The December 2022 issue of IEEE Spectrum is here!

Close bar

This Week In Cybercrime: Black Hat Edition

The gaps in computer security discovered by ethical hackers are scary indeed

2 min read
This Week In Cybercrime: Black Hat Edition

How secure do you feel about the wireless router you use at home? Maybe more than you should. Researchers at AppSec Consulting Inc., in San Jose, Calif., reported new vulnerabilities at the annual Black Hat computer security conference, which took place from 21–26 July in Las Vegas. To be sure, compromises to routers, switches, printers, and other frequently networked hardware have been discussed at Black Hat as far back as 2006.

But the associated attacks were hard to pull off back then, so the problem was never addressed. This year, though, the AppSec team demonstrated their exploit using a popular type of Linksys router. As reported by Information Week, after getting a computer user to go to a malicious website, the site pushed a JavaScript app instructing the Web browser to relay information about all locally-connected devices—including the router. A brute force attack—or in too many cases, an educated guess—can easily yield the router's login information and thus access privileges that let the attacker install malicious firmware.

"We're replacing an operating system on a network device and taking complete control of it," AppSec presenter Phil Purviance, an information security specialist, told Information Week. The exploit, which could easily go undetected,

“could be used to install custom firmware, allowing an attacker to surreptitiously monitor everything that passed through the device, for example by instructing the router to send all data to an attacker-controlled website.”

The Black Hat conferences annually supply a rich vein of revelations about just how vulnerable computers and related devices are to the machinations of people intent on doing dastardly things. Fortunately, despite the suggestive name, the presenters conduct their hacks with the aim of revealing vulnerabilities before they can be exploited for nefarious purposes.

Another of this year's hacks looked at the new cellphones that allow users to share photos and other data by tapping the devices together. They're cool and convenient, but the near-field communication that allows this swapping of data—including credit card information for making online payments—may leave handsets open to outside attacks. In a session called “Don’t Stand So Close to Me: An Analysis of the NFC Attack Surface,” researchers from Accuvant Labs reported that there are technologies capable of letting someone access another person’s phone to view stored images, videos, and documents, open Web pages in the phone’s browser, or turn the handset into a zombie that allows them to send text messages and make phone calls using the victim’s calling and data plan.

And a researcher at Universidad Autonoma de Madrid delivered a talk debunking the notion that the binary code used in biometrics databases to represent scanned iris images do not contain enough information to allow the original iris image to be reconstructed. Javier Galbally, whose research focus is on synthetic generation of biometric traits, came up with a probabilistic approach to reconstituting the images from binary templates. Subsequent experiments showed that although they wouldn’t fool a human biometrics expert, the reconstructed images may be good enough to fake out an iris recognition system.


The Conversation (0)

Why the Internet Needs the InterPlanetary File System

Peer-to-peer file sharing would make the Internet far more efficient

12 min read
An illustration of a series
Carl De Torres

When the COVID-19 pandemic erupted in early 2020, the world made an unprecedented shift to remote work. As a precaution, some Internet providers scaled back service levels temporarily, although that probably wasn’t necessary for countries in Asia, Europe, and North America, which were generally able to cope with the surge in demand caused by people teleworking (and binge-watching Netflix). That’s because most of their networks were overprovisioned, with more capacity than they usually need. But in countries without the same level of investment in network infrastructure, the picture was less rosy: Internet service providers (ISPs) in South Africa and Venezuela, for instance, reported significant strain.

But is overprovisioning the only way to ensure resilience? We don’t think so. To understand the alternative approach we’re championing, though, you first need to recall how the Internet works.

Keep Reading ↓Show less