Attacking Planes, Trains, and Automobiles at Black Hat

A recap of last week’s security news and research from the Black Hat hacker conference in Las Vegas, Nevada.

LAS VEGAS – Each year in early august the security and hacker community undertakes a pilgrimage from all corners of the world toward Las Vegas, Nevada for a security summer camp consisting of Black Hat and other conferences like DEF CON and B-Sides. Black Hat is predominately and historically a business security conference, however, it is increasingly turning in the direction of the consumer, playing host more and more to briefings on attacks targeting smart homes, critical infrastructure, mobile devices and other connected things.

Full disclosure: there was no briefing on train hacking.

Kasperky Lab researcher Roel Schouwenberg explored the idea of a post-PC Black Hat in a report on Securelist. Meanwhile, Threatpost’s Mike Mimoso noted a similar pattern in his own piece saying: “Firmware is the new hacker black, and everything from USB sticks, to home routers, to automobiles, is in play for exploits, data theft and privacy erosion.”

On the one hand, as a conference attendee, this is great news because it means fewer (or probably the same number of) briefings about bugs in obscure software platforms used primarily by enterprises and more talks about vulnerabilities in systems closer to our daily lives. On the other hand, Black Hat’s shifting focus is representative of an alarming trend: that security vulnerabilities are creeping ever-closer to our physical lives.

The Keynote


Image via Black Hat 2014 

This year’s keynote was delivered by a well-respected security luminary named Dan Geer. Unlike last year, when former NSA Director General Keith Alexander delivered the keynote, there were no armed guards, hecklers nor crowd members with cartons of eggs hidden in their backpacks. Instead, an intent crowd hung to every word of a nearly 60-minute essay in which Geer, the chief information security officer of In-Q-Tel (the CIA’s personal venture capital firm), laid down his compelling ten security commandments.

The highlights included that the U.S. should corner the vulnerability sales market by offering ten times the price of any bug for sale, then place the vulnerability information in a public repository, thus allowing companies to fix every single bug and “zero the inventory of cyberweapons;” that among security, freedom and convenience, we can pick only two at any given time; that religion and software are the only items for which product liability does not exist; and that ISPs may choose to charge what they want based on content, assuming responsibility for that content, or they must choose to support Net Neutrality, and enjoy common carrier protections.

“Choose wisely,” Geer said. “ISPs should get one or the other, not both.”

Hacking Humans, Hospitals

Circling back to security affecting our physical lives, as was discussed in a round-table on medical device security, some vulnerabilities are literally embedded into our bodies. Far more widespread and far more critical to a much larger number of people are the medical devices that live at the hospital, rather than inside a patient’s body.

It is only a matter of time before an in-the-wild attack emerges targeting one or more of these devices. The good news from this panel is that the devices themselves are incredibly safe. An automated, embedded insulin pump is far better at regulating and correcting insulin levels than a teenager with blood glucose meter and a month’s supply of insulin syringes.

The vulnerabilities exist in the way these devices communicate with one another and in many cases outside devices, whether those are under the control of patients or doctors. Let’s be very clear, the likelihood of an assassin using a lap top to deliver a fatal shock with an embedded pacemaker is laughably low. At the risk of sounding grim, there are countless, far easier ways to kill a man. The real risks here are more boring than the morning talk shows will have you believe.

“Firmware is the new hacker black, and everything from USB sticks, to home routers, to automobiles, is in play for exploits, data theft and privacy erosion.”

Who is responsible for producing patches for medical devices? Who is responsible for installing those patches? Who foots the bill? Unfortunately, the answers to these questions are a very blurry combination of the device manufacturers, the hospitals and the users themselves. And when we use the term medical device, we’re not just talking pacemakers and insulin pumps; we’re talking about MRI machines, echocardiograms, X-Ray machines, the tablet your doctor is holding, and even the computers (often Windows XP machines) that manage troves of sensitive medical data.

Therefore, the round-table discussion eventually decided that manipulations of medical records – accidental and otherwise – that could cause incorrect dosing or treatment are perhaps the most likely and dangerous risk we face in this brave new world of connected medical devices.

To close with some good news here, it’s a very positive sign that we are talking about these problems before the sky falls, which is unusual in the high tech sector.

Yahoo to Encrypt All Mail

Yahoo, who has caught flak here and elsewhere for failing to encrypt their webmail among other reasons, announced a series of security changes they will be making in the coming months and years. Chief among the changes is a move to encrypt all of their webmail from end-to-end. The move will put them on par with Google.

You can read more about the security changes Yahoo is implementing right here on the Kaspersky Daily or over on Threatpost.

Remote Car Hacking


I wish I was talking about a briefing in which a pair of researchers hacked into a remote car. Unfortunately, I am talking about a pair of researchers who are learning how to remotely hack into real cars, essentially turning them into two ton remote controlled cars.

We’ve been talking about car hacking for more than a year here at the Kaspersky Daily and we probably aren’t going to stop. The reason for that is because cars are only going to become more connected. At present, hacking a car is hard work. It requires a very specific knowledge of very specific protocols that are generally only used in cars.

