
Live, Laugh, Lyrical Injection: Hacking Karaoke for Fun and Profit

BSides PDX · 2022 · 18:30 · 148 views · Published 2022-10 · Watch on YouTube ↗

Category: Technical

About this talk
Everything is vulnerable, and I mean everything. If you thought that singing in front of your friends was safe from hackers, you would be dead wrong. Vulnerabilities have been discovered in the karaoke protocol that are still unpatched. As a result of that, Lyrical Injection is on the rise. Though there are no surefire techniques to stop it, all hope is not lost. You will learn the methodology to exploit a karaoke session and instrument a denial of service on an original work of music. By the end of this talk, you will be armed with the knowledge to control the blast radius when Lyrical Injection happens to you.

Nate Norton (@n0rtr0n) is currently a Staff Security Engineer and leads the Cloud Security program at Modern Health. He is a recovering Backend Engineer. In his spare time, he builds and programs massive LED installations in giant creatures that often roam the playa at Burning Man, and he fronts a psychedelic horn rock band in the Pacific Northwest.

BSides Portland is a tax-exempt charitable 501(c)(3) organization founded with the mission to cultivate the Pacific Northwest information security and hacking community by creating local inclusive opportunities for learning, networking, collaboration, and teaching. Twitter - @BSidesPDX
Transcript [en]

Next up we've got Nate Norton with "Live, Laugh, Lyrical Injection: Hacking Karaoke for Fun and Profit," so let's give a big welcome to Nate.

Hi, so I'm Nate, and before we begin I am legally required to inform you that I am a CISSP, which will make sense in a minute. I am also legally required to inform you that this information is for research purposes only and should not be used for mischief (wink).

So, who am I? I am a security engineer. I play guitar and I sing in a rock band. I build giant puppets that light up at night, and I love karaoke. And my parents are very proud of me despite all of those things.

Somebody once told me that in order to hack something you have to know it, so let's get to know the karaoke protocol. First of all, who knows what karaoke is? All right, most of us. Who has been to karaoke? All right. Who has sung at karaoke? My people. All right. So for those of you who do not know, karaoke is a form of entertainment in which brave or intoxicated individuals sing along to pre-recorded instrumental versions of popular songs, where the lyrics are displayed for the singer on a screen in time with the music, in an attempt to mirror the original performance of the song.

All right, so what is the karaoke protocol? It turns out that the authors of the karaoke protocol have neglected to submit an RFC, so we have to make a lot of inferences about what the karaoke protocol actually is, but it goes something like this. You go to karaoke, first step. You flip through a book, usually, and you pick out a song that you want to sing. And then you sign up for karaoke by putting your name on a piece of paper along with the song title and handing it to the karaoke host. At some point they call your name, they give you a microphone, you go up and you sing the song. If you're having fun, you repeat steps two through four, and nothing bad happens, and you go home, and all is well.

So let's take a look at some terms in order to further understand what the karaoke protocol is. The first and most important one is the karaoke session; this is where people go to sing karaoke. Then we have the karaoke host, which is the person that facilitates the karaoke session. There can be more than one host; we call this a karaoke network. Then we have the karaoke guest, who participates in the karaoke session regardless of whether they are singing. We have my personal favorite, the karaoke service, which is the bar. And then some specific terms: we have DNS, which stands for Do Not Sing, you are cut off, go home. And then perhaps the most egregious offender that threatens the health and safety of the karaoke session is the APT, or the Advanced Persistent Talker, someone who will not shut the hell up when other people are singing.

The reason I'm here today is because I have discovered not one but two vulnerabilities in the karaoke protocol that I would like to share with you. The first one is weak authentication, and in some cases no authentication. The second one is a term that I have coined: lyrical injection. And unfortunately karaoke vendors have still not patched these vulnerabilities, so who knows what else is out there.

I have been studying karaoke for twenty-some-odd years at this point. I have participated in many karaoke sessions as a guest. I have hosted a few karaoke sessions of my own. I even played bass in a live karaoke rock band for a number of years. And so for the last couple of years or so I have been researching threats to karaoke, and I ain't the sharpest tool in the shed, but I think that I have discovered the motivation for these miscreants. Can anybody guess what that might be? Fun? Close. It's lulz.

So let's take a look at the first vulnerability, weak authentication. It turns out that if you go to a certain place at a certain time and you write down any name, and I mean any name, on a piece of paper and you hand it to somebody, they will give you a microphone for five minutes. Big mistake. This vulnerability is often exploited to escalate privileges in order to gain an audience, and when you have an audience, what could possibly go wrong?

But don't just take my word for this. If you, for whatever reason, against my warning, would like to exploit this for yourselves, this is the methodology. You go to karaoke. You write down a name and a song title. You hand the karaoke host the piece of paper, which initiates a reverse shell on the karaoke host. When your name is called, and they will call your name, or whatever name that you wrote down, retrieve the microphone. Your privileges are automatically escalated. Congratulations.

How do we stop this attack from happening? How do we stop this in its tracks? What is the mitigation? I'm afraid there is none. This is just the way this system was designed.

So the reason that I know that this exists in the first place is because I have personally exploited these vulnerabilities. I went to DEF CON for the first time this year. Who was at DEF CON? Awesome. So Friday night I stumbled into Hacker Karaoke, and I wrote down my name. I wrote down my real name, and I realized that this is poor operational security; however, I desired attribution for this attack, so I felt that it was an okay compromise. So I wrote down my real name and a song title and I handed it to the karaoke host, initiating the reverse shell, and a couple of hours later they called my name and I retrieved the microphone and my privileges were escalated. And from there I pivoted into giving an unofficial DEF CON talk at karaoke, the subject of which was lyrical injection, vulnerability number two.

