The Darkest Tales From Black Hat


By: R. Scott Raynovich

Las Vegas -- The first thing you need to know is that pretty much everything is hackable, whether it's a pacemaker or an industrial control gateway controlling a dam. The second thing you need to know is that attackers are out there trying to get into these devices right now.

The Black Hat conference features security briefings and demonstrations of current threats. This year's Black Hat conference in Las Vegas was bigger than ever, bringing together more than 17,000 cybersecurity experts from around the world. The Black Hat format includes hacking demonstrations and research "briefings" designed to highlight security vulnerabilities and solutions.

There was a lot of interesting material, but here are the presentations I found most striking:

Your insulin pump may be hacked. Billy Rios, founder of Whitescope, and Jonathan Butts, CEO of QED, presented research detailing how medical devices such as insulin pumps and pacemakers have radio vulnerabilities. They demonstrated a hack into an insulin pump using radio components purchased on eBay. Rios expressed frustration that they have presented detailed vulnerability information to many medical device manufacturers, but the industry has been slow to respond and in many cases companies have even declined help or are moving slowly to provide security patches to the devices.

When the grid goes down. In a briefing titled "Breaking the IIoT: Hacking Industrial Control Gateways," Thomas Roth, security researcher and founder of leveldown security, presented information on the vulnerabilities of industrial control gateways, which control everything from power grids to traffic lights. These devices are increasingly being targeted for attacks, driving fears that 2018 could feature a large attack on critical infrastructure. Roth showed that industrial control gateways from most vendors have significant security shortcomings and are not secure enough to be used in critical infrastructure.

There were other presentations showing threats to infrastructure. For example, security researcher Daniel Crowley from IBM X-Force Red and security researcher Jennifer Savage from Threatcare showed how Internet of Things (IoT) gateways controlling something such as a dam could be easily taken over. These devices have many vulnerabilities in smart-city implementations.

"Certainly exposing smart city technology to the internet, without any sort of restriction on who can connect to it, that I'd call a configuration mistake," Crowley told eWeek. "These things shouldn't be exposed to the entire world."

Goin' Cryptophishin'. Cisco's Artsiom Holub, senior security research analyst, and Austin McBride, threat analytics researcher at Cisco, presented a briefing detailing the sophistication of cryptocurrency phishing attacks. In these attacks, criminals have placed ads on Google and directed people to very detailed replicas of cryptocurrency trading platforms such as Coinbase and Binance to collect login credentials so that they can steal or manipulate cryptocurrencies. They showed how cryptocurrency hackers can take over trading platforms to pump and dump large volumes of cryptocurrency for profit. Crypto phishing and cryptojacking operations are getting more sophisticated and are likely to expand as the popularity of cryptocurrencies grows, said McBride.

SATCOM security threat. IOActive's Ruben Santamarta has discovered and proven key vulnerabilities in satellite communications (SATCOM) and the aviation industry, including showing how an airline's WiFi system can be hacked mid-flight to access passenger devices. Now he's concerned that SATCOM hacking techniques could be used to access military or maritime vessels to track military or commercial shipping operations. He believes that NATO military bases in conflict zones are vulnerable through the SATCOM infrastructure.

Overall, the Black Hat conference described a world of multiplying threats, with the defense scrambling to catch up. As devices multiply worldwide, it's only going to get trickier.

As Jeff Moss, founder of Black Hat, said in the keynote address, the "momentum is on offense."

The most worrying aspect of the demonstrations at Black Hat is that the IoT industry appears to be plowing forward with little regard for cybersecurity threats. Of the billions of IoT devices being connected to the Internet, especially in the consumer realm, it's apparent that profit and market share are taking priority over safety.