My BSidesTLV Talk - Magda Chelly
BSidesTLV 2017 was a unique place with a very special atmosphere. Friendly and vibrant, it invited everyone to observe and admire the shared knowledge. Exciting, spectacular, surprising, fascinating: these were the impressions left on every visitor and speaker.
Security BSides is a hacker convention that provides a close community with guidelines for information security conferences. BSides was co-initiated by Mike Dahn, Jack Daniel, and Chris Nickerson in 2009.
It started from a small group of individuals curious about other security topics, outside of BlackHat.
BSidesTLV started in 2016. This year, 2017, it is in its second edition with fabulous organizers: Keren Elazari, Inbar Baz, Ilan Gracier, Omer Cohen, Oded Levin, Yaniv Balmas, and Reut Mensahe. It leverages unique access to the world’s most influential cyber security professionals and hackers, uniting forces to share their collective knowledge, address critical security vulnerabilities and discuss pioneering solutions, without commercial noise. Indeed, it was all about sharing knowledge.
Entering a different world with a host like Keren Elazari and her team made the experience truly exceptional. Totally honestly (I am emphasizing on purpose), I have never attended an event where the organizers were so supportive, and involved with the speakers. The event was full of personal tips, surprising expert knowledge, and amazing insights. It hosted 900 registered attendees and around 500 walk-ins.
That's why I was extremely happy to be part of BSidesTLV 2017 as one of the speakers in the underground session. Unfortunately, my laptop got stolen the night before. My talk was about acoustic hacking, so I had some demos that I could no longer present. This did not stop me :). I will share more details in this article so that everyone can benefit, and to raise awareness about the topic.
First, here is an exclusive preview of this incredible experience, with the highlights of BSidesTLV.
1- The Dinner
BSidesTLV hosted a private dinner for the speakers on the evening of 27th June. Needless to say, putting together an event like this with a separate dinner is incredibly time-consuming. Everything, from the planning, guest follow-ups and logistics to the exceptional hospitality, took the team, I guess, a huge effort. Clearly, a dinner for all the speakers required many hands. We were welcomed in a local restaurant called Yosef Hummus and guess what was for dinner? :) Hummus!!! A very yummy hummus.
With every single part of the dinner, from the table setting to a menu of yummy food and drinks, prepared to let us taste the local delights, there was a lot to choose from. The evening was very cool. We had the chance to meet every speaker before the actual event.
We enjoyed culinary delights and friendly service. The restaurant was located near Tel Aviv University. It excelled with its offering and we, the guests, were pampered with redefined local dishes. Accompanied by an awesome special lemonade, we had everything we needed to be ready for the BIG day.
2- My Talk
I was the third speaker in the underground session, alongside brilliant speakers like Yaron King, Avi Douglen, Dave Lewis, and Tal Melamed.
In conjunction with VOTIRO sponsorship, BSidesTLV organized a security challenge that took place before the conference. The winners were invited to the underground session. I also thank VOTIRO for their support with my laptop drama!😊
My talk was about acoustic hacking, and the title was: ...
How do I hack any device with sound?
Let’s start with the beginning …
Cyber attacks are increasingly using non-traditional methods. The cyber risk surface has been growing exponentially in recent years, following our technological tsunami. The increase in connected devices with the rise of the Internet of Things has created legal and security challenges. In fact, with the current technami, smartphones and other smart devices are equipped with various sensors. These sensors vary, and are usually low cost. This raises questions about vulnerabilities and secure design practices, first and foremost for the manufacturers.
In fact, cyber criminals take the shortest path to discover the right exploit, and they then perform the attack with easily accessible tools. A lack of security by design leaves an open door for side channels. I have been analyzing these vulnerabilities to find out the most common acoustic attacks and the future use cases, especially in an inter-connected world.
In my talk, I explain the limits of using sound to obtain information and how to run an attack itself through sound.
In the first section, I described vulnerabilities in current smartphones that are commonly used for social engineering attacks with voice, through the use of Siri. A few vulnerabilities have been fixed; however, many still work and users easily fall victim to attacks.
So, what is sound?
Sound is defined as vibrations that travel through the air or another medium; it is audible to the human ear when the frequency lies between 20 and 20,000 Hz.
Nowadays, conversational user interfaces (CUI) use sound and artificial intelligence as the heart of new developments. Sound is part of speech recognition, and there has been much fascinating progress in the area.
Analysts and researchers forecast the global speech recognition for computer electronics market to grow by more than 28%. Speech recognition works using algorithms for acoustic and language modeling. The language model is responsible for modeling the word sequences in the language, and acoustic modeling represents the relationship between linguistic units of speech and audio signals.
Various products nowadays offer different AI abilities such as speech recognition and natural language processing. Speech recognition is present in our daily lives. It’s built into our phones, our game consoles, our smart watches, and many other devices that we use every day to make our lives easier. Andrew Ng, a Chinese American computer scientist, has foreseen that speech recognition will become a key technique for human-machine communications. Therefore, we must raise questions.
Let’s have an overview. For speech recognition, we break the sound wave into numbers: we simply record the height of the wave at intervals. Then, we predict the whole sample. This is called digital sampling. I will leave the technical details of speech recognition for a later stage.
So, what does Siri do?
Talking to Siri is an easier, faster way to get things done. It’s always with you — on your iPhone, iPad, Mac and Apple Watch — ready to help throughout your day. Ask Siri to set an alarm or a destination. Book a ride or a meeting. Send a payment or a love note. And the more you use Siri, the better it knows what you need at any moment. Just say it and Siri does it. Source: https://www.apple.com/sg/ios/siri
Siri is an intelligent personal assistant, used by Apple Inc. for its speech recognition applications. We use it on Apple iPhones, iPads, etc. Siri uses voice requests and a language user interface to answer questions and handle many other queries, like recommendations, alarm setting, etc. The software adapts to users' individual practices and preferences, with ongoing adaptability. Results are individualized and customized.
Until recently, Siri was available by default when the phone was locked. A user could use Siri even with the phone locked and access the calendar, call some numbers, set up a meeting, etc. This capability bypassed the authentication process, and therefore presented a real danger for users. Since that time, Apple has addressed the vulnerability and offers the user the choice to enable or disable Siri on the phone. As the settings in the figure below show, Siri can be allowed when the phone is locked, or disabled.
Apple publicized a new interface to Siri, and additional capabilities, like language translation. Siri is correspondingly receiving a new voice entirely produced by machine learning algorithms. In the meantime, from my experience and research, users have Siri enabled by default when the phone is locked. This feature enables a stranger to access the phone calendar and call history, or even call someone or access a banking application.
Really though, this feature helps mitigate the risk associated with Siri. However, it still relies heavily on the user’s awareness and responsibility.
I have, therefore, tried to experiment with some new uses of Siri, and to discover how the speech recognition works with frequency variations. This obviously means new ways to interact with the application, and maybe also with sound that is inaudible to humans. This experiment opens up a new attack vector on Siri that might be very interesting to analyze and research deeply.
So where does that take us with Siri?
Over the past few weeks, I have tried to sample various sounds on Siri, and I found interesting results, as shown in the screenshots below.
This was a low-tech experiment for the demonstration, where an online web source is used to generate the frequencies. NoiseAddicts generated sounds tuned to specific frequencies.
I played with various sounds, changing frequencies. After playing the sound “hello”, Siri detected the same sounds even at various frequencies, including frequencies that are not understandable. I was able to introduce tones into Siri, fooling it into outputting certain replies. These acoustic interferences made it possible to interfere with the sensors. Furthermore, I hijacked my device with a sound on various frequencies, from audible to inaudible.
My experiment shows we can use radio waves to silently generate voice commands on any iPhone that has Siri enabled. This simple hack uses messages at those various frequencies to trigger Siri actions. Without speaking an audible sound, a hacker could use this method to communicate with Siri and turn these sounds into actions. The phone could become an eavesdropping device.
The silent voice command hack is just one example of the possibilities around speech recognition and artificial intelligence risks. iPhones have Siri enabled from the lock screen by default, but the newest version of Siri for the iPhone 6s authenticates the holder’s voice. However, this in turn depends on the initial learning process for the holder's voice.
Algorithms, including those for speech recognition and artificial intelligence, need to be introduced to discard signals that are noticeably atypical. The constraints of this experiment are the distance to the device and the ability to see the command confirmations on the device.
Cyber-responsible users should disable Siri on their phones when locked. Additionally, the screen should be protected with a passcode. This could limit a third party's ability to use those techniques to access the information on the device.
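One way to discard noticeably atypical signals before they reach the speech recognizer, as an added example that is not part of the original talk: a spectral plausibility check that measures how much of a frame's energy lies in the band where spoken commands live. The sample rate, band limits, thresholds and the constructed test tones are all assumptions.

```python
import cmath
import math

SAMPLE_RATE = 48_000            # Hz, assumed microphone capture rate
SPEECH_BAND = (80.0, 8_000.0)   # Hz, assumed band that carries spoken commands
MIN_SPEECH_FRACTION = 0.6       # assumed minimum share of energy inside the band
SILENCE_POWER = 1e-6            # assumed floor below which a frame is silence


def band_fraction(frame, sample_rate=SAMPLE_RATE, band=SPEECH_BAND):
    """Return (total power, share of that power inside `band`) for one frame."""
    n = len(frame)
    # A Hann window limits leakage between neighbouring DFT bins.
    windowed = [s * (0.5 - 0.5 * math.cos(2 * math.pi * i / (n - 1)))
                for i, s in enumerate(frame)]
    total = in_band = 0.0
    for k in range(1, n // 2):                  # skip DC, stay below Nyquist
        coeff = sum(x * cmath.exp(-2j * math.pi * k * i / n)
                    for i, x in enumerate(windowed))
        power = abs(coeff) ** 2 / n
        total += power
        if band[0] <= k * sample_rate / n <= band[1]:
            in_band += power
    return total, (in_band / total if total else 0.0)


def classify(frame):
    """Label a frame 'silence', 'speech-like' or 'atypical' (to be discarded)."""
    total, share = band_fraction(frame)
    if total < SILENCE_POWER:
        return "silence"
    return "speech-like" if share >= MIN_SPEECH_FRACTION else "atypical"


def tone(freq, amplitude=1.0, n=512):
    """Constructed test signal: a pure sine of `freq` Hz, n samples long."""
    return [amplitude * math.sin(2 * math.pi * freq * i / SAMPLE_RATE)
            for i in range(n)]


def mix(*signals):
    """Sample-wise sum of equally long signals."""
    return [sum(values) for values in zip(*signals)]


# Constructed inputs, not recordings from the experiment described above.
VOICE_LIKE = mix(tone(200), tone(1_000, 0.6), tone(2_500, 0.3))
NEAR_ULTRASONIC = tone(21_000)
MASKED = mix(tone(1_000, 0.2), tone(19_000))   # weak voice under a loud tone

if __name__ == "__main__":
    for name, frame in [("voice-like", VOICE_LIKE),
                        ("near-ultrasonic", NEAR_ULTRASONIC),
                        ("masked", MASKED)]:
        print(name, classify(frame))
```

A check like this only looks at where the captured energy sits in the spectrum; it complements voice authentication and the lock-screen setting rather than replacing them.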
So what happens when someone types on a keyboard?
The previous experiment leads to another vulnerability analysis in my second section. When a user presses a key on the keyboard, slight electromagnetic radiation is emitted. These emissions can be captured. After several recordings, a criminal can define a pattern and determine the typed words. This can be effective even a few feet away, and therefore a criminal can record the emissions from another part of the building.
In the screenshots below, I show various comparisons between typed words. We can clearly see the similar frequencies. In the first example, I highlight the same radiation for closing a window on the computer, in order to record the sound. These emissions actually give much more information about the computer: they are not limited to typed words but also relate to actions on the computer. This leads to leakage of sensitive information.
The frequencies generated while a user is typing on the keyboard define a firm pattern, without any special equipment. The requirements are limited to recording software and an audio editor.
The keyboards' vulnerability comes from the fact that every action on the keyboard is related to a certain frequency. The manufacturers consider the radio protocols, and not these kinds of risks. This attack is undeniably a different example of invisible eavesdropping by key sniffers.
First, it illustrates that far more than a single manufacturer is exposed to the sound hacks. In addition, this method doesn’t require advanced technical knowledge.
Second, it means that a criminal looking for targets could simply position themselves nearby and record all the frequencies from any keyboard.
My experiment is backed up by previous research, which found that the distance from which these frequencies can be recorded might reach 65 feet. This vulnerability could let criminals remotely access all information on the devices. The vulnerability uncovers a security failing that could theoretically expose millions of users, in various locations.
Manufacturers should acknowledge the problem and inform users about the current vulnerabilities. There is no easy fix for these points, including the Siri risk as well as the keyboard issue. However, companies should advise on good practices. On the other hand, security settings should be enabled and not disabled by default, unless a clear message is delivered to the user.
The third section of my talk described sound-based techniques to collect information about user input. These are based on the use of accelerometer sensors, previously applied by other researchers to find out users’ PINs. The other techniques described alter the user’s inputs. My work explores the various methodologies and the damage these attacks can do. The attacks are based on spoofing such sensors with deliberate acoustic interference. The attacker then delivers selected digital values to embedded systems, which accept them without additional validation.
By using sound waves, we can fabricate changes and affect accelerometers. The sensors detecting movement will detect a fake motion through the sound and therefore emit a different result. Counting the steps on an activity tracker is an example. These accelerometers are embedded in various devices, not only in activity trackers.
Accelerometers detect movement through changes in speed or direction. These measurements can be altered by certain frequencies. The sensors will then deliver a false result. The limitation lies in figuring out the right frequencies to operate the devices. It can lead to forging the number of steps within a step counting device.
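The missing validation described above, as an added example that is not code from the talk or from any tracker vendor: a step counter that accepts every threshold crossing, next to one that checks the crossings against a plausible human cadence. The sample rate, thresholds and both signals are constructed assumptions.

```python
import math

SAMPLE_RATE = 100       # Hz, assumed accelerometer output data rate
STEP_THRESHOLD = 1.2    # g, assumed magnitude that a footfall exceeds
MAX_CADENCE_HZ = 4.0    # assumed upper bound on human steps per second


def rising_crossings(samples, threshold=STEP_THRESHOLD):
    """Indices where the signal crosses the threshold in the upward direction."""
    return [i for i in range(1, len(samples))
            if samples[i - 1] < threshold <= samples[i]]


def naive_step_count(samples):
    """Counts every upward crossing as a step: sensor values are trusted as-is."""
    return len(rising_crossings(samples))


def validated_step_count(samples, sample_rate=SAMPLE_RATE):
    """Return (steps, suspicious).

    Crossings that follow the previous one faster than MAX_CADENCE_HZ allows
    are not counted. If more than half of the crossings are that fast, the
    whole window is treated as interference: no steps, suspicious=True.
    """
    crossings = rising_crossings(samples)
    min_gap = sample_rate / MAX_CADENCE_HZ          # samples between two steps
    too_fast = sum(1 for a, b in zip(crossings, crossings[1:])
                   if b - a < min_gap)
    if too_fast > len(crossings) // 2:
        return 0, True
    return len(crossings) - too_fast, False


def walking(seconds, cadence_hz=2.0):
    """Constructed gait-like signal: 1 g at rest plus a 0.5 g bump per step."""
    return [1.0 + 0.5 * max(0.0, math.sin(2 * math.pi * cadence_hz * i / SAMPLE_RATE))
            for i in range(seconds * SAMPLE_RATE)]


def oscillation(seconds, freq_hz=20.0):
    """Constructed stand-in for interference-induced output: a steady sine."""
    return [1.0 + 0.5 * math.sin(2 * math.pi * freq_hz * i / SAMPLE_RATE)
            for i in range(seconds * SAMPLE_RATE)]


if __name__ == "__main__":
    for name, signal in [("walking", walking(10)), ("oscillation", oscillation(10))]:
        print(name, naive_step_count(signal), validated_step_count(signal))
```

A cadence bound is a plausibility check on the digital values only; it complements, and does not replace, addressing the sensor itself during design.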
A growing number of companies are offering incentives to users with tools like activity trackers. For example, nowadays, insurance companies are giving discounts for healthy lifestyles. This scenario can lead to a false declaration and therefore a very attractive monthly fee for an insurance policy. Furthermore, it would be very difficult to prove the attack.
Wearable fitness technology includes devices that retain user information such as heart rate and steps taken. Insurance companies are using data from these devices to define individual premiums. The insured can earn rewards or discounts. The insurance company considers the risk profile of the user, and perceives the risk as lower when the user has a healthy level of activity. This clearly encourages criminals to forge the data for financial gain.
Research on accelerometer vulnerabilities is fairly new. Kevin Fu and other researchers have found a technique to take control of devices using these accelerometers. They represent a security fault. It's crucial that this vulnerability is taken into consideration during the design phase of electronic devices.
Let’s wait to see.
The fourth section described the different use cases within the future Internet of Things and clearly defined the vulnerabilities related to sound. Currently, we have medical applications, navigation, transport, and consumer electronics incorporating accelerometers and other similar sensors. With the rise of connected devices and use cases, there will be endless applications where a low-cost sensor can be used as a side channel. Like any other innovative technology, these sensors can cost-effectively provide data for additional uses, though most often at the expense of security.
Given the research, and previous results using the various sensors, I concluded with a thought on how crucial it is to amend the security model for on-board sensors on connected devices.
As fast as things progress with speech recognition and artificial intelligence, it is valuable to study these vulnerabilities and provide ways in which machine learning can handle these risks.
Special thanks again to Keren Elazari and team for the opportunity to participate in BSidesTLV. Please do not hesitate to comment and ask questions regarding this research and my paper.
3- Other Talks:
Chris Nickerson, co-founder of the BSides Security Movement, gave the opening speech at the conference. Chris was amazing on stage and the ambiance was ON for the show.
Other confirmed speakers of the conference included ALPER BASARAN, Chief Hacking Officer at Garnizon, GUY BARNHART-MAGEN, security research manager at Intel, YAIR AMIT, Co-Founder and CTO at Skycure, leading the company’s research and vision and overseeing its R&D center, JOSH CORMAN, Founder of I am The Cavalry (dot org) and Director of the Cyber Statecraft Initiative at the Atlantic Council, TAL LIBERMAN, cyber security research team lead at enSilo, AMIT SERPER, security research at Cybereason's Boston HQ, CHRIS ROBERTS, one of the world’s foremost experts on counter threat intelligence within the information security industry, OMER GIL, information security team leader in EY Advanced Security Center in Tel Aviv, MOSHE ZIONI (DALMOZ), security researcher, and Iftach Ian Amit, Co-Founder of DC9723 and Board of Directors BSidesLV. Speakers came from around the world, from Turkey to Singapore. They assembled to share insights through the main session in the afternoon, covering a wide range of topics.
The new cyber women power was on the spot with Luda Lazar. The themes for the conference went from phishing kits, mobile containers, healthcare devices, Atom Bombing to cache deception, and many more.
Follow me on YouTube for more cyber talks!
4- The After Party:
Blending house vibrations, plus the ultimate cool vibes, here was an event that everyone enjoyed.
After the full day of knowledge sharing, it was time to relax. The after-party was hosted in a terrace bar near Tel Aviv University, with incredible views at night. Above and beyond, who doesn’t love a good outdoor party?! One of the most thrilling highlights of the night was all the pizza and drinks, together with the great company 😊
During the afterparty, I met Evgeny Belenky, Director of Community at Peerlyst - a community of InfoSec experts, and media partner for BSidesTLV. It was great catching up and discussing great opportunities to share and expand free quality knowledge within the cyber security community.
I LOVE THAT PLATFORM!
Peerlyst is building a community where information security professionals can gather together online through great content and innovative solutions for security challenges.
Through the evening, I also had a chat with Omer Cohen. Omer was part of the BSidesTLV organization committee. He actually was an amazing support and help through the journey with all the adventure. I am sending a great thank you back from Singapore.
My participation in BSidesTLV would not have been possible without the support of an amazing team, especially Keren Elazari, equipped with incredible knowledge and research skills that are contagious to anyone who is part of the infosec community.
Thank you, Keren, Inbar, Ilan, Omer, Oded, Yaniv, and Reut for an incredible experience.