[Dailydave] Junk Hacking Must Stop!

Marc Maiffret marc at marcmaiffret.com
Fri Sep 26 06:56:43 EDT 2014

Fade to... A young girl, with greasy blonde hair, sitting in a dark room.
The room is illuminated only by the luminescence of the Macbook Pro screen.
Taking another long drag from her Benson and Hedges cigarette, the weary
Junk Hacker hooks her JTAG up to another dollar-store Internet-connected
smoke alarm. BusyBox, fuck, no matter, she has all night. Pencils Shellshock
off her list and does 1990s directory traversal against an anonymously
accessible wireless diagnostic interface. Evernotes the leet vuln for
future Blackhat talk and tiredly hooks up the next potential victim device.

This seems to be the popular image of a Junk Hacker. Lame as the dudes
posting no-one-cares SQL injection on Full Disclosure and memory corruption
in Joe Bob freeware software. However, there is a far more dangerous type
of Junk Hacker out there. Ones who hack ATM machines and fuckin Cars. Ones
who don't simply do this for the fame they already have but for trying to
drive change in a lethargic industry equally filled with complacent
technology companies as some researchers.

I'll stop there with my bastardization of Farmer and Venema's historically
awesome fucking words.[1]

Around 10 years ago I had the privilege of joining Barnaby and other eEye
folk to present a variety of research to the intel community and others
pre-Blackhat. For Barns' part he was presenting remote code execution
against SOHO routers. His payload would provide a shell and also replace
existing firmware with modified code that would watch for any executable
downloads and every 1 in X executable would be patched with a backdoor.
Therefore it not only had persistence on the SOHO router but also
compromised machines behind it.

I think of that every time I see some crappy directory traversal or
you-name-it early-90s-style hack of a hardware device. There are plenty of
instances where all types of vulnerabilities, both hardware and software,
are simply lame because they are unrealistic. More often though I think how
little this area of technology has improved while the number of devices has
exploded - and the ability to manipulate these devices does matter in
plenty of cases. We know clearly the bar of exploitation of say Windows
vulnerabilities in the last 10 years has definitely increased. We cannot
even begin to say the same about these other types of devices.

Surely there are plenty of legitimate examples of Junk Hacking like
unreasonable scenarios where some wireless electronic lock can be broken
but only if it is within a short distance from a mass of radio equipment
etc... But to use examples like Barnaby and his work with ATMs or related
seems to be reaching much further than is reasonable. The wow is not in
hacking XP or 90s style weaknesses. The wow is in that devices that we
depend on every day ARE using and vulnerable to these things and there is
an absolute ability for abuse and a complete lack of progress.

So yes, you, as well as many other people, could have hacked and shown how to
remotely dump cash from an ATM. Although probably not joked as well to the
delivery man that you needed the ATM cause you hated transaction fees. But
Barnaby did and many are thankful because that research does help if we are
looking to improve things by creating awareness about device
vulnerabilities. And one can only hope that in the case of Cars should guys
like Miller and Valasek find any nasty remote code execution bugs for their
follow up talks that they go dramatic as all hell. If it is real world and
can truly be used by bad guys (tm) to hurt people - then do it helmet and
no seat-belts, fly out the front windshield and really drive the point home
to consumers and car makers to fix their shit should that be the reality of
what needs to happen.

Lastly, can we all at least agree to never use Junk Hackers and Internet of
Things in the same sentence? Like we realize at some point the tech
companies we've made fun of all these years will start making fun of us for
coming up with our own terms like this, right? Bueller?


[1] - For those less crusty: