It wouldn’t be Black Hat if the conference didn’t have demonstrations that show how some technologies can be improved. Last year, researchers hacked cars and phones. A number of topics from this year's conference had common themes that revolved around seeing what can be done with the Internet of Things (IoT), and new developments that would shape the industry as we move forward. The event was very directional in a sense, like it was pointing out that this is where we’re going with IoT because we built it this way, or that this is what can happen when industrial grade drones are made widely available. Still, knowing these insecurities can help develop the right defense.
IoT Hacks: Attack of the Drones, Lightbulb Worms, and Engine Problems
Through video demonstrations, Jeff Melrose showed how industrial-grade drones can be used to disrupt industrial systems. The demos showed the accuracy and capabilities of these drones despite the limitation in terms of control range and battery life. Melrose then gave a rundown of possible attack scenarios that involved the use of the drones to do surveillance on hard-to-reach facilities.
Colin O’ Flynn and Eyal Ronen presented insights on how smart lightbulbs operate in networks and how they can also be exploited. This was shown in another drone experiment. Using a hacked smart lightbulb, a modified wireless sensor,and a powerbank, the two were able to make a weaponized portable attack kit that could affect smart light bulbs within its proximity when they had the device while driving around. When they attached the device to a drone, they were able to make building lights flicker, even making them do an SOS signal. The experiment showed that the modified bulb acted like a worm with the way it affected the same bulbs utilizing the same network.
These two experiments suggest that we will soon encounter weaponized IoT devices that can be assembled with ease. And before our 2016 prediction on IoT failure turning lethal comes true, companies should be more aware of network and product insecurities.
Lastly, there was Charlie Miller and Chris Valasek, the duo that hacked a Jeep vehicle last year that led manufacturers to think more about security on connected cars. This time around, they announced their most recent experiment with a smart car; simulating an attack on a fast moving car. And they were successful. They were able to do this by targeting the car’s engine control unit (ECU) which only had default commands. By disabling the default commands, they were able to get full control of the car. This includes putting the steering function into diagnostic mode, engaging the parking brake, and steering the car itself.
A closer look at WPAD
Max Goncharov shared the results of his Trend Micro research badWPAD: The Last Menace of a Bad Protocol. WPAD is a protocol that allows computers to automatically discover web proxy configurations and is primarily used in networks where clients are only allowed to communicate to the outside world through a proxy. WPAD makes the life of admins easier as proxy settings are pushed out to everyone.
While it is used mostly by enterprises, it is also vulnerable to attacks. Having been around for almost 20 years, it was not designed to take on the security risks of today. But during the span of almost 20 years in existence, these vulnerabilities were not addressed. And the paper is the result of experiments to test WPAD’s inherent risks. The research paper includes the attacks made, details about the experiment, and recommended defense strategies to mitigate these attacks.
EMV Shortcomings, an iOS window to enterprise networks, and Cyber Insurance
Nir Valtman and Patrick Watson demonstrated how EMV can’t prevent cybercriminals from using man-in-the-middle (MITM) attacks to exploit this payment system. During this controlled simulation, they were able to steal track data, PIN, and card verification value or CVV from an EMV card. Despite the huge shift to EMV, the presentation showed that EMV is still exploitable. While it has good security features, this exercise shows that sufficiently motivated hackers can still find points of entry. Valtman and Watson advise merchants to use Transport Layer Security (TLS) and to install and only allow vendor approved whitelists to avoid any form of malicious injections. For customers using EMV cards, if a machine asks them to re-enter their PIN, cancel the transaction immediately and start over.
Vincent Tan focused on iOS security weaknesses through a series of successful attacks. By doing so, he was able to show the audience a view of the internal network of an enterprise. Systematically, he was able to break down layer upon layer of protection until he reached a level where he had access to a list of apps used by the enterprise, and a list of servers those apps connect to. Similar to the EMV case, this presentation showed that even devices with good protection capabilities can be exploited. This does also present room for improvement for these OS providers.
A new business proposition was raised by Jeremiah Grossman as he sold the idea of cyber-insurance. He points out that this is now necessary because of three industry problems: people are losing trust in security research and vendors, ransomware, and data breaches. The first conundrum asks why vendors don’t make guarantees. Security vendors fight cybercrime to win. Vendors admit that there is no silver bullet that can prevent all cyberattacks because that is the reality. Cyber insurance guarantees something concrete, but isn’t necessarily a win-win strategy either.
Grossman said that cyber insurance is the next logical step security companies should invest in rather than cybersecurity, and that small security firms are already doing so. However, this may lead to new problems while the old one still persists. Cyber-insurance fraud, anyone?
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).