The annual Black Hat Cybersecurity conference in Las Vegas, which concluded yesterday, is like going to a circus with at least five rings, all performing simultaneously. You don’t know which one to watch, but you can tell from the mix of laughter, gasps of astonishment, and collective head shaking that something amazing is going on.
The list of technologies and products that have flawed or nonexistent security continues to grow at an absurd rate, fueled by our zeal to connect everything on the planet with everything else. Presentations at this year’s conference demonstrated successful hacks of cars, cellphones (all platforms), energy management systems, Google Glass, chip and pin cards, and even luxury hotels.
Yet, Black Hat gave this week’s gathering of security analysts, company representatives, and computer researchers a glimpse into a more sobering side of the cyberworld. As the stakes rise and the consequences of poor security become more serious, the loss of control will affect things that truly matter. As noted computer researcher Bruce Schneier put it in his presentation to attendees yesterday, “We (security professionals) are losing control of our IT infrastructure.”
Take airports and airplane security as an example. There was a great deal of media attention this week over a presentation by Billy Rios, Director of Vulnerability Research at Qualys. Rios, using his own time and money, found that at least three devices at TSA screening checkpoints had major security flaws that made them vulnerable to hacking. Even more significantly, these devices are linked over the Internet with all the other TSA checkpoints across the country. Cue the clowns.
Then there are the airplanes themselves. Ruben Santamarta, a security consultant with IOActive, presented research yesterday that showed how the hacking of in-flight entertainment systems on commercial flights could reach critical devices in airplane cockpits. Under close questioning at a press conference before his talk, Santamarta was careful to emphasize that his study was based purely on his analysis of openly available product documentation and that no live hacking of airplane systems had occurred. “We’re not crashing airplanes here,” Santamarta emphasized.
The past year has seen a significant increase in devices that learn your personal habits and control systems remotely using Internet connections guided by the user. One of the most popular examples of this, the Nest thermostat, is a smart home automation device that not only controls the temperature in your residence but also knows if you there at all.
A team of researchers from the University of Central Florida presented findings at Black Hat that showed how using the device’s USB port, they could completely take over the operation of a Nest product. They demonstrated this in a live hack, even replacing the Nest display with images of digital rain and a starfield. While no one has shown that the device could be hacked remotely, it still would not prevent someone from buying a few Nests, implanting malware, and then re-selling them on eBay to unsuspecting consumers. “What are we sacrificing for the sake of convenience?” said Daniel Buentello, one of the school’s researchers.
In the aftermath of the Target stores mega-breach, retailers throughout the U.S. are scrambling to issue chip-based credit cards to consumers. These cards (commonly known as EMV cards) are thought to be much more secure than those which rely solely on a magnetic stripe.
However, based on a presentation offered yesterday by Ross Anderson of Cambridge University, it appears that chip cards may be just as vulnerable to hacking as their less-advanced predecessor. According to Anderson, this is because the makers of the terminals which can read chip cards have not upgraded their technology to provide stronger security controls. As a result, card fraud in the United Kingdom is once again on the rise. “A real malware infestation in EMV could result in large scale attacks with the loss of many millions,” Anderson warned.
What’s distressing to many in the cybersecurity community in the aftermath of these and other presentations at Black Hat this week is the reaction by a number of the vendors who supply equipment and related technology. In the case of the airport security flaws, government vendors have either denied vulnerability or dismissed concerns by declaring that patches were already in place. The security researchers in Florida have designed and posted their own patch without any involvement from Nest. And only one bank in the UK has been able to successfully block the attacks on EMV cards. According to Anderson, the other banks responded by forcing his Cambridge students to remove their thesis on the security flaws from a website.
“We’re living in a world where companies will naturally underinvest in detection and protection,” Schneier told conference attendees. If this approach continues, there won’t be a tent big enough to hold the security circus that is now upon us.