Any time a new spate of computer vulnerabilities is featured on the evening TV news, it's a sure sign that the Black Hat conference in Las Vegas is just around the corner. Indeed, numerous researchers seem to regularly hoard evidence of new exploits, plus cybercrime and cyber-espionage analysis, to debut during the first week of August.
Here are some of the must-attend briefings for this year's Black Hat conference, to be held Aug. 5-6.
Remotely Hacking Cars
Past Black Hat conferences have featured research about hacking all manner of real-world devices, ranging from ATMs, to key-card hotel room locks, to insulin pumps. But this may be the first time that a Black Hat briefing has led to a major automobile recall. A preview of the briefing in question - "Remote Exploitation Of An Unaltered Passenger Vehicle," from Charlie Miller, a Twitter security engineer, and Chris Valasek, IOActive's director of vehicle security research - was recently featured in a Wired report, which detailed how vulnerabilities in a Jeep Cherokee's on-board computer and entertainment system could be exploited to disable the car's acceleration and braking capabilities, amongst other features.
The flaws, which have yet to be publicly detailed in full, have led to Fiat Chrysler Automobiles issuing a voluntary recall of about 1.4 million vehicles in the United States, so they can be upgraded with emergency security patches.
The automaker has already patched some vehicles via over-the-air updates, Bloomberg reports. And the U.S. National Highway Traffic Safety Administration has also launched a "recall query" to take a close look at the automaker's security and patching practices.
"Hacking A Linux-Powered Rifle"
Imagine if someone created an Internet-connected rifle; what could possibly go wrong? In fact, the Internet of Things took a turn for the unusual with the introduction by Austin-based TrackingPoint of "a tightly integrated system coupling a rifle, an ARM-powered scope running a modified version of Linux, and a linked trigger mechanism," say the husband-wife security research team of Runa A. Sandvik and Michael Auger.
To date, reportedly only about 1,000 of the rifles have been sold, with two of them being purchased by the couple, who took one apart and discovered how they could remotely hack their remaining long-range tactical rifle to change its target, although thankfully not make it fire, Wired reports. TrackingPoint has promised to issue a fix.
Security researcher Joshua Drake will detail the serious Stagefright vulnerability that he discovered, which affects an estimated 95 percent of all Android devices, and which can be exploited automatically - with no user intervention - in about half of those devices. Drake plans to share proof-of-concept code, which means that widespread, in-the-wild attacks - which he already believes are occurring - may soon become a reality (see Android Stagefright: Exit Stage Left).
Owning All the Androids
To be fair, even if Drake didn't find Stagefright, Android didn't stand a chance. At least not against Wen Xu, an undergraduate computer science major at China's Shanghai Jiao Tong University. He's already an intern at elite mobile security research group Keen Team - a.k.a. K33N Team. And he lists his hobbies as including "Linux(Android) kernel bug finding and Android root exploitation." In the most recent pwn2own competition, he helped Keen Team win the Adobe Reader exploit category.
With those credentials, perhaps it's no surprise that he's arriving in Vegas to deliver Keen Team's research into a use-after-free bug in the Linux kernel, which they report can be used to "root most Android devices" running version 4.3 of the OS or newer, "even for the 64-bit ones," and which evades Android's built-in kernel security features.
In the wake of the Stagefright flaw, the presentation is another reminder that too much of the Android ecosystem has unpatched flaws. But it also shows how fuzzing - hitting software or devices with unexpected inputs - continues to turn up new flaws, and should serve as a warning that unlike Keen Team, not all researchers publicly share details of the flaws they discover.
Every year, Black Hat bestows Pwnie Awards - featuring spray-painted My Little Ponies - for the year's best research, baddest bug and "most epic fail," among other accolades. Highlights of this year's nominations include Shellshock and Venom competing with the iOS CoreText DoS for the year's "most overhyped bug." On the song front, meanwhile, "Integer Overflow" by NYAN - for Not Your Average Nerd - sounds like a top contender.
But the most interesting award will again likely be the "Pwnie for Epic 0wnage." Nominees include Kaspersky Lab, for Duqu 2.0; Hacking Team; the U.S. Office of Personnel Management; Samsung for the Samsung Swiftkey keyboard bug; as well as "The World." Credit for the latter hack, as well as suspected credit for the OPM and Hacking Team hacks, goes to China, the Pwnie awards team notes.
The Pwnies also ask us to shed a tear for overworked Chinese hackers. "After being blamed for being behind a cyberattack every time that some elderly computer user can't print out an e-mail, China now has to actually hack everything everywhere just in order to live up to everyone's expectations of them. They are the real victim here."
But Wait, There's More
Other sessions at this year's event include:
- Straight talk on threat and information sharing;
- More details on the baddies behind Gameover Zeus;
- How to "own and clone" contactless payment devices;
- Advice on how to secure enterprises against attackers hacking Windows Server Update Services to distribute malware;
- Proof-of-concept Mac malware that bypasses every Mac OS X defense;
- How Border Gateway Protocol can be hijacked to defeat HTTPS, as well as a new BGP-attack warning system called BGP Stream;
- Analysis of the quality and overlap of different threat intelligence feeds;
- Real-life stories from inside the "threat analyst sweatshop."
That's my shortlist of interesting-looking sessions for this summer's Black Hat in Las Vegas. What's on your must-see list?