Black Hat/DEF CON 2015: Understanding the Hands-on Imperative

This year’s Black Hat and DEF CON gave us a good glimpse of the future: what we can expect, what we need to fear, and most especially what we need to do.

The Dream of Internet Freedom

Jennifer Granick’s keynote speech during the first day of Black Hat 2015 captured the theme of this year’s conference. Granick is the Director of Civil Liberties at the Stanford Center for Internet and Society and is known for representing Kevin Poulsen and Aaron Swartz before US criminal courts. In her speech, entitled The Lifecycle of a Revolution, she spoke of the dream of Internet freedom: the freedom to exist without judgment (be it based on age, race, class, or gender), the freedom to communicate with anyone, anywhere, the freedom to access information, and the hands-on imperative – the freedom to explore and understand the technologies around us.

She talked about how that dream does not seem to fit into the Internet today and how we will most likely see the end of that dream if we don’t act now. We’re now seeing a centralized, regulated Internet – one that is controlled based on decisions of those in power. This shouldn’t be the case; it goes against the values that started the Internet years ago. Globalization through the Internet should not be regulated by those with local concerns.

Figure 1. The way to achieve Internet Freedom, from Jennifer Garnick’s Black Hat keynote speech

This point was also driven home by CloudFlare CEO Matthew Prince in his talk The Battle for Free Speech on the Internet. He discussed how he’d repeatedly encountered instances whereas governments and companies tried to define what is good and bad, based on their own needs. As the CEO of a company that provided services to deal with denial-of-service attacks, his talk highlighted the need for a more objective sense of control around the policies that decide which content ends up online.

The State of Android (In)security

The dismal state of Android security was in the spotlight in many different ways throughout both Black Hat and DEF CON. Adrian Ludwig’s talk on the Android Security State of the Union discussed the various security strategies and solutions that Google has put in place to secure the OS. As expected, however, there were more talks about threats than solutions.

Joshua Drake presented how he was able to find Stagefright. The vulnerability in Android had made the news prior to Black Hat, primarily because it can be used to install malware on an Android device through a multimedia message. Trend Micro researchers, who also independently discovered the vulnerability, reported that Stagefright can also be exploited through an app, or a specially crafted URL. Wen Xu’s talk on universal rooting in Android tackled how their team was able to use a kernel UAF (User-After-Free) vulnerability in Linux to root most Android devices. This was particularly interesting as Xu shared how they are able to root even 64-bit Android devices – something that hasn’t been done before.

Another talk that discussed Android threats was Certifi-gate. The research by Ohad Bobrov and Avi Bashan focused on how the customization done on the Android platform by different vendors lead to vulnerabilities that leave millions of users at risk. These findings add to the recent string of vulnerabilities being reported affecting Android users, making the issue of fragmentation more relevant now. As more vulnerabilities are being found, it is much more critical for Google and the device manufacturers to be able to roll out updates as soon as possible. (In fact, during the week of Black Hat/DEF CON, it was announced that Google, Samsung, and LG would all start pushing regular monthly security updates.)

Car Hacking and Beyond

As Charlie Miller and Chris Valasek put it, saying that anything is unhackable will just make one look ridiculous, and this was proven in various ways throughout the week.

Car hacking was one of the main themes in both Black Hat and DEF CON, with the latter even introducing a new Car Hacking Village to allow people to explore vehicle electronic systems. The Remote Exploitation of an Unaltered Passenger Vehicle talk by Miller and Valasek was well attended at both conferences. Their presentation went into detail on how they were able to achieve such control, from studying vulnerabilities in the car’s system, to leveraging mobile networks to achieve remote access. Samy Kamkar’s presentation delved more into other stages involved in stealing cars, such as hacking garage door openers to achieve physical access.

Another key highlight was Marc Rogers’s and Kevin Mahaffey’s talk on hacking a Tesla Model S. Calling the Tesla “the most connected car in the world”, the researchers shared how they were able to achieve control of the vehicle, primarily through tinkering with the vehicle’s hardware. Rogers and Mahaffey also noted how difficult it was for them to successfully achieve this, highlighting the strategies taken by Tesla in to keep the Model S secure. (A surprise attendee at the talk: Tesla’s CTO JB Straubel, who thanked the pair for their efforts.)

Cars weren’t the only ones that were hacked during the week. Runa A. Sandvik and Michael Auger presented how they were able to hack a Linux-powered TrackingPoint TP750 sniper rifle. Although their research indicated that remotely pulling the trigger through the system is not possible, changing the information returned to the scope was. Our own GasPot research showed that fuel tanks are being attacked as well.

Conclusion

Overall, both Black Hat and DEF CON showed good examples of how researchers exercise the hands-on imperative – the right to explore, disassemble, analyze, and understand the technologies around us. Done for the sake of security, such research will help us secure the different platforms that are increasingly being used in our everyday lives.