The world moves fast, but much of vulnerability research and exploitation has been in stasis for the last few years. Most of the attention has gone to memory-corruption vulnerabilities, application-level bugs and using Java and Flash to get around exploit mitigations and other protections. That seems to be changing now, if the topics and depth of research at this week's Black Hat conference are any evidence.
Look at the schedule for the conference and the thing that jumps out is that there isn't a pile of talks about a new browser bug or a tool for hiding malware on Windows 7 machines. Instead, what you see are talks on hacking wireless water meters, attacking the microcontrollers in laptop batteries, exploiting esoteric Siemens PLCs, hacking car alarms and industrial control systems over the GSM network, and crypto for pentesters.
Hacking for dummies, this ain’t.
Whether it is the exploit mitigations that Microsoft, Adobe and now Apple have added to their browsers and other applications finally kicking in, or researchers running up against the limits of what they can do with those products, things are getting tougher.
Take the presentation by Charlie Miller, for example. Known for his work knocking holes in Apple's iOS, Safari and Mac OS X, Miller this week will talk about an attack he developed against the firmware on Mac laptop batteries. He reverse-engineered the battery firmware updates Apple had shipped in the past and worked out the default passwords that gave him full access to the firmware, enough to render the battery useless. There is also the possibility of attacking the laptop itself from malware hiding on the battery. This is not for the faint of heart.
“I started out thinking I wanted to see if a bad guy could make your laptop blow up. But that didn’t happen,” he said. “There are all kinds of things engineers build into these batteries to make them safe, and this is just one of them. I don’t know if you could really melt the thing down.”
Or, if batteries aren't your thing, and that's certainly understandable, consider the talk that Don Bailey will give on Wednesday. Bailey recently found an old Zoombak GPS locator that he'd bought a few years ago, thrown in a drawer and forgotten about, and decided to pull it apart to see how it worked. He quickly discovered that its architecture was easy to subvert: he could send it commands via SMS that made it upload all of its GPS coordinates to an IP address of his choosing, and essentially make it do whatever he wanted. It turns out the same architecture is present in piles of other devices, including car alarms, SCADA systems and utility-control systems.
“I knew this was in car alarms, so I went and bought one and within two hours of purchasing the device, we had it owned,” Bailey said. “Not only is the architecture ubiquitous, no one understands that the module is so weak in its inherent design that I can completely own not just that device, but all the devices attached to it. There are lots of places that security and integrity could have been introduced, but they’re not. And it’s mostly because of money.”
But if you don't dig hardware, you can take in Moxie Marlinspike's talk on the inherent problems in the SSL and certificate authority infrastructure. You've probably heard discussions of these issues before, but you probably haven't been to one in which the speaker releases a browser plug-in that replaces the CA infrastructure on the client.
“This is my attempt at an authenticity replacement for SSL. I’ve been using it for the last few months, and it’s working well,” Marlinspike said. “It takes you off the CA system everywhere you go.”
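Marlinspike's plug-in, released as Convergence, drops the CA's signature as the source of authenticity and instead asks independent notaries, each fetching the site's certificate from its own vantage point, whether they see the same certificate the client does. The article does not go into that mechanism, so the following is an added sketch of the trust decision a client makes under such a scheme; it is not code from the talk or from the plug-in. The certificate bytes, notary names and the two threshold policies are constructed for illustration.

```python
import hashlib

# Constructed sample data: in a real client these would be the DER-encoded
# leaf certificates received over TLS, by the client and by each notary.
GOOD_CERT = b"constructed-der-bytes-for-example.test"
EVIL_CERT = b"constructed-der-bytes-from-an-interceptor"


def fingerprint(der_cert):
    """SHA-256 fingerprint (hex) of a certificate; what client and notaries compare."""
    return hashlib.sha256(der_cert).hexdigest()


def notary_verdict(observed_der, notary_reports, threshold="majority"):
    """
    Decide whether to trust the certificate the client just received,
    without consulting any CA.

    observed_der   -- certificate bytes from the client's own connection
    notary_reports -- {notary_name: der_bytes or None}; None = unreachable
    threshold      -- "majority": more than half of reachable notaries agree
                      "consensus": every reachable notary agrees
    Returns (verdict, agreeing, reachable); verdict is "trusted",
    "untrusted" or "insufficient" (no notary could be reached).
    """
    observed = fingerprint(observed_der)
    seen = {name: fingerprint(der)
            for name, der in notary_reports.items() if der is not None}
    reachable = len(seen)
    if reachable == 0:
        # Fail closed: with no independent view there is nothing to compare.
        return ("insufficient", 0, 0)
    agreeing = sum(1 for fp in seen.values() if fp == observed)
    if threshold == "consensus":
        ok = agreeing == reachable
    elif threshold == "majority":
        ok = agreeing * 2 > reachable
    else:
        raise ValueError("unknown threshold policy: %r" % threshold)
    return ("trusted" if ok else "untrusted", agreeing, reachable)


def demo():
    """Run the decision over a few constructed scenarios (notary names are made up)."""
    honest = {"notary-a": GOOD_CERT, "notary-b": GOOD_CERT, "notary-c": GOOD_CERT}
    one_down = {"notary-a": GOOD_CERT, "notary-b": GOOD_CERT, "notary-c": None}
    split = {"notary-a": GOOD_CERT, "notary-b": EVIL_CERT, "notary-c": None}
    all_down = {"notary-a": None, "notary-b": None}
    return {
        # Client and every notary see the same certificate.
        "clean": notary_verdict(GOOD_CERT, honest),
        # Client is being intercepted locally; notaries see the real cert.
        "local_mitm": notary_verdict(EVIL_CERT, honest),
        # One notary unreachable, the rest agree.
        "one_down_majority": notary_verdict(GOOD_CERT, one_down, "majority"),
        "one_down_consensus": notary_verdict(GOOD_CERT, one_down, "consensus"),
        # Notaries disagree among themselves: no majority, no consensus.
        "split_majority": notary_verdict(GOOD_CERT, split, "majority"),
        "split_consensus": notary_verdict(GOOD_CERT, split, "consensus"),
        # Nothing to compare against.
        "all_down": notary_verdict(GOOD_CERT, all_down),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of the comparison is that a certificate forged by a CA, or injected by an interceptor sitting near the client, will not match what notaries elsewhere on the network observe; the user, not a CA list baked into the browser, chooses which notaries to ask and how many must agree. The "insufficient" case is deliberately not treated as trusted.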
These are not parlor tricks meant to wow a crowd of neophytes. They’re good indications that hacking is getting harder. And more interesting.