So what is lyrical injection? It is a timing-based exploit where an attacker chooses a song and replaces the words with the lyrics and the melody of another song, in an attempt at denial of service on the original song. When lyrical injection is performed at karaoke, it can become viral and infect the guests, who often helplessly echo the lyrical payload. It usually results in the karaoke host shaking their damn heads. This is actually how you know that the attack has succeeded.

The methodology that I am going to describe for this attack is based on the Lockheed Martin Cyber Kill Chain. It is seven steps that follow an attacker's path as they exploit lyrical injection.

The first stage is recon. So, first step of recon: pick a target song that you would like to exploit. The more popular the song is, the more vulnerable the song is. Step two: pick another song and extract the lyrics and the melody. I recommend using fuzzing techniques. Pick a karaoke session to go to. Now luckily for those of us in Portland, there is a, and I quote, "venerable tiki bar with nightly karaoke," also known as The Alibi Tiki Lounge, right here in northeast Portland, and it's right next to the weedland Portland dispensary, so you can't miss it.

Let's weaponize a payload. The first step is to replace the lyrics of the target song, and then practice this superposition. And if you are having a difficult time getting the timing of this correct, I recommend that you study the techniques of the lyrical injection research pioneer Neil Cicierega. He has produced no less than four albums in which he has superimposed the 1991... 1999 critically acclaimed hit "All Star" onto other songs.

Step three, delivery: go to karaoke. [Music]

Exploitation. Step one: write down any name, and I mean any name, and the target song title. Step two: hand this to the karaoke host. Reverse shell initiated. There will be no input validation. As a matter of fact, in the history of karaoke there has never been a single instance of input validation at this step, so if you've made it this far, your attack will succeed. Congratulations. Retrieve the microphone when the name you wrote down is called.

Command and control: perform the song. Perform the modified version of the song. Move laterally around the stage.

Actions on objective. Step one: finish the song. Step two: walk off the stage, but please do not drop the microphone; it hurts. Step three: do a little dance or something, and profit. Congratulations, you've just hacked karaoke.

So how do we prevent this? How do we mitigate lyrical injection? There are three controls that are possible in this scenario. The first is a deterrent control, which is projecting the lyrics on a screen that is visible to both the singer and the audience. However, much like a security camera that is not turned on, this is a very weak control. Then we have the corrective control, which is turning down the microphone once the attack is detected. Unfortunately, by the time the attack is detected it is too late, and the song will continue for as long as the attacker intends it to. The third control, which is perhaps the only effective control in this situation, is a compensating control of acceptance, because if you can't beat them, you might as well join them.

All right, so before we continue, for those of you who are not going to heed the legal notice that I put out at the beginning of this presentation, I feel that it is my due diligence to inform you of the consequences should you decide to attempt lyrical injection yourself. The absolute best-case scenario if you attempt lyrical injection is that you get permanently banned from karaoke. The slightly worse outcome is if you experience extreme disapproval from the audience and/or the karaoke host. Even worse than that is if you get extreme approval from the audience and/or the karaoke host. And the absolute worst thing that can possibly happen to you if you attempt lyrical injection is that you now have a horde of followers and you are the leader of a cult. Good luck, have fun.

But don't take my word for it. Let's hack some karaoke. So at this point I believe that we may have to mute the live stream, and so if you are watching this from afar and you do not hear anything, it is nothing to do with you; we just have to be careful with copyrights, IP, intellectual property, right? All right. So we're at karaoke and I have a weaponized payload that is delivered, and I am about to exploit the song, John Lennon's "Imagine." Right, here we go.

Thank you. And once again, this is for research purposes only. So, time for a Q&A.

Q: ...lyrical injection that I would refer to as the Weird Al attack, and whether you thought about deploying that in the wild.

A: Oh yeah, so Weird Al is an inspiration for this type of attack. I would consider that the spray-and-pray variant of lyrical injection, strictly for research purposes only. For research purposes only.

Q: When you see the lyrical injection attack happening, would a counter brute-force attack mitigate the issue?

A: That's a great question. You will have to try that out and let me know how it goes.

Q: You're missing the most important part: how are you going to cover your tracks?

A: How am I going to cover... if I delete the logs... I haven't thought about this. More research is required. Thank you.

Q: What is the best karaoke song for this type of injection, and why is it Bohemian Rhapsody?

A: That question speaks for itself.

Q: Do you have any recommendations for generating aliases for anonymization purposes?

A: Oh, that is a great question. What I really like is, you know, in the password generators, how you can generate three words at a time? Yeah, exactly. So that's my preferred method.

Q: I'm looking to create a new startup around machine learning. How can AI be used to prevent this injection?

A: Yes. All right, well, I presume that there are investors here, and yes, yes, we will get your company funded.

Q: Have you ever tried this on...

A: That's actually how I test out my lyrical injection attempts, so yes.

All right, I think that's it. For those who have the slides, I've linked to a couple of resources, including my experience at DEF CON, and I've linked to a couple of Neil Cicierega videos; I highly recommend that you listen to those. And then, for those who get the slides, there is a very good source song to extract the lyrics from, which is most definitely not Rick Astley; he's never going to give you up. Thank you so much. Find me on Twitter at n0rtr0n, that is with zeros instead of O's, because I'm one of those people, and I'm also on LinkedIn. And thank you so much, BSides, it's been real.