August 16, 2019 By Jasmine Henry 5 min read

As Black Hat USA and DEF CON 2019 draw to a close, the security industry continues to buzz over events from the annual Las Vegas security week. Each year, nearly 20,000 security professionals, researchers and hackers convene on the Las Vegas strip for a week of cutting-edge security trainings, sessions and research. Black Hat and DEF CON sessions served up a shocking amount of internet of things (IoT) vulnerabilities and research on security best practices.

Whether you were on the ground on the Las Vegas strip or unable to attend, the biggest stories from these conferences can offer important security takeaways for the enterprise. Here are seven can’t-miss cybersecurity lessons from Vegas security week.

1. Cyberthreats in Your Mailroom

It’s true, the latest threat could be lurking in your mailroom. IBM X-Force Red explored how cybercriminals might exploit the era of next-day delivery by demonstrating a technique they named “warshipping.” Global Head of X-Force Red Charles Henderson explained how his team “investigated how cybercriminals might seek to exploit package deliveries to hack into corporate or personal home networks right from the office mailroom or from someone’s front door.”

Researchers spent less than $100 on off-the-shelf components to build a 3G, remote-enabled, single-board computer device that can be tucked into the bottom of packaging and delivered straight to a victim’s mailroom. When the device arrives, it can be remotely controlled to obtain a target’s wireless access, including hash data that can be remotely cracked.

Henderson advised businesses and individuals to “treat packages like they would a visitor” and consider using scanning devices for malicious tech-enabled devices in large corporate mailrooms.

2. Zero-Interaction Mobile Hacks

It’s now possible for cybercriminals to worm their way into a mobile device without actually interacting with the victim. In a presentation titled “Look No Hands! The Remote, Interaction-Less Attack Surface of the iPhone,” security engineer Natalie Silvanovich demonstrated fully remote, zero-interaction methods to hack iOS through SMS, MMS, Visual Voicemail, iMessage and Apple Mail. In other words, vulnerabilities in iOS 12.3 or older allow hackers to take control of an iPhone without the victim interacting with a malicious text message. Mobile devices compromised through these interactionless methods provide no signs to a victim that the device was hacked.

These critical flaws highlight the importance of updating all Apple mobile devices to iOS 12.4 immediately, whether your device is corporate or private. For enterprise security professionals, the era of interactionless, remote hacks is a clear sign to take control of your corporate mobile fleet and gain the ability to deploy OS updates as soon as they’re available.

3. Spoofed Satellite Navigation

At Black Hat USA, Victor Murray presented “Legal GNSS Spoofing and Its Effects on Self-Driving Vehicles,” demonstrating how global navigation system data can be spoofed to cause self-driving cars to stop, change directions or veer off the road. Murray spoofed global navigation data from the Global Navigation Satellite System (GNSS), revealing critical vulnerabilities in GPS navigation systems.

Murray explained in an interview that GNSS signals are low-power, and it’s not difficult to drown out GNSS broadcasts with fake data sets. GPS receivers lack built-in integrity mechanisms that can protect against such spoofing.

While this flashy hack may seem to have little impact on those who don’t own a self-driving car, Murray’s methods align with adversarial machine learning techniques. Cybercriminals can attempt to poison or flood legitimate data sets used for machine learning in the enterprise with fake data streams.

4. Vulnerabilities in Biometric Authentication

There was no shortage of biometric hack demonstrations during Vegas security week, including a presentation titled “Biometric Authentication Under Threat: Liveness Detection Hacking.” Researchers showed that it is possible to bypass authentication methods such as Face ID by simply putting a pair of eyeglasses modified with tape on the lenses over a victim’s face.

This hack is remarkably low-cost, but not exactly a widespread threat. To successfully use this tactic, a hacker would need to find a sleeping or unconscious victim and place the glasses without the victim noticing. While it’s likely not a meaningful risk to your enterprise, it’s a clear example of potential authentication vulnerabilities. If you don’t know weaknesses in your biometric systems, you could be at risk of spoofing.

5. Fake iPhone Cables

The security researcher known as MG, or Mike Grover, demonstrated a look-alike Lightning cable at DEF CON. The cable is a perfect doppelganger for an Apple device charger, but if plugged in, it can be used to hijack a smartphone or PC. The O.MG cable “looks like a legitimate cable, and works just like one. Not even your computer will notice a difference,” MG told Motherboard.

However, hackers can hijack the cable and device at will from a remote location due to an operating system flaw that detects cable inputs as a human interface device (HID). MG’s prototype isn’t widely available, thankfully, but he believes cable hacks that enable cybercriminals to remotely launch malware could be an underexplored area of security.

6. Smart Hotel Hacks

Black Hat USA researchers demonstrated a vulnerability in a popular IoT smart lock that is used in high-end European hotels. Increasingly, hospitality chains are switching to mobile-enabled IoT locks instead of key cards, which allow guests to unlock their rooms via a smartphone app. These smart locks rely on communication via Bluetooth Low Energy (BLE), which is common for IoT devices. Researchers used wireless sniffing to identify the lock system’s credential packet and gained access to hotel rooms.

The researchers provided limited information on which hotel chains were still using the vulnerable locks, highlighting challenges white-hat researchers face in the disclosure process. When it comes to IoT device vulnerabilities, there’s a need for researchers to disclose issues to vendors, manufacturers and, in some cases, end users. Community and cooperation were major themes during Vegas security week, and it’s clear that protecting your organization against IoT threats could require stronger cooperation with researchers, vendors and third-party security experts.

7. Stingray Surveillance

5G has arrived, but it’s not perfect. Researchers demonstrated flaws in the new mobile 5G standard, which was designed to stop the use of surveillance devices known as stingrays. Stingray devices are used to intercept phone calls or track the movements of mobile devices by creating fake cell towers that are indistinguishable from actual cell towers. A critical vulnerability in 5G implementations by mobile carriers allows a device’s network connection to be downgraded to vulnerable 4G or 3G connections.

There’s an active effort to close this gap in 5G implementations, but the lesson is clear. There’s no such thing as a silver bullet in security, and new standards are rarely perfect.

Cybersecurity Lessons From Vegas Security Week

IoT vulnerabilities were among the most shocking stories from Black Hat USA and other events during Vegas security week. As we consider potential risks lurking in the mailroom or interaction-less mobile vulnerabilities, it’s clear that endpoint visibility is key to surviving the threat vector. Understanding what’s on your network is key to protecting against critical vulnerabilities in both IoT and mobile endpoints.
