Dan Borgogno, a cybersecurity researcher, attempted to breach the computer system of the SUBE card this Friday in his talk at Ekoparty, on the third day of the hacker conference. In his presentation, he showed how, with a Flipper Zero, a small device designed to test the security of networks and devices, it is possible to travel for free, although the return that can be obtained is very low: it is difficult to do and the card is blocked when the attack is detected.
In his talk, Borgogno reviewed the state of the system’s security over the last five years: “In my first investigations I had managed to make fraudulent trips, but now the panorama has changed and there are more devices to hack, such as the Flipper Zero, Chameleon Pro and Proxmark 3,” the security engineer at Latu Seguros explained to Clarín.
A Flipper Zero is a pocket-sized multifunction device that allows you to interact with access systems and connections. This year it became very popular and went viral on social networks for cloning NFC or RFID cards (such as credit or hotel room cards), opening access doors, intercepting WiFi signals and stealing passwords. Borgogno reported his investigations to the SUBE security team, which was in the auditorium during the talk.
“The idea of the talk was to show how with a device like a Flipper you can alter all the sectors of the card, to be able to emulate it 100%, and with these devices generate a data dump to tell how you can take a trip without the card in your hand, and even restore balance, to reuse a trip,” he explained. That is, traveling without paying.
However, SUBE’s security system is robust: “Although it can be altered, expensive devices are needed, the process is tedious, the learning curve that you have to generate is very large and also it is an attack with a low benefit, because at the end of the day the groups synchronize with a database and inconsistencies can be detected and they cancel it,” he explained to this outlet after the talk. This means that the attack is possible, but of low criticality.
At the conference, Borgogno also tried to breach the digital SUBE. “Broadly speaking, the digital SUBE behaves in a different way: it no longer emulates being a card (like the Flipper), but rather it has a communication of a token – a single-use data structure – that allows us to make one or more trips and then the balance is discounted,” he explained.
“Against this protocol there is an attack called relay, which is very difficult to carry out, but it can be done: you need to do a very complicated triangulation with the passengers who are waiting to board and, again, the return is very low,” he added.
The Flipper Zero was also making the rounds at Ekoparty: it is already a tradition that notifications appear on attendees’ cell phones. It is usually part of some type of investigation or simply done to annoy.
During the first day, a screen exposed those who used these devices: “This year we have a Wall of Flippers to detect and identify Flipper Zeros that were being used by hackers visiting Ekoparty, given that last year their use proliferated to send spam to phones. Now we project the names of those who sent these notifications and what attacks they were carrying out, both to expose them and to raise awareness,” said hacker Gabriel Tarsia.
“Bitflips”: the closing talk of Ekoparty
The anniversary edition of Ekoparty closed with another renowned hacker in the cybersecurity niche: Fredrik Alexandersson, known by his nickname “STÖK” (he is from Stockholm), who spoke about “bitflips”. He is an ethical hacker who also, through YouTube videos and social networks, raises awareness about cybersecurity and attacks.
“Computers and electronic devices operate using zeros and ones, the famous binary system. When any of those ones or zeros change accidentally, let’s say a 1 that has to be a 1 changes to 0, that is called in the jargon a bitflip,” explained the hacker, who gave the presentation with his colleague Joona Hoikkala.
The beginning of the talk was marked by a small technical problem with the 265 slides that the researchers had prepared, which was not a problem for STÖK, who operates like a stand-up comedian on stage.
After the talk, the hacker spoke with Clarín to expand on how bitflips work: “When do they happen? When there are very small unintentional changes to a computer’s memory, generally due to electrical interference, excessive heat, or hardware wear. These small disruptions cause a single bit to ‘flip’ [flip, in English] and this can lead to unexpected behavior.” This is technically called bitsquatting.
Among the examples in his presentation, STÖK mentioned that this can cause a domain like Google.com to lead to “Coogle.com”. And this was precisely what he explained in his talk during the third day of Ekoparty.
“Using this technique, we registered several domains from well-known sites that, because of one bitflip, looked almost identical to the originals. We then monitored the traffic of these sites and, when a device visited our web page, which was not the original one they wanted to access, we were able to detect how users shared personal information such as passwords, emails, meetings, clearly without realizing it,” he continued.
Of course, all this was done within the framework of what is known as “ethical hacking”: “Our goal was to observe and understand these interactions. When we detected that the user was sharing personal information, we notified them so they were aware that they had arrived at the wrong place. This allowed us to see how easy it can be to fall into a deception of this type, simply with a glitch [technical failure or error].” This, according to STÖK, helps to better understand the risks taken online.
Ultimately, bitflips are not caused by a specific person or organization, but are “a natural byproduct of modern technology,” in STÖK’s words. “These small errors happen due to factors such as electrical interference, heat, or simply use, something that is not tied to the user’s involvement,” he added.
“With permanent connectivity and the constant flow of data that we produce every day, bitflips are much more common today than a few years ago and can affect a large number of apps and devices,” he continued.
“Developers can help mitigate these risks by adding security measures to ensure data is sent to the correct servers, to reduce potential phishing. Some cutting-edge technologies use special memory (ECC) to ‘catch’ and correct them, but the devices we use every day do not have this protection, so they can continue to occur undetected,” he added.
“Bitflips are, after all, a technical challenge of the increasingly connected world,” the hacker concluded.
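The Google.com to “Coogle.com” case described above can be checked in a few lines. The following Python is an added example, not code from the talk: it lists the hostnames one flipped bit away from a domain you own (for defensive registration or monitoring) and flags such names in a constructed sample of observed hostnames; the function names are assumptions.

```python
import string

# Characters allowed inside a DNS label (hostnames are case-insensitive).
LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")

# Constructed sample of hostnames, as they might appear in a resolver log.
OBSERVED = ["google.com", "coogle.com", "goggle.com", "googie.com", "gooogle.com"]


def bitflip_variants(domain):
    """Return every valid hostname that differs from `domain` by one flipped bit."""
    name = domain.lower()
    variants = set()
    for pos, ch in enumerate(name):
        if ch == ".":
            continue  # keep the label structure; only flip bits inside labels
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit)).lower()
            # Skip case-only flips and bytes that cannot appear in a label
            # (this also drops 'n' -> '.', which would change the label count).
            if flipped == ch or flipped not in LABEL_CHARS:
                continue
            candidate = name[:pos] + flipped + name[pos + 1:]
            # A label may not start or end with a hyphen ('m' flips to '-').
            if any(l.startswith("-") or l.endswith("-") for l in candidate.split(".")):
                continue
            variants.add(candidate)
    return variants


def flipped_bit(observed, protected):
    """Return (char index, bit number) if the names differ by one bit, else None."""
    a, b = observed.lower(), protected.lower()
    if len(a) != len(b):
        return None
    diffs = [(i, ord(x) ^ ord(y)) for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if len(diffs) != 1:
        return None
    index, xor = diffs[0]
    if xor & (xor - 1):  # more than one bit set: not a single bitflip
        return None
    return index, xor.bit_length() - 1


def triage(observed, protected):
    """Map each observed hostname that is one bitflip from `protected` to its flip."""
    return {h: flipped_bit(h, protected) for h in observed
            if flipped_bit(h, protected) is not None}
```

In the sample, “googie.com” is not reported because “l” and “i” differ in two bits; it is an ordinary typo domain rather than a bitflip.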
Ekojobs: how many hackers are missing in the market
As last year, Ekojobs, the space for job interviews and labor market surveys, was present at the 2024 edition of Ekoparty.
“We had a record with more than 700 interviews during the conference, we gave a talk about how to make a job transition to cybersecurity and we worked on tools for work stress and prevention of burnout in an industry as demanding as cybersecurity,” said Daniela Valor, director of Ekojobs.
They also released their annual estimate of the number of jobs that are missing in the world of cybersecurity.
“It is estimated that the global total of missing professionals in cybersecurity is 4,763,963 jobs to be filled, with an increase of 19.1% compared to 2023. This number is what is considered necessary to cover so that organizations have the appropriate level of security,” Valor said.
Ekoparty closed, like every year, with an awards ceremony and review of the 20th anniversary edition.