News

6/8/2018

PHDays 8: hunting for IP camera zero-days at CAMBreaker

More than 5,000 visitors came to Positive Hack Days this year, the majority of them security professionals. Their creativity and fine-tuned technical intuition were on full display in the hacking contests. CAMBreaker was no exception. In this article, we describe the preparations, techniques, and victors in this marathon of IP camera hacking.

At CAMBreaker, any visitor could try out the role of surveillance camera hacker by attempting to obtain unauthorized access to IoT devices and searching for vulnerabilities in firmware source code. Fun prizes awaited the most successful bug hunters!

Preparations for the contest began two months in advance. It was not easy by any means! This process consisted of several stages:

- Choosing which cameras to include.
- Checking the firmware versions, software, and operability of the cameras.
- Obtaining the firmware for each camera. Several methods were used:
  - Intercepting firmware during camera updates via an Android app.
  - Downloading firmware from the vendor's official site.
  - Connecting to the device via Telnet.
  - Connecting to the device via UART. UART (which stands for "universal asynchronous receiver-transmitter") is a rather old physical protocol and the most widespread one in use today. The most well-known protocol in the UART family is RS-232 (commonly known as a COM port).
  - Clipping a programmer to the flash chips inside the camera without de-soldering.
  - And if all else fails, de-soldering the chips and reading them with a flash programmer.
- Configuring static IP addresses and credentials on the cameras.
- Designing and setting up a local network for the stand at PHDays.
- Setting up the stand in the demo environment.

Here are a few photos illustrating the work involved:

6/6/2018

HackBattle 2.0: school canteen ICO under attack

In May 2017, Positive Hack Days VII presented a brand new contest named HackBattle, which attracted audience attention. Almost 100 security specialists took part in that contest. The audience was so eager to see the final that the area was packed (more details in last year's review). Inspired by professionals' interest, we decided to hold HackBattle 2.0 at PHDays 8. Read on to learn how the contest went this year, and check whether you can solve the tasks.

Participation rules

The contest was held on both days of PHDays. During the first day, there was a qualifying stage: we selected the two strongest and bravest participants, who solved the most tasks in the shortest time. The final of the contest was on the second day. Two hackers were to attack one target, and the first to get through and escalate privileges on the target system was the winner. Security experts commented on the progress, and highlights could be followed on a large screen.

Qualification

As in the previous year, the participants were to solve CTF-format tasks against the clock. Each participant had 35 minutes to solve 10 tasks and earn a certain number of points, depending on the task complexity. Each participant could take part in qualification only once. This time we took into account the requests of participants of the first HackBattle and allowed participants to use their own laptops as well as our workstations.

6/4/2018

PHDays 8: Competitive Intelligence contest writeup

Held in the weeks leading up to Positive Hack Days, the Competitive Intelligence contest offered a chance to compete at open-source online sleuthing. This year, the contest had a bit of cryptostartup flair: tasks centered around NotSoPositive, a fictional small company holding a typical ICO. The company's imaginary founders and employees, as well as their friends and family, went under the microscope. To succeed, competitors needed to have intricate knowledge of the workings of online services and social networks, combined with skill at making inferences and inspired guesses. Tasks were designed with both veterans and newbies in mind—anyone could walk away with at least one flag. Many tasks fit with each other in a logical sequence, forming entire storylines. Other tasks could be completed independently of the rest, which was why participants were asked to keep a record of information at each step. As an easy warmup, a simple Google search was enough to find the company's page, which was the jumping-off point for all the other tasks:

5/30/2018

PHDays 8: cash-hungry hackers refuse to Leave ATM Alone

Positive Hack Days 8 continued a number of fun traditions from past years, among them the Leave ATM Alone contest. All comers were invited to hack two ATMs provided by our Banking Security partner Alfa Bank (to make things easier for hackers, we specially configured and hid vulnerabilities on the ATMs prior to the contest start). Participants had 15 minutes to bypass security and cash out. Around 40 participants tried their luck, with a total of 40,000 rubles at stake. Leonid Krolle, the Positive Technologies banking security researcher in charge of the contest, told us about the twists and turns that followed.

5/21/2018

Day 2 of PHDays 8: Games Over (until next year)

The eighth annual Positive Hack Days has wrapped up. Over 5,200 participants gathered in Moscow to watch hackers intercept mobile signals, take cash from an ATM, fool smart utility meters (one of the hackers was 12 years old!), and pull off dozens of other technical feats. True drama was in the air during the finale of the attacker-versus-defender showdown at The Standoff.

