By Franck Cecile – TheExpert Cybersecurity Squad
> See also:
- Squad at #DEFCON27 (1/3): What's that?
- Squad at #DEFCON27 (Part 3/3): My impressions
My DEF CON experience
What did I do there, what did I see there?
My DEF CON experience was marred by a canceled flight during my transfer to Philadelphia. A storm and around thirty flight cancellations meant a 48-hour delay in getting back to Las Vegas. That's two days of DEF CON missed. Never mind, the remaining two days were enough to take in the immensity of the event and appreciate all its aspects. In any case, even if you were there for all four days, you would only be able to cover 25% of the convention, such is its sheer size. Summary of the schedule:
- Half day to attend 2 talks:
- A talk at the Aviation Village
- A talk at Hack The Sea Village
- Half a day exploring the different villages
- Half day to attend two conferences:
- A conference on the possibility of injecting a backdoor into a microcontroller
- A conference on the possibility of injecting ransomware into a digital camera
- Half a day exploring DEF CON as a whole, punctuated by the closing meeting
That's it for the overview. Let's move on to the details.
Aviation & Safety
The first Talk I attended was given by four speakers (with impressive résumés) from Aviation Village. Their profiles were very complementary (a doctor, a researcher, a hacker, and a former pilot). The talk focused on the state of aviation security policies.
A brief introduction by thefirst speaker onair traffic control safety regulations, using the case study of a Boeing 737 MAX. The floor is then given to his colleagues, who get straight to the heart of the matter.
Thesecond speaker draws parallels with other industries (particularly the automotive industry) in terms of the organizational and regulatory complexity involved in addressing vulnerabilities identified in aircraft. These include the age and obsolescence of systems, difficulties in procuring equipment (banks are less willing to grant credit for the purchase of a Boeing than for a Golf, for example) and in testing bugs under real conditions, and finally, the (extremely cumbersome) implementation of widespread corrective measures, whether technical, organizational, or physical.
Thethird speaker presents a vulnerability that he has (proudly) brought to light, concerning the hijacking of air traffic via the ADS-B (Automatic Dependent Surveillance-Broadcast) protocol. An airliner sends its GPS position to anyone who wants to hear it via this protocol, which is unauthenticated and unencrypted. A $1,000 radio is therefore sufficient to transmit a false GPS signal to the control tower. Several chaotic (but not catastrophic) scenarios are therefore conceivable. For more information, click here.
Finally, the last speaker, a former US Air Force pilot, gave his professional opinion on how to deal with safety, security, or cybersecurity incidents when in flight. According to him, pilots have three options in the event of an incident while in the air: return to base, return to base urgently (or even eject), or ignore the incident. Under no circumstances can pilots afford to waste time in the air analyzing, diagnosing, or resolving the incident. It is easy to understand that a pilot cannot handle this type of incident, which exceeds both his skills and his ability to deal with it in addition to the actual piloting.
The speeches were complementary, of course, but sometimes gave the impression of being disconnected (I would even go so far as to say that the speakers were indirectly taking jabs at each other when discussing their work or missions, showing little consideration for each other's work).
I also wonder about the possibility of carrying out an attack by hijacking air traffic, and its real impact. Some research indicates that the risk exists, but is not as excessive as one might fear. Other security measures (defense in depth principle) prevent the scenario from turning into a disaster so easily. The information and insights provided were nonetheless very interesting.
Maritime & Propulsion
The second talk concerned Hack The Sea Village, dedicated to maritime issues. The talk was given by a hacker (again, with a very impressive CV and experience) on vulnerabilities discovered in a ship's propulsion control system following a bug bounty.
Initial explanations were provided on the generic operation of a diesel engine, noting in passing that the maritime world is not familiar with IT/OT. Then we moved on to the choice of equipment to be tested: two ICS devices from Auto-Maskin – Propulsion Management (DCU 210E Engine Controller and RP210E Remote Panel). The reasons for this choice are as follows: it is a widely used brand and, above all, it is not necessary to prove that you are building a ship in order to purchase the equipment, as seems to be the case with the competition.
The speaker then provides us with a list of warships equipped with these systems, information obtained directly from the company's sales representative: we are talking about aircraft carriers and combat ships. A little more sensitive than a ferry boat, after all.
Next comes a presentation of the lab that has been set up, with direct network access to the ICS, as well as wireless access to use the company's Android app (yes, you read that right). And finally, a presentation of the bug bounty methodology. Very classic, backed up by solid skills. Network scans, code analysis, brute force, etc. Basic stuff, and it's the hacker himself who points this out and reminds us: nothing drastic! The result: four CVEs (Common Vulnerabilities and Exposures) discovered, including one concerning hard-coded identifiers in the system! Technical details were then provided and explained about these discoveries.
And that's it. For my part, I felt a little frustrated after such mind-blowing discoveries. I expected them to mention the threat hanging over these systems and the real risk involved.
