Hacking skills on display at the 35th Chaos Communication Congress

The 35th Chaos Communication Congress had hackers spoofing a vein authentication system with a wax hand, showing off hardware wallet hacks, and outlining the first UEFI rootkit found in use in the wild.


If you have some time on your hands, you should really dig into the presentations given at the 35th Chaos Communication Congress (35C3), as there is likely something to be found for your particular security or privacy interests. The following roundup of 35C3 presentations is just a drop in the proverbial bucket compared with the number of talks given.

Facebook tracks Android app users even if they don’t have a Facebook account

Privacy International gave a presentation (report) explaining how Facebook infuriatingly tracks people via mainstream Android apps whether or not you even have a Facebook account (video). It doesn’t matter if you went out of your way to not ever be sucked into Facebook or if you had an account but later quit the social network; Facebook is still collecting your data and tracking “users, non-users and logged-out users outside its platform through Facebook Business Tools.”

Privacy International analyzed 34 Android apps that have been installed from 10 to 500 million times (app data), and it found 61 percent of the apps automatically sent data to Facebook as soon as a user opens the app — that data includes a user’s Google advertising ID.

“If combined, data from different apps can paint a fine-grained and intimate picture of people’s activities, interests, behaviors and routines, some of which can reveal special category data, including information about people’s health or religion,” it said.

The group found that some apps are worse than others. For example, Kayak “sends detailed information about people’s flight searches to Facebook, including departure city, departure airport, departure date, arrival city, arrival airport, arrival date, number of tickets (including number of children), class of tickets (economy, business or first class).”

While you may not use the Kayak app, you may use at least one of the Android apps analyzed, as the study included a wide range of apps — from the King James Bible (KJV) Free to Dropbox and plenty in between, such as Speedtest by Ookla, The Weather Channel, Indeed Job Search, Candy Crush Saga, the Opera Browser, and Spotify. As Privacy International pointed out, since users have no option to opt out of sharing their data, it raises the question of whether the data collection runs afoul of GDPR.

And if all that unconsented data collection isn’t enough, KMPH reported that despite the Facebook scandals and data breaches, the social network may still ask you to upload your ID to restore accounts it has marked as fraudulent.

Vendors object to hardware wallet hacks

During “wallet.fail,” aka “poof goes your crypto,” three researchers showed how to break popular cryptocurrency hardware wallets, including the Trezor One, Ledger Nano S, and Ledger Blue, findings to which Ledger and Trezor objected.

First-ever instance of UEFI rootkit successfully used in attacks

ESET malware researcher Frederic Vachon presented “First Sednit UEFI rootkit unveiled.” Sednit, as Threatpost pointed out, is also known as APT28, Sofacy, and Fancy Bear. The discovery of the first rootkit targeting the Windows Unified Extensible Firmware Interface (UEFI) that was successfully used in attacks is quite significant. As Vachon explained, “Once the UEFI rootkit is installed, there’s not much a user can do to remove it besides re-flashing the SPI memory or throwing out the motherboard.” The rootkit — called LoJax — was previously outlined in a report (pdf).

Hackers spoof vein authentication system with wax hand

From the far-out and freaky department at 35C3, Julian Albrecht and Jan Krissler explained how to beat vein authentication. Granted, that might not be the first form of biometric authentication that pops to mind, but Motherboard reported that Germany’s BND signals intelligence agency uses vein authentication at its Berlin headquarters.

So, how did they pull off the hack? They took photos of their vein patterns and then used them to make a wax hand model that fooled the system. And it only took about a month’s worth of research. Krissler suggested the photos of a target’s veins could be taken at a press conference. He added, “When we first spoofed the system, I was quite surprised that it was so easy.”

Copyright © 2019 IDG Communications, Inc.
