Top Wireless Hacking Talks: NFC, Apple Pay, and Smart Device Attacks

The Best from Global Cybersecurity Conferences: NFC, Apple Pay Hacks, and Knocking People Off Hoverboards

We continue to keep you updated on the most interesting presentations from global hacker conferences. Today’s roundup covers everything related to vulnerabilities in wireless technologies. And by the way, share in the comments any lectures or talks you’ve found on your own—user-generated content hasn’t been banned yet! 🙂

Hacking a Smart Gun

Popping a Smart Gun // DEF CON 2017

Smart guns are sold with the promise that they will only fire in the hands of authorized users. While this might work in the movies, reality is different. This talk explores the security of a commercially available smart gun and demonstrates three vulnerabilities: firing the gun remotely, blocking the gun even for its rightful owner, and firing the gun without authorization, physical contact, or modification.

DirtyTooth: Get Music, Lose Your Contacts

Kevin Mitnick. DirtyTooth: Put Music & Lose Your Contacts // ToorCon 2017

Legendary hacker Kevin Mitnick presents a hack for iOS 10.3.2 (and earlier) that exploits a flaw in Bluetooth profile management. Because profiles are handled improperly, attackers can extract a significant amount of confidential data from iOS devices over Bluetooth, a channel that is increasingly used for connecting to peripherals.

Manipulating IoT Devices with Radio Signals

Caleb Madrigal. Controlling IoT Devices with Crafted Radio Signals // DEF CON 2017

This talk is a perfect introduction to wireless communications. It demonstrates how to capture digital data in real time using SDR, explains how to view, listen to, replay, and manipulate wireless signals, disrupt communications, and even generate new radio waves from scratch (radio injection). The speaker also showcases custom SDR-based tools for intercepting and generating wireless digital signals.

Real-Time RFID Cloning in the Field

Dennis Maldonado. Real-time RFID Cloning in the Field // DEF CON 2017

While many solutions exist for cloning RFID tags, the process is usually slow, tedious, and error-prone. This talk introduces a smarter, field-ready method for cloning RFID badges in seconds. It reviews popular tools and methods for long-range RFID cloning and demonstrates a new approach for rapid, real-time cloning in the field.

New MiTM Attack: Man in the NFC

Haoqi Shan. Man in the NFC: Build a NFC Proxy Tool from Scratch // DEF CON 2017

NFC (Near Field Communication) is widely used in finance and access to sensitive information. Where there’s money, there are hackers, and new attacks are constantly being developed. This talk presents UniProxy, a hardware tool based on the PN7462AU microcontroller, consisting of two devices (leader and follower) with radio transmitters and high-frequency card readers. The leader reads almost any ISO 14443A smart card (bank cards, IDs, passports, access cards, etc.) and relays the data to a legitimate card reader via the follower device, with communication possible up to 200 meters apart.

Radio Hacking Basics: Wireless Attack Methods

Matt Knight, Marc Newlin. Radio Exploitation 101: Characterizing, Contextualizing, and Applying Wireless Attack Methods // DEF CON 2017

What do hacking Dallas tornado sirens, electric skateboards, and smart locks have in common? Vulnerable wireless communication protocols! As IoT and mobile-controlled RF protocols become more popular, wireless device hacking is on the rise. This talk lays the foundation for modern radio hacking, classifies wireless threats, and draws parallels with classic wired network exploits, highlighting what’s unique to wireless. Live demos using SDR devices and hardware radios illustrate the concepts, helping attendees understand how to apply wired network exploitation skills to wireless networks.

New Adventures in 3G/4G Spying

New Adventures in Spying 3G and 4G Users: Locate, Track & Monitor // Black Hat 2017

3G/4G devices are everywhere, and their vulnerability to IMSI catchers (a.k.a. Stingrays) is well known. This talk discusses new attack vectors for tracking and monitoring mobile device activity, including a newly discovered vulnerability in a widely used 3G/4G cryptographic protocol. The speaker demonstrates various exploitation methods using inexpensive equipment and shows the real-world consequences for end users.

