LAS VEGAS – Black Hat and DEF CON 2019 may be wrapping up, but the dual conferences last week in Las Vegas left the security industry with a flurry of new security flaws, topics and announcements to discuss for the weeks to come.
Threatpost editors Tara Seals and Lindsey O’Donnell get together to discuss the highs and lows from the conference. The highlights include a widespread trend around increased collaboration between vendors and researchers, pinpointed during the keynote by Square’s Dino Dai Zovi. Other highlights include:
- An improved public bug bounty program announced by Apple that increases product scope and rewards
- Microsoft offering $300,000 for working exploits
- New IoT flaws discovered – and in the process of being updated – in high-end hotels
In addition, Threatpost discusses why Black Hat came under scrutiny for a sponsored “Time AI” encryption session that many researchers criticized as a scam. From the highs to the lows, listen to the full recap of the event below – and for direct download of the podcast, click here.
Below is a lightly-edited transcript of the podcast.
Lindsey O’Donnell: This is Lindsey O’Donnell and Tara Seals with Threatpost, on the Threatpost podcast. We’re just coming off the heels of Black Hat USA in Las Vegas last week, and it was a whirlwind of a show. Tara, how are you recovering so far?
Tara Seals: Hi, Lindsey. Thanks for having me. I’m recovering, it was a whirlwind. And even though it’s a two-day conference, it just feels like it’s much longer, bigger and crazier than what it looks like on paper.
LO: It’s certainly a lot that they pack in. And Tom, our editor-in-chief, is just coming off from DEF CON, too. So there’s definitely a lot of really cool coverage that he did there, too. Between the two conferences, we had some great speakers that we saw, some really interesting sessions, and new vulnerabilities and news from the show — starting right from the get-go with the opening keynote with Dino Dai Zovi, the mobile security lead at Square, who set the theme of the show with his discussion about security as it relates to communication and collaboration with other teams. So that was really cool.
TS: Yeah, definitely, I thought he was really engaging. And the way that he had structured it too was pretty interesting, because he started off talking about his very first Black Hat and how he just spent the whole time doing Capture the Flag exercises. And how where security fits into the corporate landscape and cultural landscape has changed over time, since that first DEF CON. His point was basically discussing security’s role in the workplace, and how, as everybody goes towards the cloud, and goes towards honing a DevOps, agile mindset for where software fits into the landscape, and enabling business processes, where security has to fit into that. Some of the challenges institutionally and culturally and being able to really do a good job with security over time. So I thought it was really interesting, it’s very different than previous Black Hat keynotes.
LO: It was interesting that he was talking a bit about, like you said, the transformation over the past more-than-a-decade. But it really shows you where the infosec space is right now, because his thought was that the security space has really made its mark at this point. And the voice of security awareness is out there with a lot of these companies, people realize that cybersecurity is important, but now the next challenge is really going to be focusing on how one communicates and hones their strategy around collaborating with various teams within companies. And that that is a big challenge for the security community right now.
TS: Yeah, definitely. And he touched on the fact that a lot of times security teams are small, and companies do have resource constraints in terms of getting the security expertise that they need, especially larger companies, where you might have a whole bunch of different divisions that they have to collaborate with. He also made a huge point about automation. And using software tools, like fuzzing and things like that, to scale your security efforts so you can do more with a small team. “Using the leverage of automation” was the terminology that he used. Recognizing that you can’t be everywhere at once, what can you automate? What can you give to your policies and your processes to take the weight off a little bit?
LO: Yeah, I was curious about how much automation would really be discussed at the conference. And I feel like it was talked about a fair amount. So I was really glad he brought that into the opening keynote, and set the tone there for that as well.
TS: Yeah, definitely. I mean, in my conversations with people and just at the sessions. I definitely felt that there were the typical Black Hat sessions around “how we discovered this new exploit vector,” or, “here are some vulnerabilities that we think are interesting,” or a lot of technical talks. But there was more discussion around organizational mindsets and from a business perspective, what to do with security.
LO: And then there was also a lot of discussion too around Apple, which they had some of the biggest news in my opinion from the show, which is that they were improving their bug-bounty program. But then even beyond that, there were also a bunch of vulnerabilities that were discovered in Apple products. But the bug-bounty program news was huge. They basically said that they would open their historically private program to all researchers starting in the fall. And then they were going to… up their rewards for different vulnerabilities found in devices, including a $1 million payout for a certain vulnerability that could be discovered. And then also added more devices to be in-scope for its program, like Mac devices, WatchOS and TVOS.
