During Defcon 25 one of the biggest information security event that took place in Las Vegas on July 27-30 this year, a new eavesdropping attack technique was introduced.
At the BioHacking Village’s Pisa Room, the Brazilian information security researcher and senior security consultant at CIPHER, Rafael Fontes Souza presented a proof-of-concept demonstrating a new exploitation technique that can be used to hack user credentials and to intercept sensitive data.
The ‘Dog in the Middle’ technique, aka DitM, used man’s best friend as an attack tool. Rafael adapted a chest collar to carry a mobile phone and wireless network adapter.
The most noticeable feature of this technique is that the attack vectors are triggered automatically without any human interaction and include near field attacks such as fake access point, cellular base stations or local user attacks on a network.
A comprehensive set of exploitations can be implemented using DitM, like DNS hijacking, packet injection, evil twin, rogue router or ISP, among others.
How that’s done?
The targeted device will connect to a rogue wi-fi access point generated by the dog collar and clever DHCP configurations can push rules to allow IP allocation by the fake AP and traffic forwarding to fake and/or malicious websites.
“Information and user data can be easily stored and malicious files can also be injected remotely to control the compromised device”, explain Rafael.
The video demonstrating how the chest collar was assembled can be seen at Vimeo through the following link https://vimeo.com/227596613
and Rafael’s presentation can also be accessed through Slideshare here https://pt.slideshare.net/rafa_el_souza/my-dog-is-a-hacker-and-will-still-your-data.
This technique is as very good example of how rather conventional technology can be used to social engineering to compromise users. Who’d think man’s best friend could be used as an attack tool?
Article by Pedro Silveira (Marketing Director at Cipher)
(Security Affairs – DiTM, hacking)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.