Ultrasonic Gun vs. Smart Gadgets

Sonic Gun To Smart Devices: Your Devices Lose Control Under Ultrasound/Sound // Black Hat 2017

MEMS sensors like accelerometers and gyroscopes are essential in modern smart gadgets. Researchers found that these sensors resonate at certain acoustic frequencies, distorting their readings. By fine-tuning attack parameters, they could manipulate sensor data, including combined attacks using both sensors. The talk details the impact on various devices: VR headsets, self-balancing vehicles, drones, and more. Using a homemade ultrasonic system, the speaker attacks popular VR devices (including iPhone 7 and Galaxy S7), showing how ultrasonic resonance can manipulate “virtual reality”—for example, controlling gaze direction or simulating earthquakes, potentially causing users to fall off hoverboards and get injured. The speaker also demonstrates altering a DJI drone’s trajectory. Such attacks can deprive users of control over their smart gadgets and, in the case of VR and self-balancing vehicles, lead to serious physical harm.

Apple Pay: The “Most Secure” Payment Method

Timur Yunusov. The Future of ApplePwn — How to Save Your Money // Black Hat 2017

Despite Apple Pay’s reputation for security—dedicated payment processors, secure enclaves, and encrypted data—this talk presents open-source software that bypasses these protections, turning an Apple Pay-enabled iPhone into a customizable card-cloning device. The speaker also shows that the Apple Pay API offers far more functions than needed for card emulation, giving attackers extensive capabilities to manipulate point-of-sale equipment via iPhone. The conclusion: “Some may think Apple Pay is the most secure payment method, but we know it’s a promising tool for carding.”

WiFuzz: Detecting and Exploiting Logical Flaws in Wi-Fi Handshakes

Mathy Vanhoef. WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake // Black Hat 2017

Encrypted Wi-Fi is becoming more popular, with new standards like Hotspot 2.0 and Opportunistic Wireless Encryption. However, if there are mistakes in the four-way cryptographic handshake, all security guarantees are lost. This talk demonstrates how to find and exploit logical (not just programming) vulnerabilities in Wi-Fi handshake implementations. The speaker tested twelve Wi-Fi access points and found vulnerabilities in all, including authentication bypass, fingerprinting, downgrade attacks, DoS, and more. The most critical flaws were found in OpenBSD, MediaTek, Broadcom, Windows 7, Aerohive, Apple, Cisco, Hostapd, and Windows 10 implementations.

“Ghost Telephonist” Impersonates You via LTE CSFB

“Ghost Telephonist” Impersonates You Through LTE CSFB // Black Hat 2017

This talk presents a vulnerability in 4G LTE CSFB (Circuit Switched Fallback) switching, where the authentication procedure is missing. This allows attackers to intercept all of the victim’s communications. The “ghost telephonist” attack lets an attacker impersonate the victim, receive and initiate calls or messages, and use the victim’s phone number for follow-on attacks such as account takeovers. The attack can target random or specific victims, requires no fake base station, is low-cost, and is undetectable by the victim.

One Car, Two Frames: Attacking Hitag-2 Car Keys

One Car, Two Frames: Attacks on Hitag-2 Remote Keyless Entry Systems Revisited // USENIX WOOT 2017

Despite the Hitag-2 algorithm’s cryptography being broken for years, it’s still used in the automotive industry. Recent vulnerabilities in Hitag-2-based RKE (Remote Keyless Entry) systems allow car unlocking by capturing just four to eight radio packets. However, some implementations use clever countermeasures. This talk analyzes such systems and reveals a new cryptographic vulnerability that allows creating fake packets and unlocking a car by capturing only two radio packets—without extracting the cryptographic key. Instead, attackers can compute equivalent keys to generate the same keystream as the genuine key, bypassing countermeasures with a single extra packet capture.
