
BSides Edmonton 2023 Keynote: Alissa Knight

BSides Edmonton · 2023 · 37:38 · 68 views · Published 2023-10
Style: Keynote

About this talk
BSides Edmonton, September 2023. BSides Edmonton 2023 Keynote: Alissa Knight. September 25, 2023 at 9:15 a.m. Speaker: Alissa Knight.

Alissa Knight is a business magnate, American author, screenwriter, film director and producer. In 2020, Alissa formed Knight Group with her wife, Melissa Knight, which today controls 5 companies in publishing, marketing, events, and film production, as well as a television and streaming service owned and operated by the Media and Entertainment Distribution division of Knight Studios. Best known for her "Mr. Robot"-style cybercrime franchises, Alissa's cinematography and visuals were undoubtedly influenced by her early years as a computer hacker, prior to her arrest. Some of the television series she is best known for writing, producing, and directing include Dark Ops (2023), Cloud Wars (2023), Ransom (2022), HEAT (2022), Scorched Earth (2022), and Underdog Games (2022). Alissa became a published author in 2019 with the release of her bestselling book Hacking Connected Cars (Wiley, 2019). Prior to her career as a film director and producer, Knight was a reformed black hat computer hacker who was arrested at 17 years old and later went on to work for the U.S. Intelligence Community in cyber warfare. She later started and sold 2 cybersecurity companies, then became a media personality synonymous with car and API hacking when she hacked 55 banks in less than a week, published vulnerabilities in Fast Healthcare Interoperability Resources (FHIR) APIs and mHealth apps, and demonstrated the ability to take remote control of law enforcement vehicles. Alissa sits on the boards of Brier & Thorn, Tego Cyber, Conceal, Traceable, NightDragon, Noname Security, Deepfence, Illusive, and BlastWave.

Knight is also the co-founder of commercial production house Knight Studios, part of the Knight Group owned by her and her wife, Melissa Knight, which is a holding group of a family of companies: Knight Television, Knight Publishing, Knight Events, Knight Studios, and Knight Ink.

Transcript [en]

That's my presentation, thanks for coming. No, just kidding. Can you imagine if I did that? You just came for a bio. So I'm going to start out with a video. It's an oldie but a goodie.

[Video] "...becoming Cy... then we walk out of the shadows, quietly walk out of the dark. What did you do, Tra? It was never supposed to be that many banks. The authentication and authorization vulnerabilities in the APIs were only in a handful of them. The problem is they outsourced the development, and the company reused that same code across 300 other banks. What was I supposed to do? Okay, so we call everyone and explain what happened. What do you think I'm doing? On October 26th, Money 20/20 invited me as their keynote speaker. I'll tell the world on stage how I hacked these banks, their APIs. It's time."

So this was a video that played at Money 20/20 that I created, where I hacked 55 banks in less than a week. The original target list of banks was only supposed to be 55, and it turned out that one of the banks outsourced the development for their APIs to a company that develops APIs and mobile apps for banks, and it turned out that they rinsed and reused that same vulnerable code across all 300 of their clients. So the 55-bank target list ended up becoming 355 banks that I hacked in less than 7 days. So what I'm going to be talking about in today's keynote is the last 5 years of API hacking, which I'm calling Princess of Thieves.

I think that was a pretty good bio for me, so there's really not much to say here, other than, you know, yeah, I started hacking when I was 13. I was arrested for hacking into a government network at 17, and then the charges were dropped because the DA didn't want to touch the charges, because they interrogated me without my parents there. So I got off on a technicality. My guardian angel was with me that day. And then I went to go work for the US intelligence community in cyber warfare, supporting counterinsurgency operations in Afghanistan and Iraq. Trained in CQC, CQB, first woman to go through private SERE training, and a trained sniper, and traded in my keyboard for an M4. I then went on to start and sell two cybersecurity companies. I'm a published author; for those of you who are interested, my book is available on Amazon. I walk you through actually hacking connected cars, which I'm going to talk about today, where I was able to take remote control of any law enforcement vehicle on the road as long as you knew the VIN number. So I'll talk about that today. I'm also a Hollywood director and movie producer, and my wife Mel is here with me; she's my executive producer as well. So we've actually produced seven TV series now. We're in the process of starting a new feature film, and all of our stuff is cyber-genre entertainment. We actually own a coffee company as well, so yeah, that's weird. For those of you who are interested, you can buy our coffee on Amazon as well. We own multiple companies, including an events company where we put on annual cybersecurity conferences, Knight Studios, which is our Hollywood production company, our publishing company, as well as our coffee company, and we started a venture capital fund to invest in cybersecurity startups.

What I'm going to talk about today is pretty much all of the research that you guys and girls can all go and download today. These are all of the papers with the evidence and the screenshots of what I'm going to talk about. Because some of the findings, like hacking 55 banks in less than a week or hacking millions of patient records, sound so crazy and unbelievable, I've included screenshots in today's presentation. All those screenshots are in those papers; you can all download them for free. I think some of the vendors do gate it, so you might have to provide an email address. Use a fake one, whatever. But you can go download them for free.

So here's the interesting little tidbit that I found out about and wasn't told: two congressmen actually held that report, Playing with FHIR, up on Capitol Hill as a reason for why things need to change in healthcare cybersecurity. That actually affected public policy. So when it was released, the Office of Inspector General for Health and Human Services contacted me, because I was able to hack FHIR APIs, which gave me access to millions of patient records on millions of Americans. So I'm going to talk about that today, and if any of you are interested in getting more details, I would just refer to the white paper.

So this is my timeline of hacking APIs. Over the last 5 years, I first started out with hacking banks. I wanted to figure out if I could rob banks from my living room with my pajamas on. And then I moved on to mobile health APIs. During the pandemic there was a huge influx of mHealth apps where you could visit your doctor and talk to your doctor through your mobile phone. That sparked intrigue for me as a hacker, knowing that all of our patient data is out there on these APIs, and I wanted to know how well they were being secured. Then I moved on to hacking law enforcement vehicles. So this was interesting. I can't get into too many details on this, but basically a senior official with the intelligence committee contacted me. It turned out that the drug cartels were hacking into law enforcement vehicles to find out where they were being parked at night so they could kill the families of the law enforcement officers, and they wanted to figure out how they were doing it. So I worked with law enforcement for about a year, and I found out not only was it possible to do it without authentication or authorization, but you could also remotely lock and unlock the doors and remotely start and stop the engines of any FBI, NSA, DOD, cop, whatever law enforcement vehicle you wanted, as long as you knew the VIN. And we all know how top secret VIN numbers are. This is going to be a really interesting presentation; hopefully you had your coffee. I'm also going to go into my data on how I hacked cryptocurrency exchanges.

So pretty much everything in the world today is powered by APIs. It's the plumbing of pretty much everything. I'll try and demystify all this for those of you who have no idea what an API is; I'm going to be explaining a lot of this in better detail. So this is my favorite analogy for an API: think of APIs as kind of like the electrical socket in your house, right? It doesn't care what you plug into it; it'll provide you electricity as long as it can fit in those two little holes. You can plug it in and the power company will provide you electricity. This is pretty much how an API works. It really doesn't care what's at the other end that's requesting the data; it's going to serve it to you. Some people have heard the... sorry, can you get me some water? Thanks. I swear I don't have COVID, I've just got a dry throat. Okay, so that's pretty much what an API is. It basically provides you all the data that you're requesting as an API client.

So I'm going to be talking about broken object level authorization today, or BOLA for those of you who are familiar with this. It used to be called IDOR, or insecure direct object reference. A lot of the vulnerabilities that I'm going to talk about today in hacking these banks, I did blur out, because they're still vulnerable. It's been three or four years now, and some of the vendors have not fixed these vulnerabilities. So anyway, BOLA. I love the analogy for this that I came up with. The way BOLA works, the analogy is: if I were to pull my car up to a hotel valet, right, I come up right behind a Ferrari and I'm in a Hyundai. I'm like, man, I sure would like to take home that Ferrari. I see that the valet gives the owner of that Ferrari the number 18, and then the valet gives me a ticket with the number 17. Thanks. And then I take that 17 back and I use a Sharpie and I change that 7 to an 8. That's basically an example of a BOLA vulnerability: I'm authenticated, I have a ticket, and I bring it back to the valet and I drive home that Ferrari, right? That Ferrari doesn't belong to me, but I'm producing a ticket that's got the number 18 on it. That's basically a BOLA vulnerability. I'm authenticated, I'm supposed to be there, I'm allowed to be there, I have a ticket, but that's not my Ferrari. All right, that's what a BOLA vulnerability is. In terms of OAuth tokens: I have a token, I've been issued a token, the API is like, oh well, Alissa has been authenticated, she's got a token, so she's requesting data, let's give it to her. That's basically BOLA: I'm authenticated, but I'm not authorized.

All right, let's talk about my kill chain. So I'm going to have references to tools that all of you can download for free today that I use in hacking APIs. So first I do reconnaissance; this is basically fuzzing and content discovery. You can use tools like Kiterunner and RESTler; those are my two favorites. You can go download those from GitHub; those are free. Vulnerability analysis: the most common that I use are BOLA, broken authentication, and mass assignment. Yes, there was an API that I logged into, and using my API client I found out that the API gave me all of the patient records in the database just by logging in. That's an example of mass assignment; I'll show you that later. The OWASP API Security Top 10: I am a contributor to the new OWASP API Security Top 10 2023 that just came out, so I contributed several vulnerabilities to that as well.

Okay, this is my process for hacking APIs. To me, hacking is nothing more than sending stimulus to an application that the developer didn't expect to receive. That's all hacking is, okay? So given that definition, believe it or not, the first thing that I do when I'm hacking an API is I just use the app. I get a spreadsheet out and I click every button in the app and I document the request and the response. It gives me an idea of what the developer expected me to do with the app, right? If you think about it, it's kind of like social engineering the API; I'm trying to figure out how it works. So for those of you who want to take notes and learn how do I hack APIs like Alissa Knight, that would be it: just use it. Like, use it. That's all you're really doing, is trying to figure out how it works. Once I figure out how it works, I will then modify or manipulate those requests using an API client. This is where I shut the mobile app down or the web app down and I send my own API requests using a free client. I like to use Postman; I use Burp Suite as well. Postman is a great API client. There's free ones; you don't have to go out there and buy anything. You don't have to go home and tweet, "Alissa said I have to buy all this stuff." It's free; you can go download it. I basically just document all the API requests. I look for hardcoded URIs and tokens. There's a free tool that all of you can go download today called MobSF, or Mobile Security Framework. What it does is it allows you to actually drag and drop APK files, even iOS apps, into the UI, and it will actually take that APK file or that package off of the Android device and it will deconstruct it and reverse it back to the original source code, and you can actually see all the developer's notes, all the hardcoded usernames and passwords. Yes, that is still a thing. I swear to God, it is still 2023 and developers are still doing that. A lot of the screenshots you'll see today, believe it or not, will contain hardcoded usernames and passwords in the apps, hardcoded API secrets like keys and tokens. So that's definitely a process that I go through, is making sure I actually look at the code, because a lot of the time I don't even really need to look for these, you know, super 31337 elite vulnerabilities. I can just go into the app and find hardcoded secrets in there.

When I'm targeting a web API, it's a little bit of a different process than using MobSF and looking at the mobile app, because it's a web API, right? So the neat thing about Burp Suite is it has a built-in Chromium browser where it'll actually channel all of the requests and the responses through Burp Suite. I'm probably one of the laziest hackers you'll ever meet, so if I can save time, I will do that. That's what I love about Burp Suite: you don't have to mess with proxies, you don't have to change proxy configurations in your operating system. You can just use the Chromium built into Burp Suite and it shows you all the traffic. Now what do I do once I capture those API requests and those responses? I paste them into a spreadsheet, and then I've got all the requests, and then I send them with my API client, trying to do something that the developer didn't expect to receive. You've heard the term man-in-the-middle attack. I don't like that term; I like to call it a woman-in-the-middle attack. A lot of the attacks that you'll see that I ran today are woman-in-the-middle attacks. It's basically where I'll sit there in the middle of the communication and listen. So I'll start the mobile app, I'll intercept the traffic using a tool like mitmproxy or Burp Suite, and I listen and I look at the requests and I forward them on, but I manipulate them in transit. Now some of you are like, "Alissa, that's not possible, it's encrypted, it's TLS." Well, if you send your own certificate to both sides of the conversation, you can decrypt it. So it really doesn't matter if it's TLS; it doesn't matter if it's encrypted, as long as you have the keys you can decrypt that traffic, and it helps me understand how the API works.

Yes, I am an Ubuntu user. A lot of you are probably like, why don't you use Kali? That's so fast. I like to build my own systems. The thing about Kali... don't, I'm not hating on Kali. I actually love OffSec; I'm keynoting at their conference soon. But I love Kali. Here's the thing: I like to build my own boxes because I want to install the libraries. I want to know what versions of libraries are on there. I'm sure a lot of you know what happens when you install two different versions of a library on Linux. I just want to know what's there; I want to know that I'm the one who built it. So I also will use an Android tablet. Now some of you are like, "Alissa, how do you get those Android apps off that tablet?" There's a great tool in the Google Play store called APK Extractor, and it will actually allow you to pull the Android app off of the Android device. So what did I do? I downloaded 55 mobile banking apps and cryptocurrency exchange apps onto my Android and I extracted them, and then I put them on my workstation for fun and profit. So that's all I did: APK Extractor, Burp Suite Pro, that's what I use. You can use the free Community Edition; I just bought it because I want to support PortSwigger. Postman, mitmproxy, and then Kiterunner.

Okay, you ready for the fun stuff? The screenshots. All right, so this is a real screenshot of all of the keys and tokens, of me trying to figure out how do you squish over 8,000 hardcoded keys and tokens from mobile apps into a PowerPoint. I have no idea; I'm still trying to figure that out. But you will see the keys and tokens here, you'll see some usernames and passwords, you'll see some Firebase fun stuff. For those of you who are familiar with Google Firebase, there's all kinds of fun goodies in there. And here's more. This, I know you guys and girls probably can't see, but basically this is what I do: I just open up Excel and I copy and paste all of my findings into an Excel spreadsheet. Keys, tokens, all of the requests, so I can document. That's the biggest recommendation I can give all of you, if any of you are pentesters. Is that Corey? What's up, man? What's up, boy? That's my man. Thanks for coming. So, yeah, I mean, that's the best advice I can give any of you who are pentesters: document everything as you go, right? I'm 45. Yeah, this is purple hair dye; this is all gray. I'm old; my memory isn't what it used to be. So I just document everything, because I can't remember what I did. It also lets me... I'll even store screenshots in the cells. Like, you know, "Oh wait, we need to go buy this really expensive pen testing documentation app," and not just Excel.

This is a fun one. So during Christmas, a bank asked me to try and hack their APIs. I did, and I was able to change the PIN code of any bank customer in the entire bank for their ATM debit card, and transfer money in and out of accounts using the APIs. This is a screenshot of that, where you can see I'm specifying the card number and I can specify any PIN code I want. The neat thing about this was, I didn't even need to be authenticated. Originally I was authenticated, because I got my hands on an actual authentication credential, but I ended up commenting it out and just sending the API request, and the API was executing it. You wouldn't believe it's 2023 and I can still communicate with APIs without even authenticating, and as long as you know the correct syntax of the API request that it's expecting, a lot of these APIs that you'll see today executed them. Several of them were cryptocurrency exchanges, one of which, I'm sure you can use your imagination, I won't mention the name of it, doesn't exist anymore. I swear to God, that wasn't me. So, yeah, why ransom someone? You can just take the Bitcoin yourself.

So all right, here's the fun thing. This is the first time I'm presenting these particular slides. I'm pretty sure they fixed a lot of these; the last time I checked, they were fixed except one or two of them. But the automaker is Ford. So this is the first time I'm talking about this research. This affected every Ford on the road, so as long as you knew... I picked on law enforcement just because it was sexier and cooler than just to say, you know, Ford. But you know, if you get arrested and you're in the back seat and you need me to unlock the car door because you want to jump out, just give me a call and make me your first call. This affected every single law enforcement vehicle in the United States. Pretty much every law enforcement agency, including the intelligence community, uses Ford. Ford is a big supplier of vehicles for fleets in law enforcement. So this affected the Secret Service; this affected, you know, God, when I presented these findings, pretty much every three-letter agency was in the audience.

This is every single API request for controlling Fords through their APIs. So what happened was, I was able to add any car, any Ford, to my virtual garage. This is the API request to do that, including being able to approve the request on behalf of the driver. Since I know Corey's here, I'll pick on him. So let's say I find out that Corey's got a Ford. What I found out with their APIs was that I could add Corey's Ford to my virtual garage in the Ford mobile app through the API, and then I could approve it on behalf of Corey. It was the weirdest thing. I mean this, I kid you not: I probably spent a year and a half just understanding all of the intricacies of the API. So I could send the request on behalf of Corey and then I could also approve it on behalf of Corey. Obviously the security there is that Corey should be the one to approve it, not me. But once I added his car to my virtual garage, I could then start the engine, stop the engine, and this could be done anywhere. And I have a video that I've made that I'm going to show you, but it's super cool.

So this is a screenshot of another bank... oh, I'm sorry, is this... sorry, this is the cars. So, yeah, I found out... I couldn't figure out how to unlock the doors. You could use the PUT command using this string that you see in the screenshot, and I couldn't figure out how to unlock the doors, and then I figured out that it was using the DELETE verb. So if you change PUT to DELETE and delete the lock API request, it then unlocked the doors. And this was any VIN. I actually, I won't admit this outside of this room, but in the United States we have these used car websites where they actually give you the VIN on the website. So I went to the website and I grabbed one of the VINs off of a used car from that used car lot and I plugged it into the API to see if it would work, and it worked. So it was any Ford, no matter where it was in the world, as long as it was communicating with APIs on Ford's back end.

This is another... this was where the really dangerous stuff came in. As long as you knew a VIN number, you didn't even need to supply any authentication credentials. So what happened was I found out how the cartels were finding out where these cars were being parked at night. You could actually get GPS and previous trip data for that particular VIN from the APIs to find out where the cars were parked, where they'd been, all without authentication. You could just send these API requests and get this data from the cars, including identifying whether or not the car was a police vehicle. In this particular screenshot you can see I remotely... and for those of you who aren't aware, an HTTP 200 response means success. So this is me sending a door lock command to lock the vehicle, and then you can see the API responded with the 200 success. Unlocking the doors: you can see I changed the verb to DELETE. And then what is this? Oh, this was... so the way VINs work is, as long as you know one VIN, you can just cycle through the entire fleet by incrementing it by one number. So I had quite a lot of fun with the fleet for this police department. Basically I just kept cycling through all the VINs and getting all the data on each car, including whether or not it was law enforcement.

And here's the video to prove all of this is true. So this is me when I had long hair; I think the mohawk's better. I'm on the lot of the police station, but I don't have to be there, obviously. I was there to coordinate with the fleet commander to make sure that we were just messing with the cars. I did not do that, I swear; that was not me. So here I'm demonstrating to the police force that this was remotely possible. So that was me with my laptop communicating with the API. You can't actually put it in gear; you can only start and stop the engine. But we did find out that even without the key, you could remotely stop it. So there's me unlocking the doors, and then this guy over there is realizing that he's got a lot of work ahead of him because of me. So he's got alcohol in his hand trying to figure out... and then me locking it. So obviously for law enforcement, if you can remotely unlock a door, that's not good. And this is me being stupid, just kind of celebrating this. So that was the law enforcement car research. Yay.

Okay, so let's talk about the healthcare research. So this was the FHIR healthcare APIs research that I did. For those of you who aren't aware of what FHIR is, F-H-I-R: so in the US, if you go to a hospital and you break your foot... let's say Corey broke his foot. He goes to one hospital. I'm going to... it's going to go all day, man, it's going to go all day. And Corey decides that he's going to go to a checkup, but he's going to go to a different hospital. Those two hospitals don't share patient data, right? This isn't just a US thing; this is a global thing, right? Healthcare companies don't share your data. Have you ever seen a doctor and they said, "Hey, go have your records faxed over here"? Yeah, some even use fax machines still. So FHIR is supposed to fix that. Fast Healthcare Interoperability Resources is supposed to address this challenge, where healthcare agencies, payers, and providers can actually share data. It's a mandate, a federal mandate in the US, that all healthcare providers and payers have to make your patient data available via APIs, and you can trust the US government for security. So I was like, man, this is fun; I bet there's a lot of stuff to play with with FHIR. So a lot of the advocates for the FHIR research said that this wasn't possible, and I love it when people say something's unhackable. So this is a result of that research.

So what I'm going to do is I'm going to show you a lot of the evidence that I collected in this research. You probably can't see that very well, but this is Postman, where I'm actually downloading patient data from these APIs. Now this one's funny. I had actually discovered that when logging into one of the APIs, just logging in, the API decided it would be a good idea to provide me all of the patient records in the database, just by logging in. So what the developer did was, he or she coded the mobile app to filter out just my patient data, and sent everything else. And I asked the developer, why did you do this? And the developer said, because it's for forward compatibility: so in the future, if I need to include any additional fields in the patient records, I'm sending everything, so I just need to filter that out in the app. And I said, that's not smart. He said, well, how did you see all the records I sent over? And I said, I used Postman. He's like, oh, you weren't using the app, because the app's filtering out just your records. I said, I can use something other than the app you made. And so this was probably the most comical thing.

Here's a screenshot of one of the patients, just to confirm... or actually it was a doctor; there were doctors in these records as well. So you can see the individual's name on the right-hand side in Postman, and then here I actually Googled the doctor and found he lived at exactly the same address that was in the database, to prove the data was real. This is me accessing other patient records; this is a screenshot of all the patient data that I was able to grab from the system. The interesting thing here is this is BOLA. For those of you who don't know what object IDs are: BOLA is quite simply me logging in and then finding out that the API request called out, hey, GET /patient ID 101. And so what I did was I went into Postman, I said, well, what happens if I change this to patient ID 102, 103? Well, it worked. So because of a lack of scopes and other security, I was able to view other records.

How am I on time? Am I way over? Oh, two minutes. All right, here we go: hardcoded keys and tokens. No, I'm just kidding. Okay, so this is a screenshot of all the hardcoded API keys and tokens in those mobile apps. This is a screenshot of an actual pathology report. So the neat thing about Postman is you can actually grab PDFs and then save them to your drive. So this is a screenshot of an actual pathology report for a patient, after I saved it to my drive and then took a screenshot of it. This is Burp Suite, more redacted patient data. This is all of the news that the FHIR research was able to get exposure with, so you can see Health and Human Services there; there was a Forbes article written.

And what I learned from five years of hacking APIs: despite it being 2023, developers are still not authorizing authenticated API requests. It is a systemic issue. Organizations are not maintaining asset catalogs of their APIs. Guess what? You can't protect what you don't know you have. So find an API security solution that will give you an API catalog of everything that's out there and, most importantly, what kind of data it's serving. There's still no context in security. Organizations are still using WAFs to secure their APIs. A lot of the victim organizations that I hit thought they were secure because they were using WAFs. I believe some of you may key my car for saying this and disagree, but I believe that thinking you're secure is a lot more dangerous than no security at all, because you have this false sense of security. So make sure you're using the right tool for the job. Many companies are transferring their risk. The bank that outsourced the development of their APIs, which resulted in 300 other API hacks, it turns out that they were transferring their risk. Just please understand, just because you're transferring your risk, meaning that you're having another company develop your API security, if it gets hacked it's not their logo that's going to be in the news, it's yours. So forget the SOC 2 Type II compliance or ISO 27001; "they must be secure if they're SOC 2." Pentest the stuff they give you.

What to do: know what's talking to your APIs. Know how many and where your APIs are facing. Know what kind of data your APIs are serving. Hack yourself. Don't hardcode sensitive data in your apps; that's a given. Authenticate and authorize. Test and retest. And there's my contact info. You survived my keynote. Thank you so much, everyone. If you scan the barcode, thank you... if you scan the barcode, it will give you my cell phone number, so if you want to stalk me, you can. Those are my social media connections as well. Everyone have a blessed day. Thank you. If anybody wants to have questions, we have three more minutes.

[Audience] Sure, yep. So my question is about the Ford cars, right? So you were able to hack the car. How was there internet connectivity with the Ford Connect for Ford cars? How did that happen? And the second question is, what happened to that company that was providing 300 banks... what happened to them afterwards?

Good question. So with Ford, when you buy a Ford vehicle, and for some reason even with law enforcement, they were shipping it with the Ford modem on, with the connectivity. So car makers are updating their cars and applying updates to your vehicle over OTA, over the air. And what OTA does is it allows the car to basically communicate back and forth with the car makers' APIs and servers. And so they use OTA to update the cars, and that's on by default for two years when you buy a Ford. After two years it still maintains a connection, but you have to pay for all the additional services, like Wi-Fi in your car and stuff. With the bank that outsourced their development, I ended up on a phone call with the CEO and the developers of that bank, and they had to fix the code in all 300 banks' APIs. The interesting thing is, in the Money 20/20 keynote where I showed you the video, those banks were in the audience, and it was a really difficult time, a challenging time for that company, because they had to work to correct and secure so many APIs after that happened.

[Audience] When you're first poking around in an app, do you ever use any fuzzers, or do you just do it all by hand?

Great question. Yes, I do use a lot of fuzzing. You know, for me, I just really want to understand how the API is going to respond to any stimulus, whether I generate it or whether I use a tool. So some of the tools I mentioned are up there, but yeah, fuzzing is a necessary, critical first step. So yeah, I would recommend that to all of you: if you're going to get into API pen testing, check out fuzzers, know how to use fuzzers, because they're very powerful tools, necessary in your tool set.

[Audience] How responsive have you found automakers to their vehicles being, like, very, very insecure?

So responsive. They love me. I'm not allowed to go in certain automakers' car dealerships anymore. No. The response... so here's... okay, so I will say that one of the automakers, which starts with an F and ends with "ord," wanted me to give them all the details and how to fix it, and they wanted me to do it for free. I told them I wasn't going to do it for free, that they would have to pay me a consulting fee, because I did that stuff for law enforcement for free, to support our men and women in blue, and asked them to just bring me on as a consultant to help them, and they refused to do it because they didn't want to pay. So, yeah, the response hasn't been great. A lot of people think that they're impervious to being hacked because they're not driving around in a Tesla. That's not true. Any car made after 2001 is connected. So the first connectivity was GM OnStar. So a lot of cars are connected; you're driving around in a computer network on wheels, even if you're not in a Tesla.
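The two healthcare findings in the talk, the BOLA case (an authenticated caller changing a patient ID from 101 to 102, 103 and getting another patient's record) and the "forward compatibility" API that returned every record and left the filtering to the mobile app, share one server-side fix: decide authorization per object on the server, and never trust the client to filter. The Python below is an added example and not code from the talk or from any vendor it mentions; the in-memory record store, the Principal model, the scope string "patient/*.read" and the record IDs are constructed for illustration. Each vulnerable handler sits beside its hardened form so the difference in behaviour can be checked directly.

```python
"""Object-level authorization for a patient-record API.

Added example, not code from the talk or from any API it describes: the
record store, the Principal model, the scope name and the IDs are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    """The caller, as established from an already-validated token."""
    subject: str                      # patient ID the token was issued to
    scopes: frozenset = frozenset()   # e.g. {"patient/*.read"} (hypothetical scope name)


class Forbidden(Exception):
    """No valid token at all (401/403 in a real service)."""


class NotFound(Exception):
    """Record missing, or not visible to this caller (404 either way)."""


# Constructed sample records. IDs are plain sequential integers, the kind
# that invite an API client to try 102 and 103 after seeing 101.
PATIENTS = {
    101: {"id": 101, "name": "Patient A", "pathology": "report-a.pdf"},
    102: {"id": 102, "name": "Patient B", "pathology": "report-b.pdf"},
    103: {"id": 103, "name": "Patient C", "pathology": "report-c.pdf"},
}


def is_authorized(caller: Principal, record: dict) -> bool:
    """Object-level decision, made on the server for this one record."""
    if "patient/*.read" in caller.scopes:        # clinician-style scope
        return True
    return caller.subject == str(record["id"])    # owner of the record


def get_patient_vulnerable(caller: Optional[Principal], patient_id: int) -> dict:
    """BOLA: checks only that *some* token exists, then serves any record."""
    if caller is None:
        raise Forbidden("no token")
    record = PATIENTS.get(patient_id)
    if record is None:
        raise NotFound(patient_id)
    return record


def get_patient(caller: Optional[Principal], patient_id: int) -> dict:
    """Hardened: authenticate, load the object, then authorize *that* object.
    Missing and not-yours collapse to the same error so the endpoint does
    not confirm which IDs exist."""
    if caller is None:
        raise Forbidden("no token")
    record = PATIENTS.get(patient_id)
    if record is None or not is_authorized(caller, record):
        raise NotFound(patient_id)
    return record


def list_patients_vulnerable(caller: Optional[Principal]) -> list:
    """Over-fetching: ships every record and trusts the app to filter."""
    if caller is None:
        raise Forbidden("no token")
    return list(PATIENTS.values())


def list_patients(caller: Optional[Principal]) -> list:
    """Hardened: the same predicate filters the collection server-side."""
    if caller is None:
        raise Forbidden("no token")
    return [r for r in PATIENTS.values() if is_authorized(caller, r)]


def access_denied(handler, caller: Optional[Principal], patient_id: int) -> bool:
    """True when a single-record handler refuses the request."""
    try:
        handler(caller, patient_id)
    except (Forbidden, NotFound):
        return True
    return False


if __name__ == "__main__":
    me = Principal(subject="101")
    print("vulnerable: patient 101 reads 102 ->", get_patient_vulnerable(me, 102)["name"])
    print("hardened: patient 101 reads 102 denied ->", access_denied(get_patient, me, 102))
    print("vulnerable list size ->", len(list_patients_vulnerable(me)))
    print("hardened list ids ->", [r["id"] for r in list_patients(me)])
```

The check that matters is in `is_authorized`: it is applied to the loaded object, not to the request, so the predictable ID is harmless, and the same predicate serves both the single-record and the collection endpoint, which removes the temptation to "send everything and filter in the app".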