5/16/2018

Day 1 of PHDays 8: staking it all on the Digital Bet

The first day of Positive Hack Days was full of participants (over 3,800) and events (over 50 talks, plus hands-on labs, roundtables, and nearly a dozen hacking contests). Under the headline topic of the Digital Bet, experts explored how to fool biometric identification systems, discussed whether blockchain security is necessary, and described how office life will change in the digital age—and also demonstrated techniques for hacking mobile networks, IoT devices, industrial control systems, and more. Here are some of the highlights from the first day of PHDays 8.

Insight from those in the know

The forum was kicked off by Positive Technologies experts, who presented their findings from real-world protection work in 2017. The experts covered the security of corporate systems, industrial equipment, telecom and financial companies, blockchain projects, and vulnerabilities in Cisco ACS and Intel Management Engine.

Corporate systems remain vulnerable to both outside and inside attackers. Almost half of companies encountered at least one advanced persistent threat (APT) in 2017. Despite all the software, hardware, and organizational measures usually in place, Positive Technologies penetration testers (in the role of insiders) were successful at every single company tested in obtaining full control of infrastructure. As pointed out by Boris Simis, Deputy CEO at Positive Technologies, only 5 percent of companies even detected pentesting activity. Breaching the network perimeter as an outside attacker, such as by using social engineering or Wi-Fi attacks, was accomplished by Positive Technologies testers at 68 percent of clients. In some ways, the security situation deteriorated year-over-year. Obtaining access to LAN resources was "trivial" at 27 percent of companies in 2016, which increased to 56 percent in 2017. Critical vulnerabilities worsened as well: they made up 84 percent of the total in 2017, compared to 47 percent in 2016. Simis closed by sharing his recipe for protection: "You have to do three simple things: install antivirus protection everywhere, eliminate critical vulnerabilities on the external perimeter at the very least, and realize that you have very likely already been hacked—which is why you need to scour your network for indicators of compromise."

Elmar Nabigaev, Head of Threat Response at Positive Technologies, looked at recent developments in attacks. The company's research shows that attacks are increasingly destructive in nature, with the purpose of damaging digital infrastructure. Attacks are also becoming more sophisticated, as they make greater use of zero-day vulnerabilities and complex malware. Among the key findings: even without zero-day vulnerabilities in hand, hackers weaponize public vulnerabilities extremely quickly, making it essential to install patches the moment they become available. Experts predict a rise in targeted attacks, especially on the part of hacker groups sponsored by nation-states—world tensions are a contributing factor. Other predictions include increased attack sophistication plus higher numbers of attacks on industry, the IoT, and cloud services (as a method for third-party compromise), plus low-level attacks.

Dmitry Kurbatov, Head of Telecom Security at Positive Technologies, described recent trends in the telecom industry. The last two years have shown minor improvement, but mobile subscribers and their data remain under threat.

Smart contract vulnerabilities and attacks on investors were the focus of Arseny Reutov, Head of Application Security Research at Positive Technologies. Since August 2017, hackers have managed to steal enormous amounts (around $300 million) from cryptocurrency exchanges. Research by Positive Technologies shows that these hackers are using classic techniques long seen in other spheres. Most attacks on cryptocurrency exchanges and ICOs take advantage of poor web application security. Reutov also noted that in the last year, Positive Technologies has secured many large ICO projects, including Blackmoon, Utrust, and 3DIO.

The reports and other data referenced by Positive Technologies experts during the RE: search session are freely available on the company's website:

5/11/2018

Telecom security at PHDays: we've got you covered

Security in the mobile industry is making headlines: eavesdropping, SMS interception, spoofing, and SIM card hacking are only a few of the possible attacks. At Positive Hack Days, we invite you to learn about the vulnerabilities in mobile networks and try to hack a mobile operator that we've set up specially for the event. Read on for an overview of PHDays contests and talks covering all aspects of telecom security.

Today it's hard to find an industry that does not depend on mobile network operators. A payment terminal in a café, an alarm system in a country house, a gas meter, a truck driving down a highway—all these now have a SIM card inside. Connectivity has brought convenience and efficiency, but not security. Concerns abound: SIM cards carrying viruses, SDRs and IMSI catchers, tracking and eavesdropping via SS7, denial of service on LTE networks, and over-the-air GSM eavesdropping, to name a few.

