BlackHat

Latest

  • Security researchers to unveil iPhone SMS vulnerability later today

    by Joachim Bean
    07.30.2009

    Two security researchers, Charlie Miller and Collin Mulliner, have discovered a serious security vulnerability affecting SMS messaging on the iPhone that will be unveiled later today at the Black Hat security conference in Las Vegas. This flaw affects all iPhones and can allow an attacker to gain complete control of an iPhone, including the ability to make calls, browse the web and access the camera. This exploit is caused by corruption in the iPhone's memory handling and is executed by sending a burst of text messages using an uncommon text character or by sending a hidden message. So far, Apple has been rumored to have a fix in the works, but there's been no confirmation yet when it will be available. The researchers also say that there's nothing you can do to protect your iPhone from this vulnerability, other than to turn off the phone. More details on this issue will be discussed later today at Black Hat, hopefully outlining a path to fix this issue. Meanwhile, the two developers have already demonstrated this flaw in action to CNET's Elinor Mills, proving its existence and the extent of the threat. We'll be providing more coverage on this issue once it's unveiled, so stay tuned to TUAW.

  • SMS vulnerability on iPhone to be revealed today, still isn't patched

    by Chris Ziegler
    07.30.2009

    Remember that alleged SMS-based security hole on the iPhone allowing evil-doers to execute arbitrary code and do all sorts of nasty crap like create an army of mobile zombies ready and willing to execute a DoS attack? The guy who found it, security expert Charlie Miller, said that he'd reveal the details of it at Black Hat -- and Black Hat's this week. Sure enough, Miller and his cohorts plan to unleash details of the hack today, and while they claim they informed Apple of the problem over a month ago, Cupertino's yet to make a move. We'd stop short of suggesting iPhone owners all turn off their handsets and take themselves firmly off the grid and into a completely disconnected underground bunker the moment the attack becomes public, but if it's as serious as Miller claims, it definitely bumps up the pressure on Apple to get a fix out on the double -- preferably before 3.1 drops.

  • Apple patching nasty iPhone SMS vulnerability

    by Darren Murph
    07.02.2009

    Given the hype surrounding Apple's iPhone, we're actually surprised that we haven't seen more holes to plug over the years. In fact, the last major iPhone exploit to take the world by storm happened right around this time two years ago, and now -- thanks to OS X security expert Charlie Miller -- we're seeing yet another come to light. Over at the SyScan conference in Singapore, Mr. Miller disclosed a hole that would let attackers "run software code on the phone that is sent by SMS over a mobile operator's network in order to monitor the location of the phone using GPS, turn on the phone's microphone to eavesdrop on conversations, or make the phone join a distributed denial of service attack or a botnet." Charlie's planning to detail the vulnerability in full at the upcoming Black Hat conference, but Apple's hoping to have it all patched up by the end of this month. [Via HotHardware]

  • MBTA affirms that vulnerabilities exist, judge lifts gag order on MIT students

    by Darren Murph
    08.20.2008

    No surprise here, but the kids from MIT were (presumably) right all along. The three students who were muffled just before presenting their case at Defcon have finally been freed; the now-revoked gag order had prevented them from exposing insecurities in the Massachusetts Bay Transportation Authority ticket system, but during the same court setting, the MBTA fessed up and admitted that its current system was indeed vulnerable. Of note, it only confessed that its CharlieTicket system was susceptible to fraud, while simply not acknowledging any flaws in the more popular CharlieCard option. Pish posh -- who here believes it doesn't have dutiful employees working up a fix as we speak?

  • Defcon duo: how-to shut off a pacemaker, almost get free rides on the T

    by Darren Murph
    08.10.2008

    Defcon already delivered by exposing California's FasTrak toll system for the security hole that it is, but that's not nearly all that's emerging from the Las Vegas exploitation conference. For starters, a plethora of medical device security researchers have purportedly figured out a way to wirelessly control pacemakers, theoretically allowing those with the proper equipment to "induce the test mode, drain the device battery and turn off therapies." Of course, it's not (quite) as simple as just buzzing a remote and putting someone six feet under, but it's a threat worth paying attention to. In related news, a trio of MIT students who were scheduled to give a speech on how to hack CharlieCards to get free rides on Boston's T subway were stifled by a temporary restraining order that the Massachusetts Bay Transit Authority snagged just before the expo. Don't lie, you're intrigued -- hit up the links below for all the nitty-gritty.

    Update: MIT published the Defcon presentation in a PDF.

    Read - Pacemaker hack
    Read - Massachusetts Bay Transit Authority sues MIT hackers
    Read - Restraining order on said hackers

  • FasTrak toll system exposed, could use a serious dose of security

    by Darren Murph
    08.07.2008

    Ah, Black Hat. How we adore you. Each year there's always one speaker who shows up and completely undermines something that most people assume is rock solid. This year, our pals at Hack-A-Day were in attendance to hear Nate Lawson expose California's FasTrak toll system for the security hole that it is. Essentially, toll transponders that are purchased and slapped onto vehicles offer up exactly no authentication, meaning that anyone with an ill will and an RFID reader could wander through a parking lot and lift all sorts of useful information. Think it can't get worse? The transponders reportedly support "unauthenticated over the air upgrading," which means that each tag could be forced to take on a new ID if the right equipment was present. We don't have to spell out "potential disaster" for you, now do we? [Image courtesy of Mindfully]

