Another week of InfoSec in the desert is history. Black Hat USA started as the Black Hat Briefings in 1997 and has remained mostly corporate. It grew out of the hacker-friendly environment of DEF CON which started as a going away party for a friend of the founder, Jeff Moss, in 1993. Together, the two conferences represent the largest annual gathering of InfoSec experts in the world.
Black Hat Highlights and Predictions
On Wednesday, the general themes for Black Hat were set early by Alex Stamos (CSO, Facebook) in his keynote speech. He looked back at his own 20 years in InfoSec and talked about how the industry isn’t good at empathy, and how some security experts still look down on people who don’t get it.
He also spoke about security nihilism. Stamos cited an example from his own company in which WhatsApp was faulted for an implementation choice in its encryption. He said these were carefully considered choices that resulted in stronger security for millions of users worldwide. At the time, however, people claimed there was a backdoor, which cryptographers later said simply wasn’t true. He noted that some in the security community only know how to criticize, not how to make things better for everyone.
Internet of Things
IoT was also prominent this year. Among the array of interesting talks given Wednesday and Thursday, Billy Rios and Jonathan Butts presented on hacking automated car washes (which are mini-ICS systems). The duo presented a video with a car being attacked by an automated car wash machine under their control.
Another IoT talk focused on radiation monitors. Ruben Santamarta said that although he couldn’t get access to nuclear power plants directly, he could get access to the radiation monitors. He pointed out that the incident at Three Mile Island in 1979 was made worse by false readings from the radiation sensors. Flooding the sensors along the perimeter of a nuclear plant with fake data could lead to a nuclear mistake inside the plant.
Finally, Lucas Lundgren presented on MQTT, a little-known protocol that is now widely used in IoT. He said that in one year its use has grown from roughly 59,000 instances to over 87,000 instances, as of Black Hat. He showed examples of how he could read data from a Tesla car (Tesla does not formally support MQTT), a train station with departure information, a particle accelerator, and a gas and power system. His message was that it’s not the protocol’s fault; it’s the people using it who need to secure the information with a username and password and, ideally, perform certificate pinning on the device itself as well.
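As an added illustration of that advice (not from Lundgren’s talk or from this post), here are two Mosquitto broker configurations side by side: the wide-open setup that leaves topic data readable by anyone who can reach the port, and a hardened one that enforces credentials and TLS. The file paths, certificate names and ACL file are placeholders to be replaced with your own.

```conf
# ===== File A: exposed broker (constructed example of the weak setting) =====
# Plaintext listener on the default MQTT port with no credentials required.
# Any client that can reach TCP/1883 can subscribe to every topic.
listener 1883
allow_anonymous true

# ===== File B: hardened broker (constructed example; paths are placeholders) =====
# No plaintext listener at all; TLS only, on the standard MQTT-over-TLS port.
listener 8883
tls_version tlsv1.2

# Every client must present a username and password.
# The file is created with: mosquitto_passwd -c /etc/mosquitto/passwd <username>
allow_anonymous false
password_file /etc/mosquitto/passwd

# Server certificate chain and private key. Devices pin the CA in cafile,
# so a broker presenting a certificate from any other CA is rejected.
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile  /etc/mosquitto/certs/broker.key

# Mutual TLS: the device must also present a client certificate issued by
# that CA, so stolen credentials alone are not enough to connect.
require_certificate true

# Limit what an authenticated client may publish or subscribe to.
acl_file /etc/mosquitto/acl
```

On the device side, a paho-mqtt client pins to the same CA by passing it as `ca_certs` to `tls_set()`, which makes the client refuse any broker whose certificate does not chain to it.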
The Future of Fuzzing
There were no fewer than five talks about fuzzing, perhaps the most in any one year at the event. Most of these talks focused on a newer area known as differential fuzzing, in which two or more implementations are fed the same fuzzed inputs and their behaviour is compared. There was also a presentation on fuzzing cryptographic systems.
Machine Learning and Artificial Intelligence
Other topics at Black Hat included machine learning and AI. It should be no surprise that machine learning can be used both to defend against an attack and to carry one out. In defense, a machine might learn the types of attacks a system faces and create rules that defend against them. However, a bad actor might also use machine learning to find which avenues have been shut down and create new vectors for attack.
Similarly, AI can be used by bad actors to skillfully and quickly craft spear-phishing attacks by scanning social media, a process that used to take humans several hours.