DEF CON 24, the world’s largest hacker conference, ended Aug. 7, and I must say I enjoyed every moment of it. There was so much to see in so little time; I definitely regret missing some great stuff that happened. Even so, I still managed to catch some very interesting events that I would like to highlight.
The DARPA Cyber Grand Challenge
The theme of the conference was “Rise of the Machines,” and the machines undoubtedly rose.
The main event was the DARPA Cyber Grand Challenge, an occurrence of historic proportions. The challenge pitted autonomous hacking machines against each other in a Capture the Flag (CTF) contest created in the likeness of the regular contests that occur every year at DEF CON.
The machines were fed buggy software in compiled form. They were then asked to analyze the software for flaws, patch it dynamically and even develop exploits. The machines absolutely succeeded. Even more amazingly, they identified vulnerabilities of which the creators of the challenge were not even aware.
Figure 1: The hacking systems participating in the DARPA challenge (Source: Paul Ionescu)
Mayhem, a system created by Carnegie Mellon University, won the challenge and the $2 million prize. After defeating its computer counterparts, Mayhem went on to participate in the annual DEF CON CTF against actual human teams. Based on the information that emerged, Mayhem was successful in solving at least some challenges, but eventually lost out to human teams.
Anatomy of a Hacking Machine
If you’re like me, you’re probably dying to know how the hacking machines actually work. To find out more, I attended the talk held by the Shellphish CTF team from the University of California, Santa Barbara (UCSB), which placed third in the challenge.
Mechaphish, the hacking system developed by UCSB, used a combination of dynamic analysis (fuzzing), binary analysis and symbolic execution to identify vulnerabilities. Tools used for the purpose were American Fuzzy Loop (AFL), a well-known fuzzer, and ANGR, a binary analysis and symbolic execution platform developed by UCSB.
The team used AFL to input a huge amount of number and character variations in the code paths identified by ANGR. A crash in the tested binary indicated a memory violation. Weaknesses targeted and identified in the contest were limited to memory-related flaws — not so much the usual injection and crypto issues that we are seeing every day.
In addition to identifying the vulnerabilities, the machine both exploited and patched the issues by writing its own code, which is even more outstanding. However, the team ran out of time and had to describe these techniques hastily without much detail. The entire Mechaphish code will be made available on Github.
Humans Take the First Swing
During the closing ceremony, DARPA’s Mike Walker expressed hope that machines and humans will work together and not against each other, making an analogy to computer-augmented chess. It does seem, however, that just like in the “Matrix” universe, the humans were the first to attack, albeit to make the machines safer and prevent other humans (cybercriminals) from taking advantage of the flaws.
During the conference, humans presented a large variety of attacks conducted against unsuspecting self-driving cars, solar arrays, seismographs, drones, speedometers, surveillance cameras, SCADA controllers and more. Below are some more examples of human aggression against machines at DEF CON 24:
Deafening and Blinding Autonomous Cars
Jianhao Liu, Chen Yan and Wenyuan Xu, researchers from Zhejiang University presented extremely thorough research showing how the sensors of self-driving cars can be annihilated, leading to accidents.
The deafening was achieved by jamming the ultrasonic and MMW radar sensors of various cars. The attack resulted in the car’s self-parking feature failing to detect obstacles and hitting the researchers. The researchers conducted the blinding attack using a laser, which was quite scary since it can result in permanent destruction of the onboard cameras.
Stealing Data Through Solar Arrays
IoT enthusiast and security expert Fred Bret-Mounet hacked his own solar panel array by attacking its web administration interface with basic SANS 25 items such as predictable login credentials, path traversal and command injection.
Once he was able to execute commands, Bret-Mounet found out that the solar array was connecting him to other customers through a common VPN subnet. Imagine that your personal documents stored on some network share could be accessed by others using their own array.
Shaking Up Seismograph Security
Owners of an IoT search engine described how they found and accessed a sensor that detects earthquakes through an unauthenticated web administration page. The $30,000 device was placed at the bottom of the ocean and, as it turns out, is accessible over the internet.
This presentation is an example on how not to conduct security research. The two hackers executed security tests on a live scientific device even after the company explicitly removed its authorization from support materials. They could have bricked a very expensive device, and it is not clear from the talk that the responsible disclosure process was even followed, so the company may still be unaware of the issues.
Still, this painful story highlights the dangers of ignoring computer security. It is well-known that the cost of security bugs is much higher post-release, but can you imagine the cost to this company? To conduct repairs, the company may have to retrieve all affected devices from the bottom of the ocean!
Security an Afterthought in SCADA Controllers
Trend Micro ZDI senior manager Brian Gorenc, with security researcher Fitz Sands, provided a thorough analysis of over 100 vulnerabilities in SCADA controllers provided to the company through its bug bounty program. Most prominent vulnerability types were memory corruption, credential management, insecure defaults, authentication/authorization and injection.
The researchers quickly concluded that SCADA devices were “not built with security in mind.” The same basic SANS 25 vulnerability types and a disregard for security were common themes across the other DEF CON talks, and also in our own X-Force research on building automation systems.
Lessons Learned at DEF CON 24
Besides application developers, most security professionals are probably unprepared to deal with unusual applications of software and data transmission standards. But one thing is clear: Software now lives in the most unexpected places and is almost always connected to the internet. We need to change the mentality that only traditional applications require application security testing.
Should you point an automated scanner to the web interface and source code of a solar panel, router, SCADA controller or seismograph? Absolutely! It will help find the path traversal and injection issues before they are featured on the stage in Las Vegas in front of thousands of hackers. You can also hire the likes of the DEF CON crowd to perform penetration tests before your product is released.
Check the DEF CON media server for more outstanding content.