Black Hat 2019 Insights
Black Hat USA marked its 22nd year in Las Vegas this August. Each year the conference gives hackers, researchers, cybersecurity vendors, and other practitioners a venue to share their insights on the evolving threat landscape and the countermeasures that might address it. As equipment manufacturers, designers, and developers continue to ship technologies with greater capabilities, they also introduce new targets for attackers hoping to find an exploitable vulnerability. As the Internet of Things (IoT) grows in size and scale, that ecosystem has become a prime target for cyber criminals. A recurring theme is that to close the gaps in IoT security, the devices and the systems built on them need to be hacked by the “good guys” before the “bad guys” can turn them to their advantage.
GNSS Spoofing Can Have Disastrous Implications
Victor Murray, Engineering Group Leader at the Southwest Research Institute (SwRI), walked the audience through the security weaknesses of Global Navigation Satellite Systems (GNSS). The number of interconnected systems that depend entirely on accurate GNSS data grows every year. Murray's central point was that the open civilian GNSS signals carry no authentication or integrity protection, so a receiver has no way to verify that the signals it is tracking, and the position and time it computes from them, have not been tampered with. As a result, GNSS is vulnerable to spoofing: transmitting counterfeit signals that the receiver accepts as authentic and uses to compute a false position or time.
Murray and his team followed the strict protocol and research requirements needed to build a spoofing test system that could be operated legally, and used it against Unmanned Ground Vehicles (UGVs). The test vehicles were fitted with autonomy kits that navigate by driving to GNSS waypoints. SwRI was able to manipulate the GNSS signals remotely and in real time, and through these attacks to steer the vehicles in several ways: under the test conditions they could force a vehicle to change lanes, to turn early or late, and even to nudge it off the road entirely. Their work highlights both the need for signal and data integrity mechanisms in future GNSS receivers and the need for manufacturers to address these weaknesses before any large-scale deployment of GNSS-guided vehicles.
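The talk did not publish the autonomy kit's code, so the following is an added example of the kind of receiver-side plausibility check an autonomy stack can apply when the signal itself cannot be authenticated. It is not SwRI's code. It assumes the stack has already projected fixes into a local metric frame (x east, y north, in metres) and has an independent speed source (wheel odometry); a fix is rejected when the speed it implies is physically impossible or disagrees with the wheels by more than a tolerance. The track data is constructed for the demo.

```c
#include <stdio.h>

/* One position fix after the autonomy stack has projected it into its
 * local metric frame (assumption for this example): x east, y north in
 * metres, t in seconds. */
struct gnss_fix { double t, x, y; };

/* Squared distance between two fixes in m^2; working with squares keeps
 * the check free of sqrt() and the math library. */
static double dist2_m2(const struct gnss_fix *a, const struct gnss_fix *b)
{
    double dx = b->x - a->x, dy = b->y - a->y;
    return dx * dx + dy * dy;
}

/* Plausibility check for one new fix against the previous accepted one.
 * odo_speed_mps comes from a sensor that does not depend on GNSS (wheel
 * odometry), tol_mps is the allowed disagreement and max_speed_mps the
 * vehicle's physical limit. Returns 1 if the fix is suspect, else 0. */
int fix_is_suspect(const struct gnss_fix *prev, const struct gnss_fix *cur,
                   double odo_speed_mps, double tol_mps, double max_speed_mps)
{
    double dt = cur->t - prev->t;
    if (dt <= 0.0)
        return 1;                                   /* time went backwards */
    double v2 = dist2_m2(prev, cur) / (dt * dt);    /* GNSS-implied speed^2 */
    if (v2 > max_speed_mps * max_speed_mps)
        return 1;                                   /* impossible jump */
    double hi = odo_speed_mps + tol_mps;
    double lo = odo_speed_mps - tol_mps;
    if (v2 > hi * hi)
        return 1;                                   /* GNSS faster than wheels */
    if (lo > 0.0 && v2 < lo * lo)
        return 1;                                   /* GNSS slower than wheels */
    return 0;
}

/* Walk a track; return the index of the first suspect fix, or -1. */
int first_suspect_fix(const struct gnss_fix *track, int n,
                      const double *odo_speed_mps,
                      double tol_mps, double max_speed_mps)
{
    for (int i = 1; i < n; i++)
        if (fix_is_suspect(&track[i - 1], &track[i], odo_speed_mps[i],
                           tol_mps, max_speed_mps))
            return i;
    return -1;
}

/* Constructed sample data: a vehicle driving due north at 15 m/s, one fix
 * per second, with wheel odometry reporting 15 m/s throughout. */
static const struct gnss_fix honest_track[4] = {
    {0.0, 0.0,  0.0},
    {1.0, 0.0, 15.0},
    {2.0, 0.0, 30.0},
    {3.0, 0.0, 45.0},
};
/* Same drive, but from t=2 the receiver is fed a counterfeit position
 * 27 m ahead of where the vehicle really is (a 42 m step in one second). */
static const struct gnss_fix spoofed_track[4] = {
    {0.0, 0.0,  0.0},
    {1.0, 0.0, 15.0},
    {2.0, 0.0, 57.0},
    {3.0, 0.0, 72.0},
};
static const double odo_speed[4] = {15.0, 15.0, 15.0, 15.0};

int check_honest_track(void)
{
    return first_suspect_fix(honest_track, 4, odo_speed, 3.0, 60.0);
}

int check_spoofed_track(void)
{
    return first_suspect_fix(spoofed_track, 4, odo_speed, 3.0, 60.0);
}

int main(void)
{
    printf("honest track:  first suspect fix = %d\n", check_honest_track());
    printf("spoofed track: first suspect fix = %d\n", check_spoofed_track());
    return 0;
}
```

The check catches an abrupt pull like the one in the sample data but not a slow drift that stays within the tolerance, which is exactly why cross-checks against other sensors are a stopgap and authenticated GNSS signals are the real fix.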
Electric Motor Systems Remain a Target
Vehicle hacking continued to be a topic of discussion at the conference, as a team from George Mason University showcased attacks on electric motor (EM) systems, which are used across an ever-growing range of markets. Matthew Jablonski and Dr. Duminda Wijesekera, working with the university's Radar and Radio Engineering Lab (RARE Lab), began by searching for points of compromise in the mechanisms that control the motion of modern motors. They found that the complexity of modern EM systems offers several such opportunities. However, it is only by identifying these potential threats that solutions to address them can be developed.
The team analyzed a wide range of EM systems, from drones and other transportation systems to fully fledged Supervisory Control And Data Acquisition (SCADA) systems operating in industrial and critical infrastructure markets. The failures they found ranged from loss of device control and deliberate component degradation to starting fires. It is the very nature of motors, and our collective dependence on them, that makes them a growing security challenge within the IoT: any cyberattack that reaches a motor bridges the gap between the digital and physical worlds and introduces the potential for tangible harm to people and property alike.
Vulnerabilities Remain in Mass-Deployed 4G Modules
The proliferation of IoT devices brings an increasing dependence on the communication modules inside them. Gao Shupeng, Huang Zheng, Xie Haikuo, and Zhang Ye, all members of the Baidu Security Lab in Beijing, China, researched the security of more than 15 different types of 4G communication modules. Their results showed that all of these modules suffer from similar security vulnerabilities. They demonstrated attacks ranging from injecting fraudulent commands into the module's AT command processing to spoofing over-the-air (OTA) firmware upgrades.
While those attacks require advanced technical knowledge, the modules also suffered from basic weaknesses such as weak passwords that can be brute-forced within a day. Despite this, the Baidu Security team pointed out several effective and relatively easy-to-implement countermeasures. Awareness of the attack surfaces where vulnerabilities can hide is the first step: organizations need to know which processes on the module are listening on open ports, and whether they need to be reachable at all. Finally, applying specific firewall rules to block unneeded inbound access mitigates roughly 90% of the vulnerabilities the team discovered.
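The talk summary above does not spell out how commands get injected into the AT channel, so here is an added example of one common route, written for this page rather than taken from the Baidu team's material. It assumes a firmware component that builds the standard AT+CGDCONT command (3GPP TS 27.007) from a user-editable APN field; because the module's AT interpreter ends a command at a carriage return, a field containing CR lets the user smuggle in a second command. The injected payload, the allowlist policy, and the helper names are all constructed for the demo.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed attacker input: closes the quoted APN, terminates the
 * command, and appends a second one (AT+CFUN=1,1 resets the modem). */
const char *INJECTED_APN = "x\"\rAT+CFUN=1,1";

/* Number of command lines the AT interpreter would see in buf
 * (each CR terminates one command). */
int at_line_count(const char *buf)
{
    int n = 0;
    for (; *buf; buf++)
        if (*buf == '\r')
            n++;
    return n;
}

/* Format the context-definition command. Returns -1 on truncation. */
static int format_cgdcont(char *out, size_t n, const char *apn)
{
    int len = snprintf(out, n, "AT+CGDCONT=1,\"IP\",\"%s\"\r", apn);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Vulnerable: interpolates the user-controlled field verbatim. */
int build_cgdcont_unsafe(char *out, size_t n, const char *apn)
{
    return format_cgdcont(out, n, apn);
}

/* Allowlist for an APN (constructed policy): letters, digits, '.', '-'.
 * Everything else, including CR/LF, quotes and backslashes, is rejected,
 * so no escaping logic is needed and none can be bypassed. */
static int apn_is_valid(const char *apn)
{
    size_t len = strlen(apn);
    if (len == 0 || len > 100)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)apn[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Hardened: refuse the field outright instead of trying to sanitise it. */
int build_cgdcont_safe(char *out, size_t n, const char *apn)
{
    if (!apn_is_valid(apn))
        return -1;
    return format_cgdcont(out, n, apn);
}

/* Demo helpers: how many commands reach the modem for a given APN with
 * each builder. 0 means the builder refused the input. */
int commands_sent_unsafe(const char *apn)
{
    char buf[256];
    if (build_cgdcont_unsafe(buf, sizeof buf, apn) != 0)
        return 0;
    return at_line_count(buf);
}

int commands_sent_safe(const char *apn)
{
    char buf[256];
    if (build_cgdcont_safe(buf, sizeof buf, apn) != 0)
        return 0;
    return at_line_count(buf);
}

int main(void)
{
    printf("unsafe builder, benign APN:   %d command(s)\n", commands_sent_unsafe("internet"));
    printf("unsafe builder, injected APN: %d command(s)\n", commands_sent_unsafe(INJECTED_APN));
    printf("safe builder, injected APN:   %d command(s)\n", commands_sent_safe(INJECTED_APN));
    return 0;
}
```

The same allowlist approach applies to any field that ends up inside an AT command (phone numbers, SMS text, PIN codes); what must never happen is that a CR or LF from outside reaches the serial channel unchecked.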
Processor Vulnerabilities Still Remain a Threat
When it comes to IoT security, one fundamental component ties all devices together: the processor. Unfortunately, processors are frequently overlooked when assessing potential cybersecurity threats. Thomas Roth and Josh Datko, co-founders of Keylabs, described how many of these processors, which form the foundation of the IoT, harbor considerable vulnerabilities, and why security at this layer is so often overlooked.
One of the primary reasons, they observed, is that many product developers and designers inherently trust that these devices “just work” and will perform their security duties exactly as advertised. Sadly, this is not always the case. Faults in processors have made their way into everything from bitcoin wallets and authentication tokens to security-focused hardware products. As part of their presentation, they walked through fault injection attacks on various IoT processors. More strikingly, they showed how these attacks can be carried out with equipment costing less than $100.
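The summary above does not show what a fault injection attack does to firmware logic, so here is an added example, not from the Keylabs talk, that models it in software. The fault model is an assumption: a glitch makes one chosen comparison report "equal" whatever its operands, standing in for a skipped conditional branch. A naive boot check with a single comparison boots a tampered image under a single fault, while a hardened version (digest recomputed, decision taken twice with complemented values, verdict encoded as a distinctive constant rather than 0/1) does not. The digest is a toy FNV-1a standing in for a real signature check, and the image bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed fault model: the glitch_target-th comparison made during a
 * check reports "equal" regardless of its operands. 0 means no fault. */
static int glitch_target = 0;
static int compare_count = 0;

static int glitched_equal(uint32_t a, uint32_t b)
{
    compare_count++;
    if (compare_count == glitch_target)
        return 1;                      /* fault: branch "taken" anyway */
    return a == b;
}

/* Toy image digest (FNV-1a); stands in for a real signature check. */
static uint32_t fnv1a(const uint8_t *p, size_t n)
{
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Verdicts are far-apart constants rather than 0/1: a single zeroed or
 * flipped bit cannot turn FAIL into OK. */
#define BOOT_OK   0x5A5A5A5Au
#define BOOT_FAIL 0xA5A5A5A5u

/* Naive: one comparison decides everything. */
uint32_t naive_check(const uint8_t *img, size_t n, uint32_t expected)
{
    if (glitched_equal(fnv1a(img, n), expected))
        return BOOT_OK;
    return BOOT_FAIL;
}

/* Hardened: recompute the digest, decide twice (the second time on the
 * complemented values) and require every decision to agree, so a single
 * fault can flip at most one of them. */
uint32_t hardened_check(const uint8_t *img, size_t n, uint32_t expected)
{
    uint32_t d1 = fnv1a(img, n);
    uint32_t d2 = fnv1a(img, n);
    uint32_t verdict = BOOT_FAIL;

    if (glitched_equal(d1, expected))
        verdict = BOOT_OK;
    if (!glitched_equal(~d2, ~expected))
        verdict = BOOT_FAIL;           /* second decision must agree */
    if (d1 != d2)
        verdict = BOOT_FAIL;           /* recomputation must agree */
    if (verdict != BOOT_OK)
        verdict = BOOT_FAIL;           /* anything but the exact pattern */
    return verdict;
}

/* Run one scenario; returns 1 if the device would boot the image. */
int would_boot(int hardened, int tampered, int glitch)
{
    static const uint8_t good[] = "firmware-v1";   /* constructed image */
    uint8_t img[sizeof good];
    memcpy(img, good, sizeof good);
    uint32_t expected = fnv1a(good, sizeof good);  /* provisioned value */
    if (tampered)
        img[0] ^= 0x01;                            /* one-bit modification */

    glitch_target = glitch;
    compare_count = 0;
    uint32_t v = hardened ? hardened_check(img, sizeof img, expected)
                          : naive_check(img, sizeof img, expected);
    return v == BOOT_OK;
}

/* 1 if no single fault on any comparison boots a tampered image. */
int hardened_resists_single_fault(void)
{
    for (int g = 1; g <= 4; g++)
        if (would_boot(1, 1, g))
            return 0;
    return 1;
}

int main(void)
{
    printf("naive, tampered, glitch on compare 1: boots=%d\n", would_boot(0, 1, 1));
    printf("hardened, tampered, any single glitch: resists=%d\n",
           hardened_resists_single_fault());
    return 0;
}
```

Real countermeasures add randomised delays, hardware monitors for voltage and clock, and signature checks done in hardware; the software patterns here only raise the number of precisely timed faults an attacker needs from one to several.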
Automotive Security Threats Continue to Evolve
Automotive security kept a substantial presence at the conference, with researchers from Tencent's KeenLab joining representatives from BMW for one session. Zhiqiang Cai, Aohui Wang, and Wenkai Zhang from KeenLab described the steps they took to compromise specific BMW models in ways that required no interaction from the end user whatsoever. After discovering these vulnerabilities, the KeenLab team followed responsible disclosure procedures and provided BMW with a detailed security assessment, which allowed BMW to develop and roll out fixes for all of the discovered vulnerabilities within 6 months.
KeenLab's initial compromises went through two separate internal components of the vehicle. The team first targeted the Head Unit, the car's infotainment system, through external interfaces such as the USB and On-Board Diagnostics-II (OBD-II) ports, gaining root access to the Head Unit and executing arbitrary commands within the vehicle's diagnostic service. They then moved on to the Telematics Control Unit, delivering an attack payload to it over HTTP and SMS by way of a counterfeit mobile network. The speakers closed by stressing the importance of multiple, redundant security checks throughout the automotive manufacturing process, as well as the need for responsible vulnerability discovery and disclosure practices.
VxWorks Zero Days Discovered
Ben Seri and Dor Zusman, security researchers at Armis, spoke about the vulnerabilities their team discovered in VxWorks. VxWorks is one of the oldest real-time operating systems still available and runs on more than 2 billion devices worldwide, ranging from hospital MRI machines to firewalls in critical infrastructure environments. Yet despite its age, only 13 CVEs related to VxWorks were listed in the National Vulnerability Database at the time of the talk.
The Armis researchers walked the audience through 11 critical zero-day vulnerabilities in VxWorks, which between them affect every VxWorks version released in the last 13 years. Six of the vulnerabilities allow remote code execution (RCE); the remaining five result in information leaks, denial of service, or logical flaws. The RCE vulnerabilities would allow an attacker to bypass traditional network security solutions and compromise any affected VxWorks device without requiring any form of user interaction. Armis stressed that the criticality of these vulnerabilities is amplified by how many VxWorks devices are deployed in medical settings.
Exploring the New World: Remote Exploitation of SQLite and Curl
Several members of the Tencent Blade Team spoke about vulnerabilities they discovered in two of the most widely used software libraries. Wenxiang Qian, YuXiang Li, and HuiYu Wu, senior security researchers on the Blade Team, presented their findings on the vulnerability sets they named “Magellan” and “Dias”, in SQLite and Curl respectively. These vulnerabilities have potential consequences for web servers, developer tools, and one of the most popular IoT devices in use today, Google Home.
Magellan is a set of three heap buffer overflow and heap data disclosure vulnerabilities in SQLite. Dias consists of two vulnerabilities in Curl: a remote memory leak and a stack buffer overflow. The team walked the audience through how they exploited these bugs and gave developers guidance on how to address them. They also responsibly disclosed their findings to a long list of affected companies, including Apple, Intel, Facebook, and Microsoft, along with mitigations for the affected products.
While the IoT has not traditionally been a primary focus of Black Hat, it has begun to make inroads at the conference. As new devices are introduced at a staggering pace, they become common targets for hackers looking for ways to compromise them. Unfortunately, the contest remains consistently one-sided: to prevent a breach, security professionals need to be aware of every potential vulnerability on every system, while to break that security an attacker needs to find only one that works.