Peruse the briefings agenda for the Black Hat conference that's being held this week in Las Vegas and you'll get a peek at the cybersecurity challenges of the future. For example, experts will address the areas of authentication, mobility and the "Internet of Things," among many others.
One session on mobility will feature Matthew Solnik and Marc Blanchou, researchers at Accuvant Labs, a unit of IT security provider Accuvant. Their briefing is titled Cellular Exploitation on a Global Scale: The Rise and Fall of the Control Protocol.
We feel confident that these types of vulnerabilities won't become a real threat until the next five to 10 years.
The two researchers and their colleagues at Accuvant Labs last week told me about their research that shows how hidden controls found in more than 2 billion mobile devices could be exploited to allow hackers access to these devices. During their presentation, Solnik and Blanchou will release open source tools to help assess and protect organizations from the new threats. These tools will offer the ability to dynamically test proprietary system applications and simulate different aspects of a cellular environment.
What makes these systems vulnerable, in part, are the number of players involved in developing them. Red Bend Software, a mobile software management provider, created the initial program. But also contributing code to each device were baseband chip manufacturers, handset makers and carriers. "If you look at the average handset, there is no less than 15 separate companies that contribute code that makes the handset run," says Ryan Smith, Accuvant Labs chief scientist.
Akin to Heartbleed
Alex Wheeler, Accuvant Labs research director, compares the discovered vulnerabilities in the mobile devices to those posed by the Heartbleed bug, a vulnerability in the popular OpenSSL cryptographic software (see Heartbleed Update: Fixes Plateau). "It's a single software package, but implemented at many different areas," he says.
Asked how the vulnerabilities in the 2 billion mobile devices could be abused, Smith says he doubts they would be exploited anytime soon. "I think these vulnerabilities are five to 10 years out from actually [being] exploited and causing damage."
Historically, there's a long road between discovering a vulnerability and exploiting it, and Smith cites as an example phishing, which first surfaced in the mid-1990s but didn't flourish until the second decade of the 21st century.
"It takes a while for that information to become filtered; it takes a while for tools to get into place and those kinds of attacks become commoditized," Smith says. "Because of that, we feel confident that these types of [mobile-device] vulnerabilities won't become a real threat until the next five to 10 years."
Other Black Hat briefing sessions look at fast-evolving technologies and how they could have an impact on cybersecurity. Two sessions focus on hardware and their impact on authenticating users.
In one titled My Google Glass Sees Your Password, researchers Xinwen Fu and Qinggang Yue of the University of Massachusetts-Lowell and Zhen Ling of Southeast University in China introduce what they characterize as a novel computer vision-based attack that automatically discloses inputs such as passwords on touch-enabled devices.
The researchers say their spying cameras, including Google Glass, can take a video of a victim tapping on the touch screen and automatically recognize more than 90 percent of the tapped passcodes from 10 feet away, Viewing people tapping out their passcodes to figure them out isn't new. What's different, the researchers say, is that they target passcodes where no language model can be applied to correct estimated touched keys. They say they're interested in situations such as conferences where a Google Glass, webcam or smartphone can be used for a stealthy attack. As a countermeasure, they say they designed a context-aware, privacy-enhancing keyboard, which pops up as a randomized keyboard on Android systems for sensitive information such as inputting password and shows a conventional QWERTY keyboard for normal inputs.
Markus Jakobsson, a highly regarded IT security expert who is senior director at network computing provider Qualcomm, promises to introduce a new authentication paradigm that simplifies the process for users and provides a high-level of security. In a presentation he calls How to Wear Your Password, Jakobsson will demonstrate an identity manager in the guise of a smart bracelet.
This bracelet is equipped with a low-power processor, a Bluetooth LE transmitter, an accelerometer and a clasp that is constructed so that opening and closing it breaks and closes a circuit that allows an automatic detection of when the bracelet is put on and taken off. In the presentation, Jakobsson says he'll describe the physical design, including protecting the user who might be violently attacked, as well as the protocols associated with the device.
Governments as Malware Creators
Here's a sampling of other presentations of interest:
- Mikko Hypponen briefing titled Governments as Malware Authors: The Next Generation, in which he addresses how governments write malware. Hypponen, chief research officer of F-Secure, promises to identify the governments writing malware, where they got skills to do so and how much they budget for it. He'll also address whether hope exists to fight malware of this caliber.
- Penetration tester Stephen Breen's presentation, Mobile Device Mismanagement, focuses on vulnerabilities in mobile device management software. Breen has conducted a number of penetration tests on mobile device management products, and he says he has gained access to sensitive information. Some of the vulnerabilities seem to be systemic across a number of products, says Breen, who conducts penetration tests for NTT Com Security, an IT security consultancy.
- In A Survey of Remote Automotive Attack Surfaces, Twitter security engineer Charlie Miller and Christopher Valasek, security intelligence director at IOActive, a computer security services provider, explore the IT security of automotive networks of a number of carmakers. Among the questions they say they'll answer: What does the future of automotive security hold and how can we protect our vehicles from attack moving forward?
- The presenters of Smart Nest Thermostat: A Smart Spy in Your Home promise a demonstration that shows how the smart thermostat can be commandeered in 15 seconds. Researchers Yier Jin and Grant Hernandez of the University of Central Florida and Daniel Buentello of technology solutions provider Cimation say with Internet access, the Nest thermostat could become a beachhead for an external attacker.
Please look for my reports and interviews from Black Hat, starting Aug. 6.