Nest, Tor and more: Hot talks, cool hacks at Black Hat USA 2014

With less than a month until Black Hat USA 2014, we've got a cheat sheet of hot talks lined up for the professional infosec industry's most contentious domestic conference.
Written by Violet Blue, Contributor

With less than a month until Black Hat USA 2014 and some hot talks in the lineup that are already making headlines, we've put together a cheat sheet of hot talks lined up for the professional infosec industry's most contentious domestic conference.

Black Hat USA returns for its 17th year to Las Vegas, with four days of trainings and two packed days of talks from August 2-7. It will be the conference's first time in a new location, the Mandalay Bay Hotel and Casino.

Last year's Black Hat USA left some tough shoes to fill after a lively keynote by the NSA's General Keith Alexander.

It was also the last US Black Hat run by Trey Ford, who is so admired in infosec communities that some are cautiously calling it our first "post-Trey" Black Hat — even though Mr. Ford remains on the conference's review board.

Here's our cherry-picked shortlist of hot talks to see at Black Hat 2014.

Enterprise threats

Talk: Lifecycle of a Phone Fraudster: Exposing Fraud Activity from Reconnaissance to Takeover Using Graph Analysis and Acoustical Anomalies

Speakers: Vijay Balasubramaniyan, Raj Bandyopadhyay and Telvis Calhoun

Overview: One of the places the enterprise is most vulnerable to attack is at the human endpoints — your employees. Enterprises are vulnerable to "human hacking," the effective social engineering of employees, contractors, and other trusted persons. In particular, financial institutions have seen a significant increase in account takeover attacks over the phone by sophisticated fraudsters socially engineering call center agents.

The customer information required is often obtained by gathering intelligence through reconnaissance, probing systems or humans. In this talk, the researchers will show how to detect both the account takeover calls using acoustical anomalies and the reconnaissance calls leading to it through graph analysis.

Using acoustical anomalies, the researchers claim they're able to detect over 80 percent of these calls with less than a 2 percent false positive rate, and that their graph analysis is able to see reconnaissance calls for 46 percent of these account takeovers 10 days before the actual takeover. These results are presented on a dataset of hundreds of millions of calls.

In the process, they'll reveal the lifecycle of a phone fraudster as one works through both the call center agent and its technology to extract information about a customer and take over their account.

Interesting hacking

Talk: You Don't Have to be The NSA to Break TOR: Deanonymizing Users on a Budget

Speakers: Alexander Volynkin and Michael McCord

Overview: From the Daily Dot's already-quivering writeup "Hackers promise to break Tor on a $3000 budget":

Two hackers are promising to show how they’re able to deanonymize Tor users with a measly $3,000 budget at Black Hat 2014, a major hacking conference in Las Vegas next month.

"In this talk, we demonstrate how the distributed nature, combined with newly discovered shortcomings in design and implementation of the Tor network, can be abused to break Tor anonymity," the presenters, Alexander Volynkin and Michael McCord, explain.

With "a handful of powerful servers and a couple gigabit links" (...) thousands of Tor clients and hidden services can be revealed "within a couple of months," the pair says.

Talk: BadUSB – On Accessories That Turn Evil

Speakers: Karsten Nohl and Jakob Lell

Overview: USB has become so commonplace that we rarely worry about its security implications. USB sticks undergo the occasional virus scan, but we consider USB to be otherwise perfectly safe — until now. This talk introduces a new form of malware that operates from controller chips inside USB devices.

USB sticks, as an example, can be reprogrammed to spoof various other device types in order to take control of a computer, exfiltrate data, or spy on the user. They will demonstrate a full system compromise from USB and a self-replicating USB virus not detectable with current defenses.

Talk: Building Safe Systems at Scale: Lessons from Six Months at Yahoo!

Speaker: Alex Stamos

Overview: Alex will detail his first six months as the CISO of Yahoo; he'll review the impact of the government surveillance revelations on how Yahoo designs and builds hundreds of products across dozens of markets.

The talk includes discussion of the challenges Yahoo faced in deploying several major security initiatives and useful lessons for both internet companies and the security industry from his experience.

Mobile threats

Talk: Cellular Exploitation on a Global Scale: The Rise and Fall of the Control Protocol

Speakers: Mathew Solnik and Marc Blanchou

Overview: Few people know that service providers have a hidden and pervasive level of control over your device. These hidden controls can be found in over 2 billion cellular devices worldwide. Someone with knowledge of these controls and the right techniques could potentially leverage them for cellular exploitation on a global scale.

Layer by layer, Mathew and Marc have reverse-engineered and deconstructed these hidden controls to learn how they work. They will discuss and disclose how over-the-air code execution can be obtained on the major cellular platforms and networks (GSM/CDMA/LTE), including but not limited to Android, iOS, Blackberry, and embedded M2M devices.

