Black Hat: 10 can't-miss hacks and presentations

Written by Ryan Naraine, Contributor on

LAS VEGAS -- The 2011 Black Hat security conference is promising a smorgasbord of (in)security fun. From vulnerabilities in PLCs (programmable logic controllers) to the security design of Apple's iOS and potential hacker attacks on medical implant devices, the range of presentations this year could be the best ever.

Here's my list of this year's can't-miss presentations:

1. Exploiting Siemens Simatic S7 PLCs

Dillon Beresford, a security researcher at NSS Labs, has already courted controversy with this topic. The talk was originally scheduled for the TakeDownCon security conference in May but was withdrawn after some bigwigs (including the Department of Homeland Security) got nervous about the ramifications of disclosing the flaws before a patch was available.

At Black Hat, Beresford is promising to cover newly discovered Siemens Simatic S7-1200 PLC vulnerabilities and to demonstrate how an attacker could impersonate the Siemens Step 7 PLC communication protocol using some PROFINET-FU over ISO-TSAP and take control.

Beresford is a brand-name security researcher in the SCADA world. Earlier this year, he developed an exploit for one of the most popular high-performance production SCADA/HMI software applications in China, which is widely used in power, water conservancy, coal mining, environmental protection, defense and aerospace.

Because security holes in Siemens' PLCs played a key role in the success of the mysterious Stuxnet worm, Beresford's Black Hat disclosures are sure to raise eyebrows.

2. Hacking Google Chrome OS

Google + the cloud + web applications is a recipe for a fun security cocktail.

In the last few months, two members of the WhiteHat Security's Threat Research Center -- Matt Johansen and Kyle Osborn -- hacked away at Google's Cr-48 prototype laptops and discovered a slew of serious and fundamental security design flaws.

Now, they are sharing their findings with the Black Hat audience, promising to discuss security holes that could expose users to the following types of attacks:

  • Exposing all of the user's email, contacts, and saved documents.
  • Conducting high-speed scans of the user's intranet and revealing active host IP addresses.
  • Spoofing messages in the user's Google Voice account.
  • Taking over the user's Google account by stealing session cookies, and in some cases doing the same on other visited domains.

Johansen and Osborn said Google was informed of the findings and has already fixed some of the vulnerabilities. They plan to discuss many of the underlying Google Chrome OS weaknesses that remain -- including how easily malicious extensions can be made available in the Web Store, the ability for payloads to go viral, and JavaScript malware that survives a reboot.

3. Apple iOS Security Evaluation: Vulnerability Analysis and Data Encryption

When Dino Dai Zovi speaks about Apple and security, you stop and listen.

Best known for his successful hijack of a MacBook at the CanSecWest hacker conference, Dai Zovi has now turned his attention to Apple's iOS, the smartphone platform that powers iPhones and iPads.

Dai Zovi performed a detailed audit of the security mechanisms and features of iOS 4 and will share his findings on things like Trusted Boot, Mandatory Code Signing, Code Signing Enforcement, Sandboxing, Device Encryption, Data Protection, and (as of iOS 4.3) Address Space Layout Randomization.

The security assessment focused on the concerns of an enterprise considering a deployment of iOS-based devices or allowing employees to store sensitive business data on their personal devices, so we can expect to hear about the real-world implications of using iPhones and iPads in the enterprise.

Dai Zovi is promising to document the risks of a lost device or a remote iOS compromise through a malicious web page or e-mail and, based on the strengths and weaknesses identified, make concrete recommendations on what compensating measures an organization can and should take when deploying iOS-based devices for business use.

4. Exploiting the iOS Kernel

Stefan Esser is best known for his epic work around PHP security but if you've been following his Twitter stream lately, you'd notice the German researcher has taken a liking to Apple's iOS platform.

In this Black Hat session, Esser is promising a deep-dive discussion of kernel-level exploitation of iPhones. It will include details on previously disclosed kernel vulnerabilities, the exploitation of uninitialized kernel variables, kernel stack buffer overflows, out-of-bounds writes and kernel heap buffer overflows.

Esser also plans to look closely at the kernel patches applied by iPhone jailbreaks to provide an understanding of how certain security features are deactivated. He also plans to release a tool that allows selective deactivation of certain kernel patches for more realistic exploit tests.


5. Hacking Androids for Profit

The growing popularity of smart phones has generated a predictable surge in security research around mobile platforms and this year's Black Hat agenda contains quite a few good presentations.

This talk, by Riley Hassell and Shane Macaulay, puts Android under the microscope with a promise to reveal new threats to Android Apps and discuss known and unknown weaknesses in the Android OS and Android Market.

The researchers will discuss the inner workings of Android apps and the risks any user faces when installing and using apps from the marketplace.

