Las Vegas was once again the center of the information-security universe last week with the convergence of the Black Hat Briefings and DEF CON conferences, which brought together some of the world’s top security experts. Lots of significant news came out of the events, so let's get to it:
Going into the week, the research of IOActive’s Chris Valasek and Twitter’s Charlie Miller garnered many of the headlines after the pair famously uncovered security vulnerabilities in a slew of Fiat Chrysler vehicles, prompting an unprecedented recall of 1.4 million vehicles.
Valasek highlighted what any company building Internet-of-Things (IoT) technology should have ingrained in its ethos: “Please just stop saying whatever you have and whatever thing you make is unhackable, because you’re going to look silly,” he said.
To drive the point home, Valasek and Miller showed at least 1,000 attendees how they hacked a Jeep and disabled its brakes.
In fact, the connected car was a major theme during the week; DEF CON even featured a “Car Hacking Village.” The work of Lookout Cofounder Kevin Mahaffey and CloudFlare’s Marc Rogers exposed vulnerabilities in the Tesla Model S, a car many had believed to have the strongest software and hardware security in the industry. As NPR reports, what may have been even more surprising than the hack was Tesla’s response. Unlike the patch for the Jeep vulnerabilities, which required a physical update using a USB stick, Tesla can deliver a fix over the air, the way most computer operating systems do.
“This is something that seemed completely natural, in the DNA of how you build a connected product,” said Tesla Cofounder and Chief Technology Officer JB Straubel. “This is not a new concept in any way, shape or form.”
More generally, in the past week researchers have shown how IoT devices across the board carry serious security vulnerabilities. Alongside the Car Hacking Village, DEF CON also featured an “IoT Village,” displaying everyday devices, including household objects and medical devices, that are all hackable.
Red Balloon Security’s Ang Cui demonstrated how radio signals and sound waves can be used to steal data from inexpensive network equipment, printers and IoT devices. The whimsically named Funtenna would be difficult to detect because the data leaves the device over the air rather than over the network, so it would not appear in any network traffic logs.
Plus, Digital Citizens Alliance (DCA) showed, once again, how susceptible computer webcams are to hijacking. In its report, DCA said it found thousands of video clips of stolen webcam footage on YouTube. Adversaries use remote access Trojans, or RATs, to take control of a user’s webcam, capture footage and then upload it to YouTube to generate revenue, sometimes earning thousands of dollars per month.
Researchers also outlined how they could steal a user’s fingerprint via the fingerprint sensor on a phone without being noticed. A FireEye team demonstrated how they could access fingerprints from Android phones, and, in one specific attack, they outlined how they could “remotely harvest fingerprints on a large scale.”
Google Android’s top security chief Adrian Ludwig addressed the Black Hat USA Conference and discussed how Google is pushing out its largest ever Android software update to protect against the so-called “Stagefright” vulnerability that potentially impacts as many as 950 million Android phones. “This is the single largest mobile software update the world has ever seen,” he said. Ludwig also gave credit to Joshua Drake, the researcher who disclosed the vulnerability, and who sat in the front row for Ludwig’s speech.
Security research liability was also a big topic during the week. Many researchers fear the Computer Fraud and Abuse Act, a law written in the 1980s that potentially criminalizes genuine white-hat hacking. However, a top Department of Justice official told attendees at Black Hat, “We have a great deal of respect for the people in this room,” adding, “My goal today is to provide information you can use to better manage your risk when you do what you do.”
Center for Democracy & Technology Chief Technologist Joseph Lorenzo Hall said, “We’ve seen folks in the past prosecuted for very pedestrian types of violations and that colors the perception of how out of touch many infosec people see regulation and legislation in this space.”
Department of Homeland Security Deputy Secretary Alejandro Mayorkas said the government and the security community need to focus on building trust among one another to help face the tide of cyber attacks hitting businesses, the government and other critical infrastructure. “The best way to address the trust deficit is to build trust,” he said. “That’s probably not an oversight process. It’s probably an incremental process, but let’s take the steps we need to.”
Microsoft announced it is changing its bug bounty program in light of its new Windows 10 operating system. Notably, the reward for the Bounty for Defense doubled from $50,000 to $100,000. “Learning about new exploitation techniques earlier helps Microsoft improve security by leaps, instead of capturing one vulnerability at a time as a traditional bug bounty alone would,” said Microsoft Security Architect Jason Shirk.
Imperva demonstrated several man-in-the-cloud attacks and urged companies to shift their focus from endpoint and perimeter security to data monitoring and data security. Imperva Chief Technology Officer Amichai Shulman said, “Although this is changing, it is not changing fast enough and not enough companies are investing in data monitoring and data security capabilities.”
Private security researcher Chris Kubecka discussed her experience recovering from a debilitating hack that shut down her organization. She said finding security talent is important, and reminded attendees, “Don’t look for the corporate image … If they have a tattoo or a couple of piercings, it can work.”
The Federal Trade Commission made an appearance at Black Hat, too. Chief Technologist Ashkan Soltani and Commissioner Terrell McSweeny said they need more technologists to help with technology policy issues. “We have this 100-year-old authority … and we’re trying to modernize ourselves and stay on top of where consumers are and the things that affect them,” said McSweeny. “It’s why we’re here making a plug for your help.”
Finally, there are the annual Pwnie Awards, held at Black Hat to recognize the year’s most notable security research and, less flatteringly, its most notable failures. One annual category is Most Epic Fail, and this year the not-sought-after honor went to the Office of Personnel Management (OPM) for the hacks that compromised the sensitive personal data of 25.7 million individuals. Coming in second was the Ashley Madison site for cheating spouses.
Considering all the demonstrated weaknesses in the IoT, don't be surprised to find a device-manufacturer of some kind taking home this award next year. In the meantime, let's just hope we don't suffer another OPM-type hack.