DEF CON might be the conference known for lots of bad behavior, but Black Hat has its share of bad actors as well. Some of them are doing research, but many are simply itching to test out their skills on other cybersecurity pros. From researchers breaking into ATMs for their latest talk to the Jeeps that keep getting owned, a lot of craziness is going on at both cons.
The Pwnies get an inside look by using our tools to see what’s going on under the surface - in the world of Bluetooth and wireless and (possibly) rogue cell towers. DEF CON is pretty famous for its share of curious guys walking around with an antenna and a computer to sniff out what kind of mischief is happening out on the floor. Pulse automates and visualizes that process.
For those who are unfamiliar, Pulse provides device threat detection of rogue or malicious devices, misconfigured devices, IoT devices that cannot host an agent-based solution, employee devices brought into the company network with little to no oversight, and Bluetooth devices (oh, and others). What this means for the floors of Black Hat and DEF CON is that we can see devices behaving badly, and we can also frequently see how severe the attack was - the number of people who connected to an attack, for example.
This year's Vegas shows did not disappoint - we caught major attacks at both shows. Most notably, the team found a karma attack - essentially an access point that pretends to be various networks that it’s not - at Black Hat.
Karma attacks answer the probe requests that client devices send out for the networks they have saved, advertising SSIDs with the same names as those networks. We caught 35,000 people connecting to this particular one, which is a substantial number for any attack. If users were not careful about what they sent over that connection, any traffic that crossed it may have been captured - everything from passwords to emails to confidential information.
While something like a large-scale Karma attack is easier to find over time, part of what we try to do is to see the things that might pose a problem from the get go. In addition to the attack above, we stumbled upon wireless printers that may have been misconfigured and could provide beachheads into the network they were connected to:
We saw a lot more on and around the Black Hat network, which you can see in the video below:
The karma attack was definitely not the only suspicious thing we found - while watching the networks we also came across an extremely suspicious 2G cell network, very possibly a rogue tower set up to see the traffic crossing it. This cellular access point was only broadcasting in 2G, which suggests that it wasn't a modern AP (which tend to be 3G or 4G). If a hacker jammed the other cell networks in the area, your phone would automatically connect to the best connection left - in this case, an attacker's.
It was less surprising to see bad behavior at DEF CON, as the show is well known to be a hotbed of hacks. What was more surprising is that many of the same techniques work at both shows. Users joining open wireless networks and then connecting to a poisoned SSID appears to be a popular way of getting at personal info, so as our own commodon says, #DONTUSEWIFI.
First, a DEF CON Karma attack:
A lot of these attacks rely on users joining open wifi once and then allowing their devices to reconnect to it at will in the future. Here are the most popular broadcast probes from the 50,000 client devices we saw at DEF CON (and yes, this list should be concerning):
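The two behaviors described above - one transmitter answering to many different network names (the karma pattern), and clients broadcasting probes for every network they have saved - are both visible in plain 802.11 management frames. The script below is an added example, not Pulse code or anything captured at the shows: it runs over a constructed list of probe request, probe response and beacon records (type, transmitter address, SSID) and flags any transmitter claiming an unusually large set of SSIDs, then tallies which SSIDs clients are probing for most, counting each client once per name. The threshold of three SSIDs per transmitter is an assumption chosen for the sample, not a tuned detection value.

```python
from collections import Counter, defaultdict

# Constructed sample frames for the example: (frame_type, transmitter_mac, ssid).
# Addresses and network names are made up; nothing here was captured at a show.
SAMPLE_FRAMES = [
    ("probe_req", "aa:bb:cc:00:00:01", "attwifi"),
    ("probe_req", "aa:bb:cc:00:00:02", "attwifi"),
    ("probe_req", "aa:bb:cc:00:00:03", "xfinitywifi"),
    ("probe_req", "aa:bb:cc:00:00:01", "HomeNet"),
    ("probe_req", "aa:bb:cc:00:00:01", "attwifi"),   # repeat from same client
    # One transmitter answering every name it hears: the karma signature.
    ("probe_resp", "de:ad:be:ef:00:01", "attwifi"),
    ("probe_resp", "de:ad:be:ef:00:01", "xfinitywifi"),
    ("probe_resp", "de:ad:be:ef:00:01", "HomeNet"),
    ("probe_resp", "de:ad:be:ef:00:01", "Starbucks"),
    # Ordinary access points beaconing a single name each.
    ("beacon", "ca:fe:ca:fe:00:01", "BlackHat-Guest"),
    ("beacon", "ca:fe:ca:fe:00:02", "attwifi"),
]


def ssids_per_transmitter(frames):
    """Map each AP-side transmitter to the set of SSIDs it has advertised
    in beacons or probe responses."""
    seen = defaultdict(set)
    for ftype, addr, ssid in frames:
        if ftype in ("probe_resp", "beacon") and ssid:
            seen[addr].add(ssid)
    return seen


def find_karma_candidates(frames, threshold=3):
    """Return [(transmitter, sorted SSIDs)] for transmitters that have claimed
    at least `threshold` distinct SSIDs. A legitimate AP normally advertises
    one name (or a handful for multi-SSID radios); a karma AP mirrors whatever
    clients ask for, so its SSID set grows with the probes it hears."""
    seen = ssids_per_transmitter(frames)
    return sorted(
        (addr, sorted(ssids)) for addr, ssids in seen.items()
        if len(ssids) >= threshold
    )


def top_probed_ssids(frames, n=5):
    """Rank SSIDs by how many distinct clients probe for them, so one chatty
    client that repeats a probe every few seconds does not dominate the list."""
    per_client = defaultdict(set)
    for ftype, addr, ssid in frames:
        if ftype == "probe_req" and ssid:
            per_client[addr].add(ssid)
    counts = Counter()
    for ssids in per_client.values():
        counts.update(ssids)
    return counts.most_common(n)


if __name__ == "__main__":
    for addr, ssids in find_karma_candidates(SAMPLE_FRAMES):
        print(f"possible karma AP {addr}: answering as {', '.join(ssids)}")
    print("most probed SSIDs (distinct clients):")
    for ssid, clients in top_probed_ssids(SAMPLE_FRAMES):
        print(f"  {ssid}: {clients}")
```

On a real capture the records would come from a monitor-mode interface rather than a list, but the two checks stay the same: a transmitter whose SSID set keeps growing to match nearby probe requests, and a probe list full of open hotspot names that any such transmitter can impersonate.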
Want to see what kinds of devices and attacks are happening near your networks?
For more on the subject, you can read Max Eddy’s article from PC Mag.