Back in Black In Las Vegas


Incongruity and the city of Las Vegas are not exactly strange bedfellows. The very idea of building a city in the middle of the desert where temperatures can soar up to 120 degrees Fahrenheit seems a bit odd. Throw in the idea that hotels fitting for such a place would look like English castles, a pyramid, a French bistro complete with mini Eiffel Tower and Montgolfier balloon, a New York streetscape, mock Roman and Venetian splendour, an ersatz enclave of Brooklyn… well, you get the idea.

Seeing hordes of black t-shirted and khaki-shorted security professionals troop backwards and forwards through the slick, serene surroundings of mega hotel Mandalay Bay may also jar the eye, but the idea of the city hosting Black Hat (and days later Def Con) doesn’t actually seem that strange at all in a way.

In fact what is today’s security industry all about? A high stakes game between the house and those who want to bring it down by fair means or foul for huge reward. Or just the satisfaction of breaking the bank. Yup, Black Hat certainly was at home in Sin City and provided much food for thought – one item of which was disconnecting any automatic guidance systems that you may have in your car.

It was fair to say that given such an esteemed gathering of the US’s finest hacking minds there was a genuine fatalism that hacks were just going to happen, as much as you’d eventually lose a hand of cards. As a delegate – who shall be nameless on the basis of what goes on in Vegas, stays in Vegas – said ‘if it can be connected it can be hacked’.

Mobile Matters

Just before the show, in a survey of previous Black Hat USA attendees, almost three quarters of security pros said they think their organization will suffer a breach in the next 12 months and only just a quarter (27%) feel they’re able to deal with it. The majority of respondents regarded advanced targeted attacks (57%) as the number-one source of concern, yet only just over a quarter said that tackling such an eventuality was among their top three spending priorities.

One very likely vector will be through mobile. Not surprisingly, one of the most well attended sessions was that given by Adrian Ludwig, head of Android Security at Google, which is in the midst of pushing mass updates over the air (OTA) to its Nexus Android devices to address the recently uncovered Stagefright. The vulnerability, or rather the group of them going under that collective name, can allow remote takeover of an Android device simply by sending it a certain kind of file, increasingly MP4 files and video files that auto-play when a website is opened; when such a file is played, attackers can bypass the disabling of auto-play videos in Chrome and gain complete control of the device.

In attempting to reassure the gathered mass that the threat of something that could be affecting anywhere from 50% to 90% of Android devices was somewhat overstated, Ludwig conceded that mitigation involved the single largest unified software update the world has ever seen and that the problem was not going away any time soon. “In general over the last 6 months, we see that around a half of one percent of Android devices have a potentially harmful application installed,” he said. “[And] we have no expectation in an ecosystem the size of Android that the number will ever be zero.”

Baby You Can Drive My Car

Another industry with a rather large ecosystem is automotive, and Black Hat provided a rather graphic and rather scary example of what has become the vector de nos jours – car hacking. Chrysler was global news just before the show when it had to recall vehicles due to security concerns, and in Vegas Kevin Mahaffey, co-founder of the security firm Lookout, and Marc Rogers, principal security researcher at CloudFlare, showed off a white-hat compromise of Tesla’s flagship Model S line.

The two uploaded a Trojan back-door that allowed them to remotely control functions, turn the car on and off remotely, hit the brakes if it was moving under 5 MPH, and shift it into neutral at higher speeds. It sure looked fun at the show but, as one (unnamed again) watching professional said “one day someone will drive one off a cliff”.

And there was more. Much more. Indeed much, much more of a nefarious kind was to come at Def Con, where the old adage ‘never use an ATM where it is held’ rang true by all accounts, but a neat coda was struck by a leading security firm’s CTO.

Sitting in the place which Old Blue Eyes himself described as ‘the only place where money really talks and it says goodbye’, the exec (yes, unnamed…) made some really valid points about credit card security and the inherent incongruity of a country such as the US, home to some of the world’s most used and most advanced security technology, still employing swipe payment on readers. He mused as to when the country would adopt chip and pin technology: actually he didn’t have to travel that far to see that it had. Indeed he could have just popped his head next door to the Black Hat official store doing a roaring trade in branded goods supported by chip and pin card readers.

Were the store owners making a rather profound observation seemingly unheeded by the rest of the city (and country)? You wouldn’t bet against it…
