Security researchers who participated in the Pwn2Own hacking contest have demonstrated remote code execution exploits against the top four browsers, and also hacked the widely used Adobe Reader and Flash Player plug-ins.
South Korean security researcher and serial browser hacker Jung Hoon Lee, known online as lokihardt, single-handedly popped Internet Explorer 11 and Google Chrome on Microsoft Windows, as well as Apple Safari on Mac OS X.
He walked away with US$225,000 in prize money, not including the value of the brand new laptops on which the exploits are demonstrated and which the winners get to take home.
The Pwn2Own contest takes place every year at the CanSecWest security conference in Vancouver, Canada, and is sponsored by Hewlett-Packard’s Zero Day Initiative program. The contest pits researchers against the latest 64-bit versions of the top four browsers in order to demonstrate Web-based attacks that can execute rogue code on underlying systems.
Lee’s attack against Google Chrome earned him the largest payout for a single exploit in the history of the competition: $75,000 for the Chrome bug, an extra $25,000 for a privilege escalation to SYSTEM and another $10,000 for also hitting the browser’s beta version — for a total of $110,000.
The IE11 exploit earned him an additional $65,000 and the Safari hack $50,000.
Lee’s accomplishment is particularly impressive because he competed alone, unlike other researchers who teamed up, HP’s security research team said in a blog post.
Also on Thursday, a researcher who uses the hacker handle ilxu1a popped Mozilla Firefox on Windows for a $15,000 prize. He also attempted a Chrome exploit, but ran out of time before he managed to get his attack code working.
Mozilla Firefox was also hacked, during the first day of the competition, by a researcher named Mariusz Mlynski. His exploit also leveraged a Windows flaw to gain SYSTEM privileges, earning him a $25,000 bonus on top of the standard $30,000 payout for the Firefox hack.
Most of the attacks demonstrated at Pwn2Own this year required chaining of several vulnerabilities together in order to bypass all defense mechanisms put in place in operating systems and browsers to prevent remote code execution.
The final count for vulnerabilities exploited this year stands as follows: five flaws in the Windows OS, four in Internet Explorer 11, three each in Mozilla Firefox, Adobe Reader, and Flash Player, two in Apple Safari and one in Google Chrome.
Electric carmaker Tesla Motors is searching for security researchers to hack its vehicles. The Silicon Valley based high-tech auto maker will hire up to 30 full-time hackers whose job will be to identify and resolve vulnerabilities in the sophisticated firmware that controls its cars.
“Our security team is focused on advancing technology to secure connected cars,” a company spokesman said via email. The focus is on “setting new standards for security and creating new capabilities for connected cars that don’t currently exist in the automotive industry. The positions are full time, and we will have internship opportunities as well.”
Tesla’s cars are among the most digitally connected vehicles in the industry with the battery, transmission, engine systems, climate control, door locks and entertainment systems remotely accessible via the Internet.
So the company has a lot at stake in ensuring that the connectivity that allows its vehicles to be remotely managed doesn’t also provide a gateway for malicious hackers.
Security researchers have already shown how malicious attackers can break into a car’s electronic control unit and take control of vital functions including navigation, braking and acceleration.
In 2013, two researchers at the Defense Advanced Research Projects Agency (DARPA) showed how they could take control of a vehicle through the controller area network (CAN) used by devices in a car to communicate with each other. The researchers showed how attackers could send different commands to a car and cause it to brake or accelerate suddenly or jerk its steering wheel in different directions.
In that study, the researchers needed physical access to the CAN bus to carry out the attack. However, researchers have noted that similar attacks can be carried out wirelessly by accessing the CAN bus through Bluetooth connections, compromised Android smartphones and vehicle tracking and navigation systems like OnStar.
Such concerns have begun gaining wider attention with the federal government’s plans to require all vehicle manufacturers in the U.S. to incorporate vehicle-to-vehicle (V2V) communications capabilities in all light vehicles over the next few years.
The goal is to have a standard in place that would allow vehicles to automatically exchange information, such as speed and location data, with each other, with a view to avoiding collisions.
Tesla has been among the most proactive carmakers in addressing potential security threats. It was the only automaker to attend the recent Def Con security conference in Las Vegas, where a security executive took the opportunity to promote the company’s responsible vulnerability reporting program and to recruit new team members.
Devices used by many radio and TV stations to broadcast emergency messages as part of the U.S. Emergency Alert System (EAS) have critical vulnerabilities that expose them to remote hacker attacks, according to researchers from security consultancy firm IOActive.
The EAS is a national public warning system that can be used by the president or local and state authorities to deliver emergency information to the general public. This information is transmitted by broadcasters, cable television systems, wireless cable systems, satellite digital audio radio service (SDARS) providers, and direct broadcast satellite (DBS) providers.
