So, this year I had the privilege of attending Def Con 25, 2017 in Las Vegas at the beginning of August. It’s one of the largest events that has hit Las Vegas before the big fight between Mayweather and McGregor. Of course, you could not go anywhere on the Las Vegas Strip this summer without seeing their faces on posters and billboards as you walked around Caesars Palace. Anyway, there were several interesting workshops at this year’s Def Con 25, 2017, some of the more interesting sessions were the IoT hacking, voters booth hacking and video hacking.

The voters’ booth hacking workshop at Def Con 25 was held in a small conference room at Caesars Palace and was a workshop. According to the hackers who used the model of the voting network which is used by several states. It was fairly easy to obtain the IPs that communicated the voting data back and forth to the central control system. Hackers were able to demonstrate their methods all day once the IPs were known.

I also attended and watched the IoT of things being hacked on stage. They tested many of the motherboards of different vendor products such as video cameras, routers, security alarm systems and other such appliances. The first thing they used was a shell code exploit designed to be used with a Raspberry Pi board device. The UIART was a hacking code specifically designed for hacking IoT products. The UAIRT code is designed to immediately obtain root on a Linux device. Usually, it takes some time to get to root. However, it took no time with the hackers exploit shell code script. The appliance did not have any semblance of security protection on their boards present. Therefore, during the demonstration stages at Def Con 25 many of the appliances gave immediate root to the device as soon as the network wire was connected to the product’s motherboard. At the time of obtaining root, the hackers (security researchers) were free to download, manipulate and execute arbitrary code on any of the exploited appliances.

The last session attended was one that the security researcher Brian Krebs had attended. The session was on “Video Jacking”. The hackers (security researchers) were able to exploit a little-known feature on modern smartphones where the smart phones are able to duplicate video from its small mobile screen to a much larger display, such as a TV monitor. Security researchers from Aries Security discovered a way for hacking this popular smart phone feature. It is considered to be a new and inexpensive way of eavesdropping on users and it is called “Video Jacking.” The exploit developed by the security researchers at Aries works as soon as you connect a vulnerable mobile phone device to an appropriate USB charging cord, the exploit is able to split the smartphone’s video display and record a video of everything you tap, type or view, as long as it’s plugged in, this includes the victims’ PINs, passwords, account numbers, emails, texts, pictures and videos. Therefore, video jacking will let a threat actor record every key and finger stroke that the user makes on their smart phone, so that the threat actor can later replay the videos and see any of the numbers or keys pressed on the smart phone which was recorded. Redport IA, LLC security researchers believes that the only way for mitigating such an exploit is to stay away from strangers’ and public charging devices and stations and do not let anyone physically handle your smart phone device or else you will be displayed on a large screen as the featured event.

By Dr. Randall Sylvertooth

References:
https://www.defcon.org/html/defcon-25/dc-25-index.html
http://krebsonsecurity.com/category/latest-warnings/



For more information about Redport’s information assurance and cyber security services, visit www.redport-ia.com, email us at info@redport-ia.com, like us on Facebook, and follow us on Twitter@redport_ia.

Gaithersburg, MD, USA