Posted by on Mar 8, 2017
At Virus Bulletin, we love the BSides concept and we have attended several of the BSides events around the world. So when Peter Karsai, who is soon to join the VB team, offered to write something about his experience at BSides Budapest, we jumped at the chance to publish his post.
Growing up in Eastern Europe during the final years of the Soviet bloc, my primary connection to the West was through the VCR: bootlegged Hollywood movies from Germany, copied a hundred times, with ridiculous home-brewed Hungarian voiceover, over German voiceover, over Mr. Miyagi from The Karate Kid. It was our esteemed family VCR that first introduced me to the concept of "economies of scale": when the light fell at the right angle, the built-in display revealed placeholder symbols for functions not available in our entry-level model. I was startled, so my brother took up the duty of explaining that it is often cheaper to produce zillions of the same device and let some functionality lie unused in some of them than it is to manufacture a custom device for individual models. When setup costs are high, producing many of the same brings your per-item costs down. He added that this is called "economies of scale" – because that's exactly the sort of term an eight-year-old finds indispensable in his daily adventures.
A vacuum fluorescent display from a typical VCR.
By Atlant assumed (based on copyright claims). [GFDL, CC-BY-SA-3.0 or CC BY 2.5], via Wikimedia Commons
Fast forward to 2017 and BSides Budapest, and Tobias Schrödel's presentation on smart device hacking gave a glaring example of this concept at work. He started his demonstration by showing the audience how to hack a camera-equipped RC car and enable HD camera resolution for the cheaper, SD-only variant of the toy car. Economies of scale: when setting up and changing production lines is expensive, and software configuration is cheap, it actually makes a lot of sense for the vendor to cut costs through software and not to be too concerned about plunging sales of the HD version among hacker types. However, cost efficiency and a lack of concern can be a lot more damaging when it results in a complete disregard for basic security. Much to the amusement of the audience, Tobias demonstrated this vividly by hijacking a camera-equipped adult toy (yes, it's a thing), and then just to wrap the show up he gave a handy demo of how to bring a big stage light show to your neighbour by hacking their smart lightbulbs (which is only fair payback for using the angle grinder at 7AM on a Sunday morning, I suppose).
The presentation given by Zoltán Balázs of MRG Effitas on IoT device security – and the lack thereof – only reinforced the message that vendors really need to get their act together on this front, no matter the pressure from the market to ship fast and early. Mirai, anyone?
Feeling that these two presentations had warmed me up sufficiently for more serious work, I joined the workshop on Cuckoo Sandbox custom module development. Note to self: take an intermediate subject only after your understanding of the basics is fairly solid.
via GIPHY Artist's impression of my understanding following "Welcome to the Cuckoo workshop".
The coffee breaks between conference sessions allowed for a little chat amongst fellow attendees; I loved these as much as the presentations themselves. For instance, somebody casually showed me how one could get, er, free WiFi from certain cable modems on the UPC network. This is actually a fun one: turns out that the default WiFi password of certain Ubee modems that UPC commonly deploys for consumers can be guessed from the advertised SSID. This has been a known issue for several months now, yet I had no difficulty whatsoever in finding vulnerable WiFi networks when I tried the key generator app – so maybe this is less a 'fun one' and more a 'holy macaroni!' one.
Returning from lunch, I just managed to catch Jeff Hamm's presentation on the attack and forensics arsenal offered by PowerShell and his case study on how PowerShell was utilised in a successful attack against a bank, eventually gaining the attacker access to the SWIFT subsystem and the ability to transfer money out, before destroying the systems affected. You can't say that it's called PowerShell for no reason, right?
I had to leave a bit prematurely, but the first BSides Budapest left me with very good impressions. Kudos to the organisers and sponsors for bringing together a wide variety of talks for security professionals and enthusiasts alike. And on my way home I might have won them another attendee for next year: the cab driver listened quite intently to my stories from the infosec world and said he would totally consider a second career in this area. If only it hadn't happened right after explaining ransomware-as-service – I can only hope this was responsible disclosure. See you at the next #BSidesBUD event, blackhat cab driver!
