When you finally arrive at a long-anticipated event, there’s such a high level of excitement in the air that if it were contagious like a virus it would have spread through more people than some small towns have in their entire population. This intense excitement may be what ‘regular’ folks feel when arriving at Disney World, except this is better; this is a bit like a magical Disney but for hackers. It’s only the first day and more than 15,000 hackers, security professionals and feds have flooded into the Rio at Las Vegas for Def Con 20. Who knows what the final numbers will be, but more people than ever before are expected to attend. In fact, there is a Def Con documentary in the making right now.
There is a mass sea of flashing Def Con badges moving through the casino, filling the hallways, lining up to attend ‘tracks’ or presentations on very specific topics, as well as competing in contests and events. Even better than Disney’s Epcot World Showcase are special lands at the Rio such as Lockpick, Wireless or Hardware Hacking Villages. But that doesn’t even begin to scratch the surface or sum up what’s happening at the 20th anniversary of Def Con.
So far there was an epic line of people trying to get inside the auditorium to hear NSA Chief General Keith Alexander speak about “Shared Values, Shared Responsibility,” but thousands were unable to get inside that packed talk. Maybe we'll talk more another time about General Alexander's speech as well as the presentation "Changing the Security Paradigm: Taking Back Your Network and Bringing Pain to the Adversary" as delivered by former FBI Executive Assistant Director Shawn Henry.
During “Can You Track Me Now?” -- a presentation about government surveillance via mobile location data -- Christopher Soghoian mentioned that Sprint couldn’t handle the volume of government and law enforcement surveillance requests. So instead of processing manual requests, Sprint set up a “self-service” portal so government agencies can log in and track as many people as they wish, “wholesale” style. With Sprint, it’s become a regular buffet where $30 can get government snoops all the location data they could possibly “eat.”
The two “scariest” aspects of this location data surveillance are topics we don’t have much information about. The first is historical cell tower dumps, where hundreds if not thousands of innocent Americans are caught up in a dragnet and entered into a database simply because their phone pinged a specific tower. The other aspect We the People need to know more about is the “community of interest” request: if you were a person of interest being tracked, this would snag the location data of everyone you called and everyone that called you.
In this day and age of electronic eavesdropping, everyone should encrypt and be anti-forensic friendly. That, however, doesn’t mean law enforcement can’t access your encrypted data anyway. In fact, both Google and Apple provide access to encrypted data. Another FYI from Soghoian: when it comes to the iPhone, Apple has a “monster skeleton key” so it can clone the data and cough it up to a government snoop. For Android users, Google approaches this by changing the account password so the police can get in and spy to their hearts’ content. Afterwards, Google changes the password back to what it was.
While we are talking Google and Android, during a presentation called “Don’t Stand So Close To Me,” security researcher Charlie Miller easily hacked NFC on Android and Nokia phones left on their default settings. Near Field Communication, or NFC, is that handy tech that allows you to pay wirelessly, as in to “wave your wallet” via your smartphone. IMS Research says there will be 80 million NFC cell phones by the end of 2012, but paying via your phone is not all that NFC can do. Miller demonstrated how, in a crowd such as Disney or Def Con, an attacker only needs to brush up against a victim to hijack the phone.
Miller, a former NSA analyst, didn’t actually compromise NFC, but utilized the Android Beam that “allows simple peer-to-peer data exchange between two Android-powered devices.” This automatic beaming “feature” was meant to be easier since it requires neither pairing, nor device discovery. Just as we saw with the keycard hotel door hack, Android Beam is currently insecure by default.
Although it is highly unlikely your phone will be pwned in such a manner, the Android Beam feature allowed Miller to use an NFC tag to make the browser open a malicious webpage without the user’s approval. That could be further exploited by using a WebKit vulnerability to download the attack payload. It would then be possible to take complete control of the phone. Some of the issues were corrected in Ice Cream Sandwich, and Google will no doubt be working on securing the feature. Miller also found NFC security issues with the Nokia N9.
That’s all for now as I need to get back to hacker heaven. We’ll look at more from Def Con 20 next week.