Earlier this month in Las Vegas, Karamba’s Adili Shimoni had a classic fish out of water experience at DEFCON. In this post, she looks back on an eye-opening week in Vegas, and her takeaways about what it all means for the world of connected devices.
Held in Vegas every summer, DEFCON is one of the world’s largest and oldest hacker conventions. Before I flew out to the desert earlier this month, my colleagues showered me with warnings.
“Don’t carry a credit card!”
“Disconnect your smartphone!”
Oh, and “send emails only via a secure VPN, if you don’t want your email address and password to appear on a wall of shame.”
‘Ok, I’m going to be a fish-out-of-water’ I thought.
It turns out that was an understatement, but I must admit — I had a great time!
The Car Hacking Village participants reflected the eclectic, come one, come all kaleidoscope that is DEFCON. Coming right on the heels of Black Hat, a more strait-laced cyber industry event, DEFCON brings in hackers from across the world for briefings, challenges, corporate events, networking, and fun parties. For me, it seemed like a way for people of all types — from cybersecurity industry executives to hobbyists and everything in between — to brainstorm, break stuff, and cut loose (including when I may or may have not become a human crash-test-dummy for a few priceless minutes — but more on that later).
While running our “Hack a Traffic Light” challenge, I got the chance to meet with 10 different teams of cybersecurity experts from the US, Japan, Korea, and Germany. It was interesting to see how some of them faced such a challenge for the first time and how they were racking their brains thinking of creative ways to crack it, while others found it relatively easy and managed to go through all 5 stages in 2 days. Putting my fun ‘fish-out-of-water’ experience aside, I found it a bit unnerving. In real life, far from fun and games in a Vegas hotel, such successful attacks on traffic lights and larger infrastructure systems could have wide-reaching, catastrophic effects.
If you’ve seen ‘The Italian Job,’ then you have an idea of how this scenario can play out. A solitary hacker manipulating a single traffic light causes gridlock in moments, bending the main arteries of Los Angeles to his will. And while most people probably won’t ever need to steal an armored truck full of gold from Edward Norton, the finale of the 2003 film gave some hint of a hacking threat that has only become more dangerous 16 years later.
This is part of the issue we tried to tackle at DEFCON this year. Our challenge featured two traffic lights — one for vehicles and one for pedestrians — and invited all comers to try their hand at remotely seizing control of the lights.
Every day teams would come in at around 10am and work through the day on the challenge until we’d have to close at 6pm.
First things first though, we provided them with the traffic light server binary, which they had to reverse-engineer, as well as a PCAP capture of the traffic light’s network traffic. The PCAP file contains the communication between the machines at the junction — the traffic light and the controller that assesses how many people are waiting at the light and sends it a signal. By studying and then manipulating that communication, the participants were able to work out the network protocol between the devices.
The challenge had five stages. In stage 1, participants were asked to identify the communication mechanism between the control system and the traffic light, and then manipulate the communication payload in order to remotely turn the light green. In stage 2, they were tasked with finding a way to put the light into maintenance mode — the blinking yellow setting used by traffic lights suffering a malfunction. Finally, in stages 3 through 5, they were asked to trigger the self-test mode (in which the traffic light runs a series of erratic, random lights) by various means, including exploiting a buffer overflow vulnerability to achieve remote code execution, abusing the configuration protocol, and bypassing ASLR.
The tasks did not require command injection; rather, they called for control-flow manipulation, making the system execute code that was never part of its intended design.
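As an added illustration (not code from the challenge or from Karamba), here is the class of defect behind stages 3 through 5 in a constructed traffic-light command handler: the vulnerable form trusts a length field taken from the network, while the hardened form checks it against both the bytes received and the destination buffer. The wire format, command numbers, state values and field sizes are all assumptions for this example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed wire format for this example (not the real challenge protocol):
 * byte 0 = command (1 SET_STATE, 2 SET_CONFIG), byte 1 = declared payload length, rest = payload. */
enum { CMD_SET_STATE = 1, CMD_SET_CONFIG = 2 };
enum light_state { LIGHT_RED = 0, LIGHT_GREEN = 1, LIGHT_MAINT = 2, LIGHT_SELFTEST = 3 };
struct light { enum light_state state; char config[16]; };

/* Vulnerable handler: trusts the sender-controlled length byte, so a SET_CONFIG message
 * longer than the field writes past l->config. Shown for contrast only; never called here. */
int handle_vulnerable(struct light *l, const uint8_t *msg, size_t msg_len) {
    if (msg_len < 2 || msg[0] != CMD_SET_CONFIG) return -1;
    memcpy(l->config, msg + 2, msg[1]);   /* length never compared to sizeof l->config */
    return 0;
}

/* Hardened handler: the declared length must match the bytes received and fit the
 * destination buffer; unknown commands and out-of-range states are rejected. */
int handle_hardened(struct light *l, const uint8_t *msg, size_t msg_len) {
    if (msg_len < 2) return -1;
    uint8_t cmd = msg[0], len = msg[1];
    if ((size_t)len + 2 != msg_len) return -1;       /* declared vs actually received */
    switch (cmd) {
    case CMD_SET_STATE:
        if (len != 1 || msg[2] > LIGHT_SELFTEST) return -1;
        l->state = (enum light_state)msg[2];
        return 0;
    case CMD_SET_CONFIG:
        if (len >= sizeof l->config) return -1;      /* keep room for the terminating NUL */
        memcpy(l->config, msg + 2, len);
        l->config[len] = '\0';
        return 0;
    default:
        return -1;
    }
}
/* Constructed sample messages; returns a bitmask of failed checks (0 = all pass). */
int run_checks(void) {
    struct light l = { LIGHT_RED, "" };
    const uint8_t go_green[] = { CMD_SET_STATE, 1, LIGHT_GREEN };
    const uint8_t cfg_ok[]   = { CMD_SET_CONFIG, 5, 'n', 's', '=', '3', '0' };
    uint8_t cfg_big[42]      = { CMD_SET_CONFIG, 40 };   /* 40 payload bytes into a 16-byte field */
    int fails = 0;
    if (handle_hardened(&l, go_green, sizeof go_green) != 0 || l.state != LIGHT_GREEN) fails |= 1;
    if (handle_hardened(&l, cfg_ok, sizeof cfg_ok) != 0 || strcmp(l.config, "ns=30") != 0) fails |= 2;
    if (handle_hardened(&l, cfg_big, sizeof cfg_big) != -1) fails |= 4;   /* must be rejected */
    return fails;
}
```

The rejected oversized SET_CONFIG message is exactly the input that would overrun the field in the vulnerable handler; the hardened version turns it into a logged protocol error rather than a memory write.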
One of the DEFCON participants who tried his hand at the challenge was Brandon Barry, the CEO of Detroit’s Block Harbor Cybersecurity. When asked for his feedback after the events, Barry said that the challenge was “relatively easy once you got an understanding of what the infrastructure was.”
When asked if he thinks such a hack would be easy for a hacker to carry out in real life, he said “I hope not. However, I truly believe that if national governments don’t step in to regulate security in these kinds of new technology applications, this kind of exposure WILL happen.” He added “my company does some work in industrial control system applications, and this is a perfect example of how an inherently unsecured protocol meant for these sort of control systems is haphazardly connected to a network. We see these kinds of systems all the time, EXPOSED ON THE INTERNET, not even isolated to a LAN.”
The traffic light hacking challenge also served as a way for us to highlight the security issues facing the IoT revolution. It was the brainchild of Karamba’s Director of Innovation, Eli Mordechai, who, together with the team back in Israel, built the two traffic lights and crafted the five hacking stages. When DEFCON ended and we analyzed the different successful attacks on the traffic light, we discussed the challenges of building security into connected devices, and how Karamba’s XGuard platform protects connected systems even when a hacker has a head start.
“Even if a hacker has reverse-engineered the binary, found a vulnerability, and gotten past ASLR, we can still keep a buffer overflow vulnerability from allowing remote code execution,” Eli explained.
“It’s not just traffic lights. Large-scale critical infrastructure systems are vulnerable to attacks and these can have a catastrophic effect. Just like we can protect traffic lights, we can protect against larger infrastructure systems as well.”
And with billions of connected devices from critical infrastructure controllers to connected cars to smart hair straighteners hitting the market in the coming years, the stakes couldn’t be higher. Our lives have become more connected and convenient than ever before, but if there’s one thing I learned at DEFCON, it’s that every connected device can be cracked, and there is no shortage of talented people waiting to do just that.
P.S: I can neither confirm nor deny the identity of the crash test dummy in that pic :)