps use either file sharing in the cloud, contaminated files exchanged over USB thumb drives, or sophisticated side channels such as audio or thermal.)

Conclusion: don’t panic when you see a guy with a computer in a plane.


image credits: by-sa Sarah Klockars-Clauser 2010