LAS VEGAS -- Prior to Wednesday's opening keynote by National Security Agency Director General Keith B. Alexander, Black Hat conference founder Jeff Moss commented that he hadn't seen the sort of tension that now exists in the security community since the "encryption wars" of the early 1990's.
That tension was evident not only in the mixed audience reaction to Alexander's talk, but also in the nature of several zero-day vulnerabilities being announced at Black Hat 2013, the sixteenth annual U.S. gathering of security researchers and corporate security practitioners.
While Alexander in his address sought to allay the existing suspicions of a standing-room-only collection of security experts by delivering what he called "the facts," new suspicions arose; hours before Alexander took to the stage, U.K.-based The Guardian released the latest leaked information from Edward Snowden, offering the first information about a previously unknown secret Internet surveillance program.
As The Guardian reported, this program, called XKeyscore, gives analysts access to what leaked agency documents claimed were "nearly everything a typical user does on the Internet." While Alexander claimed that every move the NSA makes to monitor electronic communications is subject to clear governmental oversight, The Guardian's story indicated that XKeyscore operations required no such oversight, even if the two specific programs Alexander was discussing did.
From the back of Alexander's keynote room, a heckler shouted, "You lied to Congress. Why would we believe you're not lying to us right now?" Alexander responded by encouraging the heckler to read the transcript of his congressional testimony. And, on the whole, Alexander's message was well-received, or at least warmly applauded, by most of the audience.
Hackable smart devices
While Alexander defended U.S. surveillance of American citizens, claiming it's a necessity in a world threatened by what he called "terrorists among us," SeungJin "Beist" Lee showed attendees the possibilities of another sort of surveillance: how cameras and microphones on smart TVs (there were more than 80 million sold worldwide last year, according to Lee) can be turned into state-of-the-art snooping devices by malicious hackers.
"I don't care about being watched," said Lee, an independent researcher based in Korea, "but I worry about my family and my girlfriend."
In a separate session, Tom Ritter, Doug DePerry and Andrew Rahimi, all researchers at San Francisco-based security firm iSEC Partners, demonstrated the downsides of femtocell devices, which are used to boost cell phone reception in homes and offices.
The devices, which offer up to six cellular device users a connection that is then backhauled to the carrier's network over the Internet using an SSL connection, run an embedded version of Linux that the research team was able to root. The researchers' modified femtocell box makes it possible to intercept and record traffic traveling to and from any phones associated with the device.
"Your phone will associate with a femtocell automatically and without your knowledge. This is not like joining a Wi-Fi network -- you don't have a choice," Ritter said. "In fact, there may be some of you with phones that are connected to our network right now." Referring to notices posted on the doors leading into the session room, he noted: "The signs out front are not just for show. You might want to put your phone in airplane mode."
The iSEC team's research centered on femtocells used on the Verizon network, meaning the vulnerability could be exploited against as many as one in three American cellular customers, according to the speakers. Ritter noted that Samsung, the manufacturer of the femtocell device that the researchers modified, has since provided a patch for the vulnerabilities his team used to gain root access to the device.
The trio then performed live demonstrations in which voice traffic, text messages and the data transmission of a digital image were intercepted and played back to the audience.
Though it was possible to patch the compromised femtocell units, the team said they felt the overall approach was flawed, insofar as it puts a piece of hardware with direct access to the provider's network into the hands of potentially malicious actors. They prefer an approach that uses the Wi-Fi capabilities within phones to handle these sorts of calls. Meanwhile, smartphones will pair with whatever cell tower or femtocell device is currently sending the strongest signal. While some phones will display a small icon indicating the phone is paired with a femtocell, many, including iPhones, will give no indication.
Long-distance factory attacks
Several sessions at Black Hat 2013 focused on attacks against the embedded control devices used to operate valves, sensors and the like in industrial settings. One creative and disconcerting set of related vulnerabilities, uncovered by two researchers at IOActive Inc., allows attackers to manipulate radio-controlled devices at distances of up to 40 miles.
Researchers Lucas Apa and Carlos Penagos can wirelessly attack a factory's control system from 40 miles away.
"There are some cryptographic problems, some problems with the communications among the devices, that allow you to break into the network of these industrial wireless sensors," said Lucas Apa, a security researcher and consultant who worries about the implications of these vulnerabilities for the oil fields of his native Argentina. "We were looking for a new way to compromise these facilities. We found these devices and some of them have strong radio signals, so you are able to communicate with them from a distance of 40 miles away."
According to Apa and his co-presenter Carlos Penagos, a senior security researcher and consultant for Seattle-based IOActive, the way that keys are handled in these devices is different from typical key management in business networks. Generally speaking, these devices use the IEEE 802.15.4 standard, layering proprietary security controls on top of the lower-level protocols.
Unlike the attacks shown in many other sessions, these vulnerabilities are not patched yet. "This impacts a lot of facilities around the world," Penagos said.
"We are talking about generating big monetary losses or causing explosions," Apa added. Because of these risks, the researchers will not be releasing details of the workings of their attacks.
"This is bad," Apa bluntly said.