  • Safari exploit gives hackers full control over iPhones and possibly PCs and Macs

    by Thomas Ricker
    07.23.2007

    Oops, researchers just unveiled a pretty serious security vulnerability in the iPhone. More specifically, it's Apple's Safari web browser which exhibits the vulnerability. Researchers at Independent Security Evaluators have used the vulnerability to take malicious control of the iPhone from rogue websites loaded with the exploit. Once in, researchers have full administrative access over the phone allowing them to listen in on room audio or snatch the SMS log, address book, call history, email passwords and more -- we're talking full access to your phone. Researchers note that the only way to stay safe is to check those URLs and only visit sites that you trust (which isn't very reassuring), and that it "may or may not be exploitable" from Mac and PC versions of Safari -- the same vulnerability exists, only they haven't written the proof-of-concept exploit to test it yet. Apple has been notified of the vulnerability and a proposed fix, with full public disclosure coming at the BlackHat conference on August 2nd. You listening, InfoSec Sellout? That's how you report a bug. Check the exploit in video form after the break. [Via MacRumors]

  • Infamous MacBook WiFi hack demonstrated, dubious code to go public

    by Darren Murph
    03.02.2007

    This on-again / off-again storyline surrounding the infamous MacBook WiFi hack has us all in a bit of a whirlwind, but it looks like the responsible party is finally coming clean. David Maynor, who is now the CTO at Errata Security, broke the silence regarding the questionable WiFi vulnerability that he claimed existed in Apple's MacBook by actually demonstrating his findings in front of the crowds at the Black Hat DC event. The meddlesome duo elicited all sorts of backlash from Apple after the story surfaced, and a showing at the ToorCon hacker convention in San Diego was actually axed after Cupertino threatened to sue Maynor's now-former employer, SecureWorks. Yesterday, however, Maynor streamed rogue code from a Toshiba laptop while his MacBook (running OS X 10.4.6) scanned for wireless networks; sure enough, the laptop crashed, and he insinuated that the code could actually be used to do far worse things, such as control functions of the computer -- but interestingly enough, it wasn't noted whether the MacBook's WiFi adapter was Apple's own or of the third-party variety. The angst still felt by Maynor primarily stems from Apple's outright denial of his claims, only to provide an elusive patch that fixed the issue in OS X 10.4.8, essentially making its operating system more secure without giving David his due credit. Mr. Maynor also said that he would no longer attempt to work with Apple and wouldn't report any further findings to them, and while most Macs have certainly done their duty and upgraded to the latest version of OS X, users can reportedly expect a public release of the rogue code to hit the web soon.

  • Janus Project PC can scan 300 WiFi networks at once

    by Cyrus Farivar
    08.31.2006

    You've heard of black hat hackers and white hat hackers, but what about leather hat hackers? Meet the first: Kyle Williams. This creative genius has built the ultimate network hacking PC, the "Janus Project," which can focus its eight WiFi cards to break your standard WEP encryption in under five minutes. Beyond that, it can sniff 300 WiFi networks simultaneously, store and continuously encrypt all the data with AES 256-bit keys. In addition, the Janus Project has an instant off switch, which requires a USB key that has a 2000-bit passkey and a separate password to regain access. What's under the hood? Williams packed an Ubuntu Linux machine running on a 1.5GHz VIA C7 processor with an Acer 17-inch screen into that snazzy little rugged yellow box. Oh, and the closed case is waterproof too, in case you need to transport Janus Project on a whitewater raft to your next hacking hotspot. We don't doubt someone will. [Via The Raw Feed]

  • Editorial: Behind the MacBook "Hack"

    by Dan Lurie
    08.04.2006

    The web has been on fire the past few days with news of a presentation given at the BlackHat computer security conference featuring the compromising of a MacBook Pro by executing very low-level code on the drivers of a wireless card. Whether or not the exploit presented actually counts as hacking of a Macintosh (they used a third party wireless card) is not at issue in this post. What I think is more important is the fact that these guys chose to demonstrate the vulnerability on a Mac, instead of a Windows or Linux machine, which are also vulnerable to the exploit. The presenters cited the "Mac userbase aura of smugness on security" as their reason for choosing a Mac as their guinea pig. Some readers might attribute this negative attitude toward Mac users as one held only by uninformed Windows users and malicious hackers, but that is far from the case. Many very intelligent and highly respected members of the tech community feel the same way. Some of them even used to love Macs. Before pointing any fingers and making any accusations about who lost their mind when, I think we need to take a step back and examine our behavior.

  • HP dons white hat to hack customers' servers

    by Evan Blass
    07.06.2006

    Usually the term "hacking" has some rather negative connotations, so it almost seems counterintuitive to pay someone good money for breaking into your system, but that's exactly what HP is offering to do for its corporate customers with a new service called HP Active Countermeasures, or HPAC. As you'd imagine, HP's hackers won't do anything malicious once they break into a client's server -- propagating a worm, for instance, would seem to be bad for business -- but they will use a combination of buffer, heap, and stack overflows to exploit a system in much the same way that black hatters cause Internet terror on a daily basis. Specifically, the company will employ one of its own servers to launch attacks using eight to ten scanning clients for every 250,000 devices that are part of the program, and offer customers a temporary patch until they're able to hire a dedicated security firm for shoring up any vulnerabilities. Pricing is promised to be "aggressive," with firms using less than 20,000 IP addresses expected to pay only a few dollars per user per year for the privilege of learning how shoddy their security really is. [Via The Inquirer]