Just say no: Wi-Fi-enabled appliance botnet could bring power grid to its knees

Princeton researchers find army of high-wattage IoT devices could cripple electric grid.

Reddy Kilowatt is not ready for IoT botnets. (credit: EC Comics (formerly Educational Comics))

BALTIMORE—At USENIX Security Symposium here on Wednesday, Saleh Soltan from Princeton University's Department of Electrical Engineering presented research that showed that if Wi-Fi-based high-wattage appliances become common, they could conceivably be used to manipulate electrical demand over a wide area—potentially causing local blackouts and even cascading failures of regional electrical grids. The research by Soltan, Prateek Mittal, and H. Vincent Poor used models of real-world power grids to simulate the effects of a "MaDIoT" (Manipulation of Demand Internet of Things) attack. It found that even swings in power usage that would be within the normal range of appliances such as air conditioners, ovens, and electric heating systems connected to "smart home" systems would be enough to cause fluctuations in demand that could trigger grid failures.

These kinds of attacks—focused on home-automation hubs and stand-alone connected appliances—have not yet been seen widely. But the increasing adoption of connected appliances (with many home appliances now coming with connectivity by default) and the difficulty of applying security patches to such devices make a Mirai-style botnet of refrigerators increasingly plausible, if not likely.

Soltan and his team looked at three possible categories of potential malicious demand manipulation:


Credit card skimmers now need to fear the Reaper

SkimReaper, subject of a USENIX Security paper, detects most common card skimmers.

The SkimReaper, shown here with a sample card skimming device, can help law enforcement find and shut down card skimming operations. (credit: Sean Gallagher)

BALTIMORE—At the USENIX Security Symposium here today, University of Florida researcher Nolen Scaife presented the results of a research project he undertook with Christian Peeters and Patrick Traynor to effectively detect some types of "skimmers"—maliciously placed devices designed to surreptitiously capture the magnetic stripe data and PIN codes of debit and credit cards as they are inserted into automated teller machines and point-of-sale systems. The researchers developed SkimReaper, a device that can sense when multiple read heads are present—a telltale sign of the presence of a skimmer.

Nolen and his fellow researchers worked with data provided by the New York City Police Department (NYPD) to assess the types of credit-card-skimming gear currently in the wild. They uncovered four broad categories of skimming gear:

  • Overlays—devices that get placed on top of the slot for the ATM or point-of-sale system. They can be modeled to match a specific ATM type's card slot or, in some cases, overlay an entire device such as a credit card reader at a retail point of sale. Overlays on ATM machines are sometimes accompanied by a keypad that is placed atop the actual keypad to collect PIN data.
  • Deep inserts—skimmers engineered to be jammed deep into the card reader slots themselves. They're thin enough to fit under the card as it is inserted or drawn in to be read. An emerging version of this is a "smart chip" skimmer that reads EMV transactions passively, squeezed between the card slot and the EMV sensor.
  • Wiretap skimmers—devices that get installed between a terminal and the network they connect to. This suggests there's a fundamental security problem to begin with.
  • Internal skimmers—devices installed in-line between the card reader of a terminal and the rest of its hardware. These, Scaife said, are more common in gas-pump card readers, where the attacker has a greater chance of being able to gain access to the internals without being discovered.

Overlays and deep inserts are by far the most common types of skimmers—and are increasingly difficult to detect. Police, Scaife noted, often find them only by looking for the cameras used by skimmers to capture PINs, because most of the common detection tips—including trying to shake the card slot to see if it dislodges—are ineffective.


Honoring the ’80s, Def Con’s badge is also a text adventure

A masterpiece of tech nostalgia and hardware hackery, this year’s badge elevates the game.

My DEF CON badge, complete with Wall of Sheep add-on. My puzzle quest is far from complete—it may require reprogramming and flipping a component. (credit: Sean Gallagher)

Nearly 30,000 people came to Las Vegas last week for the 26th edition of DEF CON, the iconic security conference. And no small amount of the mental energy of that vast crowd was spent on one particular thing: the conference badge.

This year's badges, designed by Tymkrs, were elevated works of printed circuit board art with a collection of LED-lit features, including red and green human figures and a color-shifting DEF CON logo. But it quickly becomes apparent that there was a lot more going on here than just blinking lights.

