7 curious things people were talking about at Black Hat Europe 2018

19th December 2018



Simon Whitburn
Senior Vice President Cyber Security Services

Nominet attended Black Hat Europe, which returned to London this December.

The show attracts expert professionals and cyber security vendors, giving talks and demonstrations aimed at everyone from expert hackers, through interested technical professionals, to the next generation of cyber whiz kids.

Here are seven stories from the show that stood out from the crowd.

1. Even disconnected devices might not be safe.

IBM X-Force researchers demonstrated disabling electronic devices without being connected to them. Building on work with ultrasonics on voice-enabled IoT devices, the technique involves finding the resonant frequencies of electronic sensors, programmable logic controllers and other similar devices. These devices can then be prevented from working normally.

The researchers believe that this will allow malware to bypass hardware protection devices, although it’s not believed to have happened in the real world yet.

2. Set your GPS to the centre of the earth

Talking about the challenges that digital transformation is bringing to the major transport sectors, the National Computing Centre’s (NCC) Andy Davis explained that GPS systems can be fooled into thinking they’re somewhere else – clearly a danger.

But what would cyber criminals gain by making them think they are at the centre of the earth, as Andy had done? The point is that cyber criminals will try things that developers and designers don’t expect them to do. That’s how they discover loopholes that can be exploited.

Doing unexpected things is all part of making testing programmes as complete as possible, which is the only way to keep networks safe. The NCC provides help and consultancy for IoT-related testing.

3. Why cargo ships often come into ports with non-working nav systems

Andy went on to discuss the problems in merchant shipping, where many legacy Windows embedded systems are still in use. Shipping staff also make frequent use of USB sticks for updating charts and carrying information around, switching them from system to system.

It’s therefore no surprise to IT and security professionals, but still somewhat disconcerting, to find out that cargo ships often come into ports with their navigation systems completely disabled by malware.

4. Be careful with that washing machine

At a round table discussion on building defences for the internet of things (IoT), IBM X-Force Red researcher Ivan Reedman explained why his wife would no longer allow him to touch their new ‘intelligent’ washing machine. He took it apart to find out what was in it and, while making changes, managed to effect a change in the plumbing that caused the boiler to switch off.

Obviously no data or information was affected, but it clearly demonstrates that you can’t only test devices in isolation; they must be tested in their target environments too.

5. No charge for Android phones

Another unexpected use of everyday items involved a hack to steal data from an Android phone through a compromised power bank. Riccardo Spolaor, an Oxford University researcher, demonstrated the attack, dubbed “PowerSnitch”.

As the technique requires a malicious app to be downloaded to the phone, it’s used for specific, targeted attacks. The app converts data on the phone into spikes of power which are received and decoded back into data.

It’s slow, but crucially it bypasses the inbuilt Android protection that isolates the data pin on the USB port when it’s in ‘charge only’ mode.

6. The Thermanator – novel password and PIN hack

Researchers from the University of California’s Irvine research university (UCI Irvine) presented work they’ve been doing to prove that PINs and passwords can be determined if access to the keyboard or keypad can be gained within a minute.

Humans leave a heat ‘fingerprint’ on devices they use for up to an hour. The researchers developed the Thermanator – a framework for harvesting passwords from thermal emanations. The method obviously relies on being in close proximity, but it has been successful from several feet away, making what the researchers call a “coffee-break attack” a real possibility.

7. Penetration testing is now well established

Finally, a sign firmly in the ‘good to see’ category was the increased number of penetration testing companies attending the show. Known in the industry as ‘pen testing’, these authorised attacks on systems and devices uncover unknown flaws that can be exploited.

This is a good sign that vendors and end-users are realising that cyber security is about protecting their businesses, not just their technology and data.

Find out how Nominet can help you protect your organisation from all sorts of cyber attacks.