There is no doubt that with such easy access to this information (whether through sales or bug bounty programs), there is a risk. But I wonder about the possibility of exploiting these vulnerabilities, knowing that even if one is well informed, the attacker would have to overcome other security measures to gain access to the system and carry out their attack. Not easy, but not impossible given what is at stake.
The conferences
I also attended two conferences. Thefirst intrigued me because of the possibilities it offered: injecting a payload onto a microcontroller to set up a backdoor. Thesecond interested me more for personal reasons, as a photographer: the possibility of injecting ransomware onto a digital SLR camera.
At a time when there are suspicions about possible backdoors in Huawei, Kaspersky, Android, F35 fighter jets, and so on, with issues of national sovereignty at the forefront, what is the reality of the situation? Without going into technical details or the methodology used (my skills limited my understanding, but the subject was nonetheless extremely well presented), the speaker showed several videos with quite impressive results: the retrieval of text messages received by a phone, as well as the (partial) control of a car. A little more detail here.
However, once again, I question the realism and feasibility of such an attack, given that physical access to the microcontroller is required. Who would have an interest in setting up such backdoors, and above all, who would have the financial, organizational, and even political means (the technical aspect being almost irrelevant at this level) to do so without it being noticeable?
Finally, the last presentation was on injecting ransomware into a Reflex camera via wireless connection. In this case, a Canon EOS 80D (running DryOS, a proprietary operating system). Here again, I will skip over the technical details and methodology discussed, which, once again, according to the speaker (who works for the CheckPoint research center), remain very basic, but which, in my opinion, do not detract from the hacker's success.
See here. The vulnerabilities discovered can be exploited via USB cable, Bluetooth, or Wi-Fi. The ransomware (which is fake in this case) is injected through vulnerabilities in the PTP (Picture Transfer Protocol), which is not sufficiently secure. It should be noted that the CVEs have been confirmed by Canon and have already been patched through a firmware update.
The demonstration is shown in a video, and indeed, the device ends up being locked and the photos encrypted. Another detail pointed out by the speaker is that the PTP protocol is used by other manufacturers (Nikon, Sony, etc.). The same flaw is therefore (potentially) exploitable.
Ransomware on a DSLR camera—another masterstroke by those pesky hackers! That was pretty much the consensus across the media following the conference. The news spread far and wide, making quite an impact on the general public immediately after DEF CON. But this time, as a photographer, I can judge for myself and assess the threat and risks to my favorite activity.
As the owner of a Canon EOS 7D, 6D, and Sony A7, my point of view is as follows:
- 7D: no wireless, not applicable, it's simpler
- 6D: Wi-Fi, but I don't use it at all, so I've disabled it. Not relevant either.
- A7: I use wireless technologies extensively to quickly transfer my photos to smartphones and immediately back them up to my cloud, with minimal effort. I think I use these technologies much more than the average photographer. But as an ordinary person, am I affected by this?
The answer: no, not at all. Why? Because I prefer NFC (which I only activate when necessary) for wireless transfer (so no PTP). I do sometimes use Wi-Fi, it's true (so probably the PTP protocol), but it's rarer. When I do, I either connect to my device point-to-point with a preconfigured and secure ad hoc network using my smartphone (so I'm not affected), or occasionally (but very rarely) I connect to my home Wi-Fi (so I'm hardly affected). It should be noted that for battery reasons, I only activate Wi-Fi when necessary.
In what circumstances could you be attacked? By connecting to public Wi-Fi, which is extremely rare for a photographer, in my opinion. And unless you are a well-known photographer and a prime target, I highly doubt (but this is only my opinion) that an attacker would have any interest (financial or otherwise) in carrying out this type of attack.
So, once again, the technical achievements are impressive, but their real-life significance needs to be examined.
What about the rest?
Apart from the talks and conferences I attended, and not having the technical skills to participate in CTFs, Bug Bounties, and Workshops, I was able to explore the Villages and the different areas of DEF CON without seeking specific information. It must be said that there was plenty of choice, as there were so many Villages. Among the main topics covered were:
- AI (Artificial Intelligence)
- Aviation
- Blockchain
- Cars
- The Cloud
- Encryption
- Drones
- Maritime (Ships & Ports)
- The IoT (Internet of Things – Connected Objects)
- ICS (Industrial Systems – SCADA)
- Social Engineering
- The Red/Blue Teams
- The Wireless
- Etc.
I didn't have much opportunity to talk to people, but I was able to admire and appreciate the various technologies and products on display, whether for promotional purposes or to test them out.
It must be said that simply walking around DEF CON is a spectacle and an enriching experience in itself. There is something to amaze and impress any enthusiast of new technologies, and despite the apparent complexity of the topics covered, they remain accessible to those less knowledgeable, as they are so well presented. The atmosphere is friendly, the world is crazy—in short, DEF CON is, in itself, a real spectacle.
Next: Feedback – Squad at #DEFCON27 (Part 3/3): My thoughts.
