Defcon 2017 Roundup: 7 Lessons for Information Security Professionals
Published August 3, 2017 by Karen Walsh • 6 min read
The country’s biggest annual hacker meeting is over, and the DEFCON 2017 roundup stories are filtering across the internet. DEFCON first opened its doors in 1993. What started as a farewell celebration for a network that was going to shut down has, twenty-four years later, turned into the premier gathering of hackers. After the best in the hacking business, black hat or not, showed up in Las Vegas this year, lessons for the information security world abound.
Defcon 2017 Roundup Lesson 1: Malicious Hackers Will Exploit Old Stuff
The most important general news item to come out of DEFCON 2017 is that attendees at its voting machine hacking village were able to exploit real voting machines in under two hours. The hacks ranged from physically taking the machines apart to turning one into a music player. International attackers are not going to fly to the United States to disassemble machines, but the speed and ease of the compromises shows how exposed the devices are, and that exposure could be used for ongoing attacks.
More concerning for many readers, these voting machines are less protected than the average laptop. Most of the devices were bought secondhand on eBay, and only one had actually been decommissioned; the others are models of the kind still in service. As concern over interference in the 2016 election grows, DEFCON showed how quickly such interference could be carried out.
Much of what the attackers needed, such as manuals and previously published weaknesses, was found with a Google search. The big lesson for the information security community is that an outdated wireless interface is a serious vulnerability: a WiFi radio running a deprecated protocol is an entry point that does not require the attacker to touch the machine. As malicious hackers become more capable, everyone, government or not, needs to be alert to the dangers of remote compromise.
Defcon 2017 Roundup Lesson 2: Physical Safety Is Just as Vulnerable
Just when we thought our homes were safe, Nathan Seidle of SparkFun Electronics proved everyone wrong. He bought a SentrySafe of the kind sold at Home Depot and set a robot to the task of cracking it.
Seidle’s robot cost approximately $200 to build. Driven by an Arduino microcontroller and controlled remotely, it attaches to the outside of the safe with magnets and turns the dial for the attacker. According to the Mashable article,
“No matter how much money you spend on a safe, nothing is impervious,” noted Seidle. Which, well, was basically music to the crowd’s ears.
For those in the security world, the real lesson is that physical security deserves as much attention as electronic security. As physical locks rely more on technology, and as the tools for attacking them become cheaper and more capable, the risk to premises grows. Information security professionals must focus on their system controls, but they cannot ignore the implications for physical security.
Defcon 2017 Roundup Lesson 3: Your Processor May Be Your Vulnerability
Premiered at DEFCON, sandsifter is a fuzzer for the processor itself. Created by Battelle researcher and white-hat hacker Chris Domas, it feeds candidate byte strings to an x86 CPU, records which ones the chip accepts as instructions and how many bytes it consumes for each, and compares that against what a disassembler built from the documentation expects. Any disagreement points to an undocumented instruction or to a bug in the chip or the disassembler.
The x86 instruction set dates back to the Intel 8086 of 1978, and four decades of backwards compatibility are layered into current chips. In his whitepaper, Domas notes that a systematic search of that instruction space can surface flaws that are built into the hardware itself.
Domas’s whitepaper continues,
Whereas the techniques for finding bugs, secrets, backdoors in software are well studied and established, similar techniques for hardware are non-existent. This is troubling, in that it is the processor that enforces the security of the system, and is ultimately the system’s most trusted component. It seems necessary to stop treating a processor as a trusted black box for running software, and instead develop systematic tools and approaches for auditing processors, in much the same way that we can audit software.
With so many options for integrity controls at the operating system and application layers, hardware is often left out of the threat model. Security professionals need to be more aware of the vulnerabilities inherent in the chips they run on. x86 is the dominant architecture in PCs and servers, so a flaw in how it decodes instructions has repercussions for almost every business.
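To make the search idea concrete, here is an added toy illustration of the enumeration strategy sandsifter calls tunneling (example code written for this page, not sandsifter's own). The real tool uses the CPU as its oracle, placing each candidate across a page boundary and reading the fault address to learn how many bytes the decoder consumed; here the "silicon" is a hand-written toy decoder so the script runs anywhere, and the toy ISA, the undocumented opcode 0F C7 and the length bug in opcode 6E are invented for the example. The scan walks the space using the hardware's consumed-length as its guide and reports every place where the hardware and the documented decoder disagree, which is the kind of finding sandsifter produces.

```python
"""Toy model of the sandsifter-style "tunneling" search over instruction space.

Added illustration, not sandsifter's code.  The real tool runs each candidate
on the CPU and learns how many bytes the decoder consumed from where a page
fault lands; here the "silicon" is a hand-written toy decoder so the script
runs anywhere.  The toy ISA, the undocumented opcode 0F C7 and the length bug
in opcode 6E are invented for this example.
"""
from typing import Callable, Dict, Iterator, Tuple

MAX_LEN = 3                  # longest instruction in the toy ISA (x86: 15)
Decode = Tuple[bool, int]    # (valid, number of bytes the decoder consumed)


def manual_decode(b: bytes) -> Decode:
    """What the documentation (and a disassembler built from it) says."""
    op = b[0]
    if op == 0x0F:                     # escape byte: two-byte opcode map
        op2 = b[1]
        if op2 < 0x80:
            return True, 2
        if op2 < 0xC0:
            return True, 3             # 0F xx imm8
        return False, 2                # both bytes read, then #UD
    if op < 0x40:
        return True, 1                 # one-byte opcode
    if op < 0x60:
        return True, 2                 # op imm8
    if op < 0x70:
        modrm = b[1]                   # op modrm [disp8]: length depends on modrm
        return True, 3 if modrm & 7 == 5 else 2
    return False, 1                    # undefined opcode, #UD after one byte


def silicon_decode(b: bytes) -> Decode:
    """What the (toy) hardware actually does: the manual plus two surprises."""
    if b[0] == 0x0F and b[1] == 0xC7:
        return True, 3                 # undocumented instruction with imm8
    if b[0] == 0x6E:
        return True, 1                 # decoder bug: modrm byte ignored
    return manual_decode(b)


def tunnel(length_of: Callable[[bytes], int], max_len: int = MAX_LEN) -> Iterator[bytes]:
    """Yield candidates, only ever varying bytes the decoder actually consumed.

    Invariant: every byte past `marker` is zero.  When the hardware consumes
    more bytes than the marker covers, push the marker to the last consumed
    byte; otherwise increment the byte under the marker and carry into the
    previous byte when it wraps past 0xFF.  Bytes the decoder never reads are
    never enumerated, which is what keeps the search tractable.
    """
    inst = bytearray(max_len)
    marker = 0
    while True:
        cur = bytes(inst)
        yield cur
        consumed = length_of(cur)
        if consumed - 1 > marker:
            marker = consumed - 1
        while inst[marker] == 0xFF:    # carry into the previous byte
            inst[marker] = 0
            marker -= 1
            if marker < 0:
                return
        inst[marker] += 1


def scan(hardware: Callable[[bytes], Decode],
         manual: Callable[[bytes], Decode],
         max_len: int = MAX_LEN) -> Tuple[Dict[bytes, Tuple[Decode, Decode]], int]:
    """Walk the space with the hardware as oracle; report where the manual disagrees.

    Returns ({opcode prefix: (hardware verdict, manual verdict)}, probes made).
    """
    findings: Dict[bytes, Tuple[Decode, Decode]] = {}
    probes = 0
    for inst in tunnel(lambda b: hardware(b)[1], max_len):
        probes += 1
        hw, doc = hardware(inst), manual(inst)
        if hw != doc:
            key = inst[:min(hw[1], doc[1])]   # shortest prefix both decoders read
            findings.setdefault(key, (hw, doc))
    return findings, probes


if __name__ == "__main__":
    found, n = scan(silicon_decode, manual_decode)
    print(f"{n} probes instead of {256 ** MAX_LEN} exhaustive")
    for prefix, (hw, doc) in sorted(found.items()):
        print(prefix.hex(" "), "hardware:", hw, "manual:", doc)
```

Running the script probes roughly 150,000 candidates rather than the 16.7 million an exhaustive three-byte sweep would need, and reports exactly the two planted discrepancies: the hardware executes 0F C7 although the manual calls it undefined, and it consumes one byte for 6E where the manual says two or three. On a real CPU the same disagreement between silicon and disassembler is what sandsifter flags for a human to investigate.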
Defcon 2017 Roundup Lesson 4: Your Health IoT Can Be Deadly
On Friday, Daniel Regalado presented “Inside the Alaris Infusion Pump, Not Too Much Medication Por Favor!” Infusion pumps deliver medication, fluids, blood, and blood products to adult, pediatric, and neonatal patients, and lives depend on them. As pumps proliferate, they become more attractive targets.
Regalado showed that infusion pumps not only expose personally identifiable information but are also vulnerable to ransomware-style attacks that hold patients’ lives in the balance. In his demonstration, an attacker could change the device’s PIN and then make the pump do whatever the attacker wanted. A hospital may have anywhere from 400 to 1,000 pumps, so a single attack could endanger many lives at once.
Moreover, even attackers focused only on information could use the pumps as a foothold in the hospital network, where they could read patient records or destroy files.
Although Regalado’s demonstration required physical access to the pumps, he was adamant that remote access is the next logical step. With the rise of the Internet of Things, that step may not be far off.
Given the impact WannaCry had on the UK’s National Health Service, compromised medical devices may be the most serious threat the security industry faces. Information security professionals in healthcare need to make sure they are working toward better protections.
Defcon 2017 Roundup Lesson 5: Artificial Intelligence Can Make Us More Accurate and Efficient
Garry Kasparov, the former world chess champion who lost to IBM’s Deep Blue computer in 1997, tried to allay fears that AI would take over the world and ruin humanity. In his speech, he said that Deep Blue was “as intelligent as an alarm clock though losing to a $10m (£7.6m) alarm clock did not make me feel any better.”
More importantly, he argued that while intelligent machines have begun to replace human jobs, this does not mean the end of a human workforce: technology kills jobs before it creates them, and people’s skills are then used more efficiently.
In the long term, AI will require people to help it reach its maximum productivity. Smart machines can be smart only when there are people working with them. This means that AI will allow us to be not only more efficient but also more accurate.
For security professionals, this means embracing the help technology can provide. Using AI and machine learning can protect our systems more efficiently.
Defcon 2017 Roundup Lesson 6: Everyday Products Are Risky
Between a car wash that can be hacked to damage a car and a Tesla that can be disabled, connected everyday products are risky propositions from a security standpoint. In their demonstration, Billy Rios and Jonathan Butts hacked an automated car wash. Their hack, done with the owner’s permission, closed the bay door on a car’s hood repeatedly.
Beyond attacking one specific car wash remotely, they used the internet to find 150 other similarly exposed locations. Their demonstration showed that they could guess the usernames and passwords used by car wash owners, and also override the safety features that keep the robotic arm from touching vehicles. That let them remotely shut both doors of the wash and drive the arm into a car. They did not demonstrate this with a driver in the car, but the attack could certainly be used against a car and its occupant.
Moreover, though Tesla has patched the security issues found in its Model S, the cars are not foolproof. Last year, Tencent’s Keen Security Lab found a way to reach the brakes through a WiFi hotspot, and Tesla pushed a patch quickly. At DEFCON, the same team took the same Model S and showed how the car could be attacked over a cellular connection.
For information security professionals, this suggests taking a deeper look at the seemingly innocuous things around you. The Tesla is clearly cutting edge; a car wash is not. Instead of focusing only on the complex systems, every connected device in an organization should be checked.
Defcon 2017 Roundup Lesson 7: Hackers Can Be Hacked
A good offense has long been considered the best defense. In hacking, that means understanding not only your own vulnerabilities but also how to exploit your attackers’ weaknesses.
Attackers have many tools available, but most rely on a handful of common remote administration tools (RATs). For better or worse, this gives security professionals a strategic advantage: flaws in those tools expose the people using them. Hacking the hackers can reveal who they are targeting and what information they are after.
More importantly, it shows that malicious attackers are using tools as flawed as the systems they attack. Hackers are just as prone to security flaws as everyone else; they are no more secure than our businesses and are not an untouchable group.
That said, if we are going down the road of clichés, two wrongs don’t make a right. The real lesson for information security professionals is that while attackers may be assaulting our systems, they are not much more sophisticated than we are. One of the main things that separates legitimate defenders from attackers is that defenders let themselves be paralyzed by fear, and they need not be.
Defcon 2017 is over, but the lessons it brought the security world will continue to mold our activities into 2018. For many organizations, understanding how to protect themselves against malicious attackers is the best way to create a safer world of information. A strong compliance stance is one way to meet these evolving needs.
See how consolidating your objectives can help strengthen your compliance landscape while lessening your vulnerabilities in “6 Time Saving Steps to Simplifying Your GRC Strategy.”