BlackHat USA is one of the world’s leading information security events, providing attendees with the very latest in research, development and trends. This year’s conference was no different and delivered its attendees with an extensive amount of valuable insight. The RH-ISAC Threat Intelligence Team had the pleasure of attending and has provided a brief summary of several briefs from this year’s conference that were of note.
Finding and Exploiting Vulnerabilities in Mobile Point of Sales Systems
Security researchers at Positive Technologies have discovered that mobile payment systems have vulnerabilities that could allow hackers to steal credit card info or change the value of what customers pay. According to the brief, cybercriminals can steal troves of financial data from weak cybersecurity on point of sale terminals, and attacks on these systems can affect millions of people at hotels, stores and restaurants. The researchers were able to find multiple flaws targeting the most popular mobile point-of-sale, or mPOS, providers in the US and Europe including Square, PayPal, SumUp and iZettle.
RH-ISAC Analysis: Point-of-sale terminals, such as credit card readers, are increasingly a common target for hackers, due to the large amount of financial data available. Researchers estimate that 46 percent of all noncash payments will be done through a mobile reader by 2019. Organizations should remain vigilant of the threats targeting PoS systems and limit access to these devices where highly sensitive information is stored.
Outsmarting the Smart City
Security researchers from Threatcare and IBM X-Force Red joined forces to test several smart-city devices that are widely deployed, with the specific goal of investigating “supervillain-level” attacks. The researchers found 17 zero-day vulnerabilities in four smart city systems — eight of which are critical in severity. Initial testing of the smart city yielded some common security issues which have been found in most IoT devices, such as default passwords, authentication bypass and SQL injections.
The researchers also provided some attack scenarios, where if threat actors were to abuse vulnerabilities like the ones documented in the smart city systems, the effects could range from inconvenient to catastrophic. While no evidence exists that such attacks have taken place, the researchers have found vulnerable systems in major cities in the U.S., Europe and elsewhere.
Here are some examples they found disturbing:
- Flood warnings (or lack thereof): Attackers could manipulate water level sensor responses to report flooding in an area where there is none — creating panic, evacuations and destabilization. Conversely, attackers could silence flood sensors to prevent warning of an actual flood event, whether caused by natural means or in combination with the destruction of a dam or water reservoir.
- Radiation alarms: Similar to the flood scenario, attackers could trigger a radiation leak warning in the area surrounding a nuclear power plant without any actual imminent danger. The resulting panic among civilians would be heightened due to the relatively invisible nature of radiation and the difficulty in confirming danger.
- General chaos (via traffic, gunshot reports, building alarms, emergency alarms, etc.): Pick your favorite crime action movie from the last few years, and there’s a good chance that some hacker magically controls traffic signals and reroutes vehicles. While they’re usually shown hacking into “metro traffic control” or similar systems, things in the real world can be even less complicated. If one could control a few square blocks worth of remote traffic sensors, they could create a similar gridlock effect as seen in the movies. Those gridlocks typically show up when criminals needed a few extra minutes to evade the cops or hope to send them on a wild goose chase. Controlling additional systems could enable an attacker to set off a string of building alarms or trigger gunshot sounds on audio sensors across town, further fueling panic.
In summary, the effects of vulnerable smart city devices are no laughing matter, and security around these sensors and controls must be a lot more stringent to prevent scenarios like the few that have been described.
Last Call for SATCOM Security
Ruben Santamarta, a security researcher from IO/Active, presented BlackHat attendees with his discovery of major vulnerabilities in satellite equipment that could be abused to hijack and disrupt communications links to airplanes, ships, military operations, and industrial facilities. Santamarta was able to discover these vulnerabilities by successfully hacking into in-flight airplane WiFi networks and satcom equipment from the ground and gaining access to important communications devices in the aircraft. These vulnerabilities, which include backdoors, insecure protocols, and network misconfigurations in the equipment, affect hundreds of commercial airplanes flown by Southwest, Norwegian, and Icelandair airlines. Satcom equipment used in the maritime industry and the military also are affected by the security flaws.
Although the vulnerabilities outlined could allow hackers to remotely gain control of an aircraft’s in-flight Wi-Fi, there are no safety threats to airplanes with such attacks. The attack can’t reach a plane’s safety systems due to the way the networks are isolated and configured. But an attacker could access not only the in-flight Wi-Fi network, but also the personal devices of passengers and crew members.
Black Box is Dead. Long Live Black Box!
Security researchers from Positive Technologies disclosed in a BlackHat brief, the details of two serious vulnerabilities affecting ATM currency dispensers made by NCR. These vulnerabilities were discovered after researchers successfully conducted a black box attack against the NCR S1 and S2 cash dispenser controllers. According to the researchers, “Our research indicated that not all requests from the ATM computer to the dispenser were encrypted. Instead, encryption was applied only to requests deemed critical by the manufacturer, such as dispensing cash. But some of the so-called non-critical requests can be just as dangerous.”
The researchers notified NCR of their findings and the vendor released critical firmware updates in February that should provide better protection against black box attacks. The update should address the firmware rollback vulnerability and it adds an extra layer of protection for physical authentication mechanisms.