On May 15 at 2:00 p.m., Positive Technologies Director of Telecom Security Dmitry Kurbatov will give a talk entitled "Telecom security: getting better or worse?" (Seliger Hall). The speaker will talk about threats to the connected world and the weaknesses lurking in today's smart cities, transportation, and electrical grid.

The forum venue will also have its very own mobile network, for testing and hacking purposes. Positive Technologies telecom security experts will demonstrate popular methods for attacking mobile subscribers: IMSI disclosure, geotracking, SMS interception, and call redirection. Visitors can follow the actions of the "attackers" on large screens, as well as see how this is monitored and logged by PT Telecom Attack Discovery. In addition, the test stand will provide a chance to practice exploiting SS7 vulnerabilities, using protection tools, intercepting and eavesdropping on GSM traffic, and putting SDRs to use.

On May 15, technical talks in the Press Hall will be given by Positive Technologies telecom security experts. At 10:00 a.m., Sergey Mashukov will speak on the topic "Exploiting vulnerabilities in the 4G Diameter interoperator network," which will detail security issues with the Diameter protocol. The speaker will share results of security audits conducted for different MNOs. He will also describe successful test attacks he has performed in these environments. Later at 11:00 a.m., Vadim Yanitskiy and Warsaw University of Technology graduate student Piotr Krysik will describe how to use open-source software (OsmoBTS or OpenBTS) to turn an SDR into a GSM mobile phone.

Today's phreakers are still targeting telecom companies—and you can become one of them thanks to MITM Mobile. Intercept the airwaves of our on-site mobile operator. The two participants completing the most tasks will win prizes. To take part, bring your own Osmocom, SDR, virtual machines, and other necessary equipment.

Of course, the forum will also include The Standoff, a 30-hour cyberbattle in which teams of attackers, defenders, and security operations centers fight for control of a virtual city. The battleground: the full-scale digital infrastructure of a mock metropolis. Attackers will have plenty of interesting targets, including a telecom operator, Internet provider, residents who actively use cell phones and the mobile Internet, plus IoT and VoIP devices. During the game, attacker teams will be able to probe the security of telecom systems identical to those used in real cities. Participation in The Standoff is restricted to teams that have registered in advance.

We hope to see you at PHDays! The cost of a ticket is RUB 14,400 for two days and RUB 9,600 for one day.

5/8/2018

PHDays 8: come visit Hardware Village

For five years, the Hardware Village team has been offering something special for hackers who aren't afraid to get their hands dirty. At Positive Hack Days this year, the team has several talks and interactive tasks planned to entertain and educate. During both days of the forum, the Hardware Village stand will offer all comers the chance to hack hardware and solder to their heart's content. Piles of hackworthy hardware will be available for modification and hands-on use. We will also talk about JTAG/SWD debugging and all the popular wireless interfaces in the wide 125 kHz to 5 GHz range, plus details of the RFID, NFC, Wi-Fi, and Bluetooth data exchange protocols. For those anxious for the full technical story, talks have been prepared for the second day, covering wired interfaces from low-level UART to the high-speed PCI Express. As in past years, we invite you to test your skill with a tension wrench, as well as savor the company of the DC7499 community, at Lockpick Village. Drop by and have fun!

5/8/2018

ICS/SCADA hackers: choose your own adventure at PHDays

Few people realize how much cities depend on industrial control systems. ICS components are found in the most diverse industries, including manufacturing, energy, transportation, and utilities, among many others. They do more than just make production more efficient—they help to control traffic and optimize consumption of water and power. So what would happen if someone suddenly dragged this infrastructure back to the pre-automation age? One could idly speculate, but instead we recommend coming to Positive Hack Days and seeing for yourself. Guests and participants will be invited to try to find ICS/SCADA vulnerabilities and even attack the infrastructure systems of an entire mock city.

The technical zone at PHDays 8 will host the SCADA bugs comeback stand by Gleg, a company specializing in vulnerability research. Stand visitors will be able to compete at SCADA hacking. Over two days, hackers will have free rein of industrial systems made by Wonderware InTouch, iFIX, IGSS, KingView, and IntegraXor, as well as network equipment from Hirschmann and Advantech. Participants' task is simple: to find as many vulnerabilities as possible. Both beginners and experts are welcome. A laptop is required. Results will be announced on May 16 at 2:00 p.m., with fun prizes for the champions. After the awards ceremony, at 3:00 p.m. the organizers will use several SCADA systems to demonstrate how vendor efforts to fix one mistake can actually cause new issues.

