In my previous post, I spoke about all of the different DEFCON villages where attendees can learn about and purchase all sorts of fun hacking/counter hacking tools. Even so, I covered only a small fraction of the activities at the conference. For example, attendees have the opportunity to participate in a lot of contests run over the weekend, including various capture the flags events. One, in particular, caught my eye because I wrote a post about this a few years ago; it was called “Hospital Under Siege.” In this contest, security professionals are tasked with locating and rooting out the bad guys who have taken over various medical devices in a simulated hospital in order to disrupt patient care. Such contests are extremely relevant today considering that hospitals continue to be an easy target for hackers.
Then there are the presentations themselves. “Duplicating Restricted Mechanical Keys” of course caught my attention due to my fascination with lock picking. (Your locks, by the way, are not as secure as you might imagine….) I also attended a presentation by a teen fresh out of high school in which he discussed how he was able to exploit weaknesses in various educational software providers to gain access (and potentially change grades) to student information.
One that hit close to home at DEFCON this year was “MOSE: Using Configuration Management For Evil.” This was a discussion of tools used to provision software and of how MOSE can leverage these tools to distribute their own malicious payloads. Given that these tools have the keys to the kingdom, so to speak, the potential for damage is enormous.
Ron Wyden, U.S. Senator for the State of Oregon, was in town to deliver a speech on the privacy abuses and failures of the telecom industry. There was a session on how it’s not always bugs that are the issue in software or hardware exploits. Sometimes it’s just bad design. That provides an excellent seg-way to some of the sessions I attended around ICS issues. In those presentations, the central message was the same: security is often an afterthought if it’s given any thought at all.
For instance, there was a session on “Backdooring Hardware Devices by Injecting Malicious Payloads on Microcontrollers.” The speakers talked about hacking elevators, cars, industrial systems and even your fridge (which I talked about back in 2014 here). The fact that IoT and IIoT are still problems that need to be addressed gives me the warm and fuzzies…or at least a strong sense of job security….
Another research team did a presentation on what they called “HVACking: Understand the Difference Between Security and Reality.” They had found a zero-day exploit in a common building controller and were able to manipulate temperature controls and other critical components. If used in the real world, that exploit would have enabled the hacker to cause damage to critical industrial systems or data centers.
I don’t want to sound all doom and gloom because these were just a few of the sessions I was able to attend. At any given hour, I had the chance to attend talks within four speaker tracks where experts spoke in front of packed rooms about all sorts of threats and exploits that would make you want to curl up into a fetal position and cry. However, the beautiful thing about DEFCON and even the more corporatized Black Hat is that all of these presentations are designed to illuminate these things so that we can try to do something about them. Now, of course, it’s up to the designers and manufacturers to actually listen to what is being said during this week of cyber-apocalypse, but for the most part, I find myself getting excited by the research that is being done and the counter-measures that are devised as a result of these sessions.
Many a sticker and T-shirt bearing the words “Hacking is not a crime” were seen over the weekend. This message is true. Curiosity is a good thing. Just like learning to pick locks might make me fearful for the security of my stuff because now I see how easy it is, at the same time I am now aware of these vulnerabilities and can take steps to mitigate or put my defense in depth into place.
There is no magic software or hardware that is going to solve all security problems all the time. It takes a layered approach with an eye on realistic threat vectors and ways to mitigate things that can’t be immediately addressed. So go forth and hack. Do your research and contribute your findings to the security community. I hope to see you someday up on the DEFCON stage.