
The excitement is building for Black Hat USA 2017. To help attendees get the most out of the event, I’ve assembled just a few of the presentations that will no doubt make this year’s conference a memorable one.

These talks range in topic from mobile network vulnerabilities to breaking electronic door locks to new solutions for monitoring the traffic on your home network.

Here are seven talks from Black Hat USA 2017 you don’t want to miss. (These presentations aren’t ranked. Instead I’ve arranged them chronologically in the order in which they’ll appear at this year’s conference.)

1. Adventures in Attacking Wind Farm Control Networks

Speaker: Jason Staggs, security researcher at the University of Tulsa

Location: Lagoon ABCGHI

Date: Wednesday, July 26 | 10:30 am-10:55 am

Format: 25-Minute Briefings

Wind farms are becoming a leading source for renewable energy. Unfortunately, this increased reliance on wind energy makes wind farm control systems attractive targets for attackers.

In his talk, Dr. Jason Staggs explains how wind farm control networks work and how they can be attacked in order to negatively influence wind farm operations (e.g., wind turbine hijacking). He specifically investigates implementations of the IEC 61400-25 family of communications protocols (i.e., OPC XML-DA) using a two-year empirical study of wind farms based in the United States.

Dr. Staggs explains how these security assessments reveal that wind farm vendor design and implementation flaws have left wind turbine programmable automation controllers and OPC servers vulnerable to attack. Additionally, he presents proof-of-concept attack tools that are capable of exploiting wind farm control network design and implementation vulnerabilities.

2. Breaking Electronic Door Locks Like You’re on CSI: Cyber

Speaker: Colin O’Flynn, CEO/CTO at NewAE Technology, Inc.

Location: Mandalay Bay EF

Date: Wednesday, July 26 | 10:30 am-10:55 am

Format: 25-Minute Briefings

Breaking electronic locks looks so fun in the movies. You get your “tech wizard” member of the team to plug some gadget into the control panel on a locked door. Then the gadget scrolls through all the combinations until the door opens. The hardest part is figuring out what cool catch-phrase to use when you get the right combination.

Why can’t real life be like this? In his talk, Colin O’Flynn looks at a few consumer-grade electronic locks and aims to break them like you’d see in the movies (roughly). Along the way, he dissects the electronics of these locks and discusses multiple vulnerabilities that a hardware hacker could exploit in order to bypass them.

3. New Adventures in Spying 3G and 4G Users: Locate, Track & Monitor

Speakers: Altaf Shaik, researcher at TU Berlin; Andrew Martin, professor at the University of Oxford; Jean-Pierre Seifert, professor at TU Berlin; Lucca Hirschi, researcher at ETH Zürich; Ravishankar Borgaonkar, Oxford research fellow at the University of Oxford; and Shinjo Park, researcher at TU Berlin.

Location: Mandalay Bay GH

Date: Wednesday, July 26 | 11:15 am-12:05 pm

Format: 50-Minute Briefings

3G and 4G devices deployed worldwide are vulnerable to International Mobile Subscriber Identity (IMSI) catchers, aka “Stingrays.” The next generation 5G network may address user privacy issues related to the attack techniques employed by these IMSI catchers. But that’s still in the future. In this talk, Altaf Shaik, Andrew Martin, Jean-Pierre Seifert, Lucca Hirschi, Ravishankar Borgaonkar, and Shinjo Park introduce new attack vectors that enable tracking and activity monitoring of 3G and 4G mobile users.

The research team discusses a new flaw affecting the widely deployed cryptographic protocol used in 3G and 4G cellular networks. They discuss different methods to exploit this flaw using a low-cost setup, and they present several attacks to demonstrate these procedures’ impact on users with 3G and 4G devices. Lastly, they discuss countermeasures to address these privacy issues.

4. Hacking Hardware with a $10 SD Card Reader

Speakers: Amir Etemadieh, senior research scientist at Cylance; CJ Heres, cyber & information security researcher at Draper Laboratory; and student Khoa Hoang.

Location: Mandalay Bay EF

Date: Wednesday, July 26 | 1:30 pm-2:20 pm

Format: 50-Minute Briefings

Dumping firmware from hardware by utilizing a non-eMMC flash storage device can be a daunting task, requiring high-priced programmers, 15+ wires to solder (or a pricey socket), and dumps that contain extra data to allow for error correction. With the growing widespread use of eMMC flash storage, the process can be simplified to 5 wires and a cheap SD card reader/writer, allowing for direct access to the filesystem within flash through an interface similar to that of using an SD card.

