Black Hat brings together the best minds in security to terrify the pants off one another.
By Max Eddy
The Black Hat conference is a chance for researchers, hackers, and anyone close to the world of security to gather and learn from one another. It’s a week of sessions, training, and — inevitably — some poor decision making in the greater Las Vegas area.
In its 20th year, Black Hat 2017 began on a reflective note. Alex Stamos, the CSO of Facebook, looked back on his early days at the conference. For him, it was a place to be accepted, and to learn from the community. He challenged that same community to be more empathetic, and to prepare for the next generation of hackers by welcoming more diversity.
The Black Hat sessions have always been the place to see surprising, and sometimes horrifying, examples of security research. This year, we saw how to fool Apple Pay’s web interface and how to topple a hoverboard using ultrasound, and we learned how vulnerable wind farms could be to a cyber attack.
One session saw the return of a trio of Tesla Model S hackers, who showed off new attacks. Their research is sure to continue as vehicles become more connected. Also a big hacker target? Printers.
Another remarkable talk looked at attacking industrial infrastructure. With two successful attacks against the Ukrainian power grid last year, securing critical infrastructure like power plants and factories is a major issue. This time, we saw how bubbles — yes, regular bubbles — can be used as a malicious payload to destroy expensive, critical pumps.
Perhaps the most remarkable achievement of this year’s show was in the field of cryptanalysis. Using sophisticated techniques, a team was able to create the first SHA-1 hash collision. If you’re not sure what that means, read on because it’s very cool.
After 20 years, Black Hat is still the premier stage for hackers. But the future is uncertain. Nation-state cyber attacks have gone from being a rarity to a regular occurrence, and the stakes are bigger than ever. How we’ll deal with that still isn’t clear; perhaps Black Hat 2018 will have the answers. Until then, check out some of the more eye-catching moments from this year’s Black Hat below.
Ultrasonic Gun Attacks Drones, Hoverboards
Devices use sensors to understand the world around them, but some of these sensors are subject to tampering. One research team demonstrated how they could use ultrasound to cause drones to wobble, hoverboards to topple, and VR systems to spin uncontrollably. The attack is limited for now, but the applications could be far-reaching.
Are Bubbles the Future of Hacking?
Probably not, but Marina Krotofil demonstrated how attacking the valve system in a water pump could be used to create bubbles that reduce the water pump’s efficiency and, with time, cause physical damage resulting in the pump’s failure. With her presentation, Krotofil sought to demonstrate that insecure devices, like valves, could attack secure devices, like pumps, through novel means. After all, there’s no antivirus for bubbles.
Bug Bounties and Beer
Recent years have seen the expansion of bug bounty programs, where companies pay researchers, penetration testers, and hackers a cash bounty for reporting bugs. Researcher James Kettle told the crowd at his session how he assembled a method to test 50,000 websites simultaneously. He had some misadventures along the way, but earned over $30,000 in the process. He said his boss initially insisted on spending any money earned in the automated endeavor on beer, but in light of Kettle’s success, they opted to donate the majority to charity and spend only a little bit on beer.
Attacking Wind Farms
Researcher Jason Staggs led a comprehensive security assessment of wind farms, which led his team up several 300-foot spinning power plants. Not only was physical security weak (sometimes, just a padlock), but digital security was even weaker. His team developed several attacks that could hold wind farms ransom and even cause physical damage. Think Stuxnet, but for massive, whirling blades of death.
Pwnie Express On Guard
Last year, Pwnie Express brought its network-monitoring equipment and discovered a massive evil access point attack that was configured to imitate a network friendly to passing devices and invite them to connect. This year, Pwnie worked with Black Hat’s network security team, but didn’t detect anything as large as last year’s attack — at least, nothing that wasn’t part of a training exercise in a Black Hat session. This Pwn Pro sensor was one of several placed throughout the conference to monitor network activity.
Don’t Trust Your Printer
Network printers have long been viewed by researchers as prime targets. They’re ubiquitous, connected to the internet, and often lack basic security. But Jens Müller showed that it’s what’s inside that counts. By using the protocols used by nearly every printer to convert files into printed material, he was able to perform a number of attacks. He could extract previous print jobs, and even overlay text or images on documents. The attacks he outlined will exist until someone finally gets rid of these decades-old protocols.
Hash functions are everywhere, but nearly invisible. They’re used to verify contracts, digitally sign software, and even secure passwords. A hash function, like SHA-1, converts files to a string of numbers and letters, and no two are supposed to be the same. But researcher Elie Bursztein and his team devised a way to make two different files end up with the same hash. This is called a collision, and it means SHA-1 is as dead as a doornail.
Hacking a Tesla (Again)
In 2016, a trio of researchers showed how they were able to take control of a Tesla Model S. This year, the researchers from Tencent KeenLab returned to walk through their attack step by step. But it wasn’t all recap: they also examined Tesla’s mitigation of their initial attack and presented their new attacks; the team showed off a pair of cars flashing their lights and opening their doors in time to music.
Hacking Apple Pay on the Web
When it first launched, I wrote extensively about Apple Pay, praising its tokenization of credit card data and how Apple wasn’t able to track your purchases. But Timur Yunusov wasn’t convinced. He discovered it was possible to snag credentials and perform a replay attack using Apple Pay on the web. Better keep an eye on those credit card bills.
Controlling Industrial Robots From Afar
A trio of researchers, representing a team from Politecnico di Milano and Trend Micro, presented their findings on the security of robots. Not your friendly Roombas, but the hardworking and powerful industrial robots found in factories. They found several critical weaknesses that could allow an attacker to seize control of a robot, introduce defects into manufacturing processes, and even potentially harm human operators. More troubling is the discovery that there are many thousands of industrial robots connected to the internet.
Black Hat is done for another year, but with digital security more visible and valuable than ever, the coming year is sure to have some interesting surprises.
Originally published at www.pcmag.com.