DEF CON alternates year to year between electronic, hackable badges and non-electronic ones; last year's badges were a throwback design intended to celebrate the conference's 25th anniversary. But every year, the badges include some sort of clue to a cryptographic challenge—three years ago, the badge was an actual vinyl record that required attendees to find a turntable to hear the puzzle clue.


Malware has no trouble hiding and bypassing macOS user warnings

Warnings bypass can be used to “do a lot of malicious stuff,” researcher says.

(credit: Apple)

Apple works hard to make its software secure. Beyond primary protections that prevent malware infections in the first place, company engineers also build a variety of defense-in-depth measures that are designed to lessen the damage that can happen once a Mac is compromised. Now, a former National Security Agency hacker and macOS security expert has exposed a major shortcoming in one such measure.

The measure presents a confirmation window that requires users to click an OK button before an installed app can access geolocation, contacts, or calendar information stored on the Mac. Apple engineers added the requirement to act as a secondary safeguard. Even if a machine was infected by malware, the thinking went, the malicious app wouldn’t be able to copy this sensitive data without the owner’s explicit permission.

In a presentation at the Defcon hacker convention in Las Vegas over the weekend, Wardle said it was trivial for malware to bypass the warnings by using a programming interface built into macOS to simply click the OK button. The bypass requires only a few lines of extra code. This “synthetic click,” as Wardle called it, works almost immediately and can be done in a way that prevents an end user from seeing the warning.


Are diesel’s days numbered? A view from a trip to BYD’s electric bus factory

Buses emit a lot of carbon dioxide, but BYD is making our fleets cleaner.

The lines of sight in the BYD factory are all like this: a row of buses stretching to the horizon. (credit: Megan Geuss)

LANCASTER, CALIF.—One single diesel transit bus consumes the equivalent of 10,440 gallons of gasoline a year, according to the Federal Highway Administration. Replacing that diesel-burning transit bus with an electric bus has some obvious benefits. Electric buses improve local air quality, because the particulates that come from burning diesel don't exist. And, according to the Union of Concerned Scientists, an electric bus runs cleaner than a diesel bus no matter where you plug it in on the US grid, even if you're plugging into a grid fed by fossil fuels.

In the desert north of Los Angeles, a Chinese company called BYD (short for "Build Your Dreams") is banking on transit managers realizing this. BYD offered Ars a tour of its Lancaster facility in July, and we found a bustling factory floor filled with 900 workers who were building, welding, shaping, and painting about 90 buses in various states of completion. The company's workforce, recently unionized, is expected to grow to 1200 in the near future.

So far, BYD has put more than 250 electric buses on US roads, and as of mid-July, the company had more than 400 orders in the pipeline. That's a significant number of buses in this nascent industry: last December, Reuters estimated that only 300 public buses on US roads were electric. Of course, BYD's numbers include publicly- and privately-owned electric buses, while Reuters' statistic only tallies public buses. Still, the numbers show just how aggressively the electric bus industry is growing, considering the size of the market just six months ago.


Caesars Palace not-so-Praetorian guards intimidate DEF CON goers, seize soldering irons

Hotel policies drafted after last October’s mass shooting arrive just in time for DEF CON.

This sign is an invitation for a room search at some Las Vegas hotels. (credit: Getty Images)

In the wake of the mass shooting in Las Vegas in October of 2017, hotels in the city started drafting more aggressive policies regarding security. Just as Caesars Entertainment was rolling out its new security policies, the company ran head on into DEF CON—an event with privacy tightly linked to its culture.

The resulting clash of worlds—especially at Caesars Palace, the hotel where much of DEF CON was held—left some attendees feeling violated, harassed, or abused, and that exploded onto Twitter this past weekend.

Caesars began rolling out a new security policy in February that mandated room searches when staff had not had access to rooms for over 24 hours. Caesars has been mostly tolerant of the idiosyncratic behavior of the DEF CON community, but it's not clear that the company prepared security staff for dealing with the sorts of things they would find in the rooms of DEF CON attendees. Soldering irons and other gear were seized, and some attendees reported being intimidated by security staff.


