As a Technical Program Manager here at TeleSign I was psyched to get the opportunity to get attend this year’s Black Hat conference in Las Vegas. The schedule was packed with Briefings on topics I was interested in. I couldn’t wait to dive in and hear the latest industry insights on information security. I had to pick and choose which events to attend and left there wishing I could have cloned myself and soaked up all of them. Since that wasn’t possible, yet, here’s a rundown of the ones I did catch and what I thought.
Briefings Day 1
Android Security State of the Union
Lead engineer Adrian Ludwig maintained that the state of Android security is strong, in what turned out to be my favorite Briefing that I attended. He delivered a good speech and it was a great kickoff.
Google is currently updating Nexus devices to address the Stagefright vulnerability; Samsung, Motorola, HTC, LT, Sony, Android One and hundreds of other manufactures are going to push out the patches as well. With 95 percent of devices potentially vulnerable, Ludwig said, “this is the the single largest unified software update the world has ever seen.” And given that there are 1 billion estimated Android users, “hundreds of millions of devices will be updated in the next few days.”
Another Android bug due to the integer overflow flaw allow phones to crash, cause the UI to become very slow to respond or completely non-responsive and can render a phone silent. apparently dead; unable to make calls and unlock the device if it is locked. The vulnerability lies in the mediaserver service, which is used by Android to index media files. Ludwig promised Google’s messenger app would get updates by the end of the week. In the meantime, the MMS would not build dynamic media thumbnails and jokingly said, “sorry, but thumbnails are going to be very boring for the next week.”
Google is hardening up the Android ecosystem and blocking apps that could be considered malware. In the past few weeks, he has realized that they need to move faster and tell people what they are doing. He announced that Google will provide monthly security updates and service bulletins and ended the talk by stating, “We’re in the midst of the largest software update the world has ever seen. Until next month, when we do it again.”
Why Security Data Science Matters and How It’s Different: Pitfalls and Promises of Data Science Based Breach Detection and Threat Intelligence
Joining this briefing session and unaware it was a two-part session, I caught the second half after “Android Security State of the Union.” The talk, presented by Joshua Saxe, covered both security-specific data science challenges and the solutions to these challenges. The second session addressed security data visualization, discussed ongoing visualization, past log visualization, malware analysis visualization and threat intelligence visualization.
Remote Exploitation of an Unaltered Passenger Vehicle
Charlie Miller and Chris Valasek presented my second favorite talk of the conference. A majority of the briefings I selected to attend were talks relating to mobile, operating system and malware; it was refreshing to take a break from those topics and attend a session on hacking of automobiles.
The presentation demonstrated how a remote attack works against unaltered factory vehicles. Previously recorded demo video was played on the hack of a 2014 Jeep Cherokee vehicle; controlling the vehicle’s subsystems (radio, AC, wipers, transmission, steering and brakes) from miles away using the Internet connection to the entertainment system; using the Harman-Kardon head unit to reach the vehicle’s CAN bus and tapping into the cellular connection, which goes through Sprint’s wireless network.
Faux Disk Encryption: Realities of Secure Storage on Mobile Devices
It is apparent the number of mobile users surpasses the number of desktop users. Daniel Mayer and Drew Suarez presented the talk; Mayers covered iOS, while Suarez covered Android. They emphasized the importance of mobile device security and the challenges mobile developers face in securing data stored on the devices. One main concern is the loss or the theft of a device, which can grant attackers physical access. In turn, this can be used to bypass security controls to gain access to application data. For each iOS and Android platform, they discussed in-depth mechanisms available and how they technically operate. They closed the talk by addressing current best practices and what the security and mobile device community can do to address these flaws.
Briefings Day 2
Ah! Universal Android Rooting Is Back
This talk started off with the current situation of Android rooting, followed by bug hunting surfaced by Wen Xu, a member of Keen Team. His findings were surfaced by using an open source kernel syscal fuzzer, Trinity, which he stated was easy to use. The flaw lies in all versions of Linux kernel and leveraging the bug to root Android devices and the series of events to find a universal root solution. He talked about a two-stage return oriented programming to first leak the kernel address and then change the address. He then pivoted to using the preferred jump-oriented programming. He continued the presentation with a demo and completed the discussion with stating that the 64 bit devices could be more secure by preventing memory collision with physmap.
Fingerprints on Mobile Devices: Abusing and Leaking
This talk was back-to-back scheduled in the same conference hall immediately following the “Ah! Universal Android Rooting Is Back” briefing. It was my third favorite presentation, by Yulong Zhang and Tao Wei. This briefing revealed severe issues with the current Android fingerprint framework providing in-depth analysis of the mobile fingerprint scanner technology. Using the “fingerprint sensor spying attack,” hackers can remotely harvest fingerprints in a large scale. The presenters reviewed the difference between authentication of users and authorization of transactions. A demo showcased how attackers can trick a user to authenticate a transaction when in actually the attacker is authorizing a payment transfer in the backend without the user knowing.
Review and Explicit Neglected Attack Surfaces in iOS 8
This talk was the final briefing I attended while at the Black Hat conference before heading to the Business Hall. The presentation was held in a long narrow hall with less than a dozen rows of seats positioned from the front stage and projection screen to the back of the temporary wall. The Pangu Team consisted of speakers Tielei Wang, Hao Xu, and Siaobo Chen who spoke on the security design of iOS 8 and its vulnerability in details. The talk started off with reviewing known attacks against mobile Safari and IOKit kernel extensions and then focused on analyzing and identified weaknesses of the neglected surface attacks.
Overall it was a terrific conference and I look forward to going back next year. To get info on all of the briefings, check out Black Hat’s full listing, here.