Next -- SSL and authenticity, water meter vulnerabilities, hacking medical devices...

6. SSL And The Future Of Authenticity

Moxie Marlinspike has earned a reputation as a privacy and anonymity advocate who goes beyond mere talk. He has released many free tools and utilities for both the Web and mobile systems and spends his time warning anyone who will listen about the dangers of web tracking software.

Widely considered a security research expert on protocols, cryptography, privacy, and anonymity, Marlinspike will focus on SSL (Secure Sockets Layer) encryption at this year's Black Hat conference.

He is promising to provide an in-depth examination of the current problems with authenticity in SSL, discuss some of the recent high-profile SSL infrastructure attacks in detail, and cover some potential strategies for the future. Marlinspike's talk will conclude with a software release that aims to definitively fix the disintegrating trust relationships at the core of this fundamental protocol.

As a side note, Marlinspike will be speaking at BSidesLV, providing "thoughts on LulzSec through the historical lens of Russian Nihilism and Motiveless Terrorism." That's another good one to put on the schedule. The BSidesLV talk has since been withdrawn. Bummer.

7. Vulnerabilities in Wireless Water Meter Networks

What if a hacker could tamper with your water meter to do dangerous things? It may sound far-fetched but, after Stuxnet, no one should doubt the ramifications of designer malware planted on critical systems.

This Black Hat talk is particularly interesting because the speaker, John McNabb of South Shore PC Services, spent 13 years managing a small water system and claims to have deep knowledge of how these things work.

McNabb says research into wireless water meters is crucial because they are a potential security hole in a critical infrastructure and can pose a wide range of problems.

In this talk, McNabb promises to present an overview of drinking water security, review reported water system security incidents, and assess the state of drinking water security over the past year. He will also provide a deep dive into the hardware, software, topology, and vulnerabilities of wireless water meter networks, and how to sniff wireless water meter signals.

8. Battery Firmware Hacking

Clearly not satisfied with hacking into MacBooks and iPhones, Charlie Miller has his eyes on the chip that controls your computer's battery.

Miller, a brand-name hacker who now works as Principal Research Consultant at Accuvant Labs, will use the Black Hat stage to discuss the embedded controller used in lithium-ion and lithium-polymer batteries. In his research, he found that the controller is used in a large number of MacBook, MacBook Pro, and MacBook Air laptop computers.

Miller explains:

"In this talk, I will demonstrate how the embedded controller works. I will reverse engineer the firmware and the firmware flashing process for a particular smart battery controller. In particular, I will show how to completely reprogram the smart battery by modifying the firmware on it. Also, I will show how to disable the firmware checksum so you can make changes. I present a simple API that can be used to read values from the smart battery as well as reprogram the firmware. Being able to control the working smart battery and smart battery host may be enough to cause safety issues, such as overcharging or fire."

As reported by Andy Greenberg at Forbes.com, Miller found that the batteries’ chips are shipped with default passwords, such that anyone who discovers that password and learns to control the chips’ firmware can potentially hijack them to do anything the hacker wants.

9. Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System

Theoretical research into the hacking of medical devices is nothing new but this talk by Jerome Radcliffe stands out because of the wide usage of the target -- insulin pumps to treat diabetes.

Radcliffe, who wears an insulin pump and continuous glucose monitor, said the devices can be considered a "Human SCADA system."

After attending a DefCon presentation on hardware hacking of proprietary systems and wireless communication methods, Radcliffe said he was inspired to hack into the devices to see if the communication methods could be reverse engineered or whether a device can be created to perform injection attacks.

"Manipulation of a diabetic's insulin, directly or indirectly, could result in significant health risks and even death," he explained. In this talk, Radcliffe plans to explain his discoveries around the proprietary protocols and the hardware interfacing.

10. Playing In The Adobe Reader X Sandbox

Adobe's addition of a sandbox called 'Protected Mode' to Reader X has put up a significant roadblock for malicious hackers. However, it has set up a perfect cat-and-mouse game in which attackers are working overtime to bypass the mitigations.

In this talk by Paul Sabanal and Mark Yason from IBM ISS's X-Force Advanced Research Team, Black Hat attendees will get a deep technical explanation of the implementation details of the Adobe Reader Protected Mode sandbox and the results of reversing efforts to understand the mechanisms and data structures that make up the sandbox.

The researchers also plan to discuss the limitations and weaknesses of the sandbox and offer possible avenues to achieve privilege escalation. "We will demonstrate how an attacker could leverage the limitations and weaknesses of the Adobe Reader Protected Mode sandbox to carry out information theft or corporate espionage. We will be demonstrating a proof-of-concept information stealing exploit payload bootstrapped by exploiting a publicly known Adobe Reader X vulnerability," the researchers explained.
