[Dailydave] Junk Hacking Must Stop!

Wim Remes wremes at gmail.com
Fri Sep 26 10:47:16 EDT 2014


I couldn't have said it any better than Marc.
Isn't it our fault as a community to estimate value based on the number of
conferences something is presented at or the name/fame of those conferences?
It's equally ironic how we came from #nobugsforfree to
#plentyofbugsthatnobodywouldpayadollarforanyway.

If there is one thing where junk hacking contributes to better security,
it's in the identification of systemic issues. If I can connect to the JTAG
interface of 20 random devices and pull crypto keys out of the firmware by
just running strings on it, there's something an industry can do better. If
I identify a common (broken) component used by several vendors in a
specific industry without second thoughts, there's something that industry
can do better.

I agree that the goal of any hacking (not just junk hacking) should not be
"a talk" but junk hacking itself has (or can have) a broader impact than
what we perceive it to be for the purpose of this eloquent rant.

What would become of us if we can't hack all the things? Should we just
drink all the booze?

#BMB = Be More Barnaby

Wim

On Fri, Sep 26, 2014 at 12:56 PM, Marc Maiffret <marc at marcmaiffret.com>
wrote:

> Fade to... A young girl, with greasy blonde hair, sitting in a dark room.
> The room is illuminated only by the luminescence of the Macbook Pro screen.
> Taking another long drag from her Benson and Hedges cigarette, the weary
> Junk Hacker hooks her jtag up to another dollar store Internet connected
> smoke alarm. Busybox, fuck, no matter she has all night. Pencils Shellshock
> off her list and does 1990's directory traversal against anonymously
> accessible wireless diagnostic interface. Evernotes the leet vuln for
> future Blackhat talk and tiredly hooks up the next potential victim device.
>
> This seems to be the popular image of a Junk Hacker. Lame as the dudes
> posting no one cares SQL injection on Full Disclosure and memory corruption
> in joe bob freeware software. However, there is a far more dangerous type
> of Junk Hacker out there. Ones who hack ATM machines and fuckin Cars. Ones
> who don't simply do this for the fame they already have but for trying to
> drive change in a lethargic industry equally filled with complacent
> technology companies as some researchers.
>
> I'll stop there with my bastardization of Farmer and Venema's historically
> awesome fucking words.[1]
>
> Around ~10 years ago I had the privilege of joining Barnaby and other eEye
> folk to present a variety of research to the intel community and others
> pre-Blackhat. For Barns' part he was presenting remote code execution
> against soho routers. His payload would provide a shell and also replace
> existing firmware with modified code that would watch for any executable
> downloads and every 1 in X executable would be patched with a backdoor.
> Therefore not only having persistence on the soho router but also
> compromising machines behind it.
>
> I think of that every time I see some crappy directory traversal or you
> name it early 90s style hack of a hardware device. There are plenty of
> instances where all types of vulnerabilities, both hardware and software,
> are simply lame because they are unrealistic. More often though I think how
> little this area of technology has improved while the number of devices has
> exploded - and the ability to manipulate these devices does matter in
> plenty of cases. We know clearly the bar of exploitation of say Windows
> vulnerabilities in the last 10 years has definitely increased. We cannot
> even begin to say the same about these other types of devices.
>
> Surely there are plenty of legitimate examples of Junk Hacking like
> unreasonable scenarios where some wireless electronic lock can be broken
> but only if it is within a short distance from a mass of radio equipment
> etc... But to use examples like Barnaby and his work with ATMs or related
> seems to be reaching much further than is reasonable. The wow is not in
> hacking XP or 90s style weaknesses. The wow is in that devices that we
> depend on every day ARE using and vulnerable to these things and there is
> an absolute ability for abuse and a complete lack of progress.
>
> So yes, you could have as well as many other people hacked and shown how
> to remotely dump cash from an ATM. Although probably not joked as well to
> the delivery man that you needed the ATM cause you hated transaction fees.
> But Barnaby did and many are thankful because that research does help if we
> are looking to improve things by creating awareness about device
> vulnerabilities. And one can only hope that in the case of Cars should guys
> like Miller and Valasek find any nasty remote code execution bugs for their
> follow up talks that they go dramatic as all hell. If it is real world and
> can truly be used by bad guys (tm) to hurt people - then do it helmet and
> no seat-belts, fly out the front windshield and really drive the point home
> to consumers and car makers to fix their shit should that be the reality of
> what needs to happen.
>
> Lastly can we all at least agree to never use Junk Hackers and Internet of
> Things in the same sentence? Like we realize at some point the tech
> companies we've made fun of all these years will start making fun of us for
> coming up with our own terms like this, right? Bueller?
>
> -Marc
>
> [1] - For those less crusty:
> http://www.nsrc.org/netadmin/unixdocs/security/misc


-- 
Wim Remes
Security Afficionado