Researchers hack toys, attack iPhones at ToorCon

Security experts demonstrate their software exploits and hardware hacks at annual security conference in San Diego.

Elinor Mills Former Staff Writer
This IM-Me instant messaging toy for teen girls can be turned into a wireless tool for opening garage doors, cloning RFID tags, and other less innocent activities. Elinor Mills/CNET

SAN DIEGO--From "weaponized" iPhone software to hacked toys and leaked cookies, researchers at the ToorCon security conference here this weekend showed how easy it can be to poke holes in software and hardware with the right tools, know-how, and curiosity.

One researcher demonstrated how to take control of an iPhone using an exploit that targets a hole in Safari, which has been patched. The iPhone had an app installed that allowed it to process credit card numbers, which could then be stolen if this were an attack in the wild.

Eric Monti, a senior security researcher at Trustwave, "weaponized" an exploit that was launched as the Jailbreakme.com program this summer, designed to allow iPhone owners to use unauthorized apps.

For the demo, he directed the "victim" iPhone to a Web address that opened a PDF file that contained the exploit code. Then a rootkit was downloaded giving him complete control of the iPhone. Once a rootkit is downloaded, an attacker has access to all data, e-mails, voicemails, and text messages, as well as the microphone and speaker. "You can easily eavesdrop on someone if you're on their iPhone remotely," Monti said.

If the iPhone has the free Square app installed, which is used for processing credit card numbers, the attacker could also steal those numbers, he said, adding that there is not a security issue with the Square app. "We will see people processing credit cards in stores using iPhone apps," transactions using highly sensitive data that should be on only secured devices, Monti told CNET in an interview after his talk.

Two researchers gave a light-hearted talk, titled "Real Men Carry Pink Pagers," about how they turned a toy into a wireless tool that could be used to open garage doors and clone RFID tags used for inventory control on shipping docks and RFID-based passports, among other uses. The pink plastic IM-Me device, with a "Girl Tech" brand on it, was designed to allow young girls to send instant messages with friends on a private network.

The IM-Me device also uses the same wireless chip that some smart meters use and could be turned into a diagnostic tool to test the security of those devices, said wireless researcher Michael Ossmann. He worked on the project with Travis Goodspeed, who wrote software that gives the IM-Me functionality that most teen girls can't fathom.

"We took old hardware and repurposed it...It's fun to turn it into something useful and to learn about it," Ossmann said, summing up a core element of the true hacker spirit.

This isn't the first toy Ossmann has worked his hack magic on. During Defcon in August, he used the hackable badge from the event to try to turn a toy guitar into an electric instrument. The guitar, which he played for a select audience this weekend, remains acoustic at this point, but Ossmann did manage to create a very cool electronic light oscillator for tuning the strings using RGB (red, green, and blue) LEDs.

Two other presenters showed how limited encryption used on many popular sites on the Web--like Facebook, Twitter, Hotmail, and Flickr (but not Google)--can put user accounts at risk of compromise by someone snooping on session traffic between the user's computer and the site's server. Sites typically encrypt the username and password as they are transmitted, but unless the entire Web session is encrypted with "https," or secure hypertext transfer protocol, someone sniffing the network could capture the cookie information and use that to access the accounts, according to security researchers Eric Butler and Ian Gallagher.

Web surfers don't even have to be on one of the sites to have their cookie data exposed. Any site that even just hosts a Facebook or Twitter widget or has a Flickr image embedded can leak a user's cookie data if the user is logged into the relevant host site, they said. "The cookie allows you to do everything you can with a password," Butler said. "It is hard for users to protect themselves."

So-called HTTP session hijacking, or "sidejacking," is not new; another researcher released a tool last year to enable this on Facebook. But Butler and Gallagher said users will be vulnerable to such attacks until Web sites move to full session, end-to-end encryption and configure sites to indicate that browsers only should send data over encrypted channels. They are releasing a Firefox extension tool, called Firesheep, that automates an attack, and said that they hope doing so will bring attention to the problem and motivate Web site owners to use encryption more broadly.

Butler has detailed information about Firesheep on his blog, and he and Gallagher wrote an excellent followup blog post that clearly describes the problem, what Web sites should be doing to address the issue, and what people can do to protect themselves in the meantime.
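A defender-side check for the weakness described above, as an added example that is not from the article, from Butler and Gallagher, or from Firesheep: it audits a site's response headers for session cookies that a browser would also send over unencrypted HTTP. It assumes the standard `Secure` cookie attribute and `Strict-Transport-Security` header are the mechanisms by which a site tells browsers to use encrypted channels only; the sample headers and function names are constructed for illustration.

```python
# Constructed sample responses (not captured traffic); values are illustrative.
WEAK_LOGIN_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "secure=1; Path=/"),  # cookie *named* secure, no Secure attribute
    ("Set-Cookie", "prefs=dark; Path=/; SECURE"),
]
HARDENED_LOGIN_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure"),
]


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, set of lowercased attribute names)."""
    first, *rest = value.split(";")
    name = first.split("=", 1)[0].strip()
    attrs = {part.split("=", 1)[0].strip().lower() for part in rest if part.strip()}
    return name, attrs


def hsts_max_age(headers):
    """Return the max-age of Strict-Transport-Security, or 0 if absent or invalid."""
    for key, value in headers:
        if key.lower() != "strict-transport-security":
            continue
        for directive in value.split(";"):
            k, _, v = directive.strip().partition("=")
            v = v.strip().strip('"')
            if k.strip().lower() == "max-age" and v.isdigit():
                return int(v)
    return 0


def audit_response(headers):
    """Report cookies a browser would also send over plain HTTP, plus HSTS status."""
    without_secure = []
    for key, value in headers:
        if key.lower() == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                without_secure.append(name)
    return {"cookies_without_secure": without_secure, "hsts": hsts_max_age(headers) > 0}


if __name__ == "__main__":
    print("weak:    ", audit_response(WEAK_LOGIN_RESPONSE))
    print("hardened:", audit_response(HARDENED_LOGIN_RESPONSE))
```

Any cookie listed under `cookies_without_secure` that identifies a logged-in session is exposed whenever the browser makes a plain-HTTP request to that host, including requests for embedded widgets or images.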

"Any motivated attacker could do this without this tool," Butler said. "We think this will shine light on the issue."

Eric Monti demonstrates how he is able to surreptitiously take control of an iPhone during a ToorCon presentation. Elinor Mills/CNET

Another researcher talked about the security problems with the Absolute Manage (formerly LANrev) software, which was designed to remotely update software and which was used to secretly take photos of high school students in Philadelphia earlier this year. Joel Voss, security consultant at Leviathan, said it took him only 48 hours to develop a proof of concept and another dozen hours to create a working exploit to break the encryption on the software.

Voss' exploit renders all computers with the Absolute Manage client software installed vulnerable to compromise by an attacker who could not only spy on the computers, but even run malware on them. Voss informed the company about the problem in July but the current release of the software does not resolve the issue, he said. "It's bad for anyone to be running software that is that insecure," he said, adding that he is not releasing the exploit. Absolute Manage could not be reached for comment on Sunday.

Developers need to be aware of the privacy implications of the software they create, said David Kane-Parry, a principal security consultant at Leviathan Security Group. His talk focused on potential unintended privacy issues related to location-based mobile apps, like Google Maps, in which the data is not encrypted between the consumer's device and the app server. He also noted, for example, that mobile photos uploaded to sites like Facebook can be geo-tagged to reveal the coordinates of where the photo was taken, unbeknownst to the picture taker.

And in a keynote at the event, Dan Kaminsky, who discovered a security flaw with authentication in the Internet's Domain Name System last year and an even more serious problem the year before, talked about the need for the industry to adopt DNSSEC, which stands for Domain Name System Security Extensions. DNSSEC deployment has been slow because it's not easy to do, he said.

To solve that problem Kaminsky has developed software he jokingly dubbed "Phreebird" that allows DNSSEC to be deployed as an upgrade to the existing infrastructure without having to "massively change their processes," he said. A test version of the software will be released at Black Hat Abu Dhabi in November. Meanwhile, a member of the Google Chrome team has developed an "unofficial, unsanctioned" build of Chrome that uses DNSSEC to validate Web sites, he said.

"There's a huge bug in one of the core concepts of the Internet," Kaminsky said in an interview. "DNSSEC is a fix, but we need to deploy it."

Updated October 27 to correct spelling of Ossmann. Updated 9:35 a.m. PDT October 26 with links to Firesheep blog posts. Updated at 4:32 p.m. PDT October 25 to include name of Butler's Firefox extension for snooping on unsecured sites. And updated at 4:25 p.m. PDT to correct the spellings of Joel Voss and David Kane-Parry.