Las Vegas – On the last day of July and the first day of August, a Roman empire-themed hotel and casino in the the Mojave Desert played host to what the Director of the National Security Agency, General Keith Alexander, rosily characterised as the highest concentration of technical talent on the planet. At least two members of the crowd answered the general’s un-subtle pandering during a tense keynote Wednesday morning by mocking him and calling him a liar – not because that particular statement was false, but because he oversees an agency that may or may not indiscriminately monitor the communications data of American citizens. For what it’s worth, the NSA director seemed to claim that his agency possesses the capacity but not the authority to carry out such blanket data collection. In the past, high level officials have denied this outright to American people and congress, who, ironically enough, gave the NSA this authority willingly and repeatedly.
There are two conflicting realities at the Black Hat security conference: on the one hand, the event is thoroughly and unapologetically corporate. It’s packed with the most brilliant, highly paid, and well-respected computer scientists and IT security professionals in the world. The vast majority of briefings are enterprise-focused, though, lucky for us, there were a number of consumer talks this year as well.
On the other hand, this place is absolutely crawling with goons. If you have a computer or a smartphone or anything of any value whatsoever, during Black Hat, Las Vegas, Nevada – Caesar’s Palace in particular – is among the most hostile environments in the western world (these are the actual, albeit slightly hyperbolic, words of an email I received from the company that hosts the event). Wireless networks, ATMs, and really anyone you’ve never met before are not to be trusted. Part of the fun for the hacker-clientele in attendance at Black Hat is to humiliate and possibly steal from you as well. The press room is a maze of ethernet cords and the only safe place to get online. That we spend most of the day away from the safety of the press room Internet connections sitting offline in briefings at one of the most famous tech conferences in the world is very strange.
What’s stranger still is the odd dichotomy between the tinkerers with no formal education and the researchers with PhDs in mathematics. The line between cybercriminals and plain-clothed agents of the federal government is incredibly obscure – especially when you realize that both groups seek to learn about the very same attack techniques. Have no doubt though, nearly everyone here is a hacker and hacking is the only thing anyone is really talking about.
Sadly, Barnaby Jack died just a week before he was scheduled appear here in a briefing called “Implantable Medical Devices: Hacking Humans.” The brilliant security researcher was at the forefront of implantable medical device research (implantable medical devices are those, like insulin pumps and pacemakers, that are implanted in a patient’s body), a topic we intend to explore on Kaspersky Daily very soon. Many of these devices transmit signals and have the capacity to communicate wirelessly with devices outside the body. These are obviously and increasingly hackable, and the loss of Barnaby Jack is unfortunate. The beloved hacker from New Zealand famously hauled two ATMs into a presentation hall at Black Hat a few years back. Throughout the course of the talk, he sat on his laptop and compromised the ATMs in every way imaginable. He manipulated their display screens, made one of them think that the $20 bills encased within were $5 bills, and – of course – closed his briefing in style by forcing the other ATM to spew money out all over the stage.
There were three home-security related briefings at Black Hat this year. In what may have been the simplest and most straight-forward briefing at the entire event, researchers Drew Porter and Stephen Smith demonstrated how incredibly easy it is to circumvent home and office security systems. There are some 36 million vulnerable systems deployed in the U.S. and the ones they examined consisted of three primary components: door and window sensors, motion sensors, and a keypad. The keypad, they said, is the brains of the operation. The keypad arms and disarms the system and communicates to a third party when any of the sensors has been tripped.
Porter and Smith showed that they could trick circuit-based sensors with incredibly inexpensive items like magnets and strips of metal. Circuit-based sensors are those that create a circuit when the two sides of the sensor are touching (closed circuit: good). When that circuit is broken (open circuit: bad), perhaps by opening a door or window, the sensor sounds an alarm and communicates that there has been a breach to the keypad. The keypad then informs the third party that the alarm has sounded.
The motion sensor alarms could be spoofed nearly as easily. The researchers didn’t explain why and my understanding of the electromagnetic spectrum is somewhat limited, but for whatever reason, infrared lighting caused some trouble for the motion sensor alarms. When the researchers exposed the sensors to infrared lighting, which is conveniently created by lighting a common lighter, the sensors would not alarm. They were also able to trick the motion sensors in simpler ways. Just shielding themselves from the motion sensors with a large piece of cardboard or polystyrene was enough to trick the sensors into believing there was no movement.
Most alarmingly, the keypads are vulnerable as well. Basically, the key pad receives electrical signals from the sensors. If the sensors are triggered, they tell the keypad and the keypad tells whichever third party it is programmed to tell. Maybe the police, maybe your smartphone. The keypads communicate in three ways: by landline, mobile, and data transmission. It’s possible to jam or intercept traffic on all of them.
In another talk, Daniel Crowley, David Bryan, and Jennifer Savage discussed the risks we face when we connect our home appliances like space heaters or door locks or even toilets to our home networks. More specifically, Behrang Fouladi and Sahand Ghanoun demonstrated an attack targeting vulnerabilities in Z-Wave home automation systems. The Z-Wave protocol is growing in popularity and capable of controlling HVAC systems, door locks, lighting, and any number of other things in your home.
The biggest concern with much of the vulnerable home security system equipment is that it can’t be patched like a computer or a piece of software. When Microsoft learns of a bug, they build a patch, and ship it to you on patch tuesday. Most security systems lack the ability to auto-update their respective firmware, so, in order to fix a bug in a product, a technician would need to come to the system to service it, which is both expensive and troublesome. In most cases no one is bothering to fix these bugs, but rather leaving systems vulnerable. Moreover, if you connect your system to the Internet, you should make sure it has some protection from remote attacks and that the update process is is secure as well. Many vendors are simply not ready to play in this field – as you’ll see for yourself in the next paragraph.
