Cyberhacks and attacks are typically talked about with negative connotations, but not all cyberhacks are bad news.
Security researchers are constantly on the lookout for “good hacks” that will help them better understand the bad guys and beef up security on current technology and devices. Lightbulb and ‘do-gooder’ worms, machines replacing humans to hack other machines and high-speed car hacking were among the most innovative white-hat hacks that happened in 2016
MouseJack attack finds vulnerabilities with non-Bluetooth wireless mice
With a $15 dongle, researchers at Bastille were able to sniff traffic from PCs, Macs, and Linux machines that use non-Bluetooth wireless mice and keyboards, thanks to the unencrypted communications employed by seven different wireless dongle vendors. This “MouseJack” attack exploited nine vulnerabilities across devices from Logitech, Dell, HP, Lenovo, Microsoft, Gigabyte, and AmazonBasics. The researchers could take control of the input devices and ultimately infiltrate the machines and their networks from over 300 feet away from the victim’s machine.
MouseJack exploits wireless proprietary protocols that operate in the 2.4GHz ISM band and don’t encrypt communications between a wireless mouse and its dongle. An attacker then could spoof a mouse and insert his own clicks and inputs to the dongle, and generate keystrokes instead of mouse clicks on the victim’s computer.
The lights-out worm
While there was talk of hackers attacking power companies, researchers realized all it takes is one “smart” lightbulb rigged with a worm to spread to nearby lights within minutes. At Black Hat USA this summer, researcher Colin O’Flynn outlined work he and fellow researchers Eyal Ronen, Adi Shamir, and Achi-Or Weingarten conducted with the Philips Hue smart lighting system to demonstrate how a worm could be unleashed to turn out (or on) the lights in a city or local area or even to wage a distributed denial-of-service attack.
“The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity,” the researchers wrote in a research paper. They were able to show how plugging in just one infected bulb anywhere in a city using the smart lights could then spread to adjacent lights throughout the city.
Who needs humans? We’ve got machines hacking machines
DARPA hosted a contest at DEF CON this year: the first-ever all-machine “capture the flag” contest. Researchers brought their hacking machines to go into a live forum against the contest’s testbed of challenges as well as their opponents’ machines.
The Cyber Grand Challenge featured high-performance autonomous systems that were tasked with finding and fixing security flaws in the contest’s air-gapped network. Seven teams associated mainly with various universities for 12 hours watched their machines reverse-engineer binary software, write new intrusion detection system signatures to protect themselves from opposing teams, and patch and defend their own machines. Six of the seven machines patched the contest’s SQL Slammer flaw/flag, and six of the seven did the same with Heartbleed all within a matter of minutes.
These “good hacks” are beneficial to the security industry, allowing researchers and infosec professionals to better understand flaws within current systems and technologies and how to prevent future cyber attacks. Here is the look at the biggest bad hacks and attacks of 2016.