Hacking 

Case Studies

Ae you looking for a taste of ISE's security research,

which Ted weaves into all keynotes?

... if so, read on

"the danger from within"

- New York Times

 

Cars

The Challenge

Car immobilizers were considered to be “unbreakable.”  We wanted to verify that claim!

The Problem

At that time, companies were very unwelcoming to security research, and often responded with lawsuits rather than fixes.

The Exploit

Nevertheless, we pushed ahead, even at our own peril.  We reverse engineered the cryptographic algorithm, built a weaponized software radio, and demonstrated the exploit by starting a Ford Escape without the authentic key!

The Impact

We empowered Ford and its cryptography partners to fix an exploitable security vulnerability that pertained to one of the most pressing problems facing car makers: more than 720,000 automobiles are stolen every year in the United States alone, totaling a property loss of more than $4.3b!

 
 
"major exploitation"

- Washington Post

 

Phones

The Challenge

We wanted to be first!  When the iPhone first came out, we wanted to be the first researchers to discover an exploitable vulnerability in it.


The Problem

We didn't have access to early release versions of the device; our contacts at Apple wouldn't give us a heads up about what might be new in this game-changing technology.  We couldn't even cut the line at the retail store! Furthermore, every other researcher at the time also wanted to be first.


The Exploit

We addressed the time problem by exploring known issues in the existing desktop version of the Safari web browser, and investigating how similar issues might appear in the mobile version.  This strategy succeeded: we discovered an exploitable buffer overflow vulnerability in the mobile version of the browser. This enabled us to take full administrative control of a victim phone; we could send and receive text messages, operate the camera, turn on the microphone, add or remove contacts, etc.


The Impact

We empowered Apple with how to fix this exploitable issue, and they had a patch issued shortly thereafter, thereby protecting the millions of consumers who would go on to buy the original iPhone.  As the press coverage on this went very wide, this also sent a message worldwide that although this new technology had security issues just like any other technology, the manufacturer was all over fixing it.

 
 
“showed the lack of robust security in important devices”

- New York Times

 

Password Managers

The Challenge

Millions of users assume password managers to be a trustworthy option for storing all of their most valued credentials. We wanted to determine the validity of this trust that users place in password managers.


The Problem

As these are security products, we assumed they would be very resilient, and difficult hard to exploit. This would require more effort and resources.


The Exploit

Instead of being hard to break, we found many of the most widely used password managers to be trivial to exploit.  Most had overwhelming foundational issues, lack of adherence to security principles etc. We discovered that a user's credentials can be extracted from a password manager, even in its locked state. 


The Impact

This is profoundly important because it undermines the claims by vendors and confidence by users about the ability for these systems to make users more secure.

 
 
“technology companies are thinking about it all wrong”

- Globe & Mail

 

Medical Devices

The Challenge

Most healthcare cybersecurity focuses on privacy of patient data; we considered a much bigger issue and wanted to investigate the ease and likelihood of an attacker causing patient harm or fatality.


The Problem

Medical devices are exceedingly hard to get your hands on: they’re very expensive, and most suppliers don’t have a sales channel to anyone that is not a healthcare provider.  We could buy used devices on resales sites like eBay, but the devices available there are so old that the findings would not be relevant to patient use cases today, and could engender unnecessary fear.


The Exploit

To address these access issues, we partnered with a number of healthcare organizations, one of whom allowed us access to their medical devices for research purposes.  We struck gold: we found exploitable vulnerabilities in patient monitors, drug dispensary equipment, and bloodworking systems. The key takeaway of all of these exploits is that each of them would enable an attacker to manipulate the behavior of physicians, in such a way that the physician unwittingly delivers harm to the patient.


The Impact

The primary impact has been awareness.  When we published our 2-year study Hacking Hospitals, it quickly garnered media attention worldwide.  Many conferences across the globe, from D.C. to Dubai, asked us to come present the research.  It made its way around the halls of Congress; and medical device manufacturers have even donated devices to us for further testing.  Such awareness is a critical first step in moving the industry forward, but due to the highly regulated, highly bureaucratic nature of the medical device industry, there is still a tremendously long way to go before these issues are solved.

 
 
"risk has spread beyond the theoretical”

- Financial Times

 

Blockchain

The Challenge

We wanted to understand if people’s money -- in the form of cryptocurrency -- is at risk of theft.


The Problem

Knowing that attackers will go for the easiest targets, we allowed ourselves only limited time to do this.  Could we figure out how an attacker might steal money in just a few man-hours of effort?


The Exploit

After developing a simple exploit kit, writing up some code to scan, and then letting the scanner run for roughly 1.5 weeks, we found nearly 800 vulnerable Ethereum keys!  As we looked closer, we discovered that these keys were used in more than 50,000 transactions, which told us these are heavily used wallets. We anticipated that these keys and their associated wallets would have at least some currency at risk, but we discovered all of them to be empty.  Or more accurately, looted.


The Impact

So what had happened? It turns out, there is an attacker out there exploiting Ethereum using the exact same method we had developed!  And now we could track him. As all transactions on the blockchain are publicly visible, we could trace all of the looted wallets back to a single wallet, that had more than $40m of stolen Ethereum sitting in his single wallet!! This was a wild outcome; we were trying to see if or how this could happen, and in the process we bumped into the real guy doing the real thing!  It’s like 2 burglars robbing the same house at the same time!

 
 
“Security by hacking it”

- New York Times

 

Internet of Things (IoT)

The Challenge

Security isn’t a development priority for most IoT makers; we wanted to change that.


The Problem

The extreme pace at which IoT is being adopted, combined with the vast scope of device types, meant that as a single organization we’d have a hard time keeping up and making a difference.


The Exploit

To address these issues, we galvanized a security research movement, known as IoT Village.  Since its inception, IoT Village as a community has published hundreds of previously unknown security vulnerabilities. These affect both known brands such as Samsung, Sharp, and GE, as well as unknown brands, such as nascent startups.  These affect more than 50 different device types and counting!


The Impact

The movement is accelerating!  What started as a few people behind a folding table in the corner of a small room is now a massive traveling event series, that visits conferences all across the U.S. as well as locations abroad.  Countless articles are written every year about the research that the IoT Village community publishes, and now even device makers themselves are involved.

 
 
“combat the threats posed by IoT devices”

- Consumer Reports