CanSecWest 2015 has come and gone but the knowledge sharing continues. This was Synack’s first year sponsoring and we met a great group of people. We had a great meetup the first night of the conference and then raffled off an Atari 2600 on the last day.
At CanSecWest, Patrick Wardle, Director of R&D at Synack, presented his research on ‘dylib hijacking’ on OS X. Despite the projectors going blank for a minute during his talk (hijacked?!?), his talk was well received!
The talk first covered DLL hijacking on Windows before introducing ‘dylib hijacking’ on OS X. Patrick demonstrated that abusing weak or run-path-dependent imports, which are found within many Apple and third-party applications, opens up a multitude of attack scenarios to both local and remote attackers. For example, he showed how local attackers could stealthily persist and inject malicious code into external processes, while remote attackers could bypass Gatekeeper (thus facilitating remote infections). The talk culminated with proof of concept code which, via ‘dylib hijacking’, could maliciously infect a user and exfil/infil data, all while bypassing every popular OS X security tool! The slides for the talk can be found at: http://syn.ac/cansecw15 and a technical white paper is available on Virus Bulletin.
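To make the two import types concrete from the defender's side, here is an added audit example; it is not code from the talk, the white paper, or Synack. It parses `otool -l` style load-command output (the sample below is constructed, with made-up paths and library names) and, given a constructed set of paths that "exist", reports where the dynamic loader would look before finding anything: an `LC_LOAD_WEAK_DYLIB` whose target is absent, and an `@rpath/` import that is only satisfied by a later `LC_RPATH` entry. It assumes plain absolute `LC_RPATH` values (no `@executable_path`/`@loader_path` expansion) and does not touch the filesystem, so a real scanner would feed it actual `otool` output and `os.path.exists`.

```python
import re
from dataclasses import dataclass

# Constructed sample: trimmed `otool -l` output for a hypothetical binary.
# Every path and library name here is made up for the illustration.
SAMPLE_OTOOL = """\
Load command 12
          cmd LC_LOAD_DYLIB
      cmdsize 56
         name /usr/lib/libSystem.B.dylib (offset 24)
   time stamp 2 Thu Jan  1 00:00:02 1970
      current version 1226.10.1
compatibility version 1.0.0
Load command 13
          cmd LC_LOAD_WEAK_DYLIB
      cmdsize 72
         name /Library/Frameworks/Plugin.framework/Versions/A/Plugin (offset 24)
   time stamp 2 Thu Jan  1 00:00:02 1970
      current version 1.0.0
compatibility version 1.0.0
Load command 14
          cmd LC_RPATH
      cmdsize 56
         path /Applications/Example.app/Contents/Frameworks (offset 12)
Load command 15
          cmd LC_RPATH
      cmdsize 32
         path /usr/local/lib (offset 12)
Load command 16
          cmd LC_LOAD_DYLIB
      cmdsize 48
         name @rpath/libhelper.dylib (offset 24)
   time stamp 2 Thu Jan  1 00:00:02 1970
      current version 1.0.0
compatibility version 1.0.0
"""

# Constructed view of the filesystem: the only library paths that "exist".
SAMPLE_EXISTING = {
    "/usr/lib/libSystem.B.dylib",
    "/usr/local/lib/libhelper.dylib",
}


@dataclass
class Finding:
    imported: str        # the import exactly as written in the load command
    kind: str            # "weak-missing" or "rpath-shadowable"
    hijack_points: list  # paths dyld would try before it finds a library


def parse_load_commands(otool_text):
    """Return [(cmd, value)] for every load command that carries a name or path."""
    cmds = []
    for block in re.split(r"^Load command \d+\s*$", otool_text, flags=re.M):
        cmd = re.search(r"^\s*cmd (\S+)", block, flags=re.M)
        val = re.search(r"^\s*(?:name|path) (.+?) \(offset \d+\)", block, flags=re.M)
        if cmd and val:
            cmds.append((cmd.group(1), val.group(1)))
    return cmds


def audit_imports(otool_text, existing_paths):
    """Flag imports whose search order leaves a location an attacker could fill."""
    cmds = parse_load_commands(otool_text)
    # dyld searches LC_RPATH entries in the order they appear in the binary.
    rpaths = [v for c, v in cmds if c == "LC_RPATH"]
    findings = []
    for cmd, name in cmds:
        if cmd not in ("LC_LOAD_DYLIB", "LC_LOAD_WEAK_DYLIB"):
            continue
        if name.startswith("@rpath/"):
            candidates = [rp + "/" + name[len("@rpath/"):] for rp in rpaths]
        else:
            candidates = [name]
        hit = next((i for i, p in enumerate(candidates) if p in existing_paths), None)
        if hit is None:
            # A weak import that is absent is silently skipped by the loader,
            # so every candidate location is a place a planted dylib would load.
            if cmd == "LC_LOAD_WEAK_DYLIB":
                findings.append(Finding(name, "weak-missing", candidates))
            # A missing non-weak import just stops the binary from loading.
        elif hit > 0:
            # The library is found, but only after earlier rpath entries were
            # tried and came up empty; those earlier locations are hijackable.
            findings.append(Finding(name, "rpath-shadowable", candidates[:hit]))
    return findings


if __name__ == "__main__":
    for f in audit_imports(SAMPLE_OTOOL, SAMPLE_EXISTING):
        print(f"{f.kind:17} {f.imported}")
        for p in f.hijack_points:
            print(f"    would load from: {p}")
```

The remediation the findings point at is the same in both cases: either make the import non-weak and absolute, or make sure every directory ahead of the real library in the rpath order is not writable by unprivileged users, and monitor those directories for new dylibs.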
A few days before CanSecWest there was also a great BSides event. Wes Wineberg, a Synack Security Research Engineer and Vancouver native, presented his research on the Rainforest Automation EMU-2 Home Energy Monitor. This included analysis of the hardware, the software, and the Zigbee Smart Energy protocol.
Wes’ presentation examined the functionality of the EMU-2 device and showed how it interfaces with smart meters using the Zigbee protocol. Several undocumented commands, which can be issued to the EMU-2 over its USB connection, were found through analysis of the associated software. While the EMU-2 device stores the majority of its data in an encrypted format, the talk demonstrated techniques that could be used to retrieve the original unencrypted data. Finally, the Zigbee Smart Energy profile was detailed, including the mechanism for pairing devices. It was demonstrated that it is possible to retrieve the necessary encryption keys from the EMU-2 to fully intercept or spoof its Zigbee communications (temporary physical access is required). The slides for this talk can be found at: http://syn.ac/1BUemV9
We hope you enjoyed the conferences, whether in person or following along online. Hope to meet you in person next year or at the next conference!