Conference notes: Blackhat Europe 2017
I had the opportunity to attend Blackhat Europe 2017 in London last week. What follows are some of my notes and observations.
Nota bene: this is all very subjective and not necessarily complete. You have been warned :-)
tl;dr
- many important breaches were known for months already e.g. the Intel ME breach or the WPA2 Key Reinstallation Attack. However, the researchers presented the details in their talks and published papers and/or code immediately afterwards.
- most vulnerabilities are introduced by complexity and the need for backward compatibility
- attackers cause the most damage when they remain undetected after the compromise and can perform reconnaissance for months and years(!) - intrusion detection and incident response is key
Day 1
Attacking nextgen roaming networks
Diameter, the successor to SS7, used in 4G/LTE mobile networks has all the same vulnerabilities and a new/unproven code base likely to contain additional bugs.
Take-away: telecom protocols tend to be super complex and have a huge attack surface.
In case you haven't heard of the SS7 attacks:
- Real-World SS7 Attack — Hackers Are Stealing Money From Bank Accounts
- SS7 hack explained: what can you do about it?
Blueborne - a new class of airborne attacks that can remotely compromise any linux/iot device
First things first: turn off BlueTooth and leave it that way!
Bluetooth, again, is an old-school telecoms protocol, thus very complex and "sporting" a huge attack surface (the spec is 2822 pages long!)
Bluetooth stacks are big code bases that have received too little review and scrutiny due to lack of economic incentives. In hindsight, it is not surprising that almost all implementations are full of (security) bugs.
The BlueBorne attack vector can potentially affect all devices with Bluetooth capabilities, estimated at over 8.2 billion devices today.
More info
Nation-state moneymule's hunting season – apt attacks targeting financial institutions
It’s scary, banks are getting compromised all the time. Nation state actors used to be primarily after confidential information. However, analysis of attacks on South Korean banks (and bitcoin exchanges!) shows that these actors (North Korea in particular) are also getting into large-scale theft and bank robbery.
Attackers compromise financial organizations and then perform reconnaissance for months and years(!) before striking. Detecting intrusion / compromise and subsequent incident response is crucial to limiting damage.
How to hack a turned-off computer, or running unsigned code in intel management engine
I never imagined intel would be this stupid / irresponsible; maybe there’s more behind this? Time for tinfoil hats?
- Intel’s ME can be hijacked
- full control of a machine, underneath and out of sight of whatever OS
- More coverage:
Day 2
Security through distrusting
In summary: everything humans produce is imperfect, don’t trust anything.
- Qubes OS runs on top of the XEN hypervisor
- Every process runs in a separate VM
- VMs are run in different contexts (e.g. work, personal etc.) and can be "single use" VMs e.g. for the browsing of untrusted web sites
- Unless XEN is broken, the compromise in a particular VM / context is contained and does not infect the entire system
- more detail: Rutkowska: Trust Makes Us Vulnerable
Exfiltrating reconnaissance data from air-gapped ics/scada networks
It is a miracle we don’t have major industrial control hazards / incidents on a daily basis
Major attack vectors:
- malicious USB
- infected external engineering laptop (used for maintenance)
- infected vendor updates
The researchers showed how to inject specially-crafted ladder logic code into Programmable Logic Controllers (PLCs). The hack generates encoded radio signals that can then be received by ordinary AM radios in order to exfiltrate sensitive data from air-gapped networks.
Disclaimer: I am just a bot trying to be helpful.