TS: So this is really interesting to me, because I kind of feel like they are way behind the curve. And Apple is not a company to be behind the curve on much. But on this, they are really late to the party in terms of having a bug-bounty program that’s open where they can crowdsource expertise. So did they say anything about that, or why there’s been a lag, or why they were reluctant to do this before?
LO: Researchers who I talked to after the fact said that they have been historically, notoriously closed with their program, and also in how they communicate with the security industry. And I feel like Apple has always had that kind of hands-on, “we can do this ourselves,” attitude, but researchers are saying now that they really are looking to external researchers to help. And I think we saw that earlier this year, if you remember the teenager who discovered the huge eavesdropping flaw in FaceTime, and Apple got a lot of flack for the fact that they took a while to respond to him, and it was a whole mess. So I think that they’re really starting to open their eyes to the benefits that bug-bounty programs and researchers in general can really bring to the company in terms of finding these glitches in their products.
And a lot of researchers also said, this is a huge step in Apple further firming its relationship with the security space. So I think that should be something to keep an eye on. Their bug-bounty program was, like you said, really behind: It was closed, it was invite only, the rewards were only as high as $200,000. And then they also had limited in-scope products.
And the fact that they didn’t have a program that addresses Mac has long been criticized by different researchers. I think last year, if you remember, Google bug-hunter Ian Beer criticized Apple at Black Hat 2018 for how it handles Mac security and iOS security, and was talking about how Apple really needs to step up in terms of how it interacts with researchers around the security bugs. So just the contrast between that session last year and this announcement this year, really goes to show that there are hopefully going to be steps taken by Apple to improve on this.
TS: For sure. And obviously these programs need to evolve with the times, which is a little bit of a segue to another story that you covered, Lindsey. That was also huge, about Microsoft’s opening up $300,000 rewards for cloud exploits. That one was pretty interesting too, it definitely made a lot of waves at the conference.
LO: Yeah, I feel like bug-bounties in general and the relationship between vendors and researchers was a huge topic this year. It was Apple, it was Microsoft. And then this was something we didn’t cover, but Google also did something similar in terms of Google Cloud, offering their rewards there.
But yeah, so Microsoft, just for context, announced that it’s going to offer awards of up to $300,000 for researchers who could launch successful test exploits for the [Azure] platform. So it would be different from just a bug-bounty program, because that means that instead of just researching vulnerabilities, the company is going to offer cloud host testing environments called Azure Security labs, where researchers can essentially test live exploits because they’re isolated from the Azure production environments that customers are using. That’s going to be beneficial for researchers, that gives them a little more flexibility and ultimately allows Microsoft as well to benefit from that.
I really liked what I saw in terms of companies starting to not just focus on vulnerabilities and issues and glitches that were in products. This conference, there was also really a branching between different vendors and researchers. And I also noticed too that a lot of sessions had vendors and researchers that were co-presenting sessions. So if researchers found a vulnerability in a product, this was the case with BMW, then BMW or the vendor that the vulnerability was within their products would come forward and be like, this is what happened, this is what we did to mitigate the situation in collaboration with the researchers. And this is what we’re doing moving forward to resolve future issues. And I really like that, I feel like it went along with that theme of collaboration that the conference had.
TS: Yeah, absolutely. That was very cool. And speaking of vulnerabilities, there were a few that were really interesting that we got to see sessions on, as well. The IoT stuff — there were some pretty good sessions on IoT. You did one about a hotel smart lock, I think.
LO: Yeah, I always like to learn more about IoT vulnerabilities so that one was really cool for me. These two German researchers/hackers presented about how they were able to hack into a popular IoT smart lock that was used by a high-end hotel in Europe, and essentially break into hotel rooms, and all kinds of other malicious activities that no one wants to happen. And so they didn’t reveal the lock or the hotel chain, because at this point, these locks are being actively used by the hotel. And they’re still in the process of disclosure and updates. They did give a walk-through of what they were able to do. Hotels are increasingly using these IoT locks in lieu of key cards; instead, guests can use their mobile phones for room access.
TS: That was my question. So it’s an app, basically, that goes on your phone – and then do you enter a code? Or do you wave it [in front of the lock]? Is it like a Bluetooth thing?
