Black Hat USA bills itself as “the show that sets the benchmark for all other security conferences.” While most conferences tend to over-promote themselves, given the activity at this year’s show, that actually might be something of an understatement.
From the defense of government surveillance delivered by NSA Director General Keith Alexander to briefings on the coming “cryptopocalypse” and the risks associated with embedded devices and the Internet of Things, Black Hat reminds us that a little bit of paranoia is warranted in today’s connected world.
Here are my leading candidates for surprising, damaging ways criminal hackers are breaching our online security and validating our paranoia:
1. Cracking HTTPS – For years, we’ve been taught that the little “closed lock” icon and the “s” in “HTTPS” means we can rest assured that we’ve established a secure connection with a bank, hospital or any other website storing sensitive, personal information. At Black Hat, attendees were taught something else.
It turns out that SSL/TLS — the underlying protocols that actually secure the HTTP connection — are vulnerable to hacks that would let criminals steal account numbers, passwords and other information transmitted via HTTPS.
2. Spoofing cellular networks – For hackers, “spoofing” is the practice of substituting an alternate, malicious resource in lieu of a genuine resource. People think they’re responding to an email from their bank, for instance, but are really sending their account details to a criminal who spoofed the bank’s email address. Common in computer networks, spoofing is now making its way into cellular networks.
Black Hat attendees learned how to take a femtocell — the box mobile operators provide subscribers to boost their wireless signal at home or at work — and hack it to spoof a cell tower. Now, a mobile user within range can be tricked into connecting with the hacked femtocell instead of a genuine operator tower. The result? The hackers can listen in on everything — voice calls, text messages, browser and application traffic, etc. They can also remotely clone your mobile device, without physical access.
3. Compromising mobile devices – Mobile has been dominating the IT and business communities for quite a while, so it’s no surprise that it’s starting to dominate security as well. In particular, mobile apps are ripe for compromise. For instance, in the “How to Build a SpyPhone” briefing, you could have learned how to build a “Spy Phone” service that could be injected into an Android app, which could then be used to track the phone’s location, intercept phone calls and SMS messages, extract email and contact lists, and activate the camera and microphone without being detected.
Another briefing revealed how to infect iOS devices via “malicious charges.” Yes, a device charger was used to inject malware into a garden variety iPhone — within a minute of plugging it into the charger. No jailbreaking or user intervention required. Despite its reputation for the robust security of its i-devices, Apple managed to overlook this particular point of attack but has since set about to remediate the shortcoming.
4. Hacking cars – Meanwhile attendees at DEF CON can learn how to hack the electronic control unit of a car in the session “Adventures in Automotive Networks and Control Units.” The hacks in turn would let you remotely control a car’s engine, brakes, GPS, dashboard display and other electronically controlled systems, something that Forbes’ Andy Greenberg got to experience firsthand.
5. Targeting “things” – The Internet of Things is emerging as a preferred hacking target. In contrast to PCs, smartphones, tablets and other user-operated devices, the Internet of Things includes sensors and processors that rely on networks and the Internet to facilitate machine-to-machine (M2M) communications. Beyond the Internet-connected refrigerator, such sensors may be used in car functions mentioned above, in securing homes and businesses, monitoring manufacturing or industrial facilities and more. In addition to the communications networks, hackers are getting device-savvy and learning how to compromise the sensors themselves.
If you attended Black Hat or DEF CON, I’d like to hear your thoughts on the show. And if you have a different perspective on today’s most pressing hacker concerns, I’d like to hear that, too. Just leave your comments below.
And remember, just because you’re paranoid doesn’t mean they aren’t after you.
Raj Sabhlok is the president of Zoho Corp., which is the parent company of Zoho.com and ManageEngine. Follow him @rajsabhlok.