However, soon cars will have their own proprietary operating systems, their own application marketplaces and applications, and eventually, it is possible they will have their own Web browsers. Operating systems, applications and browsers are three things that attackers know how to exploit.

Furthermore, like with medical devices, the problem of patching security vulnerabilities on automobile present serious problems. Would the customer have to bring the car into the dealer to get the update? If so, how many people bring their cars in for recalls? Or, will the manufacturers create some remote update mechanism? If that is the case, then what happens if an update breaks functionality or worse is somehow hijacked or spoofed by an attacker.

The good news is that Charlie Miller of Twitter and Chris Valasek of IOActive (illustrated above) have developed an antivirus like detection tool that can see if someone is attempting to manipulate the communications between the various sensors and computers built into automobiles and block malicious traffic.

BadUSB – Just Assume They’re All Bad


 Image via Black Hat 2o14

Karsten Nohl (pictures above) has developed an exploit that takes advantage of the fact that nearly every consumer or corporate computer in the world recognizes and accepts input from USB memory sticks. Nohl, chief scientist at Security Research Labs, calls the attack BadUSB, and he essentially overwrote the firmware built into these devices in order to let them quietly perform a laundry list of malicious acts, including but not limited to injecting malicious code onto machines and redirecting traffic.

“USB is designed to work like this; no one did anything wrong,” Nohl said. “And there’s no way to fix it. As long as we have USBs, we can have devices masquerading as other devices. It’s a structural security issue.”

Because the attack targets the universality of the USB model, it’s possible that billions of machines are potentially vulnerable to this attack. Nohl also worries that the ubiquitous nature of the bug and its potential exploits could erode trust and increase suspicion because, “There is no cleansing tool that removes the malicious firmware, or overwrites it. This makes infections easier, and makes it harder recovering from infections.”

Nohl first learned of the attack from the NSA’s now-infamous hacking-tool catalogue.

The Courteous CryptoLocker Crew

The working group that shut down the CryptoLocker ransomware showed up at Black Hat too. In their briefing they showed an email from a CryptoLocker victim to the gang perpetuating the scam. The victim, a single mother without the money required to pay the ransom pled with the malware writers to unlock her machine, which she needed for her job.

Stories like this and similar ones compelled the working group to come together and take CryptoLocker down. Interestingly, they said the crew responsible for CryptoLocker was completely true to their word. For months, we’ve said that you should never pay to have your machine unlocked because there is no guarantee it will ever happen. However, the CryptoLocker crew was honest in that regard.

At the end of their presentation, the working group explained that this incredibly devious and successful ransomware scam appeared to be merely a money-making venture for some other criminal conspiracy. Unfortunately, they would not elaborate.

Tracking Software Gone Awry

Kaspersky Lab researcher (and friend of the blog) Vitaly Kamluk and Cubica Labs co-founder and security researcher, Anibal Sacco, presented a series of updates on a security vulnerability in a near-ubiquitous piece of software that we’ve written about here before.

The software, developed by Absolute Software and known as Computrace, is a legitimate anti-theft product trusted by hardware companies and white-listed by most antivirus vendors. And why not? It’s legit software.

However, Computrace is also a bit of a mystery. For reasons that remain largely unknown, Computrace is turned on by default on millions of machines around the world. Absolute Software says this should not be the case, explaining that Computrace is designed to be turned on by the user or IT departments. Compounding that, once Computrace is enabled, it’s incredibly persistent, living through factory reboots and reinitiating itself at every system boot.

Furthermore, the product contains vulnerabilities – the company scoffs at that classification while agreeing to fix the issues at hand – that make it susceptible to man-in-the-middle attacks that could expose affected machines to complete takeovers.

Blame it on the Satellites

Researcher Reuben Santamarta of IOActive found that nearly all the devices involved in satellite communications (SATCOM) contain vulnerabilities including backdoors, hardcoded credentials, insecure protocols and/or weak encryption.

These vulnerabilities, Santamarta claims, could give unauthenticated and remote attackers the ability to to fully compromise the affected products.

SATCOM plays a critical role in the global telecommunications infrastructure. However, they claim their attacks could also impact ships, aircraft, military personnel, emergency services, media services, and industrial facilities like oil rigs, gas pipelines, water treatment plants and more.

In Brief

Carrier controls, which can be spoofed, give service providers, and potentially attackers as well, pervasive control of mobile and other devices. A critical Android bug could let an attacker impersonate nearly any trusted app. Mobile broadband modems or data cards are seen as easy targets for attackers.


Image via Black Hat 2014

Unfortunately there are so many great talks at Black Hat and only one me, who spends way too much time in the media room trying to figure out exactly what all these researchers are talking about (pictured above). If you’re interested in hearing more about Black Hat, Dennis Fisher and Mike Mimoso of Threatpost and I recapped day one and day two of the event in separate podcasts. Fisher and Mimoso also published a podcast recapping the entire event and looking briefly at DEF CON, which kicks off the day that Black Hat ends.

Outside of that which is published here and at Threatpost, there are some great reports from other outlets on the press section of the Black Hat website. The Black Hat hashtag (#blackhat) is likely to have some good coverage as well. You may also want to do some Google-research about home automation and home security attacks, too.