
BSides Edmonton 2023 Keynote: Alissa Knight

BSides Edmonton · 2023 · 37:38 · 68 views · Published 2023-10
Style: Keynote
About this talk
BSides Edmonton, September 2023. BSides Edmonton 2023 Keynote: Alissa Knight. September 25, 2023 at 9:15:00 a.m. Speaker: Alissa Knight.

Alissa Knight is a business magnate, American author, screenwriter, film director and producer. In 2020, Alissa formed Knight Group with her wife, Melissa Knight, which today controls 5 companies in publishing, marketing, events, and film production, as well as a television and streaming service owned and operated by the Media and Entertainment Distribution division of Knight Studios. Best known for her "Mr. Robot"-styled cybercrime franchises, Alissa's cinematography and visuals were undoubtedly influenced by her early years, prior to her arrest, as a computer hacker. Some of the television series she is best known for writing, producing, and directing include Dark Ops (2023), Cloud Wars (2023), Ransom (2022), HEAT (2022), Scorched Earth (2022), and Underdog Games (2022). Alissa became a published author in 2019 with the release of her bestselling book Hacking Connected Cars (Wiley, 2019). Prior to her career as a film director and producer, Knight was a reformed black-hat computer hacker who was arrested at 17 years old and later went on to work for the U.S. Intelligence Community in cyber warfare. She later started and sold 2 cybersecurity companies, then became a media personality synonymous with car and API hacking when she hacked 55 banks in less than a week, published vulnerabilities in Fast Healthcare Interoperability Resources (FHIR) APIs and mHealth apps, and demonstrated the ability to take remote control of law enforcement vehicles. Alissa sits on the boards of Brier & Thorn, Tego Cyber, Conceal, Traceable, NightDragon, Noname Security, Deepfence, Illusive, and BlastWave.
Knight is also the co-founder of commercial production house Knight Studios, part of the Knight Group owned by her and her wife, Melissa Knight, which is a holding group of a family of companies -- Knight Television, Knight Publishing, Knight Events, Knight Studios, and Knight Ink.
Transcript [en]

That's my presentation, thanks for coming. No, just kidding. Can you imagine if I did that? You just came for a bio. So I'm going to start out with a video. It's an oldie but goody.

[Video plays] "...becoming Cy... then we walk out of the shadows, quietly walk out of the dark." "What did you do, Tra?" "It was never supposed to be that many banks. The authentication and authorization vulnerabilities in the APIs were only in a handful of them. The problem is they outsourced the development, and the company reused that same code across 300 other banks." "What was I supposed to do?" "Okay, so we call everyone and explain what happened." "What do you think I'm doing? On October 26th, Money 20/20 invited me as their keynote speaker. I'll tell the world on stage how I hacked these banks, their APIs. It's time."

So this was a video that played at Money 20/20 that I created, where I hacked 55 banks in less than a week. The original target list of banks was only supposed to be 55, and it turned out that one of the banks outsourced the development for their APIs to a company that develops APIs and mobile apps for banks, and it turned out that they rinsed and reused that same vulnerable code across all 300 of their clients. So the 55-bank target list ended up becoming 355 banks that I hacked in less than 7 days.

So what I'm going to be talking about in today's keynote is the last 5 years of API hacking, which I'm calling Princess of Thieves. I think that did a pretty good bio for me, so there's really not much to say here other than, you know, yeah, I started hacking when I was 13. I was arrested for hacking into a government network at 17, and then the charges were dropped because the DA didn't want to touch the charges, because they interrogated me without my parents there. So I got off on a technicality; my guardian angel was with me that day. And then I went to go work for the US intelligence community in cyber warfare, supporting counterinsurgency operations in Afghanistan and Iraq, trained in CQC/CQB, first woman to go through private SERE training, a trained sniper, and traded in my keyboard for an M4. I then went on to start and sell two cybersecurity companies. I'm a published author; for those of you who are interested, my book is available on Amazon. I walk you through actually hacking connected cars, which I'm going to talk about today, where I was able to take remote control of any law enforcement vehicle on the road as long as you knew the VIN number. So I'll talk about that today. I'm also a Hollywood director and movie producer, and my wife Mel is here with me; she's my executive producer as well. So we've actually produced seven TV series now. We're in the process of starting a new feature film, and all of our stuff is cyber-genre entertainment. We actually own a coffee company as well, so yeah, that's weird. For those of you who are interested, you can buy our coffee on Amazon as well. We own multiple companies, including an events company where we put on annual cybersecurity conferences, Knight Studios, which is our Hollywood production company, our publishing company, as well as our coffee company, and we started a venture capital fund to invest in cybersecurity startups.

What I'm going to talk about today is pretty much all of the research that you guys and girls can all go and download today. These are all of the papers with the evidence and the screenshots of what I'm going to talk about. Because some of the findings, like hacking 55 banks in less than a week or hacking millions of patient records, sound so crazy and unbelievable, I've included screenshots in today's presentation. All those screenshots are in those papers; you can all download them for free. I think some of the vendors do gate it, so you might have to provide an email address; use a fake one, whatever, but you can go download them for free. So here's the interesting little tidbit that I found out about and wasn't told: two congressmen actually held that report, Playing with FHIR, up on Capitol Hill as a reason for why things need to change in healthcare cybersecurity. That actually affected public policy. So when it was released, the Office of Inspector General for Health and Human Services contacted me, because I was able to hack FHIR APIs, which gave me access to millions of patient records on millions of Americans. So I'm going to talk about that today, and if any of you are interested in getting more details, I would just refer to the white paper.

So this is my timeline of hacking APIs over the last 5 years. I first started out with hacking banks; I wanted to figure out if I could rob banks from my living room with my pajamas on. And then I moved on to mobile health APIs. During the pandemic there was a huge influx of mHealth apps where you could visit your doctor and talk to your doctor through your mobile phone. That sparked intrigue for me as a hacker, knowing that all of our patient data is out there on these APIs, and I wanted to know how well they were being secured. Then I moved on to hacking law enforcement vehicles. So this was interesting. I can't get into too many details on this, but basically a senior official with the intelligence committee contacted me. It turned out that the drug cartels were hacking into law enforcement vehicles to find out where they were being parked at night so they could kill the families of the law enforcement officers, and they wanted to figure out how they were doing it. So I worked with law enforcement for about a year, and I found out not only was it possible to do it without authentication or authorization, but you could also remotely lock and unlock the doors and remotely start and stop the engines of any FBI, NSA, DOD, cop, whatever law enforcement vehicle you wanted, as long as you knew the VIN. And we all know how top secret VIN numbers are. This is going to be a really interesting presentation; hopefully you had your coffee. I'm also going to go into my data on how I hacked cryptocurrency exchanges.

So pretty much everything in the world today is powered by APIs; it's the plumbing of pretty much everything. I'll try and demystify all this today for those of you who have no idea what an API is; I'm going to be explaining a lot of this in better detail. So this is my favorite analogy for an API: think of APIs as kind of like the electrical socket in your house, right? So it doesn't care what you plug into it; it'll provide you electricity as long as it can fit in those two little holes. You can plug it in and the power company will provide you electricity. This is pretty much how an API works. It really doesn't care what's at the other end that's requesting the data; it's going to serve it to you. Some people have heard the... sorry, can you get me some water? Thanks. I swear I don't have COVID, I just have a dry throat. Okay, so that's pretty much what an API is. It basically provides you all the data that you're requesting as an API client.

So I'm going to be talking about broken object level authorization today, or BOLA for those of you who are familiar with this. It used to be called IDOR, or insecure direct object reference. A lot of the vulnerabilities that I'm going to talk about today in hacking these banks, I did blur out, because they're still vulnerable. It's been 3 or 4 years now and some of the vendors have not fixed these vulnerabilities. So anyway, BOLA: I love the analogy for this that I came up with. The way BOLA works, the analogy is, if I were to pull my car up to a hotel, to a valet, right? I come up right behind a Ferrari and I'm in a Hyundai. I'm like, man, I sure would like to take home that Ferrari. I see that the valet gives the owner of that Ferrari the number 18, and then the valet gives me a ticket with the number 17. Thanks. And then I take that 17 back and I use a Sharpie and I change that 7 to an 8. That's basically an example of a BOLA vulnerability: I'm authenticated, I have a ticket, and I bring it back to the valet and I drive home that Ferrari, right? That Ferrari doesn't belong to me, but I'm producing a ticket that's got the number 18 on it. That's basically a BOLA vulnerability. I'm authenticated, I'm supposed to be there, I'm allowed to be there, I have a ticket, but that's not my Ferrari. All right, that's what a BOLA vulnerability is. In terms of OAuth tokens: I have a token, I've been issued a token, and the API is like, oh well, Alissa has been authenticated, she's got a token, so she's requesting data, let's give it to her. That's basically BOLA: I'm authenticated but I'm not authorized.

All right, let's talk about my kill chain. I'm going to have references to tools, which all of you can download for free today, that I use in hacking APIs. First I do reconnaissance; this is basically fuzzing and content discovery. You can use tools like Kiterunner and RESTler; those are my two favorites. You can go download those from GitHub; those are free. Vulnerability analysis: the most common that I use are BOLA, broken authentication, and mass assignment. Yes, there was an API that I logged into, and using my API client I found out that the API gave me all of the patient records in the database just by logging in. That's an example of mass assignment; I'll show you that later. But OWASP API Security Top 10: I am a contributor to the new OWASP API Security Top 10 2023 that just came out, so I contributed several vulnerabilities to that as well.

Okay, this is my process for hacking APIs. To me, hacking is nothing more than sending stimulus to an application that the developer didn't expect to receive. That's all hacking is. Okay, so given that definition, believe it or not, the first thing that I do when I'm hacking an API is I just use the app. I get a spreadsheet out and I click every button in the app and I document the request and the response. It gives me an idea of what the developer expected me to do with the app, right? If you think about it, it's kind of like social engineering the API; I'm trying to figure out how it works. So for those of you who want to take notes and learn "how do I hack APIs like Alissa Knight," that would be it: just use it. That's all you're really doing, is trying to figure out how it works. Once I figure out how it works, I will then modify or manipulate those requests using an API client. This is where I shut the mobile app down or the web app down and I send my own API requests using a free client. I like to use Postman; I use Burp Suite as well. Postman is a great API client. There's free ones; you don't have to go out there and buy anything. You don't have to go home and tweet "Alissa said I have to buy all this stuff." It's free, you can go download it. I basically just document all the API requests. I look for hardcoded URIs and tokens. There's a free tool that all of you can go download today called MobSF, or Mobile Security Framework. What it does is it allows you to actually drag and drop APK files, even iOS apps, into the UI, and it will actually take that APK file, or that package off of the Android device, and it will deconstruct it and reverse it back to the original source code, and you can actually see all the developer's notes, all the hardcoded usernames and passwords. Yes, that is still a thing. I swear to God, it is still 2023 and developers are still doing that. A lot of the screenshots you'll see today, believe it or not, will contain hardcoded usernames and passwords in the apps, hardcoded API secrets like keys and tokens. So that's definitely a process that I go through, making sure I actually look at the code, because a lot of the times I don't even really need to look for these, you know, super 31337 elite vulnerabilities; I can just go into the app and find hardcoded secrets in there.

When I'm targeting a web API, it's a little bit of a different process than using something like MobSF and looking at the mobile app, because it's a web API, right? So the neat thing about Burp Suite is it has a built-in Chromium browser where it'll actually channel all of the requests and the responses through Burp Suite, and I'm probably one of the laziest hackers you'll ever meet, so if I can save time I will do that. That's what I love about Burp Suite: you know, you don't have to mess with proxies, you don't have to change proxy configurations in your operating system, you can just use the Chromium built into Burp Suite and it shows you all the traffic. Now, what do I do once I capture those API requests and those responses? I paste them into a spreadsheet, and then I've got all the requests, and then I send them with my API client, trying to do something that the developer didn't expect to receive. You've heard the term man-in-the-middle attack; I don't like that term, I like to call it woman-in-the-middle attack. A lot of the attacks that you'll see that I ran today are woman-in-the-middle attacks. So it's basically where I'll sit there in the middle of the communication and listen. So I'll start the mobile app, I'll intercept the traffic using a tool like mitmproxy or Burp Suite, and I listen and I look at the requests and I forward them on, but I manipulate them in transit. Now some of you are like, "Alissa, that's not possible, it's encrypted, it's TLS." Well, if you send your own certificate to both sides of the conversation, you can decrypt it. So it really doesn't matter if it's TLS, it doesn't matter if it's encrypted; as long as you have the keys, you can decrypt that traffic, and it helps me understand how the API works.

Yes, I am an Ubuntu user. A lot of you are probably like, "Why don't you use Kali? That's so fast." I like to build my own systems. The thing about Kali... don't, I'm not hating on Kali. I actually love OffSec; I'm keynoting at their conference soon. But I love Kali. But here's the thing: I like to build my own boxes because I want to install the libraries, I want to know what versions of libraries are on there. I'm sure a lot of you know what happens when you install two different versions of a library on Linux. I just want to know what's there; I want to know that I'm the one who built it. So I also will use an Android tablet. Now some of you are like, "Alissa, how do you get those Android apps off that tablet?" There's a great tool in the Google Play Store called APK Extractor, and it will actually allow you to pull the Android app off of the Android device. So what did I do? I downloaded 55 mobile banking apps and cryptocurrency exchange apps onto my Android and I extracted them, and then I put them on my workstation for fun and profit. So that's all I did: APK Extractor, Burp Suite Pro (that's what I use; you can use the free Community Edition, I just bought it because I want to support PortSwigger), Postman, mitmproxy, and then Kiterunner.

Okay, you ready for the fun stuff? The screenshots. All right, so this is a real screenshot of all of the keys and tokens, of me trying to figure out how do you squish over 8,000 hardcoded keys and tokens for mobile apps into a PowerPoint. I have no idea; I'm still trying to figure that out. But you will see the keys and tokens here, you'll see some usernames and passwords, you'll see some Firebase fun stuff; for those of you who are familiar with Google Firebase, there's all kinds of fun goodies in there. And here's more. This, I know you guys and girls probably can't see, but basically this is what I do: I just open up Excel and I copy and paste all of my findings into an Excel spreadsheet, keys, tokens, all of the requests, so I can document. That's the biggest recommendation I can give all of you, if any of you are pentesters, is that... Corey, what's up man? What's up, boy? That's my man, thanks for coming. So yeah, I mean, that's the best advice I can give any of you who are pentesters: document everything as you go, right? I'm 45. Yeah, this is purple hair dye; this is all gray. I'm old, my memory isn't what it used to be, so I just document everything because I can't remember what I did. I'll even store screenshots in the cells. Like, you know, "Oh, we need to go buy this really expensive pentesting documentation app," and not just Excel.

This is a fun one. So during Christmas a bank asked me to try and hack their APIs. I did, and I was able to change the PIN code of any bank customer in the entire bank for their ATM debit card and transfer money in and out of accounts using the APIs. This is a screenshot of that, where you can see I'm specifying the card number and I can specify any PIN code I want. The neat thing about this was I didn't even need to be authenticated. Originally I was authenticated, because I got my hands on an actual authentication credential, but I ended up commenting it out and just sending the API request, and the API was executing it. You wouldn't believe it's 2023 and I can still communicate with APIs without even authenticating, as long as you know the correct syntax of the API request that it's expecting. A lot of these APIs that you'll see today executed them; several of them cryptocurrency exchanges, one of which, I'm sure you can use your imagination, I won't mention the name of; it doesn't exist anymore. I swear to God that wasn't me. So yeah, why ransom someone? You can just take the Bitcoin yourself.

So all right, here's the fun thing. This is the first time I'm presenting these particular slides. I'm pretty sure they fixed a lot of these; the last time I checked they were fixed except one or two of them. But the automaker is Ford. So this is the first time I'm talking about this research. This affected every Ford on the road. So as long as you knew... I picked on law enforcement just because it was sexier and cooler than just to say, you know, Ford. But you know, if you get arrested and you're in the back seat and you need me to unlock the car door because you want to jump out, just give me a call; make me your first call. This affected every single law enforcement vehicle in the United States. Pretty much every law enforcement agency, including the intelligence community, uses Ford. Ford is a big supplier of vehicles for fleets in law enforcement. So this affected Secret Service, this affected, you know, God, when I presented these findings pretty much every three-letter agency was in the audience. This is every single API request for controlling Fords through their APIs. So what happened was I was able to add any car, any Ford, to my virtual garage. This is the API request to do that, including being able to approve the request on behalf of the driver. Since I know Corey's here, I'll pick on him. So let's say I find out that Corey's got a Ford. What I found out with their APIs was that I could add Corey's Ford to my virtual garage in the Ford mobile app through the API, and then I could approve it on behalf of Corey. It was the weirdest thing. I mean, I kid you not, I probably spent a year and a half just understanding all of the intricacies of the API. So I could send the requests on behalf of Corey and then I could also approve it on behalf of Corey. Obviously the security there is that Corey should be the one to approve it, not me. But once I added his car to my virtual garage, I could then start the engine, stop the engine, and this could be done anywhere. And I have a video that I've made that I'm going to show you, but it's super cool. So this is a screenshot of another bank... oh, I'm sorry, is this... sorry, this is the cars. So yeah, I found out... I couldn't figure out how to unlock the doors; you could use the PUT command using this string that you see in the screenshot and
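The two API weaknesses the talk keeps returning to, broken object level authorization (the valet-ticket analogy: ticket 17 is valid, car 18 is not yours) and mass assignment (the patient-records case), shown as an added Python example. This is not the speaker's code or any of the affected vendors' code; the session table, card records and function names are constructed for illustration. Each vulnerable handler sits beside the hardened form: the BOLA fix checks that the requested object belongs to the authenticated subject, and the mass-assignment fix binds only an allowlist of client-settable fields.

```python
"""BOLA (IDOR) and mass assignment, vulnerable and fixed, side by side.

Added example; the data below is constructed and stands in for a bank API's
session store and card table. The valet analogy maps directly: a session
token proves the caller *has a ticket* (authentication); only the ownership
check proves the ticket is for *this* car (object-level authorization).
"""
from dataclasses import dataclass

# Constructed sample data: bearer token -> subject id (the "ticket").
SESSIONS = {"tok-hyundai": "cust-17", "tok-ferrari": "cust-18"}


@dataclass
class Card:
    card_id: str
    owner: str
    pin: str
    balance: int = 0


# Constructed sample data: two customers, one debit card each.
CARDS = {
    "card-17": Card("card-17", "cust-17", "1111", 100),
    "card-18": Card("card-18", "cust-18", "2222", 1_000_000),
}


class Unauthorized(Exception):
    """No valid session at all (no ticket)."""


class Forbidden(Exception):
    """Valid session, but not allowed to touch this object (wrong ticket)."""


def authenticate(token):
    """Authentication only: was this ticket issued by the valet?"""
    try:
        return SESSIONS[token]
    except KeyError:
        raise Unauthorized("no valid session") from None


def get_card_vulnerable(token, card_id):
    """BOLA: any authenticated caller can read any card just by naming its id."""
    authenticate(token)          # ticket exists, so hand over whichever car is asked for
    return CARDS[card_id]


def get_card_fixed(token, card_id):
    """Object-level authorization: the object must belong to the caller."""
    subject = authenticate(token)
    card = CARDS.get(card_id)
    # Same error for "does not exist" and "not yours", so ids cannot be enumerated.
    if card is None or card.owner != subject:
        raise Forbidden("card not found")
    return card


def update_card_vulnerable(token, card_id, body):
    """Mass assignment: every field in the request body is bound onto the model."""
    card = get_card_fixed(token, card_id)   # authorization is right; field binding is not
    for key, value in body.items():
        setattr(card, key, value)           # 'balance' or 'owner' from the client go straight in
    return card


CLIENT_SETTABLE = {"pin"}  # the only field a customer may change on their own card


def update_card_fixed(token, card_id, body):
    """Allowlist binding: unexpected fields are rejected instead of silently written."""
    card = get_card_fixed(token, card_id)
    unexpected = set(body) - CLIENT_SETTABLE
    if unexpected:
        raise Forbidden(f"fields not settable by client: {sorted(unexpected)}")
    for key in CLIENT_SETTABLE & set(body):
        setattr(card, key, body[key])
    return card


def is_denied(handler, *args):
    """True if the handler refuses the request (used to check the hardened paths)."""
    try:
        handler(*args)
    except (Unauthorized, Forbidden):
        return True
    return False


def demo():
    """The Hyundai owner's token asks for the Ferrari's card through both handlers."""
    return {
        "vuln_read": get_card_vulnerable("tok-hyundai", "card-18").owner,  # leaks cust-18
        "fixed_read": "denied" if is_denied(get_card_fixed, "tok-hyundai", "card-18") else "allowed",
    }


if __name__ == "__main__":
    print(demo())
```

The design point is where the check lives: authorization has to be evaluated per object on every request, against the subject the token actually names, not inferred from the fact that a token was presented. The hardened read also returns one indistinguishable error for "missing" and "not yours", which removes the oracle that makes sequential ids cheap to sweep.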