
Some Real Russian Hacking

Patrick Wardle and Mikhail Sosonkin were in Moscow for PHDays (Positive Hack Days). Gianna Toboni of HBO's VICE News was there too, shooting an episode. The program reached out and asked, "Can you hack our producer?" They were promised time on HBO if they succeeded. The fact that there is an HBO video at the end of this post shows that something interesting happened.

"Here's a Russian flag for you, Gianna." "Thanks." "Sorry. But we bought it with your credit card. After you paid for our Uber ride. And we tweeted out on your blue-ticked Twitter account."

So before reading any further, think about how easy you would be to hack. You are on a business trip. It is two days long. Do you think anyone will be able to buy a flag with your credit card, use your account to take an Uber ride, and tweet out pretending to be you?

Phase 1: What Devices Does She Have?

The situation was not ideal, since they were two foreigners in Russia and they only had two days. But the first step was to find out which devices Gianna had, so that they could eventually craft a malicious payload for them. She's a popular figure, so they could Google her, look at images, and see what she was using: a MacBook Pro. Then, through line-of-sight, they could see she was using an iPhone in cafés and out and about. They considered phishing but decided that it doesn't work well against a single person; with a large organization, at least some clicks are almost guaranteed. Instead, they decided to create a rogue WiFi access point.

Phase 2: Evil Maid

They decided on an "evil maid" attack, getting into her room (doesn't "evil maid" sound better than "getting into her room"?). But they didn't know what room she was in. The conference was in the Crowne Plaza, so they figured she'd be in that hotel too. There is a law in the Russian Federation that everyone must authenticate with their name before using public WiFi. In the hotel, the username is the room number and the password is the guest's last name, which they knew was "toboni". They quickly reverse-engineered the login and built a script to iterate through all the room numbers until they found one that let them onto the WiFi with "toboni" as the password. There are not that many rooms, and soon they discovered she was in room 2086.

Next, some social engineering. They needed an American-sounding female voice, so Patrick's wife Dana used Skype to call reception saying she was Gianna Toboni in room 2086, and that Patrick would be stopping by to pick up a key. At first the receptionist wanted to call up to confirm, but since there was a note that she'd called a few minutes earlier, they gave him a room key. In security terms, that's a "super low bar for authentication." This wasn't some random hotel; it was a high-end international chain, and it even had metal detectors at the front entrance. They just don't worry about cyber.

Phase 3: Rogue Access Point

They used a HooToo TravelMate, which is about the size of a MacBook power supply. It has two antennas, since it is designed to bridge two networks, and it is cheap enough to be disposable ($21). They used it to create an access point called "crowne_plaza_guest" and bridged that network to the real hotel network, so anyone using it wouldn't notice anything unusual (hotel WiFi is often slow anyway). They created their own fake login page and used DNS redirection, as public WiFi often does, to force authentication. Once she had authenticated, they connected her through so she could browse normally. They also redirected a couple of domains (like vice.com and yelp.com) where, in principle, they could have launched a 0day attack. But they were in Russia, so even with full permission from VICE News they didn't want to do something too illegal. Plus, 0days are expensive to acquire.

The alternative was a fake Apple screen with VICE TV's IT department insisting that all users download a security update. Apple tries to stop this with Gatekeeper. While they were in her room, her laptop was lying there, so they opened it up in recovery mode (intended for troubleshooting the system), which gives access to the hard drive. They used a USB drive to install malware that she would later run. In some ways, this simulates a border crossing, where customs agents might take your laptop into a back room. A firmware password, or full-disk encryption, would thwart this, but neither is turned on by default. They also installed a surveillance camera inside her hotel room, so that they could steal her passwords by hidden camera. Another warning: "beware when you get a room upgrade, the room may come with pre-installed surveillance."

Phase 4: Credit Cards

So now they had access to her MacBook. But they wanted more: her credit cards, her social media accounts, maybe even the video and microphone. They used Empire (which is open source, pre-existing, and extensible), running it from a virtual machine on Google's cloud, which shouldn't look suspicious. They also went with a launch agent that ensured the implant would reinstall on every reboot. They really needed the root password. Real hackers would just use a 0day to escalate privileges, but they used social engineering and displayed a dialog asking the user to enter the root password. Computers do this regularly, at all sorts of seemingly random moments, so this wouldn't even seem suspicious. Once they had root, they could install a key-logger that transmitted every key pressed. They also dumped the keychain, which contains private keys and passwords. You can actually dump this as a normal user; you don't even need to be root. There is some authentication, but it ignores synthetic events (software pretending to press menu items etc.), so they used "mouse keys", where keyboard events show up as mouse clicks, to get around the checks. They only did a proof of concept of this.

The keylogger would give them most of what they wanted. She booked a trip to Cuba with her credit card, so they had that. She tweeted something, so they had her Twitter password.

Phase 5: Grabbing Her Video

Modern Macs have an LED indicator to show when the camera is on, and it is controlled by firmware, so it is very difficult to change without doing a complete firmware build. But there is no way to tell if another program piggy-backs on legitimate use of the camera. So they set it up to record off the video feed whenever the camera was in use anyway, such as during Gianna's Skype session with her boyfriend.

Mitigations

So what could she have done to prevent this? Or you? Firstly, if someone really wants to hack you, such as the Russian government, they will. Their advice is:

- Take a burner device (a cheap phone you will throw away). Even with a burner device, don't download or install anything.
- Use a VPN for all communications.
- Don't log into any important accounts.
- Use the free Mac security tools: BlockBlock monitors for persistent re-installation of code, LuLu monitors suspicious network connections (such as their command-and-control server), OverSight watches the webcam, and Do Not Disturb watches for "evil maids" (or your dog!) using your computer while you are out and it is left in your room.
- Set a boot/firmware password, and turn on disk encryption.
- Authenticate via biometrics (fingerprint, face recognition).
- Don't trust hotel safes. They have to have a master password, and there are plenty of ways on the net to find them out.
- Keep your devices with you as much as possible.

Of course, some of this advice is hard to stick to, since it is hard to use your devices for the things you need to get done without "logging into any important accounts", or using only a burner device whose number hardly anyone knows.

Summary

So they had pretty much everything. They could turn the mike on and record sound. They could record video whenever the camera was in use. They had her credit card number. They could tweet from her verified Twitter account. They took Uber rides on her credit card.

"Anything you couldn't get?" "Not really. And these are not really sophisticated attacks."

Skip to 8 minutes in the video. Sorry, our blogging platform ignores my instruction, so you have to do it yourself. www.youtube.com/watch

After the presentation, someone from the audience asked how Gianna really felt. They said that she was a good sport on camera, but in reality she was pretty freaked out when they handed her her room key. She had no idea she was being targeted. When the camera crew was supposedly filming some B-roll, they were actually filming her being hacked. It was a complete surprise just how completely she had been pwned.
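The launch agent that reinstalled the implant on every reboot (Phase 4) is exactly the kind of persistence that BlockBlock, from the mitigations list, watches for. As an added illustration that is not code from the talk or from any of the tools named above, the script below parses launchd plists and flags the properties that make an item a persistence mechanism; the directory, labels, paths and plist contents are all constructed for the demo.

```python
# Added example (not from the talk or the tools it mentions): a BlockBlock-style
# scan that flags LaunchAgent plists which relaunch a payload at every login.
# Everything below is constructed; on a real Mac, point scan_directory at
# ~/Library/LaunchAgents, /Library/LaunchAgents or /Library/LaunchDaemons.
import plistlib
import tempfile
from pathlib import Path

TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/")
INTERPRETERS = {"python", "python3", "osascript", "bash", "sh", "zsh", "curl"}


def assess_launch_agent(plist_bytes):
    """Parse one launchd plist and list why it looks like a persistence item."""
    p = plistlib.loads(plist_bytes)
    args = p.get("ProgramArguments") or ([p["Program"]] if "Program" in p else [])
    reasons = []
    if p.get("RunAtLoad"):
        reasons.append("RunAtLoad: starts at every login")
    if p.get("KeepAlive"):
        reasons.append("KeepAlive: relaunched if the process is killed")
    if args:
        exe = args[0]
        if not exe.startswith(TRUSTED_PREFIXES):
            reasons.append("executable outside trusted dirs: " + exe)
        if Path(exe).name in INTERPRETERS:
            reasons.append("interpreter used as launcher: " + Path(exe).name)
        if any(a.startswith(("http://", "https://")) for a in args):
            reasons.append("argument references a remote URL")
    return {"label": p.get("Label"), "args": args, "reasons": reasons}


def scan_directory(directory):
    """Assess every .plist in a LaunchAgents-style directory."""
    return [assess_launch_agent(f.read_bytes()) for f in sorted(Path(directory).glob("*.plist"))]


# Constructed samples: an implant-style agent and an ordinary system-style agent.
SUSPICIOUS = plistlib.dumps({
    "Label": "com.example.update",  # placeholder label
    "ProgramArguments": ["/Users/guest/Library/Caches/.update", "-s", "https://c2.example.invalid"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
BENIGN = plistlib.dumps({"Label": "com.example.agent", "ProgramArguments": ["/usr/bin/ssh-agent", "-l"], "RunAtLoad": True})


def demo_scan():
    """Write the samples to a temp dir and return findings with two or more reasons."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "com.example.update.plist").write_bytes(SUSPICIOUS)
        Path(d, "com.example.agent.plist").write_bytes(BENIGN)
        return [r for r in scan_directory(d) if len(r["reasons"]) >= 2]
```

A single RunAtLoad hit is normal for many legitimate agents, which is why demo_scan only reports items that combine it with a second indicator such as an untrusted executable path or a remote URL.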
