Dailydave mailing list archives

Re: Awesome work coming out of....Academia?


From: Ralf-Philipp Weinmann <ralf () coderpunks org>
Date: Thu, 22 Sep 2011 22:34:19 +0200


On Sep 22, 2011, at 8:46 PM, Dave Aitel wrote:

> In this paper John Regehr who is a professor of Computer Science in like, Utah or something, wrote about integer
> overflows http://blog.regehr.org/archives/59 , and it's great!

Quick link correction, Dave:

http://blog.regehr.org/archives/593

> It's funny and a good read, and frankly, that's the bar for success these days from Academia. :>
>
> But in all seriousness, one thing that came up yesterday on the paper review concall is that there are a lot of good
> academic talks we'd like to see at INFILTRATE[1]. There's no reason every talk has to be about 0days or heap
> internals. Most of the work we are all doing is on solving bigger problems. Maybe our theme should be "If you solved
> it for Mudge you should come talk about it at INFILTRATE over mojitos!"

I'm not sure how many of you have read the recent work done by a joint UW and UCSD research team on the attack surface of
automobiles [1]. I remember some snide remarks about academics not being able to write proper exploits -- or rather,
seldom being motivated enough to go through with it. Albeit being in the embedded space and hence not having to deal
with mitigations, unlike other academic papers I've recently seen, the authors of [1] do not take prisoners:

"To be clear, for every vulnerability we demonstrate, we are able to obtain complete control over the vehicle’s 
systems. We did not explore weaker attacks."

To cut to the biggest bag of lulz, jump right ahead to section 4.4, a telematics unit that was exploited "by manually
dialing our car on an office phone and then playing this “song” [modulated post-authentication exploit payload] into
the phone’s microphone". From the description of things, I'd guess this telematics unit to be running QNX (because of
the LD_PRELOAD trick and the mentioning of "a variant of Linux" -- I guess they mean Linux-compatible here, something
QNX has been touted as for a while). To achieve this they had to reverse-engineer the proprietary aqLink protocol (no,
that box doesn't use SMS or data connections for the initial call-in). Not only that, but they get massive style points
for writing and running their own IRC bot on the telematics unit that can pass on messages to the CAN bus. (Can you say
/msg davescar auths3cr3t brakeandswerve ?) Just as cute are the WMA files on CDs ("hey Dave, here's some fresh tunes
for your drive back!") that pop your car, or the wirelessly propagating malware for PassThru devices (diagnostic
testers).

This group has been the first to push serious offensive research in the automotive context, but given the hilariously 
bad state of security in that industry you can bet there have been others who have achieved similar results but have 
not published them...

Cheers,
Ralf

[1] S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, S. Savage,
    K. Koscher, A. Czeskis, F. Roesner, T. Kohno:
    Experimental Security Analysis of a Modern Automobile
    20th USENIX Security Symposium, San Francisco, August 10-12, 2011
    http://www.autosec.org/pubs/cars-usenixsec2011.pdf




_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave