Every year, many of the top security minds around the world meet up to share the latest information security (InfoSec) research, vulnerability discoveries, and hacking techniques at the Black Hat and DEF CON security conferences in Las Vegas. These researchers’ discoveries are often well ahead of cyber criminals, so these briefings can forecast the next generation of threat trends and attacks. Understanding these trends ahead of time helps you tailor and adapt your defenses to guard against future attacks.
Unfortunately, few outside the InfoSec industry have the opportunity to attend these conferences, and thus miss out on the education they provide. While I can’t share the full conference learnings in one short article, I can recap the top three overall themes from these two shows, and what you can learn from them.
First, let’s start with a quick history of these two security events. Both hacker conferences were founded by the same guy: Jeff Moss (who also goes by the hacker handle Dark Tangent). Moss created DEF CON in 1993, and Black Hat in 1997. Both are among the oldest InfoSec conventions in the United States.
Moss created DEF CON primarily for the hacker and research community. Of the two, it probably most closely resembles your cliché expectation of a hacker conference. Though its attendees aren’t often “black hats,” they do revel in breaking or hacking technical systems, and this conference focuses more on offense than defense. It’s also where the community goes to let their hair down, have fun, and socialize with like-minded individuals. Unlike business conferences, DEF CON has the atmosphere of a party, with lock-picking contests, cipher challenges and much more. You should also go in with your shields up, as attendees at DEF CON aren’t above hacking others, or doing technical pranks.
Unlike its name might suggest, Black Hat is the more business-oriented of the two conferences. Moss created it to educate CSOs and InfoSec security teams from large enterprises. Though the same speakers often attend both, the briefings at Black Hat are more professional and often focus on (or at least end with) defensive strategies. If you’ve attended any professional industry conference, you’d find Black Hat’s format familiar. That said, since these conferences span the same week, many go to both and they each provide distinct value.
So now that you know a bit about the shows, let’s talk about the top three themes from Black Hat and DEF CON 2017.
1. Pwning the Internet of Things (IoT)
IoT insecurity was the biggest theme from this year’s DEF CON and Black Hat conferences. Researchers at both shows gave many talks about IoT security problems, or about hardware and software hacking techniques related to IoT.
For instance, at Black Hat, a pair of Chinese researchers talked about EvilSploit – A Universal Hardware Hacking Toolkit. When IoT researchers analyze hardware, one of their first tasks is dumping the hardware’s flash or firmware. Often, IoT devices have unpopulated pads on their PCBs offering UART or JTAG interfaces, which are used for debugging or the initial flashing. Hardware hackers often spend a lot of time manually figuring out unlabeled interfaces to learn their pinout and communication protocols. The EvilSploit researchers demonstrated a device and software that could automatically enumerate the pins of a device it connected to, making initial hardware reconnaissance of IoT targets much easier.
Another Black Hat talk, (In)Security in Building Automation, highlighted the architecture and industry-specific protocols used by smart buildings, and explored how attackers might hack these systems. To summarize, once you understand these protocols and have access to the network, attacking building automation systems is relatively trivial. In fact, using public scanning tools like Shodan, the speaker found many building automation systems exposed to the Internet.
DEF CON also had tons of IoT talks, including a few where researchers dumped details about tens of vulnerabilities in a wide array of IoT devices.
In a talk called All Your Things Are Belong to Us, hackers from Exploitee.rs dropped zero day vulnerabilities for over twenty different IoT devices, ranging from webcams to network attached storage (NAS) devices. In fact, their research uncovered well over 80 vulnerabilities in Western Digital’s MyCloud NAS devices alone. After rattling off all these vulnerabilities, the speakers also invited a popular tech rapper to the stage as they handed out free custom PCBs to help others grab IoT firmware via an eMMC chip.
Researchers primarily from Bastille Networks also gave an IoT talk specifically about the routers and set-top boxes you get from your ISP. During CableTap: Wirelessly Tapping into Your Home Network, these three hackers outlined tens of vulnerabilities in home networking equipment that customers might get from Comcast Xfinity. Some of these vulnerabilities, when combined, could allow remote attackers to gain complete control of key equipment in your home network.
That was just a smattering of the many IoT related talks from both shows. The IoT trends here are clear. First, many IoT devices still ship with very insecure settings and configurations. Second, researchers and criminals alike are targeting IoT, so you need to protect your networked gadgets.
Here are two simple IoT security tips:
- Segment your IoT network from both the Internet and from critical servers. You have to firewall the management interfaces for IoT devices. Far too many of these devices can still be found on the open Internet, which is why attacks like Mirai were so successful. I also recommend you use your firewall to segment your IoT devices from your critical internal services. That way, if an IoT device is hijacked, your servers can still remain safe.
- Update firmware regularly. Even though IoT devices are hardware, they still run software. When researchers disclose the types of vulnerabilities they dropped during these conferences, manufacturers usually release firmware updates to fix them (for instance, Comcast has since patched some of the flaws disclosed at DEF CON). Make sure to update your hardware’s firmware as often as possible.
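To make the segmentation tip concrete, here is an added example (not from the original article) that audits an ordered, first-match firewall rule list against the two requirements above: nothing on the Internet reaches IoT management ports, and IoT devices cannot reach critical servers. The subnets, probe addresses, management ports and both rule sets are constructed assumptions.

```python
import ipaddress

# Constructed subnets (assumptions for illustration only).
IOT = ipaddress.ip_network("10.20.0.0/24")       # IoT segment
SERVERS = ipaddress.ip_network("10.10.0.0/24")   # critical internal servers
ADMIN = ipaddress.ip_network("10.30.0.0/28")     # admin workstations
ANY = ipaddress.ip_network("0.0.0.0/0")

# Rules are (source, destination, port or None for any port, action).
WEAK_RULES = [
    (ANY, IOT, 80, "allow"),      # device web UI exposed to everyone
    (IOT, ANY, None, "allow"),    # IoT may talk to anything, servers included
    (ANY, ANY, None, "deny"),
]
SEGMENTED_RULES = [
    (IOT, SERVERS, None, "deny"),   # a hijacked device cannot reach servers
    (ADMIN, IOT, 443, "allow"),     # only the admin subnet manages devices
    (IOT, ANY, 443, "allow"),       # outbound HTTPS, e.g. firmware updates
    (ANY, ANY, None, "deny"),
]

MGMT_PORTS = (22, 23, 80, 443, 8080)  # assumed management ports to probe

def decide(rules, src, dst, port):
    """Return the action of the first matching rule; default is deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rsrc, rdst, rport, action in rules:
        if s in rsrc and d in rdst and rport in (None, port):
            return action
    return "deny"

def audit(rules, internet_host="203.0.113.5",
          iot_host="10.20.0.15", server="10.10.0.5"):
    """List every probe that violates the two segmentation requirements."""
    findings = []
    for port in MGMT_PORTS:
        if decide(rules, internet_host, iot_host, port) == "allow":
            findings.append(f"internet -> IoT management port {port} allowed")
        if decide(rules, iot_host, server, port) == "allow":
            findings.append(f"IoT -> critical server port {port} allowed")
    return findings

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("segmented", SEGMENTED_RULES)):
        print(name, audit(rules) or "no findings")
```
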
2. Machine Learning Goes to the Dark Side
If you’re in tech, you’ve probably heard a lot about machine learning (ML), deep learning and artificial intelligence. These technologies have been used for everything from categorizing cat pictures on the Internet, to helping create self-driving cars. More recently, the security industry has started adopting these technologies to improve malware and attack detection.
One of my 2017 security predictions was to expect attackers to start leveraging machine learning to improve their attacks. While we haven’t seen this in the wild yet, there were many talks at last week’s shows to support the use of machine learning for both attacks and defenses.
For instance, one Black Hat talk called Bot vs Bot: Evading Machine Learning Malware Detection, explored how adversaries could use ML to figure out what other ML-based malware detection mechanisms were “looking” for. They could then create malware that avoided those things and thus evade detection. Another talk, Wire Me Through Machine Learning, investigated how spammers might improve the success rate of their phishing campaigns by leveraging ML to improve their phishing emails.
At DEF CON, researchers shared how to weaponize machine learning (humanity is overrated anyway). They introduced a tool called DeepHack, an open source AI that hacks web applications. Meanwhile, ML was often an underlying subject in many other talks that weren’t directly about it. It’s clear researchers and attackers alike are leveraging ML & AI to speed up and improve their projects.
While I haven’t found proof of criminal attackers using it yet, machine learning is clearly a big subject in security, and many expect our adversaries to use it too. There’s no simple tip I can give you to defend against attacks and malware that are improved by ML, other than to leverage ML for defense as well.
3. Growing Geopolitical Hacks and Disinformation
Finally, there were many talks and events at both shows that explored the current state of nation-state or geopolitical hacking. These talks included research around governments stock-piling zero day flaws, nation-states attacking industrial control systems (ICS), and how sophisticated adversaries can weaponize propaganda to create more swaying fake news.
DEF CON even had a competition in their Voting Village where participants could try to exploit real voting machines. Within 90 minutes, participants found many flaws in these relatively insecure devices. Some of the flaws allowed attackers to replace the machines’ firmware and other exploits even worked wirelessly.
In short, government’s role in cyber warfare and espionage was definitely a theme at Black Hat and DEF CON, which is no surprise considering current geopolitical events. There is no easy fix for this. Are some government hacking operations okay, while others aren’t? Should government find and hide software vulnerabilities, or help fix them? Is voter manipulation or hacking a bad enough violation to declare war? I don’t think our government or society has answered these questions as a group yet, but they are all things we need to think about for the future. My only tip here is to make your voice heard in the debate by voting and taking part in the conversation.
I’ve only scratched the surface of all the useful information shared at Black Hat and DEF CON this year, but hopefully, this small glimpse will get you thinking about the security risks of the future. If you ever get a chance to attend these conferences, they are a great way to get an early peek of the attack trends coming our way, so you can get a head start on defense.