In this presentation, Amir Etemadieh, CJ Heres, and Khoa Hoang show attendees how to identify eMMC flash storage chips, how to reverse engineer the in-circuit pinouts, and how to dump or modify the data within. They showcase the tips and tricks to properly reverse engineer hardware containing eMMC flash storage (without bricking) along with a clear explanation of the process from identification to programming. The presentation then finishes with a demonstration of the process along with a number of free SD to eMMC breakouts for attendees.

5. Sweet Security

Speaker: Travis Smith, principal security researcher at Tripwire

Location: Business Hall, Level 2, Station 7

Date: Wednesday, July 26 | 4:00 pm-5:20 pm

Format: Major Update (Arsenal)

Sweet Security is a network security monitoring and defensive tool that’s deployable on hardware as small as a Raspberry Pi. Using the power of Bro IDS and threat intelligence feeds, researchers can expose malicious network traffic; the resulting data is gathered and visualized with the ELK stack (Elasticsearch, Logstash, and Kibana). Going beyond detection, the device can implement blocking for specific devices on a granular level.

Sweet Security is capable of monitoring all network traffic with no infrastructure change and blocking unwanted traffic. It ships with Kibana dashboards as well as a new web administration UI. Even better, the installation can be separated between web administration and sensor. Attendees can expect to take away methodologies they can put to use right away, from dorm-room to datacenter.

6. Skype & Type: Keystroke Leakage over VoIP

Speakers: Alberto Compagno, researcher at Cisco Systems; Daniele Lain, M.Sc. at the University of Padua; Gene Tsudik, professor at the University of California, Irvine; and Mauro Conti, associate professor at the University of Padua.

Location: Lagoon ABCGHI

Date: Thursday, July 27 | 9:00 am-9:25 am

Format: 25-Minute Briefings

It is well-known that acoustic emanations of computer keyboards represent a serious privacy issue. As demonstrated in prior work, physical properties of keystroke sounds might reveal what a user is typing. However, previous attacks assumed physical proximity to the victim in order to place compromised microphones. Alberto Compagno, Daniele Lain, Gene Tsudik, and Mauro Conti argue that this is hardly realistic. They also observe that during VoIP calls, people often engage in secondary activities (including typing), thereby unintentionally giving potential eavesdroppers full access to their microphone. From these observations, they’ve built a new attack called Skype&Type (S&T) that involves VoIP software.

In this talk, the researchers present S&T and show that two very popular VoIP applications (Skype and Google Hangouts) convey enough audio information to reconstruct the victim’s input from keystroke noise. They present the architecture of S&T, which they’ve released as a tool to the community, in order to solicit contributions and to raise awareness of overlooked side channels.

7. And Then the Script-Kiddie Said, “Let There be No Light.” Are Cyber-Attacks on the Power Grid Limited to Nation-State Actors?

Speakers: Anastasis Keliris, PhD candidate at New York University; Charalambos Konstantinou, PhD candidate at New York University; and Mihalis Maniatakos, assistant professor at New York University Abu Dhabi

Location: South Seas ABE

Date: Thursday, July 27 | 3:50 pm-4:40 pm

Format: 50-Minute Briefings

To date, cyber-attacks against power systems are considered to be extremely sophisticated and only within the reach of nation-states. But through their presentation, Anastasis Keliris, Charalambos Konstantinou, and Mihalis Maniatakos challenge this perception and provide a structured methodology towards attacking a power system on a limited budget.

They demonstrate how to model and analyze a target power system using information obtained from the web and how attackers can use this information to model power systems throughout the globe.

Next, the researchers discuss a critical vulnerability they discovered in General Electric Multilin products widely deployed in power systems. They broke the homebrew encryption algorithm used by these protection and management devices to authenticate users and allow privileged operations. Knowledge of the passcode enables an attacker to completely pwn the device and disconnect sectors of the power grid at will, locking operators out to prolong the attack. They then discuss mitigation strategies, including the specific firmware update that addresses this vulnerability, and provide their thoughts on what they think the next steps in securing the power infrastructure should be.


Are there additional talks you don’t want to miss at Black Hat USA 2017? If so, please tell us in the comments!