Talk: Exploiting Unpatched iOS Vulnerabilities for Fun and Profit

Speakers: Yeongjin Jang, Tielei Wang, Byoungyon Lee and Billy Lau

Overview: The researchers will disclose their process for jailbreaking the latest version of iOS (version 7.1.1), running on any iOS device including the iPhone 5s as well as older iPads and iPods. They will discuss the steps in a walkthrough, and say they'll include a detailed disclosure of several new vulnerabilities and the exploit techniques that they've developed.

Payment system threats

Talk: Mission mPOSsible

Speakers: Nils and Jon Butler

Overview: Mobile Point-of-Sale (mPOS) systems are everywhere and allow your favorite merchants globally to use their favorite iDevice (and others) to complete transactions.

The problem is that Nils and Jon Butler have found a series of vulnerabilities that allow them to gain code execution on these devices through each input vector — simply put, they can hack some of the leading chip and pin payment solutions. They’ll be live demoing their attacks and showcasing a new malicious credit card.

Airport security

Talk: Pulling Back The Curtain on Airport Security: Can A Weapon Get Past TSA?

Speaker: Billy Rios

Overview: Airport security checkpoints see millions of people every day. How secure is this sophisticated technology? Billy Rios will be revealing vulnerabilities of these security systems as well as how the devices used to detect threats actually work.

Satellite vulnerabilities

Talk: SATCOM Terminals: Hacking by Air, Sea and Land

Speaker: Ruben Santamarta

Overview: Satellite Communications (SATCOM) play a vital role in the global telecommunications system. We live in a world where data is constantly flowing. It is clear that those who control communications traffic have a distinct advantage.

The ability to disrupt, inspect, modify, or re-route traffic provides an invaluable opportunity to carry out attacks. Ruben focused his research on Earth station terminals that encompass the equipment located both on the ground and on airplanes and ships (thus this segment includes air and sea).

He found that 100 percent of the devices could be abused. These vulnerabilities allow remote, unauthenticated attackers to fully compromise the affected products. In certain cases, no user interaction is required to exploit the vulnerability; just sending a simple SMS or specially crafted message from one ship to another ship can do it.

Home automation hacks

Talk: Smart Nest Thermostat: A Smart Spy in Your Home

Speakers: Yier Jin, Grant Hernandez and Daniel Buentello

Overview: The Nest Thermostat is a smart home automation device that aims to learn about your heating and cooling habits to help optimize your scheduling and power usage. Debuted in 2010, the smart Nest devices have proved such a huge success that Google spent $3.2B to acquire the whole company.

Although OS-level security checks are available and are claimed to be very effective in defeating various attacks, the researchers did not attack the higher-level software. Instead, they went straight for the hardware and applied OS-guided hardware attacks. As a result, their method bypasses the existing firmware signing and allows them to backdoor the Nest software in any way they choose.

This hack would allow remote attackers to essentially have a spy in the home with the ability to learn the schedule of users (when they're home and not), saved wifi passwords, etc.

Talk: Home Insecurity: No Alarms, False Alarms and SIGINT

Speaker: Logan Lamb

Overview: Logan will demonstrate a generalized approach for compromising three systems: ADT, the largest home security dealer in North America; Honeywell, one of the largest manufacturers of security devices; and Vivint, a top 5 security dealer.

He will suppress alarms, create false alarms, and collect artifacts that facilitate tracking the movements of individuals in their homes.

Talk: Learn How to Control Every Room at a Luxury Hotel Remotely: The Dangers of Insecure Home Automation Deployment

Speaker: Jesus Molina

Overview: Jesus takes a look at the gorgeous luxury hotel, The St. Regis ShenZhen, where every guest room has a remote control in the form of an iPad2. It controls everything from the lights to the temperature to the blinds and more.

Jesus found several fatal flaws that allow an attacker to control virtually every appliance in the hotel remotely (even from another country). The talk will discuss the full anatomy of the attack as well as the huge implications this has for large scale home automation applications as more and more hotels are offering this amenity.

Talk: Breaking the Security of Physical Devices

Speaker: Silvio Cesare

Quick Overview: In this talk, Silvio will look at a number of household or common devices and things, including a popular model car and physical security measures such as home alarm systems.

Among other things, Silvio built an Arduino and Raspberry Pi based device for less than $50 that could be trained to capture and replay fixed codes (used in most alarm systems) to defeat the alarms.

He'll also show that by physically tampering with a home alarm system and connecting a device programmer, the EEPROM data can be read off the alarm's microcontroller. This means that an attacker can read the secret passcode that disables or enables the alarm.

Auto vulnerabilities

Talk: A Survey of Remote Automotive Attack Surfaces

Speakers: Charlie Miller and Chris Valasek

Overview: Automotive security concerns have gone from the fringe to the mainstream with security researchers showcasing the susceptibility of the modern vehicle to local and remote attacks.

We know that a malicious attacker leveraging a remote vulnerability can do some pretty dangerous things such as turning the steering wheel or disabling the brakes. The issue is that research has only been presented on three to four particular vehicles.
