Researchers hack toys, attack iPhones at ToorCon

SAN DIEGO--From "weaponized" iPhone software to hacked toys and leaked cookies, researchers at the ToorCon security conference here this weekend showed how easy it can be to poke holes in software and hardware with the right tools, know-how, and curiosity.

One researcher demonstrated how to take control of an iPhone using an exploit that targets a hole in Safari, which has been patched. The iPhone had an app installed that allowed it to process credit card numbers, which could then be stolen if this were an attack in the wild.

Eric Monti, a senior security researcher at Trustwave, "weaponized" an exploit that was launched as the Jailbreakme.com program this summer, designed to allow iPhone owners to use unauthorized apps.

For the demo, he directed the "victim" iPhone to a Web address that opened a PDF file that contained the exploit code. Then a rootkit was downloaded giving him complete control of the iPhone. Once a rootkit is downloaded an attacker has access to all data, e-mails, voicemails, and text messages, as well as the microphone and speaker. "You can easily eavesdrop on someone if you're on their iPhone remotely," Monti said.

If the iPhone has the free Square app installed, which is used for processing credit card numbers, the attacker could also steal those numbers, he said, adding that there is not a security issue with the Square app. "We will see people processing credit cards in stores using iPhone apps," transactions using highly sensitive data that should be on only secured devices, Monti told ZDNet Asia's sister site CNET in an interview after his talk.

Two researchers gave a light-hearted talk, titled "Real Men Carry Pink Pagers", about how they turned a toy into a wireless tool that could be used to open garage doors and clone RFID tags used for inventory control on shipping docks and RFID-based passports, among other uses. The pink plastic IM-Me device, with a "Girl Tech" brand on it, was designed to allow young girls to send instant messages with friends on a private network.

The IM-Me device also uses the same wireless chip that some smart meters use and could be turned into a diagnostic tool to test the security of those devices, said wireless researcher Michael Ossman. He worked on the project with Travis Goodspeed, who wrote software that gives the IM-Me functionality that most teen girls can't fathom.

"We took old hardware and repurposed it...It's fun to turn it into something useful and to learn about it," Ossman said, summing up a core element of the true hacker spirit.

This isn't the first toy Ossman has worked his hack magic on. During Defcon in August, he used the hackable badge from the event to try to turn a toy guitar into an electric instrument. The guitar, which he played for a select audience this weekend, remains acoustic at this point, but Ossman did manage to create a very cool electronic light oscillator for tuning the strings using RGB (red, green, and blue) LEDs.

Two other presenters showed how limited encryption used on many popular sites on the Web--like Facebook, Twitter, Hotmail, and Flickr (but not Google)--can put user accounts at risk of compromise by someone snooping on session traffic between the user's computer and the site's server. Sites typically encrypt the username and password as they are transmitted, but unless the entire Web session is encrypted with "https", or secure hypertext transfer protocol, someone sniffing the network could capture the cookie information and use that to access the accounts, according to security researchers Eric Butler and Ian Gallagher.

Web surfers don't even have to be on one of the sites to have their cookie data exposed. Any site that even just hosts a Facebook or Twitter widget or has a Flickr image embedded can leak a user's cookie data if the user is logged into the relevant host site, they said. "The cookie allows you to do everything you can with a password," Butler said. "It is hard for users to protect themselves."

So-called HTTP session hijacking, or "sidejacking", is not new; another researcher released a tool last year to enable this on Facebook. But Butler and Gallagher said users will be vulnerable to such attacks until Web sites move to full session, end-to-end encryption and configure sites to indicate that browsers only should send data over encrypted channels. They are releasing a tool that automates an attack and said that they hope that doing so will bring attention to the problem and motivate Web site owners to use encryption more broadly.

"Any motivated attacker could do this without this tool," Butler said. "We think this will shine light on the issue."