This drone can steal what’s on your phone

The next threat to your privacy could be hovering overhead while you walk down the street.

Hackers have developed a drone that can steal the contents of your smartphone — from your location data to your Amazon password — and they’ve been testing it out in the skies of London. The research will be presented next week at the Black Hat Asia cybersecurity conference in Singapore.

The technology equipped on the drone, known as Snoopy, looks for mobile devices with Wi-Fi settings turned on.

Snoopy takes advantage of a feature built into all smartphones and tablets: When mobile devices try to connect to the Internet, they look for networks they’ve accessed in the past.

“Their phone will very noisily be shouting out the name of every network it’s ever connected to,” Sensepost security researcher Glenn Wilkinson said. “They’ll be shouting out, ‘Starbucks, are you there?…McDonald’s Free Wi-Fi, are you there?’”

That’s when Snoopy can swoop into action (and be its most devious, even more than the cartoon dog): the drone can send back a signal pretending to be networks you’ve connected to in the past. Devices two feet apart could both make connections with the quadcopter, each thinking it is a different, trusted Wi-Fi network. When the phones connect to the drone, Snoopy will intercept everything they send and receive.

“Your phone connects to me and then I can see all of your traffic,” Wilkinson said.

That includes the sites you visit, credit card information entered or saved on different sites, location data, usernames and passwords. Each phone has a unique identification number, or MAC address, which the drone uses to tie the traffic to the device.
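For defenders, the behaviour described above, one radio answering to whatever network name a phone asks for, leaves a recognisable pattern in captured Wi-Fi management frames. The following Python is an added example, not code from Snoopy or Sensepost; the frame records, MAC addresses and the threshold of three names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of captured 802.11 management frames (not real data).
# Fields: frame kind, transmitter MAC address, network name (SSID) in the frame.
FRAMES = [
    ("probe_req",  "aa:aa:aa:00:00:01", "Starbucks"),
    ("probe_resp", "02:00:00:de:ad:01", "Starbucks"),
    ("probe_req",  "aa:aa:aa:00:00:02", "McDonald's Free Wi-Fi"),
    ("probe_resp", "02:00:00:de:ad:01", "McDonald's Free Wi-Fi"),
    ("probe_req",  "aa:aa:aa:00:00:03", "HomeNet-4821"),
    ("probe_resp", "02:00:00:de:ad:01", "HomeNet-4821"),
    ("probe_resp", "00:11:22:33:44:55", "CoffeeShopGuest"),
    ("probe_req",  "aa:aa:aa:00:00:01", "CoffeeShopGuest"),
    ("probe_resp", "00:11:22:33:44:55", "CoffeeShopGuest"),
]

def find_answer_anything_aps(frames, min_ssids=3):
    """Return {bssid: sorted SSIDs} for transmitters that answered directed
    probes for at least min_ssids different network names.

    Assumption: an ordinary access point uses one MAC address (BSSID) per
    network name, so a single BSSID claiming many unrelated names that
    clients have just asked for is suspicious."""
    probed = set()                # names some client has asked for so far
    answered = defaultdict(set)   # bssid -> names it claimed after a probe
    for kind, mac, ssid in frames:
        if kind == "probe_req" and ssid:   # empty SSID is a broadcast probe
            probed.add(ssid)
        elif kind == "probe_resp" and ssid in probed:
            answered[mac].add(ssid)
    return {b: sorted(s) for b, s in answered.items() if len(s) >= min_ssids}

def exposed_clients(frames):
    """Return {client_mac: sorted SSIDs} for devices that disclose remembered
    network names in directed probe requests."""
    leaks = defaultdict(set)
    for kind, mac, ssid in frames:
        if kind == "probe_req" and ssid:
            leaks[mac].add(ssid)
    return {mac: sorted(names) for mac, names in leaks.items()}

if __name__ == "__main__":
    for bssid, names in find_answer_anything_aps(FRAMES).items():
        print(f"suspicious transmitter {bssid} answered for: {names}")
    for mac, names in exposed_clients(FRAMES).items():
        print(f"device {mac} discloses remembered networks: {names}")
```

The second function lists which of your own devices still announce remembered network names, which is the exposure the advice about turning off Wi-Fi and automatic joining is meant to close.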

The names of the networks the phones visit can also be telling.

“I’ve seen somebody looking for ‘Bank X’ corporate Wi-Fi,” Wilkinson said. “Now we know that that person works at that bank.”

CNNMoney took Snoopy out for a spin in London on a Saturday afternoon in March and Wilkinson was able to show us what he believed to be the homes of several people who had walked underneath the drone. In less than an hour of flying, he obtained network names and GPS coordinates for about 150 mobile devices.

He was also able to obtain usernames and passwords for Amazon, PayPal and Yahoo accounts created for the purposes of our reporting so that we could verify the claims without stealing from passersby.

Collecting metadata, or the device IDs and network names, is probably not illegal, according to the Electronic Frontier Foundation. Intercepting usernames, passwords and credit card information with the intent of using them would likely violate wiretapping and identity theft laws.

Wilkinson, who developed the technology with Daniel Cuthbert at Sensepost Research Labs, says he is an ethical hacker. The purpose of this research is to raise awareness of the vulnerabilities of smart devices.

Installing the technology on drones creates a powerful threat because drones are mobile and often out of sight for pedestrians, enabling them to follow people undetected.

While most of the applications of this hack are creepy, it could also be used for law enforcement and public safety. During a riot, a drone could fly overhead and identify looters, for example.

Users can protect themselves by shutting off Wi-Fi connections and forcing their devices to ask before they join networks.

http://money.cnn.com/2014/03/20/technology/security/drone-phone/?google_editors_picks=true

Thanks to Da Brayn for bringing this to the attention of the It’s Interesting community.

Barnaby Jack dies one week before scheduled talk about how to hack implantable medical devices

Barnaby Jack

The mysterious death of a San Francisco “ethical hacker,” who was set to give a speech on infiltrating wireless implantable medical devices, has caused speculation that he was the victim of a targeted attack, and raised alarm about the safety of devices such as pacemakers.

Professional hacker Barnaby Jack, who famously demonstrated how to make ATMs spit out cash, was set to reveal the secrets of how implantable medical devices, specifically pacemakers, can be hacked, in a talk scheduled for last Thursday at the Black Hat security conference in Las Vegas.

“He was able to remotely exploit them, and this talk was really dedicated to how the manufacturers could improve the security of the device,” IOactive CEO Jennifer Steffens said.

But his girlfriend found the 35-year-old dead in his San Francisco home July 25. The cause of death is still under investigation, according to the San Francisco coroner’s office.

Police say they have ruled out foul play, but the cause of death might not be determined by the medical examiner for another month.

Jack dedicated his career to exposing the vulnerabilities hackers can exploit. The title of his scheduled talk at the Black Hat security conference was “Implantable Medical Devices: Hacking Humans,” and he planned to discuss how these devices “operate and communicate, and the security shortcomings of the current protocols,” according to the Black Hat website.

“He wanted to know, how could that stuff down there fail, and especially how it could fail if there were some not nice people out there trying to make it crash,” security researcher Dan Kaminsky said.

Jack’s research into the possibility of hacking medical devices is reminiscent of the plot twist at the end of the second season of the Emmy Award-winning series “Homeland,” in which the fictional vice president was killed when his pacemaker was hacked by terrorists.

That scene got people wondering whether it is possible to hack implantable medical devices. In an interview with Bloomberg News before his death, Jack said that the answer is yes.

“Once I took a look, I was actually shocked to see how many vulnerabilities existed,” Jack said.

The FDA said in a statement that there is no cause for alarm for the nearly 3 million Americans who have pacemakers.

“[The FDA] is not aware of any patient injuries or deaths associated with these incidents, nor do we have any indication that any specific devices or systems in clinical use have been purposely targeted at this time,” the regulatory agency said.

Meanwhile, questions — and even conspiracy theories — are swirling around the Web regarding Jack’s untimely death, with some even blaming the U.S. government.

“This is an industry where a lot of money and danger is at stake,” ABC News consultant and former FBI Agent Brad Garrett said. “The work he was doing certainly put him at some risk.”

http://abcnews.go.com/US/hackers-mysterious-death-prompts-conspiracy-theories-concerns-pacemakers/story?id=19868557