Black Hat 2015 and DefCon23 - Hacking the physical world from the digital world
by Sam Elliott
The annual Black Hat and DefCon Vegas pilgrimages are now complete, with record-breaking attendance for Black Hat. The event brought more than 11,000 of the most clever security professionals and researchers to Sin City. The numbers would likely be even higher if DefCon attendees were included, but given DefCon's cash-only, no-registration format, one can only guess at how many people were there.
Rest assured that both events had strong representation from Red Team and Blue Team hackers from around the world, there to showcase their skills and, ultimately, to help keep The Internet free. Coincidentally, that was also the main topic of the keynote from hacker's lawyer Jennifer Granick. She set the tone for Black Hat's gathering of tinkerers and elite Haxz0rs by discussing a thoughtfully regulated but ultimately free Internet, in line with the original dream put forth by The Mentor in his Hacker's Manifesto.
What struck me most about both Black Hat and DefCon was how physical they were. No, we didn't see black hats and white hats hugging out their beefs, but we did see the continued ability of hackers to affect the physical world around us. This can be attributed to more and more devices being connected, quite insecurely at times, to The Internet.
When you picture a hacker crossing over into the physical world, you might immediately imagine it being done through some Internet of Things connected egg crate running a poorly hardened version of Linux; but what I saw was a focus on systems that truly impact our daily lives. I was impressed by the number of talks that focused on "legacy" targets, exploiting mainframes and vulnerabilities from decades past, or that threw the spotlight on Industrial Control Systems (ICS) and the weaknesses inherent in connecting them to The Internet. There were also hacks of stodgy old Programmable Logic Controllers (PLCs), the kind of attack that can be turned against a steel works to overheat and break a multi-million dollar smelter, or make a centrifuge run too fast and set back a nuclear program.
Another team of clever hackers thought it their duty to highlight the dangers of mixing firearms and remote connectivity. Their view being that while it is amazing that an iOS-app-powered smart scope mounted on a high-powered rifle can make you a marksman to rival Annie Oakley, maybe that isn't worth it if a hacker within range of your Wi-Fi can turn you into something much more sinister. After that talk, I think I overheard someone wondering aloud what kind of legislative reaction we will see the first time an IoT toaster is used to intentionally do a person bodily harm.
Out of all the talks, I am sure the record (lame DefCon badge joke) will show that the best talk was delivered by the hacking community's media darlings Charlie Miller and Chris Valasek. Likely no primer needed, but these are the guys (or bros, as they refer to themselves) who hacked a Jeep and put a reporter from Wired in a ditch from their couch. Not to imply they were not already rock stars due to prior years' efforts, but I must admit it was quite a sight to see an impromptu "please autograph my Black Hat schedule" line form before their talk. It is also compelling that as a result of their hack, Fiat Chrysler created a fix for the potentially 1.4M affected vehicles and Sprint put network protections in place that should prevent others from emulating the hack to someone's detriment. As Chris and Charlie pointed out, their years-long effort of starts and stops to complete this hack was clearly worth it, because some hackers did something that changed the physical world. Note to readers: I am switching to a decidedly disconnected bicycle from now until the foreseeable future.
For all the fun and whiz-bang, there was still much practical knowledge to be gained: how to get back to business after a cyber-attack, common Active Directory attacks and mitigations, and, probably most importantly, a PSA from the two Jeep bros: "please stop saying unhackable, you're going to look silly." Both Black Hat 2015 and DefCon23 went a long way toward justifying that sentiment, and I look forward to seeing how the security community responds.
Sam Elliott, Director of Security Product Management at Bomgar