August 16, 2019 By Jasmine Henry

As Black Hat USA and DEF CON 2019 draw to a close, the security industry continues to buzz over events from the annual Las Vegas security week. Each year, nearly 20,000 security professionals, researchers and hackers convene on the Las Vegas strip for a week of cutting-edge security trainings, sessions and research. Black Hat and DEF CON sessions served up a shocking amount of internet of things (IoT) vulnerabilities and research on security best practices.

Whether you were on the ground on the Las Vegas strip or unable to attend, the biggest stories from these conferences can offer important security takeaways for the enterprise. Here are seven can’t-miss cybersecurity lessons from Vegas security week.

1. Cyberthreats in Your Mailroom

It’s true, the latest threat could be lurking in your mailroom. IBM X-Force Red explored how cybercriminals might exploit the era of next-day delivery by demonstrating a technique they named “warshipping.” Global Head of X-Force Red Charles Henderson explained how his team “investigated how cybercriminals might seek to exploit package deliveries to hack into corporate or personal home networks right from the office mailroom or from someone’s front door.”

Researchers spent less than $100 on off-the-shelf components to build a 3G, remote-enabled, single-board computer device that can be tucked into the bottom of packaging and delivered straight to a victim’s mailroom. When the device arrives, it can be remotely controlled to obtain a target’s wireless access, including hash data that can be remotely cracked.

Henderson advised businesses and individuals to “treat packages like they would a visitor” and consider using scanning devices for malicious tech-enabled devices in large corporate mailrooms.

2. Zero-Interaction Mobile Hacks

It’s now possible for cybercriminals to worm their way into a mobile device without actually interacting with the victim. In a presentation titled “Look No Hands! The Remote, Interaction-Less Attack Surface of the iPhone,” security engineer Natalie Silvanovich demonstrated fully remote, zero-interaction methods to hack iOS through SMS, MMS, Visual Voicemail, iMessage and Apple Mail. In other words, vulnerabilities in iOS 12.3 or older allow hackers to take control of an iPhone without the victim interacting with a malicious text message. Mobile devices compromised through these interactionless methods provide no signs to a victim that the device was hacked.

These critical flaws highlight the importance of updating all Apple mobile devices to iOS 12.4 immediately, whether your device is corporate or private. For enterprise security professionals, the era of interactionless, remote hacks is a clear sign to take control of your corporate mobile fleet and gain the ability to deploy OS updates as soon as they’re available.

3. Spoofed Satellite Navigation

At Black Hat USA, Victor Murray presented “Legal GNSS Spoofing and Its Effects on Self-Driving Vehicles,” demonstrating how global navigation system data can be spoofed to cause self-driving cars to stop, change directions or veer off the road. Murray spoofed global navigation data from the Global Navigation Satellite System (GNSS), revealing critical vulnerabilities in GPS navigation systems.

Murray explained in an interview that GNSS signals are low-power, and it’s not difficult to drown out GNSS broadcasts with fake data sets. GPS receivers lack built-in integrity mechanisms that can protect against such spoofing.

While this flashy hack may seem to have little impact on those who don’t own a self-driving car, Murray’s methods align with adversarial machine learning techniques. Cybercriminals can attempt to poison or flood legitimate data sets used for machine learning in the enterprise with fake data streams.

4. Vulnerabilities in Biometric Authentication

There was no shortage of biometric hack demonstrations during Vegas security week, including a presentation titled “Biometric Authentication Under Threat: Liveness Detection Hacking.” Researchers showed that it is possible to bypass authentication methods such as Face ID by simply putting a pair of eyeglasses modified with tape on the lenses over a victim’s face.

This hack is remarkably low-cost, but not exactly a widespread threat. To successfully use this tactic, a hacker would need to find a sleeping or unconscious victim and place the glasses without the victim noticing. While it’s likely not a meaningful risk to your enterprise, it’s a clear example of potential authentication vulnerabilities. If you don’t know weaknesses in your biometric systems, you could be at risk of spoofing.

5. Fake iPhone Cables

The security researcher known as MG, or Mike Grover, demonstrated a look-alike Lightning cable at DEF CON. The cable is a perfect doppelganger for an Apple device charger, but if plugged in, it can be used to hijack a smartphone or PC. The O.MG cable “looks like a legitimate cable, and works just like one. Not even your computer will notice a difference,” MG told Motherboard.

However, hackers can hijack the cable and device at will from a remote location due to an operating system flaw that detects cable inputs as a human interface device (HID). MG’s prototype isn’t widely available, thankfully, but he believes cable hacks that enable cybercriminals to remotely launch malware could be an underexplored area of security.

6. Smart Hotel Hacks

Black Hat USA researchers demonstrated a vulnerability in a popular IoT smart lock that is used in high-end European hotels. Increasingly, hospitality chains are switching to mobile-enabled IoT locks instead of key cards, which allow guests to unlock their rooms via a smartphone app. These smart locks rely on communication via Bluetooth Low Energy (BLE), which is common for IoT devices. Researchers used wireless sniffing to identify the lock system’s credential packet and gained access to hotel rooms.

The researchers provided limited information on which hotel chains were still using the vulnerable locks, highlighting challenges white-hat researchers face in the disclosure process. When it comes to IoT device vulnerabilities, there’s a need for researchers to disclose issues to vendors, manufacturers and, in some cases, end users. Community and cooperation were major themes during Vegas security week, and it’s clear that protecting your organization against IoT threats could require stronger cooperation with researchers, vendors and third-party security experts.

7. Stingray Surveillance

5G has arrived, but it’s not perfect. Researchers demonstrated flaws in the new mobile 5G standard, which was designed to stop the use of surveillance devices known as stingrays. Stingray devices are used to intercept phone calls or track the movements of mobile devices by creating fake cell towers that are indistinguishable from actual cell towers. A critical vulnerability in 5G implementations by mobile carriers allows a device’s network connection to be downgraded to vulnerable 4G or 3G connections.

There’s an active effort to close this gap in 5G implementations, but the lesson is clear. There’s no such thing as a silver bullet in security, and new standards are rarely perfect.

Cybersecurity Lessons From Vegas Security Week

IoT vulnerabilities were among the most shocking stories from Black Hat USA and other events during Vegas security week. As we consider potential risks lurking in the mailroom or interaction-less mobile vulnerabilities, it’s clear that endpoint visibility is key to surviving the threat vector. Understanding what’s on your network is key to protecting against critical vulnerabilities in both IoT and mobile endpoints.