Throughout the entire forum, The Standoff will see teams of attackers, defenders, and security operations centers fighting for control of a virtual city. The battleground will contain the full-fledged digital infrastructure of a large modern metropolis. Participation is restricted to teams that have registered for The Standoff. During The Standoff, attackers will look for weak spots in the security of real industrial equipment used to control factories, hydroelectric plants, city transport, lighting, oil and gas operations, and more. The scope of damage is limited only by attackers' imagination and the protection systems in place on different network segments. The mock city includes systems responsible for lighting, heating, air conditioning, video surveillance, residential complexes with building management systems (BMS), smart homes, transport system, IoT devices, railroad, electrical plant and substation, hydroelectric plant, oil refinery, and petroleum storage and transportation. Although the city diorama may resemble a toy, with its miniature trains and tank farms, all of the city's digital infrastructure is the real article.

We also recommend another two stands specially for those interested in ICS/SCADA hacking. The Fizpribor stand will be home to the H@rd Logic Combat contest, which pits participants against solutions used for low-level automation and accident protection for in-development Russian industrial control systems for nuclear energy. Over two days, participants will try their best against ALTLinux and QNX components, as well as algorithmic modules based on hard logic. The second stand of note is MeterH3cker, with its contest for hacking the smart grid. The contest will last for the duration of the forum and all visitors are welcome to take part.

Get your PHDays tickets now! A two-day ticket costs RUB 14,400 and a one-day ticket costs RUB 9,600.

4/28/2018

A matter of meters: hack the smart grid at PHDays

Come to the MeterH3cker stand at Positive Hack Days to have fun with the vulnerabilities in smart grid equipment. The contest will take place over both days of the forum and all are welcome to take part.

Contest structure

The MeterH3cker stand consists of two mock apartment buildings that have smart grid technology installed. Real meters and solar panels will be present in each building. Conditions switch between "Day" and "Night." Solar panels are anticipated to meet the full power needs of each building; surplus power can be sold to the grid at a special feed-in rate. So there are plenty of opportunities to earn money, which is credited to the account balance of the relevant building.

The following equipment will be available for participants' hacking pleasure:

- Solar charge controller. Solar panels generate electricity, and this controller manages the flow of power they provide. During the day, solar panels are used to meet the building's power needs. Any excess power goes to the grid, in which case the meter spins backwards.
- Electrical meters. These meters record the amount of power that has been consumed, generated by solar panels, and offloaded to the grid. The rates used for billing by the power company depend on the time of day.
- Electrical devices. The buildings are filled with appliances: light bulbs, TVs, and washing machines. Some of the equipment that consumes electricity—such as central AC and heating—is managed via a programmable logic controller (PLC).

In addition, each building is connected to "normal" power from a local substation. At the substation, a data aggregator gathers readings from the meters and enters information about the amount of consumed/generated energy in a local database. The electrical company's billing server then uses this information to change the account balance.

Participation

The contest will last two days. A preliminary round will take place on the first day. All participants will have full access to all equipment, including the ability to analyze it, find vulnerabilities, and stake out potential vectors of attack. Those with the best results will be invited to return for the finale on the second day.

The finale will be a one-on-one competition. Two participants at a time will be called up to the stand. Each participant will be responsible for one building. The task of each participant is to find every way possible to fool the electrical meters and generate more energy than their "neighbor." Whoever has the higher balance when time runs out wins. One complication: each participant can access the other's equipment, leaving plenty of opportunities for unneighborly sabotage.

Forum visitors will be able to monitor events on overhead screens: graphs will visually represent electrical consumption in real time. A green line will represent the amount of electricity actually consumed. Meanwhile, a blue line will reflect the values stored on the data aggregator, which collects readings from the meters installed in the buildings (the blue-line information is what is reflected in the account balance of each building). So the blue lines will change based on the attackers' actions.

Will the grid hackers succeed in fooling smart meters to reduce their bill or perhaps become rich from solar power? We'll get to find out soon at PHDays.

Register and buy tickets for PHDays while you still can! A two-day ticket costs RUB 14,400; a one-day ticket costs RUB 9,600.