LO: Yeah, so it’s Bluetooth Low Energy (BLE). It’s on your phone, and then you have the smart lock, and then you essentially put it up to the lock, and through Bluetooth Low Energy it’s able to unlock the door. By the way, these hackers love breaking into locks and electronic locks. So this is kind of their passion, they had a couple of interesting previous research pieces that they’ve done for smart locks and just regular locks. But they…essentially found that they were able to first gain access to and analyze the Bluetooth Low Energy traffic used by the system. And from there, they were able to use wireless sniffing to discover what the credential packet was, and from there, they were able to figure out that they could launch a key-stealing attack on the IoT smart lock. And they could just easily break into any hotel room, or they could even, because this was also used by elevators and the fitness center in the hotel, they were able to stop elevators remotely or go into the fitness center (though I don’t know how [the fitness center] would be a malicious attack).
TS: Still, that’s kind of terrifying.
LO: Yeah, so I think the most interesting part of the talk too was that they were talking about some of the challenges in the disclosure process. And one of the biggest challenges — and this is something we’re seeing with a lot of IoT devices and vulnerabilities that people are finding in them in general — is that they need to not just work with the vendor, but there’s a bunch of different manufacturers and vendors that go into each IoT device. So they had to reach out to the software vendor, the app vendor. It was a whole process for them.
TS: Yeah. Which also fits back with our bug bounty and vendor collaboration conversation.
LO: Yeah, for sure. There was also at Black Hat, I’m just seeing now, there was a lot of controversy too about this “Time AI” sponsored session. Do you know what part of the conference that was? Was it towards the beginning?
TS: I’m not sure which day it was on, but I know that the controversy started breaking on Thursday. I don’t know if it was Wednesday afternoon, or if it was Thursday morning or whatnot. But yeah, this was a sponsored session, which of course, vendors pay to get time, and then they can use that time any way that they want. So it’s not vetted by the conference people for content.
The company was called Crown Sterling, which is not a company I’ve heard of. I don’t know what kind of reputation they have out there in the marketplace, but after this, probably not a very good one, because the speaker got up there and started talking about a new type of encryption that he termed “Time AI.” And he didn’t give a lot of technical details, it was a little bit of mumbo-jumbo, talking about how his company has this mysterious, intriguing sort of quantum physics-based encryption algorithm that’s unbreakable. And trying to use that as a marketing differentiator.
And researchers cried BS on it, essentially. And he was also using some jargon when he was talking about it, like “infinite wave conjugations” and some other phrases that he didn’t link back to any technical specifics. And so people started taking to Twitter and making fun of this, researchers were saying that it’s dangerous and that he’s basically committing fraud by saying that he’s got this type of encryption technique, that clearly cannot exist or does not exist, and if it does, he needs to prove it. Eventually, the conference organizers actually deleted him from their audio recordings and decided to cut off access to his talk completely, even the recorded version after the fact.
LO: Wow, that’s really something that is interesting. I’m curious about the approval process for talks, do they have to go through some sort of vetted approval board or something? I feel like this is something that probably Black Hat should have caught earlier for their part.
TS: Yeah, so most of the conference talks are vetted, for sure. They have a board of industry experts, and they have the call-for-papers process and everything’s curated. But with the sponsored sessions, that’s just basically advertorial, that’s just a different form of advertising. And so they buy the space and they can use that space for whatever they want. They could be…doing an infomercial. In this case, this company decided to showcase a so-called security technology. And they are defending their technology, they’re on Twitter talking about the fact that they feel that they’re perfectly legitimate, and here’s why and blah, blah, blah.
LO: I think it’s hard, especially when they’re talking about encryption and cryptography. I think this is hitting a hot spot for a lot of researchers, in terms of if it is some sort of scam or marketing or whatnot. So hopefully, Black Hat at least learned something from this for future shows. I don’t know if this has happened in the past, but definitely something to be learned there.
TS: Well, yeah. If you’re trying to provide a platform [for legitimate educational content] and somebody gets up there making these crazy wild claims. I understand that it’s paid-for space, but maybe they could use some light oversight on it.
LO: Right, for sure. Well, it was definitely a crazy conference. And I feel like we wrote so much. But there’s still so much news that we need to continue to wrap up on this week. So I gotta go write.
TS: Yeah, there’s a lot of stuff to do the Monday after Black Hat.
LO: For sure. Well, Tara, thanks for coming on and talking a bit about your experience with the show. And yes, for everyone else, be sure to keep up with Threatpost.com for the newest and latest Black Hat and DEF CON research that we will continue to wrap up on for this week.
TS: Thanks for having me, Lindsey.
LO: Great, thanks. Catch us next week on the Threatpost podcast.