Black Hat 2013: What Have We Learned

The Black Hat conference is one of the best opportunities each year to see new and innovative research, commune with some of the smartest folks in the industry and generally get a sense of where things stand and where they’re going. This year’s conference was one of the larger in history, both in terms of number of attendees and volume of presentations, and there was a lot to see and hear. With 11 research tracks, keynotes and press conferences happening from morning till night, it was impossible to see it all, even for the most motivated and caffeinated person.

LAS VEGAS–The Black Hat conference is one of the best opportunities each year to see new and innovative research, commune with some of the smartest folks in the industry and generally get a sense of where things stand and where they’re going. This year’s conference was one of the larger in history, both in terms of number of attendees and volume of presentations, and there was a lot to see and hear. With 11 research tracks, keynotes and press conferences happening from morning till night, it was impossible to see it all, even for the most motivated and caffeinated person.

But, we saw a lot of great talks and spoke with plenty of interesting folks, so we tried to boil down the most compelling, important and interesting bits and pieces from the conference for easy digestion. A comprehensive list of all the cool stuff from Black Hat would be almost impossible, so think of this as a tapas menu of the best stuff from last week. Enjoy.

  • The web is thoroughly broken. That may sound like hyperbole, but it’s not. There were a number of presentations at Black Hat that demonstrated serious new attacks on the Web’s underlying infrastructure and few of them seem to have a simple solution. The BREACH attack, which expanded upon the CRIME TLS attack from last year, essentially gives an attacker the ability to read encrypted messages under certain conditions. That sort of defeats the security model of SSL, the protocol that protects the majority of sensitive Web traffic. There have been similar attacks in the past that had more restrictions, but this is perhaps the most practical and easy to implement. In the words of US-CERT: “We are currently unaware of a practical solution to this problem.” And that’s just one piece of it. The other half of the coin is the research done by Paul Stone, who found a new technique for using JavaScript-based timing attacks to force a victim’s browser to reveal the source code of any page he’s on, which could include user IDs and other sensitive data. The technique also enables him to reconstruct anything that’s in a given iframe on a targeted site. As one other Web security researcher said about this attack, “It’s crazy. There’s no real way to fix it.”
  • Your car is just a rolling PC waiting to be hacked. And in some cases, it’s already been hacked. Researchers Charlie Miller and Chris Valasek spent months working on a ways to attack the electronic control units (ECU) that are the brains of modern vehicles. What they found is methods to take over the ECUs and reprogram them to do essentially whatever they wanted. Miller and Valasek were able to disable the brakes, take over the steering and perform various other actions on their research vehicles, a Toyota Prius and Ford Escape. These likely aren’t the only vehicles vulnerable to these attacks; just the ones Miller and Valasek got their hands on. “Automobiles have been designed with safety in mind. However, you cannot have safety without security. If an attacker (or even a corrupted ECU) can send CAN packets, these might affect the safety of the vehicle,” they said in their paper, which they presented at DEF CON 21.
  • Hackers don’t like feds. This would seem to be self-evident, but in recent years the security community (or at least parts of it) have gradually warmed up to some of the federal agents, government investigators and other various members of the khaki-and-polo crowd. Feds have been easy to spot at both Black Hat and DEF CON for several years now, perhaps thanks in part to the influence of Jeff Moss, who founded both conferences, and works closely with the government now on various projects. But that era of detente ended quickly in the wake of the Edward Snowden revelations, so when Gen. Keith Alexander, the director of the NSA, delivered his opening keynote on July 31, it was in front of an initially polite crowd that soon turned restless and hostile. Alexander was determined to show that the collection programs the NSA runs are both legal and effective, but some of the attendees weren’t having it, and began heckling him. Alexander stood his ground and got through the speech, but it may be the last one we see at Black Hat from a top government official for a while.
  • Mobile security isn’t. Researchers have been banging away at the various mobile platforms for years now, and usually with quite a bit of success. Android has been the favorite target, but the other platforms are getting their share of attention now, as well. Ralf-Phillip Weinmann did a complete breakdown of the BlackBerry 10 security model and found that while there are some nice features, the OS isn’t as secure as it could be. He was unimpressed by the concept of work-personal partitioning as a security feature and said that an attacker would find it relatively easy to maintain persistence on a BlackBerry 10 device. Meanwhile. Karsten Nohl dug into the hardware side of things, and showed off his method for rooting SIM cards, the tiny computers inside mobile phones that serve as their brains and identifiers. He found a way to send commands to the SIM cards and get root access to them, something that gives him complete control of a targeted phone.

That may be a pretty bleak picture, but the good thing about Black Hat and other conferences like it is that vendors and manufacturers now pay close attention to the research presented there and use it to learn and do better the next time. Rather than threatening researchers with legal action–which used to be the norm–they are now sitting in the audience looking for ways to harden their products and work with the researchers to improve their security models. That’s progress.

Image courtesy of Black Hat USA 2013.

Suggested articles