EAS participants are required to install and maintain special decoding and encoding devices on their infrastructure that allow the transmission and relay of EAS messages.
IOActive Labs researcher Mike Davis found several critical vulnerabilities in EAS devices that are widely used by radio and TV stations nationwide, said Cesar Cerrudo, chief technology officer of IOActive.
The vulnerabilities allow attackers to remotely compromise the devices and broadcast fake EAS messages, he said. “We contacted CERT [U.S. Computer Emergency Readiness Team] almost a month ago and CERT is coordinating with the vendor to get the issues fixed.”
At least two products from one of the main vendors of EAS devices are affected, so many radio and TV stations could be vulnerable, he said.
Cerrudo declined to name the vulnerable products or the affected vendor before the vulnerabilities get fixed. He hopes that this will happen soon so that IOActive researchers can discuss their findings at the RSA 2013 security conference in San Francisco later this month.
“We found some devices directly connected to the Internet and we think that it’s possible that hackers are currently exploiting some of these vulnerabilities or some other flaws,” Cerrudo said.
Concerns regarding cyberterrorism was front and center this week among security experts at the RSA security conference in San Francisco, who find that some people with extremist views have the technical knowledge that could be used to breach computer networks.
Cyberterrorism does not exist currently in a serious form, but some individuals with extremist views have displayed a significant level of knowledge of hacking, so the threat shouldn’t be underestimated, said F-Secure’s chief research officer Mikko Hypponen on Thursday at the RSA security conference in San Francisco .
Other security experts agree. “I think it’s something that we should be concerned about. I wouldn’t be surprised if 2012 is the year when we start seeing more cyberterrorism,” said Mike Geide, a senior security analyst at security vendor Zscaler.
Extremists commonly use the Internet to communicate, spread their message, recruit new members and even launder money in some cases, Hypponen said during a presentation about cyberterrorism at the conference.
Based on the data Hypponen analyzed, most groups of radical Islamists, Chechen terrorists or white supremacists seem at this stage more concerned about protecting their communications and hiding incriminating evidence on their computers.
They’ve even built their own file and email encryption tools to serve this goal and they use strong algorithms that cannot be cracked, Hypponen said. However, there are some extremists out there that possess advanced knowledge of hacking, and they are trying to share it with others, he added.
The researcher has seen members of extremist forums publish guides on how to use penetration testing and computer forensics tools like Metasploit, BackTrack Linux or Maltego. “I don’t think they’re using these for penetration testing though,” Hypponen said.
Others have posted guides on website vulnerability scanning, SQL injection techniques, and on using Google search hacks to find leaked data and more, he said.
Although such extremists have mainly succeeded in unsophisticated Web defacements so far, Hypponen believes that cyberterrorists could become the fourth group of Internet attackers after financially-motivated hackers, hacktivists and nation states engaging in cyberespionage.
The closest we’ve come to a real cyberterrorist attack was the DigiNotar breach which resulted in rogue digital certificates being issued for high-profile domain names, said Richard Moulds, vice president of strategy and product marketing at French defense contractor Thales.
Other countries — and many companies — are using social-networking tools to their advantage, while the U.S. government has taken tiny steps forward, said Rand Waltzman, a program manager focused on cybersecurity at the U.S.Defense Advanced Research Projects Agency (DARPA).
The Chinese government pays citizens to patrol social-networking sites and dispute negative talk about all levels of government or any aspect of Chinese life, and companies such as Dell and Best Buy are training workers to respond to complaints on Facebook and other social-networking services, Waltzman said at the Suits and Spooks security conference in Arlington, Virginia.
U.S. regulations prevent the government from undertaking similar campaigns, he said. “Any time you want to go to the bathroom, you need presidential approval,” he said.
The U.S. will not be able to protect its residents if it cannot engage in its own covert social-media operations, Waltzman said.
Waltzman told about a U.S. special forces unit in Iraq in 2009 that attacked an insurgent paramilitary group, killed 16 of the members of the group and seized a “huge” weapons cache. As soon as the U.S. unit left the scene, the Iraqi group returned, put the bodies on prayer mats, and uploaded a photograph from a cheap mobile phone, he said. The group put out a press release in English and Arabic.
The insurgent group “made it look like someone had come in and murdered these guys in the middle of prayer, unarmed,” Waltzman said.
Meanwhile, it took the U.S. soldiers three days to get approval to post their video of the fighting, he added. “In social media time, three days is forever,” he said. “The damage has already been done, and there’s no way to take it back.”
U.S. politicians seem to be conflicted about using social media covertly, Waltzman said. Some denounce China for its social-media propaganda efforts, yet there are several examples in the 2010 congressional election campaigns of astroturfing, of using fake grassroots campaigns to support candidates, he said.