USA 2014: AppSec Grab Bag
They're all around us, just waiting to be hacked. Wi-Fi signals? Well, sure, but today we want to talk about embedded systems, the hackable internals in an ever-growing number of everyday devices. Cars, air conditioners, lighting systems... if it has electronic guts, it's probably hackable. Today's trio of Black Hat Briefing highlights explore this wild world of secretly vulnerable goods, from both attack and defense perspectives.
Modern cars are hackable; this we know. Unfortunately, thus far research has only been presented on three or four particular vehicles. Since each manufacturer designs its fleet differently, analysis of remote threats must avoid generalities. A Survey of Remote Automotive Attack Surfaces takes a step back and examines the automotive networks of many manufacturers from a security perspective. Now we can ask better questions: Are some cars more secure from remote compromise than others? And has automotive network security changed for the better over the last five years?
USB: The ubiquitous interface is a friend to everyone, at least when they can figure out which way to flip that darn connector. But ubiquity, of course, does not equal safety, which Karsten Nohl and Jakob Lell will prove with brutal aplomb in BadUSB - On Accessories that Turn Evil. They'll introduce a new form of malware that operates from controller chips inside USB devices. A full system compromise from USB? Sure. A self-replicating USB virus not detectable with current defenses? Why not. They'll wrap by diving into the USB stack, assessing where USB malware defense should set up shop.
Finally, in Breaking the Security of Physical Devices Silvio Cesare will describe a series of attacks on objects ranging from a car to a baby monitor to home alarm systems. The common thread here is that all his attacks are simple but effective. He'll also show you how to mitigate them, a lot of which comes down to buying the right goods, thus avoiding their easily broken competitors.
One and a half months until the event... time to lock down your travel plans. Regular registration ends on July 26. Please visit Black Hat USA 2014's registration page to get started.