SSL and privacy issues are no longer the exclusive conversation of crypto-geeks and tech-elite circles. In the wake of Edward Snowden and the massive surveillance of government institutions, mainstream media and consumers are becoming more concerned about their privacy. Consumer are now paying closer attention to how data is encrypted on the web and ensuring the confidentiality of digital transactions.
However, what many don’t yet realize is that our personal safety could be impacted when cryptography is not implemented properly. Craig Young, Security Researcher at Tripwire’s VERT team, has been identifying SSL implementation failures in a variety of mobile applications, including the Uber Android client.
He has identified various situations where poor SSL implementations combined with inherent weaknesses in the 802.11 WiFi standards create weaknesses that can be exploited by attackers with devastating real-world consequences.
To illustrate, we have created a short video that demonstrates how a simple hack with a Pineapple WiFi can be used to abduct, stalk, spy on or even physically harm unsuspecting victims:
Young will be presenting his new security research at DEF CON 22 Wireless Village. The conference will take place August 7-10, 2014, at the Rio Hotel and Casino in Las Vegas, Nevada.
Session attendees will learn:
- A general strategy for confirming that an SSL-based application performs appropriate certificate validation
- How to recognize and examine trust manager implementations within a compiled Android APK
- What types of applications are most at-risk
- Tactics to minimize exposure to 802.11 protocol design flaws, which enable man-in-the-middle attacks
Young is an award-winning cybersecurity researcher, who has uncovered multiple router security flaws, Google authentication vulnerabilities, and has filed numerous CVEs. His research and commentary have been featured in many top publications, including CNN Money, Forbes, Yahoo! News and BBC Online.
What: Pineapple Abduction
Who: Craig Young, security researcher, Tripwire VERT
When: Friday, August 8, 2014 – 6:00 PM