Hacking Like a Hollywood Hacker
A Maryland based vulnerability researcher named Craig Heffner presented a demonstration in which he hacked personal- and enterprise-grade surveillance cameras Hollywood-style. He claims that thousands of these cameras, deployed in homes, businesses, hotels, casinos, banks, and even prisons, military, and industrial facilities, are Internet accessible are vulnerable to the kinds of attacks you see in the movies. Heffner developed a proof-of-concept attack where he could remotely freeze and manipulate video on the devices.
Two talks in particular could have the effect of shattering all trust in the mobile ecosystem. One was the German researcher from Security Research Labs Karsten Nohl’s SIM card attack. The other was Jeff Forristal’s “One Root to Own Them All,” dedicated to the widespread so-called Android master key vulnerability, which I will be publishing a full report on for you shortly.
Basically, a SIM card is a very small but full-featured computer dedicated to secure storage and transmission of your data over a cellular network. Nohl realised that the SIM cards in perhaps as many as a billion smart phones are vulnerable because they communicate using the data encryption standard, commonly referred to as DES. DES used to be the cryptographic standard, once endorsed by the National Security Agency. As a researcher pointed out to me on a cab ride we shared to the airport, DES is highly favourable because it requires little memory and it works fast. Unfortunately it’s quite old and also easily cracked. So apparently these SIM cards are manufactured so the the network operators and service providers can communicate with them after they’ve been sold to the end-user. This communication is necessary for patching and billing and a number of other purposes as you can read in this excellent write-up. The communication between the SIM cards and the service providers are basically text messages that aren’t displayed on the phone but processed directly by the SIM card. Nearly every phone in the world, Nohl said, contains a SIM card with the capacity to send and receive these sorts of text messages without the user’s knowledge. In three years, Security Research Labs found just one phone that ignores these over-the-air (OTA) communications entirely.
In order to secure these communications, the messages are either encrypted, or protected by cryptographic signatures, or both. These measures made little difference to Nohl as he managed to crack the messages no matter what protection was used. The keys are largely based on the old DES algorithm. The OTA server belonging to the network providers and the SIM cards themselves use the same key – likely a decision made to conserve space on the SIM cards. If you figure out the key then you can trick the SIM card into thinking that you are the network provider. Nohl’s demonstration involved a lot of maths that I just won’t go into, but the important thing to know is that once he convinced these SIM cards that he was the provider’s OTA server, he could exploit this situation in multiple ways: send premium-rate text messages, control call forwarding, update SIM card firmware and posslibly steal other data from SIM card, e.g. secure keys of payment application bundeld on some SIM cards. The good news is that many operators have begun shipping more secure 3DES or AES-enabled SIM cards for a couple of years now, and in light of Nohl’s research, some of the big telcos quickly implemented various network-based fixes.
Hacking the Law
Marcia Hoffmann from the Electronic Frontier Foundation led a cautionary briefing about the legal pitfalls researchers face when they expose security vulnerabilities. Part of the reason the Internet remains so hard to secure is that well-intentioned hackers often find themselves in legal trouble for exposing vulnerable systems. Much of her talk centered around specific case-studies, but her overall message was a warning: vague language leads to selective enforcement, she said. What she meant is that many of the laws that the government uses to prosecute alleged offences online are wildly outdated, created at a time when the Internet and computers look nothing like what they look like today, and in need of serious repair.
Unsurprisingly, so-called Smart TVs, which look more and more like the common computer with every passing day, are just as vulnerable. Separate briefings presented by SeungJin ‘Beist’ Lee and Aaron Grattafiori and Josh Yavor demonstrated a vast array of potential attacks against these wildly expensive devices, which are selling in the tens of millions every year.
I was unable to sit in on either of these talks, but I did catch the pre-briefing press conference. According to Grattafiori and Yavor, they discovered a number of vulnerabilities in the underlying operating systems of these Internet-conected television sets. The duo claimed – and would demonstrate in their briefing – that an attacker could remotely hijack a number of applications on the platform to take control of the devices and steal account information stored within. Potential exploitations could give attackers the ability to commandeer control of built-in cameras and microphones to perform various surveillance-related activities in addition to using these systems as a stepping stone into the local networks on which they operate.
You have to wait for this one. Charlie Miller and Chris Valasek attended Black Hat, but they’ll be presenting their automobile hack at DEF CON – the more hardcore hacker conference – that starts the day Black Hat ends. I won’t be there, but I’ll definitely write all about their demonstration as soon as I can. In the meantime, watch Miller and Valasek giggle from the back seat as Forbes’ security reporter, Andy Greenberg, drives a car that the two have ripped apart and are actively hacking. You can also read more about car hacking in this Kaspersky Daily report.
Hacking the Internet
One of the more abstract, but still very alarming findings presented on Black Hat was a review of recent progress in computing and maths which might lead to breaking current encryption and certificate infrastructure of the whole Internet in two to five years. To avoid this, nearly every company making Internet-related products, be it browser, web server, security camera or various other things, will need to start upgrading software to use modern security algorithms now.
It’s easy to come away from Black Hat thinking that the Internet is already hopelessly broken, but the optimistic truth is that the vast majority of the inconceivably smart men and woman presenting and attending the event are working to fix the Internet and secure all the various things we connect to it. Listening to them talk is at once ego-destroying in that their brilliance diminishes our own sense of smartness, but it’s also inspiring in that they just might succeed in what so often seems impossible: creating an online environment that is safe, secure, and promotes personal privacy.