Speedier broadband standards? Pai’s FCC says 25Mbps is fast enough

FCC kicks off annual analysis of nationwide broadband deployment.

(credit: Jan Fabre)

The Federal Communications Commission is proposing to maintain the US broadband standard at the current level of 25Mbps downstream and 3Mbps upstream.

That's the speed standard the FCC uses each year to determine whether advanced telecommunications capabilities are "being deployed to all Americans in a reasonable and timely fashion."

The FCC raised the standard from 4Mbps/1Mbps to 25Mbps/3Mbps in January 2015 under then-Chairman Tom Wheeler. Ajit Pai, who was then a commissioner in the FCC's Republican minority, voted against raising the speed standard.


In-the-wild router exploit sends unwitting users to fake banking site

D-Link vulnerability lets attackers remotely change DNS server settings.

(credit: D-Link)

Hackers have been exploiting a vulnerability in D-Link modem routers to send people to a fake banking website that attempts to steal their login credentials, a security researcher said Friday.

The vulnerability works against D-Link DSL-2740R, DSL-2640B, DSL-2780B, DSL-2730B, and DSL-526B models that haven’t been patched in the past two years. As described in disclosures here, here, here, here, and here, the flaw allows attackers to remotely change the DNS server that connected computers use to translate domain names into IP addresses.

According to an advisory published Friday morning by security firm Radware, hackers have been exploiting the vulnerability to send people trying to visit two Brazilian bank sites—Banco de Brasil’s www.bb.com.br and Unibanco’s www.itau.com.br—to malicious servers rather than the ones operated by the financial institutions. In the advisory, Radware researcher Pascal Geenens wrote:


Hack causes pacemakers to deliver life-threatening shocks

Researchers criticize device maker Medtronic for slow response.

(credit: Lucien Monfils / Wikimedia)

Life-saving pacemakers manufactured by Medtronic don’t rely on encryption to safeguard firmware updates, a failing that makes it possible for hackers to remotely install malicious wares that threaten patients’ lives, security researchers said Thursday.

At the Black Hat security conference in Las Vegas, researchers Billy Rios and Jonathan Butts said they first alerted medical device maker Medtronic to the hacking vulnerabilities in January 2017. So far, they said, the proof-of-concept attacks they developed still work. The duo on Thursday demonstrated one hack that compromised a CareLink 2090 programmer, a device doctors use to control pacemakers after they’re implanted in patients.

Because updates for the programmer aren’t delivered over an encrypted HTTPS connection and firmware isn’t digitally signed, the researchers were able to force it to run malicious firmware that would be hard for most doctors to detect. From there, the researchers said, the compromised machine could cause implanted pacemakers to make life-threatening changes in therapies, such as increasing the number of shocks delivered to patients.


In-vehicle wireless devices are endangering emergency first-responders

Gateways are supposed to make cops safer. Many leak their locations in real time.

(credit: Emergency Vehicles)

In late 2016, security researcher Justin Shattuck was on assignment for an organization that was under a crippling denial-of-service attack by a large number of devices, some of which appeared to be hosted inside the network of a large European airport. As he scanned the airport’s network from the Internet—and later, with the airport operators’ permission, from inside the network—he was eventually able to confirm that the devices were indeed part of several previously unseen botnets that were delivering record-setting denial-of-service attacks on websites.

One of the infected devices was a wireless gateway from Sierra Wireless. Authorized IT administrators used it to connect to the airport network in the event primary connection methods failed. Surprised that such a sensitive piece of equipment could become a foot soldier in a denial-of-service attack, Shattuck began to investigate. What he found shocked him. Not only did an Internet scan show that 40,000 such gateways were running in other networks, a large percentage of them were exposing a staggering amount of sensitive data about the networks they were connected to.

Affecting human life

Worse still, it turned out that many of the unsecured gateways were installed in police cars, ambulances, and other emergency vehicles. Not only were the devices openly broadcasting the locations of these first responders, they were also exposing configurations that could be used to take control of the devices and, from there, possibly control dash cameras, in-vehicle computers, and other devices that relied on the wireless gateways for Internet connections.
