Cao Yue, a Ph.D. student at the University of California, Riverside, delivered a stunning demonstration at the GeekPwn 2016 Macau Contest on May 12, an event attended by top-caliber white hat hackers from around the world. Cao succeeded in remotely hijacking TCP connections of his choosing.
In the 1990s, when the Internet was just taking off, Kevin David Mitnick rose to global fame after performing “session hijacking” against the then-vulnerable TCP (Transmission Control Protocol).
Now, even though TCP has been refined and fortified over many years of improvement, Cao was still able to find a vulnerability in it, a finding of great importance for driving the industry to strengthen cyber-security.
Cao Yue displayed his attack technique at the GeekPwn Macau contest, sponsored by the charismatic white hat hacker team KEEN. Provided he knows a user’s IP address, Cao was able to hijack that user’s communications remotely from anywhere in the world. In the onsite demonstration, the targeted user’s computer screen popped up a fake log-on page following the attack. After the user entered an account name and password, the credentials reappeared on “attacker” Cao’s computer.
The demonstration means that most Android or Linux systems in the world could potentially have their communications hijacked, anytime and anywhere. Unlike Trojans, phishing and other deceptive software, Cao’s attack technique can succeed easily, with the victim doing nothing wrong.
TCP (Transmission Control Protocol) and IP (Internet Protocol) are communications protocols used to connect hosts on the Internet. TCP is a standard that defines how to establish and maintain a network conversation via which application programs can exchange data. TCP works with IP, which defines how computers send packets of data to each other. Together, TCP and IP are the basic rules defining the Internet.
TCP and IP are two-layer programs. The higher layer, TCP, manages the assembling of a message or file into packets that are transmitted over the Internet and received by a TCP layer that reassembles the packets into the original message. The lower layer, IP, handles the address part of each packet so that it gets to the right destination. Each gateway computer on the network checks the address to see where to forward the message.
To successfully hijack a TCP communication, or to make the targeted user believe a received TCP segment is valid, the attacker needs to know the TCP port number and the sequence number. The unpredictability of more than 4 billion sequence numbers and more than 60,000 port numbers is the security cornerstone of TCP – together these ports and sequence numbers make up more than 280 trillion possibilities.
In a real network environment, TCP port numbers and sequence numbers are almost impossible to brute-force because of limits on bandwidth and on the duration of a connection. Nevertheless, Cao showed a technique with which he was able to determine the TCP port and sequence numbers within 1-2 minutes.
Cao Yue said: “GeekPwn is a promising and rapidly growing platform. Giving full play to our Geek spirit, it has enjoyed widespread prestige among Chinese in California and has attracted our team to the contest in Macau.”
According to Cao, his team consists of 5 members from the University of California, Riverside, with Prof. Qian Zhiyun, a known TCP security expert, as their advisor. It took the team about six months of continual work to improve the attack’s efficiency and success rate.
Cao said: “The vulnerability is caused by new TCP rules and the implementation of Linux system. I believe the rules will be upgraded and improved.”
Cao first came into contact with cyber security as a freshman, when he joined the University of California, Riverside’s Network Security Workshop. To improve his programming, algorithmic and modeling skills, he took part in the ACM programming contest and a mathematical modeling contest. He began researching information security and joined the university’s cyber security research group as a junior. His main research areas are now TCP security and wireless network security.
The three GeekPwn contests held to date have produced a slew of security findings and probes, insiders and analysts say. Technological innovations and breakthroughs made through GeekPwn have made it a world-leading platform. “White hat hackers” is a term for ethical computer programmers who hack in order to find weaknesses and vulnerabilities in systems, which are then submitted to manufacturers to improve cyber security.
Mr. Wang Qi, founder of GeekPwn and CEO of KEEN, said: “What Geekpwn is pursuing is to drive more technology wizards like Cao Yue to always challenge and solve the unknown. We will continue to encourage more talented Geeks worldwide to take part in Geekpwn contests, to constantly look into the vulnerabilities, and make our smart devices, and our future smart life, safer.”
About GeekPwn Macau Contest
GeekPwn is organized by Shanghai-based KEEN, the security research team, and focuses on helping the world’s leading software and hardware firms discover and fix security vulnerabilities. GeekPwn contests are now held twice a year. The Macau contest was added this year on May 12th, with a more international style and the same level of awards as the GeekPwn Carnival contest, to improve smart device manufacturers’ security awareness and capability globally. GeekPwn will give several annual best awards to extraordinary security geeks.
GeekPwn Macau focuses on six smart device categories: smartphone, smart transportation, wearable device, smart home, smart entertainment and mobile applications.
KEEN is the first Asian team to win prizes in the history of Pwn2Own. It has also won more Pwn2Own prizes than any other Asian team. To date, hundreds of KEEN’s security findings have been applied to every Windows PC, every Apple device and every Android device.