This year’s Black Hat USA security conference was held August 1-6, 2020, without the noise and commotion of the crowded conference hall in Las Vegas, Nev. The training sessions, briefings, and business sessions were all virtual.
But despite the empty hall and the remote, small screens, there were the usual detailed analyses of recent security disasters, new avenues for exploitation, Fright Night replays of the worst responses to an attack, and even an episode of the perils of being a security professional.
HACKING A MERCEDES E-SERIES
Researchers reported 19 bugs in the new Mercedes-Benz E-Series at the conference’s learning sessions. Mercedes has since fixed the flaws, but the cars were already released and on the road when the Sky-Go security research team’s car-hacking unit began probing the infotainment system’s internet connections and dumping the car’s software onto their computers.
The team gained access to the telematics control unit (TCU) and, through its file system, obtained a root shell, which let them do things like remotely open the car doors. To confirm the findings, the team bought one of the cars and tested against it. With access to passwords and permission certificates, they expanded their control, and over more than a year they assembled an attack chain that gave them remote control of the vehicle.
On August 21, 2019, the group reported the vulnerabilities they found to Mercedes-Benz, and the initial fix was sent out on August 26. The company’s reaction to Sky-Go’s work was expressed at the session by Guy Harpak, head of Product Security for Mercedes-Benz R&D. He said, “We have an example here [that] a strong research community working with a strong industry can bring better security.”
One of the ways that authorities and bad actors can monitor your calls and texts is by tricking your mobile device into sending its traffic to a phony cell tower. Criminals can use a small, low-power cellular base station like the femtocells used by small businesses, and law-enforcement agencies use IMSI-catchers (international mobile subscriber identity catchers) to eavesdrop. Normally you aren’t aware of this tapping, but now there’s a way to detect the fake base stations.
Cooper Quintin, senior staff technologist at the Electronic Frontier Foundation, an international digital rights group based in San Francisco, Calif., reported on their new “Crocodile Hunter” that can sniff out the simulated cell towers. The device is made of a Raspberry Pi do-it-yourself miniature computer and radio equipment that costs about $500. The device collects information about the cell towers in your vicinity and matches the towers against an open-source database of those operating in your area. If it sees a suspicious station, it marks it with a skull on the map.
Not all flagged towers are a threat, so closer inspection might be needed. The Hunter can’t legally communicate with the tower, so a drive over to the location might help. If it’s in a corporate building, that might be OK; in a basement or a parked van, maybe not.
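As an added illustration of the matching step Crocodile Hunter performs (this is example code, not EFF’s), the sketch below compares a constructed scan of nearby base stations against a constructed known-tower list and flags cells that are absent from it or that appear far from their registered position. The field names, the sample coordinates and the 5 km distance threshold are assumptions.

```python
"""Flag cell base stations that are not in a known-tower database, or that
show up far from where the database says they live. Example code; the
database rows and the scan below are constructed sample data."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Tower:
    mcc: int       # mobile country code
    mnc: int       # mobile network code
    tac: int       # tracking area code
    cell_id: int   # cell identity
    lat: float
    lon: float

    @property
    def key(self):
        return (self.mcc, self.mnc, self.tac, self.cell_id)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


# Constructed stand-in for an open-source tower database export.
KNOWN_TOWERS = [
    Tower(310, 410, 1001, 53210, 37.7749, -122.4194),
    Tower(310, 410, 1001, 53211, 37.7790, -122.4100),
]

# Constructed scan: one legitimate cell, one known cell seen ~16 km from
# its registered spot, and one cell the database has never heard of.
OBSERVED = [
    Tower(310, 410, 1001, 53210, 37.7749, -122.4194),
    Tower(310, 410, 1001, 53211, 37.8716, -122.2727),
    Tower(310, 410, 1001, 99999, 37.7755, -122.4180),
]


def classify_scan(observed, known, max_offset_km=5.0):
    """Return {cell key: 'known' | 'relocated' | 'unknown'} for each observed cell."""
    index = {t.key: t for t in known}
    verdicts = {}
    for obs in observed:
        ref = index.get(obs.key)
        if ref is None:
            verdicts[obs.key] = "unknown"       # not in the database at all
        elif haversine_km(obs.lat, obs.lon, ref.lat, ref.lon) > max_offset_km:
            verdicts[obs.key] = "relocated"     # known id, wrong place
        else:
            verdicts[obs.key] = "known"
    return verdicts


def suspicious_cells(observed, known):
    """Cells that would get the skull marker: anything not verified as known."""
    return [k for k, v in classify_scan(observed, known).items() if v != "known"]
```

A "relocated" hit is a weaker signal than "unknown": database coordinates are crowd-sourced and can be stale, which is why the text recommends a closer look before concluding anything.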
You can usually count on one or more exotic new surveillance devices or software hacks at any Black Hat convention, and this year Ben Nassi, a doctoral candidate at Ben-Gurion University of the Negev in Israel, brought his new listening device. It wouldn’t be difficult to place almost anywhere because it’s a common, unaltered hanging light bulb.
It enables you to listen in to what’s going on in the room because of a simple property of sound waves. As the waves pass through the air and hit an object, the object will vibrate. Nassi explains, “By analyzing how the object responds to sound, the vibrations, with the proper sensor, can be recovered.” He and his team created an experiment to demonstrate how their Lamphone would work.
The listening device is a 12W bulb that Nassi’s team placed inside an office. Twenty-five meters away, they set up a telescope with an electro-optical sensor mounted on it, which captured the slight changes in the bulb’s light and passed them to a computer. Inside the office, the researchers played two songs and a speech. The computer recovered the sounds, and the team cleaned up the signals with filters and a special equalizer. The sounds were muddy, but the songs, Coldplay’s “Clocks” and The Beatles’ “Let It Be,” were identified by the Shazam app, which names a song from a short sample, and the speech was intelligible.
PERILS OF THE PROFESSION
Among the reasons hackers sometimes switch sides are the risks inherent in hacking in the wild. One of the best-known of these converts from black hat to white hat is Kevin Mitnick, who served five years in federal prison before crossing over. Mitnick now runs Mitnick Security Consulting, and he is also the CHO (chief hacking officer) and part owner of the security training company KnowBe4, one of the corporate sponsors of the Black Hat USA Conference.
One of the stories reported at the conference was a through-the-looking-glass reversal of this dynamic, involving two security professionals who ended up in jail for doing exactly what they were hired to do. Justin Wynn and Gary DeMercurio are professional penetration testers who are paid to test the security of buildings and facilities. They work for Coalfire Labs, the largest company doing this kind of security testing. Their job is to breach entrances and the computer systems within.
Hired by the state of Iowa to conduct a penetration test on several courthouses, they carried papers authorizing their work. They had just finished at one courthouse and were in the second when they were arrested. The sheriff didn’t care about the authorization by the state because, as he fumed at the two, “This is not state property, this is county property.” They were arrested and charged with trespassing and felony burglary.
Caught in the middle between the county, the state, and their employer Coalfire, the two ended up fighting the felony charges for months. John Strand, another penetration tester, summed up the Coalfire standoff for Wired magazine this way: “It just became a perfect storm. The nerve this hit in the community is this: The law can be on your side. The contract can be on your side. But if the politics are not on your side, you can be played as a pawn.”
After five months of legal battles, the two were told the felony charges would be dismissed. Because the arrests would still show up on any future background check, the testers are now unsure about ever obtaining security clearances again, and their case stands as a warning for others performing the same kind of security investigations, some of whom have already vowed not to do this kind of testing again.
BLACK HAT INTERNATIONAL
The other Black Hat Conferences scheduled for this year will also be virtual. Black Hat Asia will take place September 29-October 2, and Black Hat Europe is scheduled for November 9-12. For those interested, the Black Hat USA Conference, just concluded, will have a number of its sessions and keynotes uploaded on the Black Hat YouTube channel. They aren’t up yet, but you can still look over the sessions from the 2019 Conferences.