August 16, 2019 By Jasmine Henry 5 min read

As Black Hat USA and DEF CON 2019 draw to a close, the security industry continues to buzz over events from the annual Las Vegas security week. Each year, nearly 20,000 security professionals, researchers and hackers convene on the Las Vegas strip for a week of cutting-edge security trainings, sessions and research. Black Hat and DEF CON sessions served up a shocking amount of internet of things (IoT) vulnerabilities and research on security best practices.

Whether you were on the ground on the Las Vegas strip or unable to attend, the biggest stories from these conferences can offer important security takeaways for the enterprise. Here are seven can’t-miss cybersecurity lessons from Vegas security week.

1. Cyberthreats in Your Mailroom

It’s true, the latest threat could be lurking in your mailroom. IBM X-Force Red explored how cybercriminals might exploit the era of next-day delivery by demonstrating a technique they named “warshipping.” Global Head of X-Force Red Charles Henderson explained how his team “investigated how cybercriminals might seek to exploit package deliveries to hack into corporate or personal home networks right from the office mailroom or from someone’s front door.”

Researchers spent less than $100 on off-the-shelf components to build a 3G, remote-enabled, single-board computer device that can be tucked into the bottom of packaging and delivered straight to a victim’s mailroom. When the device arrives, it can be remotely controlled to obtain a target’s wireless access, including hash data that can be remotely cracked.

Henderson advised businesses and individuals to “treat packages like they would a visitor” and consider using scanning devices for malicious tech-enabled devices in large corporate mailrooms.

2. Zero-Interaction Mobile Hacks

It’s now possible for cybercriminals to worm their way into a mobile device without actually interacting with the victim. In a presentation titled “Look No Hands! The Remote, Interaction-Less Attack Surface of the iPhone,” security engineer Natalie Silvanovich demonstrated fully remote, zero-interaction methods to hack iOS through SMS, MMS, Visual Voicemail, iMessage and Apple Mail. In other words, vulnerabilities in iOS 12.3 or older allow hackers to take control of an iPhone without the victim interacting with a malicious text message. Mobile devices compromised through these interactionless methods provide no signs to a victim that the device was hacked.

These critical flaws highlight the importance of updating all Apple mobile devices to iOS 12.4 immediately, whether your device is corporate or private. For enterprise security professionals, the era of interactionless, remote hacks is a clear sign to take control of your corporate mobile fleet and gain the ability to deploy OS updates as soon as they’re available.

3. Spoofed Satellite Navigation

At Black Hat USA, Victor Murray presented “Legal GNSS Spoofing and Its Effects on Self-Driving Vehicles,” demonstrating how global navigation system data can be spoofed to cause self-driving cars to stop, change directions or veer off the road. Murray spoofed global navigation data from the Global Navigation Satellite System (GNSS), revealing critical vulnerabilities in GPS navigation systems.

Murray explained in an interview that GNSS signals are low-power, and it’s not difficult to drown out GNSS broadcasts with fake data sets. GPS receivers lack built-in integrity mechanisms that can protect against such spoofing.

While this flashy hack may seem to have little impact on those who don’t own a self-driving car, Murray’s methods align with adversarial machine learning techniques. Cybercriminals can attempt to poison or flood legitimate data sets used for machine learning in the enterprise with fake data streams.

4. Vulnerabilities in Biometric Authentication

There was no shortage of biometric hack demonstrations during Vegas security week, including a presentation titled “Biometric Authentication Under Threat: Liveness Detection Hacking.” Researchers showed that it is possible to bypass authentication methods such as Face ID by simply putting a pair of eyeglasses modified with tape on the lenses over a victim’s face.

This hack is remarkably low-cost, but not exactly a widespread threat. To successfully use this tactic, a hacker would need to find a sleeping or unconscious victim and place the glasses without the victim noticing. While it’s likely not a meaningful risk to your enterprise, it’s a clear example of potential authentication vulnerabilities. If you don’t know weaknesses in your biometric systems, you could be at risk of spoofing.

5. Fake iPhone Cables

The security researcher known as MG, or Mike Grover, demonstrated a look-alike lightning cable at DEF CON. The cable is a perfect doppelganger for an Apple device charger, but if plugged in, it can be used to hijack a smartphone or PC. The O.MG cable “looks like a legitimate cable, and works just like one. Not even your computer will notice a difference,” MG told Motherboard.

However, hackers can hijack the cable and device at will from a remote location due to an operating system flaw that detects cable inputs as a human interface device (HID). MG’s prototype isn’t widely available, thankfully, but he believes cable hacks that enable cybercriminals to remotely launch malware could be an underexplored area of security.

6. Smart Hotel Hacks

Black Hat USA researchers demonstrated a vulnerability in a popular IoT smart lock that is used in high-end European hotels. Increasingly, hospitality chains are switching from key cards to mobile-enabled IoT locks, which allow guests to unlock their rooms via a smartphone app. These smart locks rely on communication via Bluetooth Low Energy (BLE), which is common for IoT devices. Researchers used wireless sniffing to identify the lock system’s credential packet and gained access to hotel rooms.

The researchers provided limited information on which hotel chains were still using the vulnerable locks, highlighting challenges white-hat researchers face in the disclosure process. When it comes to IoT device vulnerabilities, there’s a need for researchers to disclose issues to vendors, manufacturers and, in some cases, end users. Community and cooperation were major themes during Vegas security week, and it’s clear that protecting your organization against IoT threats could require stronger cooperation with researchers, vendors and third-party security experts.

7. Stingray Surveillance

5G has arrived, but it’s not perfect. Researchers demonstrated flaws in the new mobile 5G standard, which was designed to stop the use of surveillance devices known as stingrays. Stingray devices are used to intercept phone calls or track the movements of mobile devices by creating fake cell towers that are indistinguishable from actual cell towers. A critical vulnerability in 5G implementations by mobile carriers allows a device’s network connection to be downgraded to vulnerable 4G or 3G connections.

There’s an active effort to close this gap in 5G implementations, but the lesson is clear. There’s no such thing as a silver bullet in security, and new standards are rarely perfect.

Cybersecurity Lessons From Vegas Security Week

IoT vulnerabilities were among the most shocking stories from Black Hat USA and other events during Vegas security week. As we consider potential risks lurking in the mailroom or interaction-less mobile vulnerabilities, it’s clear that endpoint visibility is key to defending against these threat vectors. Understanding what’s on your network is key to protecting against critical vulnerabilities in both IoT and mobile endpoints.
