As Black Hat USA and DEF CON 2019 draw to a close, the security industry continues to buzz over events from the annual Las Vegas security week. Each year, nearly 20,000 security professionals, researchers and hackers convene on the Las Vegas strip for a week of cutting-edge security trainings, sessions and research. Black Hat and DEF CON sessions served up a shocking amount of internet of things (IoT) vulnerabilities and research on security best practices.
Whether you were on the ground on the Las Vegas strip or unable to attend, the biggest stories from these conferences can offer important security takeaways for the enterprise. Here are seven can’t-miss cybersecurity lessons from Vegas security week.
1. Cyberthreats in Your Mailroom
It’s true, the latest threat could be lurking in your mailroom. IBM X-Force Red explored how cybercriminals might exploit the era of next-day delivery by demonstrating a technique they named “warshipping.” Global Head of X-Force Red Charles Henderson explained how his team “investigated how cybercriminals might seek to exploit package deliveries to hack into corporate or personal home networks right from the office mailroom or from someone’s front door.”
Researchers spent less than $100 on off-the-shelf components to build a 3G, remote-enabled, single-board computer device that can be tucked into the bottom of packaging and delivered straight to a victim’s mailroom. When the device arrives, it can be remotely controlled to obtain a target’s wireless access, including hash data that can be remotely cracked.
Henderson advised businesses and individuals to “treat packages like they would a visitor” and consider using scanning devices for malicious tech-enabled devices in large corporate mailrooms.
2. Zero-Interaction Mobile Hacks
It’s now possible for cybercriminals to worm their way into a mobile device without actually interacting with the victim. In a presentation titled, “Look No Hands! The Remote, Interaction-Less Attack Surface of the iPhone,” security engineer Natalie Silvanovich demonstrated fully remote, zero-interaction methods to hack iOS through SMS, MMS, Visual Voicemail, iMessage and Apple Mail. In other words, vulnerabilities in iOS 12.3 or older allow hackers to take control of an iPhone without the victim interacting with a malicious text message. Mobile devices compromised through these interactionless methods provide no signs to a victim that the device was hacked.
These critical flaws highlight the importance of updating all Apple mobile devices to iOS 12.4 immediately, whether your device is corporate or private. For enterprise security professionals, the era of interactionless, remote hacks is a clear sign to take control of your corporate mobile fleet and gain the ability to deploy OS updates as soon as they’re available.
3. Spoofed Satellite Navigation
At Black Hat USA, Victor Murray demonstrated “Legal GNSS Spoofing and Its Effects on Self-Driving Vehicles,” — in other words, how global navigation system data can be spoofed to cause self-driving cars to stop, change directions or veer off the road. Murray spoofed global navigation data from the Global Navigation Satellite System (GNSS), revealing critical vulnerabilities in GPS navigation systems.
Murray explained in an interview that GNSS signals are low-power, and it’s not difficult to drown out GNSS broadcasts with fake data sets. GPS receivers lack built-in integrity mechanisms that can protect against such spoofing.
While this flashy hack may seem to have little impact on those who don’t own a self-driving car, Murray’s methods align with adversarial machine learning techniques. Cybercriminals can attempt to poison or flood legitimate data sets used for machine learning in the enterprise with fake data streams.
4. Vulnerabilities in Biometric Authentication
There was no shortage of biometric hack demonstrations during Vegas security week, including a presentation titled “Biometric Authentication Under Threat: Liveness Detection Hacking.” Researchers showed that it is possible to bypass authentication methods such as Face ID by simply putting a pair of eyeglasses modified with tape on the lenses over a victim’s face.
This hack is remarkably low-cost, but not exactly a widespread threat. To successfully use this tactic, a hacker would need to find a sleeping or unconscious victim and place the glasses without the victim noticing. While it’s likely not a meaningful risk to your enterprise, it’s a clear example of potential authentication vulnerabilities. If you don’t know weaknesses in your biometric systems, you could be at risk of spoofing.
5. Fake iPhone Cables
The security researcher known as MG, or Mike Grover, demonstrated a look-alike lightning cable at DEF CON. The cable is a perfect doppelganger for an Apple device charger, but if plugged in, it can be used to hijack a smartphone or PC. The O.MG cable “looks like a legitimate cable, and works just like one. Not even your computer will notice a difference, ” MG told Motherboard.
However, hackers can hijack the cable and device at will from a remote location due to an operating system flaw that detects cable inputs as a human interface device (HID). MG’s prototype isn’t widely available, thankfully, but he believes cable hacks that enable cybercriminals to remotely launch malware could be an underexplored area of security.
6. Smart Hotel Hacks
Black Hat USA researchers demonstrated a vulnerability in a popular IoT smart lock that is used in high-end European hotels. Increasingly, hospitality chains are switching to mobile-enabled IoT locks instead of key cards, which allow guests to unlock their rooms via a smartphone app. These smart locks rely on communication via Bluetooth Low Energy (BLE), which is common for IoT devices. Researchers used wireless sniffing to identify the lock system’s credential packet and gained access to hotel rooms.
The researchers provided limited information on which hotel chains were still using the vulnerable locks, highlighting challenges white-hat researchers face in the disclosure process. When it comes to IoT device vulnerabilities, there’s a need for researchers to disclose issues to vendors, manufacturers and, in some cases, end users. Community and cooperation were major themes during Vegas security week, and it’s clear that protecting your organization against IoT threats could require stronger cooperation with researchers, vendors and third-party security experts.
7. Stingray Surveillance
5G has arrived, but it’s not perfect. Researchers demonstrated flaws in the new mobile 5G standard, which was designed to stop the use of surveillance devices known as stingrays. Stingray devices are used to intercept phone calls or track the movements of mobile devices by creating fake cell towers that are indistinguishable from actual cell towers. A critical vulnerability in 5G implementations by mobile carriers allows a device’s network connection to be downgraded to vulnerable 4G or 3G connections.
There’s an active effort to close this gap in 5G implementations, but the lesson is clear. There’s no such thing as a silver bullet in security, and new standards are rarely perfect.
Cybersecurity Lessons From Vegas Security Week
IoT vulnerabilities were among the most shocking stories from Black Hat USA and other events during Vegas security week. As we consider potential risks lurking in the mailroom or interaction-less mobile vulnerabilities, it’s clear that endpoint visibility is key to surviving the threat vector. Understanding what’s on your network is key to protecting against critical vulnerabilities in both IoT and mobile endpoints.