Top 10 most worrying things we saw at Black Hat

The Black Hat USA conference has convened in Las Vegas for the last 16 years, attracting hackers, security consultants, and government agents from all over the world. The 2013 conference was last week, and included four days of training and two days of briefings; those of us in the media were invited to cover the briefings. This is not an event for the faint of heart, as many of the briefings reveal seriously alarming security vulnerabilities.

We're not just talking about malware that affects computers or smartphones. As one attendee's T-shirt proclaimed, Black Hat researchers "Hack all the Things." The briefings included presentations on hacking office security systems, supposedly-secure iPhones, security cameras, web-linked kids’ toys, "smart toilets," and more.

These briefings are anything but high-level. Most of the presentations lay out in precise detail exactly how the researchers managed to exploit the security weaknesses they found. That means those attending the talks go home knowing just how to perform the same exploit. Scared yet?

You might think it's irresponsible for Black Hat presenters to reveal such dangerous security flaws. What, do they want us all to find our smart toilets running backwards and our security cameras spinning in circles? Well, no. The purpose behind revealing security flaws in a company's product is to force that company to shape up and fix the problem.

In a very real sense, presenting this information publicly at Black Hat is an altruistic gesture. It's quite possible that the first discoverer of a security flaw could instead earn big bucks by quietly selling the information to the affected company. Facebook has paid over $1 million (£640,000) in "bug bounty" pay-outs to researchers. Microsoft recently launched a similar program; Google, Mozilla, and others have been doing it for years. Of course, foreign governments and organised cybercrime might pay even more...

When we go to Black Hat, we carefully peruse all of the abstracts in advance to ensure that we attend the most interesting and scary talks. Here are our top ten alarming revelations from the 2013 Black Hat conference.

10. The death of Barnaby Jack

Hacker extraordinaire and long-time Black Hat presenter Barnaby Jack wowed audiences in past years. One year he hacked into an ATM on stage and caused it to spit out all its cash. He also demonstrated a vulnerability in commonly-used insulin pumps that could subject them to external control. Jack was scheduled to demonstrate a similar hack for pacemakers during Black Hat. However, just days before Black Hat he suddenly died. No foul play was reported, but Jack was just 35 years old. Unsettling!

9. Flame-throwing women

Security company Rapid7 is known for throwing lavish parties at security conferences. For the RSA Conference in San Francisco, they typically take over the immense Ruby Skye night club. For Black Hat, Rapid7's invited guests descended on The Palms. They milled around the massive pool, lounged in the cabanas, and danced to the beats at the Rain nightclub. Entertainment included a group of steel drummers, three supremely talented break dancers, and a pair of dancers who showed off their pyrotechnic skills. They tossed flaming torches and spun a hula hoop on fire while dancing. Fortunately everyone managed to avoid spontaneous human combustion. Okay, so this one isn’t security related, but it was pretty scary.

8. Even bigger DDoS attacks likely

The biggest ever Distributed Denial of Service (DDoS) attack took place earlier this year against antispam vigilante site Spamhaus. The attack was originally credited to a Dutch hacker, but apparently the true "mastermind" was a 15-year-old London boy, now in custody. The presentation included a very simple equation showing how with just a little effort the attack could have been ten or a hundred times as bad. All of the factors that went into the attack are still available to hackers, and can't be easily fixed. 30 terabyte per second DDoS attack, anyone?

7. NSA head promises truth

General Keith Alexander, head of the NSA, kicked off Black Hat with a keynote speech in which he promised nothing but the truth. "We need to hear your ideas," he said, "and you need to hear the facts." One heckler called the general a liar, and security confiscated an egg carton, but the audience was surprisingly accepting. I can't help but think we didn't get all the facts, though.

6. Don't trust email from friends

Phishing attacks spew spam to thousands or millions of people, hoping a few will be dumb enough to log into a fake bank site. Spear phishing is a more focused attack typically aimed at an individual with access to corporate assets. Scammers try to create an email that's apparently from a trusted source and that seems legitimate, so the victim will click on the poison link. New research shows that they can use your public tweets and other public posts to fine-tune such messages, mimicking your writing style. We used to warn against clicking links in messages from strangers; now you have to worry about links in messages apparently from friends.

5. Million browser botnet, cheap!

In order to launch a big Denial of Service attack, a botnet herder has to work hard getting malicious software installed on thousands of computers, right? Wrong. It turns out that by spending $50 (£30) or so on banner ads, researchers from WhiteHat Security managed to launch a DoS attack that successfully took down their test server. You may have been part of the test without even knowing it! The moment that ad showed up, your browser executed a snippet of JavaScript, and the attack left no traces behind.

4. Femtocell hackers capture cell traffic

I knew this would be a good talk when I saw the warning signs outside the hall saying "Cellular Interception Demonstration in Progress". Femtocells are sold as signal boosters, but they can be misused. The presentation demonstrated a hack (in real-time) that let researchers capture all traffic passing through an affected smartphone, including voice, text messages, even images sent via text. The presenters offered one possible solution: Halt the manufacture of femtocells. They plan to release a tool that will put the phone into airplane mode rather than connect to any femtocell.

3. Master Key hides Android hacks

It's totally true that even newbie hackers can disassemble, Trojanise, and reassemble any Android app, but the modified app doesn't have the original developer's certification. Using a weakness they've dubbed "Master Key", a group from Georgia Tech demonstrated multiple ways to modify a program yet have Android still verify it as unchanged. In effect, Android verifies one program but runs another. Maybe you thought you could haunt those non-authorised Android app stores as long as you make sure the developer certificate is valid? You thought wrong.

2. Security cameras not so secure

You install security cameras in your office to improve security, but doing so might have the opposite effect. Modern cameras let an administrator log in from anywhere to view the video feed. They also offer easy access for hacking, with seriously lame security. One session showed precisely how to gain full administrator and root access to four different popular brands of camera. The session culminated with an impressive demo in which the presenter set up a security camera to protect a bottle of beer, then hacked the camera and "stole" the beer. Note that with this level of access the hacker could get into other areas of your local network; very alarming!

1. Pwned iPhone

Nobody denies that Android phones are vastly easier targets for malware than iOS devices, which is one of the reasons I carry an iPhone. My sense of security was totally shattered by a talk demonstrating a technique to totally pwn an iPhone using a modified charging station. Dubbed Mactans (the scientific name of the black widow spider), this attack gives hackers complete and total control of your phone even after it's removed from the charger. The jaw-dropping demo started by hacking the iPhone and turning it off. Then, with nobody touching it, the phone turned on, swiped across for access, entered the passcode, and made a phone call. The lesson is very clear: Don't plug your phone into a charger you don't own!
