Black Hat 2013: Rise of the (smart) machines
Forget Keith Alexander and PRISM, the rise of intelligent machines - and their security risks - was the big story at Black Hat this year.
There was a moment during last week’s Black Hat Briefings hacker conference – about when audience members started calling “bulls**t” (literally) on U.S. General Keith Alexander – when it was possible to trick yourself into thinking that we were back in the “good old days” of the late 1990s and early millennial period, when Black Hat and its sister conference, DEFCON, were counter-culture events for hackers of all stripes – black hats, white hats and everyone in between. But that moment was short lived. A couple of sharp retorts aside, the Black Hat audience found much to agree with in Alexander’s argument that PRISM wasn’t so bad, after all, and that U.S. citizens just needed to trust that the big hand of government wasn’t reaching into their private lives. Eggs rumored to have been secreted into the Caesar’s Palace ballroom where Alexander spoke stayed holstered in their carton.
But don’t let all the light and heat over the NSA’s PRISM program fool you. The big story at this year’s annual Black Hat conference wasn’t General Alexander’s speech or the privacy and civil liberties questions it raised. Rather, it was the myriad of ways that intelligent machines – from televisions to automobiles to medical devices – are creating new privacy and security risks for consumers, companies and governments alike. A series of presentations at both Black Hat and its sister show, DEFCON, underscored what amounts to a slow-moving crisis that will become even harder to ignore in the months and years ahead.
That crisis: powerful, Internet-enabled devices that are insecure and vulnerable to remote hackers, with dire consequences. Intelligent devices that will soon fill the corners of our living rooms, kitchens, bedrooms and automobiles could expose us all to unwanted surveillance, the theft of personal and financial data or, worse, bodily harm. To take just a couple of examples: researchers from the firm ISEC Partners demonstrated vulnerabilities in Samsung’s Smart TV product that could give remote attackers the ability to activate and control an embedded webcam in the television and to make off with user credentials for the TV owner’s home wireless network, social networking accounts and more.
Even more ominous was research by Charlie Miller and Chris Valasek, presented at DEFCON, which demonstrated how tweaks to the software that controls a Ford Escape could be used to display the wrong speed on the dashboard, make the car attempt to park itself while travelling on a highway, or even stop the car from braking. “When you lose faith that a car will do what you tell it to do, it really changes your whole view of how the thing works,” Miller told Forbes in an exclusive interview. Indeed.
Miller wasn’t the only security expert with research showing how technology we all rely on is fast becoming susceptible to hacking. Renowned researcher Barnaby Jack was scheduled to present on vulnerabilities in implantable medical devices. Tragically, Jack was found dead in his apartment in San Francisco just days before the start of the conference. He was 35.
Seasoned IT pros are apt to roll their eyes at warnings about obscure TV and defibrillator hacks, especially given the everyday reality of attacks on traditional computing devices like application servers and end-user systems. But the bigger truth is that the line separating a known target like a web application server and, say, an intelligent consumer device deployed in the home is becoming blurrier every day.
Speaking at Black Hat last week, researchers Aaron Grattafiori and Josh Yavor of ISEC Partners described Samsung Smart TVs as Linux-based web servers running Java applications from a WebKit-based browser. The use of such common OS and application architectures makes devices like the Smart TV malleable, and removes barriers for application developers to write to the new platform. But it also makes those devices vulnerable to many of the attacks that security researchers have been documenting in components like WebKit, Java and Linux for the last decade. “Some of these things may seem far-fetched now, but five years from now when everything has an IPv6 address and is connected, it may be a different story,” Grattafiori told me in an interview.
Alas, much of the work of the last decade is at risk of being forgotten as consumers and businesses double down on the mobile revolution, plowing ahead in the development and adoption of “smart” devices without giving due attention to the security of the underlying code and, ultimately, the data that these devices will be storing. The need to fight and to beat back that worrying trend is among the most important lessons to come out of Black Hat and DEFCON this year. Let's hope that those in a position to make changes heed it.