August 11, 2016 By Paul Ionescu 5 min read

DEF CON 24, the world’s largest hacker conference, ended Aug. 7, and I must say I enjoyed every moment of it. There was so much to see in so little time; I definitely regret missing some great stuff that happened. Even so, I still managed to catch some very interesting events that I would like to highlight.

The DARPA Cyber Grand Challenge

The theme of the conference was “Rise of the Machines,” and the machines undoubtedly rose.

The main event was the DARPA Cyber Grand Challenge, an occurrence of historic proportions. The challenge pitted autonomous hacking machines against each other in a Capture the Flag (CTF) contest created in the likeness of the regular contests that occur every year at DEF CON.

The machines were fed buggy software in compiled form. They were then asked to analyze the software for flaws, patch it dynamically and even develop exploits. The machines absolutely succeeded. Even more amazingly, they identified vulnerabilities of which the creators of the challenge were not even aware.

Figure 1: The hacking systems participating in the DARPA challenge (Source: Paul Ionescu)

Mayhem, a system created by Carnegie Mellon University, won the challenge and the $2 million prize. After defeating its computer counterparts, Mayhem went on to participate in the annual DEF CON CTF against actual human teams. Based on the information that emerged, Mayhem was successful in solving at least some challenges, but eventually lost out to human teams.

Anatomy of a Hacking Machine

If you’re like me, you’re probably dying to know how the hacking machines actually work. To find out more, I attended the talk held by the Shellphish CTF team from the University of California, Santa Barbara (UCSB), which placed third in the challenge.

Mechaphish, the hacking system developed by UCSB, used a combination of dynamic analysis (fuzzing), binary analysis and symbolic execution to identify vulnerabilities. Tools used for the purpose were American Fuzzy Loop (AFL), a well-known fuzzer, and ANGR, a binary analysis and symbolic execution platform developed by UCSB.

The team used AFL to input a huge amount of number and character variations in the code paths identified by ANGR. A crash in the tested binary indicated a memory violation. Weaknesses targeted and identified in the contest were limited to memory-related flaws — not so much the usual injection and crypto issues that we are seeing every day.

In addition to identifying the vulnerabilities, the machine both exploited and patched the issues by writing its own code, which is even more outstanding. However, the team ran out of time and had to describe these techniques hastily without much detail. The entire Mechaphish code will be made available on Github.

Humans Take the First Swing

During the closing ceremony, DARPA’s Mike Walker expressed hope that machines and humans will work together and not against each other, making an analogy to computer-augmented chess. It does seem, however, that just like in the “Matrix” universe, the humans were the first to attack, albeit to make the machines safer and prevent other humans (cybercriminals) from taking advantage of the flaws.

During the conference, humans presented a large variety of attacks conducted against unsuspecting self-driving cars, solar arrays, seismographs, drones, speedometers, surveillance cameras, SCADA controllers and more. Below are some more examples of human aggression against machines at DEF CON 24:

Deafening and Blinding Autonomous Cars

Jianhao Liu, Chen Yan and Wenyuan Xu, researchers from Zhejiang University presented extremely thorough research showing how the sensors of self-driving cars can be annihilated, leading to accidents.

The deafening was achieved by jamming the ultrasonic and MMW radar sensors of various cars. The attack resulted in the car’s self-parking feature failing to detect obstacles and hitting the researchers. The researchers conducted the blinding attack using a laser, which was quite scary since it can result in permanent destruction of the onboard cameras.

Stealing Data Through Solar Arrays

IoT enthusiast and security expert Fred Bret-Mounet hacked his own solar panel array by attacking its web administration interface with basic SANS 25 items such as predictable login credentials, path traversal and command injection.

Once he was able to execute commands, Bret-Mounet found out that the solar array was connecting him to other customers through a common VPN subnet. Imagine that your personal documents stored on some network share could be accessed by others using their own array.

Shaking Up Seismograph Security

Owners of an IoT search engine described how they found and accessed a sensor that detects earthquakes through an unauthenticated web administration page. The $30,000 device was placed at the bottom of the ocean and, as it turns out, is accessible over the internet.

This presentation is an example on how not to conduct security research. The two hackers executed security tests on a live scientific device even after the company explicitly removed its authorization from support materials. They could have bricked a very expensive device, and it is not clear from the talk that the responsible disclosure process was even followed, so the company may still be unaware of the issues.

Still, this painful story highlights the dangers of ignoring computer security. It is well-known that the cost of security bugs is much higher post-release, but can you imagine the cost to this company? To conduct repairs, the company may have to retrieve all affected devices from the bottom of the ocean!

Security an Afterthought in SCADA Controllers

Trend Micro ZDI senior manager Brian Gorenc, with security researcher Fitz Sands, provided a thorough analysis of over 100 vulnerabilities in SCADA controllers provided to the company through its bug bounty program. Most prominent vulnerability types were memory corruption, credential management, insecure defaults, authentication/authorization and injection.

The researchers quickly concluded that SCADA devices were “not built with security in mind.” The same basic SANS 25 vulnerability types and a disregard for security were common themes across the other DEF CON talks, and also in our own X-Force research on building automation systems.

Lessons Learned at DEF CON 24

Besides application developers, most security professionals are probably unprepared to deal with unusual applications of software and data transmission standards. But one thing is clear: Software now lives in the most unexpected places and is almost always connected to the internet. We need to change the mentality that only traditional applications require application security testing.

Should you point an automated scanner to the web interface and source code of a solar panel, router, SCADA controller or seismograph? Absolutely! It will help find the path traversal and injection issues before they are featured on the stage in Las Vegas in front of thousands of hackers. You can also hire the likes of the DEF CON crowd to perform penetration tests before your product is released.

Check the DEF CON media server for more outstanding content.

More from Advanced Threats

GootBot – Gootloader’s new approach to post-exploitation

8 min read - IBM X-Force discovered a new variant of Gootloader — the "GootBot" implant — which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims' search activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2…

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Top-Ranking Banking Trojan Ramnit Out to Steal Payment Card Data

4 min read - Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

Detections That Can Help You Identify Ransomware

12 min read - One of the benefits of being part of a global research-driven incident response firm like X-Force Incidence Response (IR) is that the team has the ability to take a step back and analyze incidents, identifying trends and commonalities that span geographies, industries and affiliations. Leveraging that access and knowledge against the ransomware threat has revealed tools, techniques and procedures that can often be detected through the default Windows event logs (WELs). In particular, the X-Force IR team has identified several…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today