
The Definition of Irony - Blackhat 2018 Attendee Info Leaked

rcmaehl

Sources:
Bleeping Computer
Original Pentest Post
 

TL;DR:

Blackhat 2018 badges had an NFC chip embedded that accessed an insecure API containing Addresses, Phone Numbers, and tons of other Personal Information on Attendees.

 


 

Quotes/Excerpts:

Quote

Full contact information of everyone attending the BlackHat security conference this year has been exposed in clear text... name, email, company, and phone number. The BlackHat 2018 conference badge came embedded with an NFC. ...That stored the contact details... for vendors to scan for marketing purposes. A security expert... noticed that scanning his badge with an NFC chip reader he could see his real full name in clear text. However, his email address and other information were not available this way. The reader pointed the user to the BCard app. He found out that BCard created a custom URL...I simply guessed that those values corresponded to the eventID and badgeID... To my surprise, I was able to pull my attendee data completely unauthenticated. These details are sufficient to carry out a brute-force attack that collects the contact details of all BlackHat attendees. With an estimated 18,000 BlackHat attendees. The researcher was able to contact the BCard maker.... which was fixed in less than 24 hours by disabling the leaky API because it was a legacy system.

Quote

BlackHat is one of the world’s largest cybersecurity events which takes place ...in Las Vegas every summer. Those who have attended BlackHat may have noticed that their badge contains an NFC tag. ...So vendors can collect their marketing data. One thing I was not aware of initially was what data was actually contained. I was getting frustrated with my badge and lanyard making noise around my neck in training. Later I set my phone on top of it and saw a notification to read the NFC tag. I downloaded a tag reader app, looked at the data stored on my tag. I had a few questions: how are vendors getting my email address? I decided to revisit this. I used the tool Jadx to decompile the APK. You can see that a URL is constructed using a badgeID, and eventID value. Looking in the code below we can see how those values are constructed. I simply guessed that those values. To my surprise, I was able to pull my attendee data completely unauthenticated over this API. The rate at which we were able to brute force the API would mean that we could successfully collect all BlackHat 2018 registered attendees’ names, email addresses, company names, phone numbers, and addresses in only approximately 6 hours.

 

My Thoughts:

Just like you shouldn't be bringing any technology (including credit/gift cards) you want hacked, it appears you definitely shouldn't be using any technology provided by the event. All I can really say is:

 

Image result for ironic meme

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor
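The excerpts quoted above describe the weakness in two sentences: attendee records were fetched by a URL built from an eventID and a badgeID, both small guessable integers, with no authentication, so the whole list could be walked. The following is an added example, not code from the Bleeping Computer article, the original pentest post, or the BCard app. It models that weak lookup beside a hardened one (a per-badge HMAC token written to the badge instead of bare IDs, plus a vendor credential, compared in constant time) and adds a simple access-log check a defender could run to flag sequential-ID enumeration. Every record, key, IP address, URL path and log line in it is constructed for the example.

```python
"""Added example, not code from the Bleeping Computer article, the original
pentest post, or the BCard app.  Models the weak pattern the quoted excerpts
describe (attendee record fetched by two guessable integers, no auth) beside
a hardened lookup, and a log check for ID enumeration.  All records, keys,
IPs, paths and log lines are constructed for the example."""
import hashlib
import hmac
from collections import defaultdict

# Constructed attendee records keyed by (eventID, badgeID).
ATTENDEES = {
    (1, 1001): {"name": "Attendee A", "email": "a@example.invalid"},
    (1, 1002): {"name": "Attendee B", "email": "b@example.invalid"},
}

# Constructed vendor credentials; a real deployment would store hashes.
VENDOR_KEYS = {"vendor-key-constructed": "Example Vendor"}


def lookup_insecure(event_id, badge_id):
    """The weak pattern: small sequential IDs and no caller authentication,
    so anyone who can count can walk the whole attendee list."""
    return ATTENDEES.get((event_id, badge_id))


def issue_badge_token(event_id, badge_id, server_secret):
    """Derive the value written to a badge: an HMAC-SHA256 of the IDs under a
    server secret, so knowing or guessing the IDs alone yields nothing."""
    msg = f"{event_id}:{badge_id}".encode()
    return hmac.new(server_secret, msg, hashlib.sha256).hexdigest()


def lookup_hardened(event_id, badge_id, token, vendor_key, server_secret):
    """Hardened lookup: the caller must present a known vendor credential and
    the badge token that was physically scanned; constant-time comparison."""
    if vendor_key not in VENDOR_KEYS:
        return None
    expected = issue_badge_token(event_id, badge_id, server_secret)
    if not hmac.compare_digest(expected, token):
        return None
    return ATTENDEES.get((event_id, badge_id))


def detect_enumeration(log_lines, max_distinct=20, max_run=5):
    """Flag clients that request many distinct badge IDs or a run of
    consecutive ones.  Lines are '<client_ip> <request_path>' with the path
    ending in the badge ID, e.g. /api/event/1/badge/1001 (constructed format)."""
    per_client = defaultdict(set)
    for line in log_lines:
        ip, path = line.split(" ", 1)
        per_client[ip].add(int(path.rstrip("/").rsplit("/", 1)[-1]))
    flagged = {}
    for ip, ids in per_client.items():
        ordered = sorted(ids)
        longest = run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if len(ids) > max_distinct or longest >= max_run:
            flagged[ip] = {"distinct": len(ids), "longest_run": longest}
    return flagged


# Constructed access log: one vendor scanning a few badges at a booth and
# one client walking consecutive IDs.
SAMPLE_LOG = (
    ["203.0.113.5 /api/event/1/badge/1001",
     "203.0.113.5 /api/event/1/badge/1007",
     "203.0.113.5 /api/event/1/badge/1042"]
    + [f"198.51.100.7 /api/event/1/badge/{i}" for i in range(1001, 1013)]
)

if __name__ == "__main__":
    secret = b"constructed-server-secret"
    tok = issue_badge_token(1, 1001, secret)
    print("insecure:", lookup_insecure(1, 1001))
    print("hardened, valid:", lookup_hardened(1, 1001, tok, "vendor-key-constructed", secret))
    print("hardened, unknown vendor:", lookup_hardened(1, 1001, tok, "nope", secret))
    print("flagged clients:", detect_enumeration(SAMPLE_LOG))
```

The hardened lookup changes what a scan has to carry: the tag stores a token that cannot be derived without the server secret, and the API refuses callers that lack a vendor credential, so guessing IDs no longer returns records. The log check is the compensating detection for an API like the legacy one described, where a single client touching a long run of consecutive badge IDs is the signal worth alerting on.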


 

Just now, mynameisjuan said:

Many places have that much info stored from you. Your info isn't as confidential as you think it is.

I know but it's surprising seeing it laid out so clearly like that 

Irish in Vancouver, what's new?

 

1 hour ago, ElfFriend said:

I can't wait for one of the talks at Blackhat 2018 to be titled something along the lines of "So, we hacked Blackhat 2018 and leaked the attendee info"

I don't think hacked information from a hacker conference is ironic. If it was a product launch dinner for event organization software that was supposed to be uncompromisable, then that would be ironic.

Grammar and spelling are not indicative of intelligence/knowledge. Not having the same opinion does not always mean lack of understanding.

They probably planned this for a wee giggle

Hmmm...I wonder what @The Blackhat has to say about this...

Sorry for the mess!  My laptop just went ROG!

"THE ROGUE":  ASUS ROG Zephyrus G15 GA503QR (2021)

  • Ryzen 9 5900HS
  • RTX 3070 Laptop GPU (80W)
  • 24GB DDR4-3200 (8+16)
  • 2TB SK Hynix NVMe (boot) + 2TB Crucial P2 NVMe (games)
  • 90Wh battery + 200W power brick
  • 15.6" 1440p 165Hz IPS Pantone display
  • Logitech G603 mouse + Logitech G733 headset

"Hex": Dell G7 7588 (2018)

  • i7-8750H
  • GTX 1060 Max-Q
  • 16GB DDR4-2666
  • 1TB SK Hynix NVMe (boot) + 2TB Crucial MX500 SATA (games)
  • 56Wh battery + 180W power brick
  • 15.6" 1080p 60Hz IPS display
  • Corsair Harpoon Wireless mouse + Corsair HS70 headset

"Mishiimin": Apple iMac 5K 27" (2017)

  • i7-7700K
  • Radeon Pro 580 8GB (basically a desktop R9 390)
  • 16GB DDR4-2400
  • 2TB SSHD
  • 400W power supply (I think?)
  • 27" 5K 75Hz Retina display
  • Logitech G213 keyboard + Logitech G203 Prodigy mouse

Other tech: Apple iPhone 14 Pro Max 256GB in White, Sennheiser PXC 550-II, Razer Hammerhead earbuds, JBL Tune Flex earbuds, OontZ Angle 3 Ultra, Raspberry Pi 400, Logitech M510 mouse, Redragon S113 keyboard & mouse, Cherry MX Silent Red keyboard, Cooler Master Devastator II keyboard (not in use), Sennheiser HD4.40BT (not in use)

Retired tech: Apple iPhone XR 256GB in Product(RED), Apple iPhone SE 64GB in Space Grey (2016), iPod Nano 7th Gen in Product(RED), Logitech G533 headset, Logitech G930 headset, Apple AirPods Gen 2 and Gen 3

Trash bin (do not buy): Logitech G935 headset, Logitech G933 headset, Cooler Master Devastator II mouse, Razer Atheris mouse, Chinese off-brand earbuds, anything made by Skullcandy

They do something like this every year. At one point they had a wall of shame, which showcased photos and information of people attending who were stupid enough to connect to the convention's "free wifi".

🌲🌲🌲

◒ ◒

@Techstorm970 all I can say is I’m glad I opted not to attend this year xD 

Black Lightning
Intel Core i5-3570K @ 4.7 ghz

Asrock Z77 Extreme4-M
2x8 GB 1600 MHz Crucial Ballistix Sport
MSI R9 290X Lightning
Corsair Crystal 280X Black RGB
240 GB Revodrive 3, 64 GB Sandisk SSD

EVGA Supernova 1200 P2
Noctua NH-C14S

People who go there give real credentials?

System specs:

4790k

GTX 1050

16GB DDR3

Samsung evo SSD

a few HDD's

On 8/22/2018 at 7:43 AM, rcmaehl said:

My Thoughts:

Just like you shouldn't be bringing any technology (including credit/gift cards) you want hacked, it appears you definitely shouldn't be using any technology provided by the event. All I can really say is:

 

Image result for ironic meme

I think you don't understand irony. Going to a convention about finding exploits that expose data and someone there finding an exploit that exposes data is, literally, the exact opposite of irony.

 

The definition of irony is "a state of affairs or an event that seems deliberately contrary to what one expects and is often amusing as a result."

 

You calling this irony despite its aptness is "The Definition of Irony".

@combine1237 yeah, they can heat up a small room pretty damn fast, so I moved it out into the open area of the house next to an AC unit. We now have a PC in our dining room, which is open to the living room and kitchen, but hey, we also have a whole-house heater when winter comes around.

7 hours ago, Sniperfox47 said:

I think you don't understand irony. Going to a convention about finding exploits that expose data and someone there finding an exploit that exposes data is, literally, the exact opposite of irony.

 

The definition of irony is "a state of affairs or an event that seems deliberately contrary to what one expects and is often amusing as a result."

 

You calling this irony despite its aptness is "The Definition of Irony".

It's ironic because a convention revolving around cybersecurity had poor cybersecurity. 
