What happens when you hack the infotainment system of a car and then sell your hack as a service? What happens when you do that but forget to defend yourself?
You get hacked.
As a member of the of Axway Product Security team, I explained to the audience at DefCamp 2019 security conference how I broke into what I call “Hack as a Service.” I used a chained attack technique, abusing different weaknesses in the services offered by an anonymous hacker who was “selling” a utility application for Honda infotainment systems. I showcased the whole process, step by step, including the incentives but also the tools I used, along with the (most important): The how and why’s that his attack was successful.
Because security research is fun but, in the end, we must learn something from it, right? I explained how a mix of weak password policy, lack of brute force attack mitigation, security misconfiguration, security best practices ignorance plus a broken application license mechanism can break your business. While the full presentation video can be watched on YouTube, here is a summary of my talk:
Chapter I: Content Discovery
Phase 1 of the attack was brute-forcing resources URLs in order to find hidden but available content on the website. The main purpose was to find the APK file that was supposed to be hosted on the server. For such scenarios, tools like dirb or Burp Proxy are handy.
Chapter II: Brute-forcing password-protected resources
Chapter III: Reverse engineering the Android application
Having the app installed revealed that it was asking for a key in order to upgrade to the Pro version and use all the features. For getting the key, I performed both static and dynamic analysis of the application and reverse-engineered the key validation system. This attack was facilitated by several mistakes that the developer did, and I explained them during the talk. After all, the entire attack chain was successful because of weaknesses identified in each component of the system: infrastructure, web application, APK source code.
During my presentation, the audience had the chance to hear this story taken from the real world and it was well-received. One of the main benefits of Infosec Community is that we can exchange ideas, share knowledge and experience that can be further applied in our daily job, ending up with a more secure digital world.
DefCamp is the most important annual conference on Hacking & Information Security in Central Eastern Europe. Each year it takes place in Bucharest. This year it celebrated its 10th edition. This conference has grown rapidly over the years and the numbers speak for themselves. This edition of DefCamp brought together over 2,000 decision-makers, security specialists, entrepreneurs, developers, academic, private and public sectors.
A funny fact: the very first edition of DefCamp had as many attendees as this year’s edition had speakers.
Each year, Axway has a strong presence at the most important security conferences all over the world. Axway security experts are active members of the Infosec community, participating with content, code and engagement in CTF competitions.
Learn more about API Security, checking it twice.