Eric De Grasse
Chief Technology Officer
Project Counsel Media
2 August 2019 (Las Vegas, Nevada) – Every summer we attend the mega security/hacker conferences of the year: Black Hat and DEF CON, both in Las Vegas, and back-to-back (we are here for about 12 days). BlackHat does not technically begin until tomorrow (running August 3rd to August 8th) but there have been tech briefing and workshops galore the week. DEFCON follows on its heels, running August 8th to August 11th.
Some background
For Black Hat, it is a place where every major security executive and analyst is gathered. You don’t have to travel around the globe or hunt them down on the Internet – they’re all here. In the age of seemingly “everything-is-cyber-and-IoT” these security hacker conferences have become paramount “must go” events.
And while these conferences revolve around security topics, they cater for different target audiences. Unlike the Black Hat conference, which is hosted by a large media company (UBM Tech), DEF CON is considered a classical hacker convention. They are looking to engage participants and be engaged by them. They want your feedback, insights, opinions and questions.
Both conferences are brilliant. This is where we build on our existing cyber/security/intelligence community networking contacts who we call upon all year to assist in our cyber work for clients
We have a penetration testing company, used for testing computer systems, networks and web applications to find security vulnerabilities that an attacker could exploit. If you were at the Legaltech trade show in New York earlier this year you may have met with our cyber team who showed you how vulnerable the Hilton Hotel (location of the show) wi-fi can be.
Between these two events you capture the entire gamut of hacker culture. And to give you an idea on the number of attendees, preliminary registration figures indicate Black Hat will attract 22,000+ this year and DEFCON event more – close to 25,000. At both events you’ll find security executives, hackers, academics, law enforcement, military intelligence personnel and a bunch of government and law enforcement staffers. Also, for the third year running, a huge continent of e-discovery vendors.
As Mark Ward of the BBC (who covers all manner of tech and who I met at MWC a few years ago) describes them:
“Black Hat is the sensible, grown-up conference, where the clothes might be casual but the shoes are shiny. DEFCON is their freewheeling, raucous, free-spirited sibling. With tattoos. And a mohawk. And some pretty outrageous clothes. But in a way, much more fun. I learned how to break into a digital lock at DEFCON – and my hotel TV”.
I will get to that digital lock and the hotel TV hack further below in this post.
These conferences always attract droves of Feds and a favorite game at both conferences every year has been “Spot the Fed”. Well, except they are now pretty open because the Feds need lots and lots of help and try to recruit at these events.
And the e-discovery crowd (lawyers and techies) who are here are just trying to learn the tech behind the legal cyber issues they need to address. Like that major document review room breach in D.C. this past week. More on that in a later post.
For many years, Black Hat has generated pre-conference announcements that catch the media’s attention, and this year was no different. There will be myriad presentations on how easy it is hack [name your devise] as well as 4 presentations alone on how to weaponize the GDPR through its “Right of Access” in order to steal identities. And a biggie: how the Chinese have been able to hack just about any cloud service provider.
Mindsets
The people at Black Hat and DEF CON have a completely different relationship to the world around them. Because hackers understand how technology works, they understand how the world works, And because they know how the world works, they can use this understanding to shape it, and influence it. Reality has become a sort of playground that, with enough talent, skill and in many cases bloody-minded obsession, will answer to their commands. But to take the even bigger view, a quote from my partner, Greg Bufithis, from his upcoming book:
If you take a big view, classes within societies have often been divided by their relationship to the fundamental resources of the age. The primary source of wealth in agrarian societies came from cultivating crops and farmland. Land was its fundamental resource, and when it was organised – as often it was – into a small number of large estates owned and protected by a small number of powerful families, they sat atop that society’s economic and social pyramid. They were a group who spoke a different language, maintained different customs, and whose rank, honour and privileges directly related to how much land they controlled. Within industrial society, there was a new class that, through not only land, but also capital, owned the mills, factories and mines, the means of production that now produced wealth.
Owning a fundamental resource makes you different; it puts you at the very centre of how your society works and what it does. Today it is the control and manipulation of information.
To these hackers, there are no black boxes. They can crack everything. They have kept on pulling things apart, refusing to let technology become the black box that it is to everyone else. “I WAS BORN TO HUNT” is my favorite tee shirt at DEFCON.
And their presence in Las Vegas alone causes the world to change around them:
– The electronic bus timetable is now only a blue screen of errors, locked down by the City Fathers because it has been hacked so many times before.
– The digital menus at restaurants have disappeared. Too easy for a knowledgeable hacker to access the restaurant control systems.
– Numerous stores have stopped accepting credit cards. Past experience: hackers were cracking point-of-sale terminals.
In the years we have attended, we have learned several things:
– Get a burner phone, keep bluetooth off and don’t bring any electronic gear with you. If you do, turn it off and stick it in your hotel closet.
– Get cash before you go. Do not use cash machines in Las Vegas that week.
– Two years ago Greg learned how to hack his hotel television using an infrared remote control and access the hotel’s entertainment systems.
– I learned how to reset my minibar bill, log into my neighbour’s television and watch them surf the internet, setting their wake-up call for 5:30 a.m. And then check them out.
– And the Las Vegas police always has a high-tech SWAT team waiting around the corner from one of the conferences, waiting to go in, for serious stuff (not my mini bar manipulation).
It is a party, it is shopping mall, it is a conference, it is a technical play park … all happening at the same time. It is a trade fair where thronging crowds press five-deep around vendors to buy all manner of cheerfully branded hacking hardware … “for research purposes”. But it is in the “villages” (how the DEF CON event is divided up) where hackers get their hands dirty. There are large, open rooms, full of people soldering circuit boards, mangling gadgets, peering at code. There are events and sessions for everybody: the “car hacking village”; the “devise village” so hackers can learn how to send specific commands to electrical components; the “Internet of Things village” got a wee bit out of control: how to hacked children’s toys, routers, thermostats — almost anything that can be connected to the internet.
And the biggies: social engineering (ok, how to execute disinformation), wifi, cryptography, reconnaissance, lock picking, etc., etc.
What else have we learned? There is not enough room but just a few from last year:
– An intricate hack. The hacker had built something called a tunnelling algorithm to comb (hacker lingo: “to fuzz”) an Intel microprocessor. Baked on the chip itself were instructions that allow the microprocessor to work. And the hacker was now revealing what he found: hidden instructions that WERE NOT in the manual and for which there is no explanation. Flaws? Bugs? Or worse. Secrets.
– Hackers do help build and protect cybersecurity, so they also demonstrated their capacity to protect us. The very fact that these hackers were making their discoveries public implied, usually, that they were on the right side of the law – but you never know.
– And backdoors. On the screen, the hacker demonstrated how a hidden instruction locked the microprocessor and any computer using it. What about computers not connected to the internet? The convential wisdom is that the most secure systems are deliberately cut off from the internet … “air-gapped” .. to keep them out of the clutches of attackers. But hackers don’t need the internet. Nope. Light! Hack with light. I saw how to send instructions through the air using light, and into the ambient light sensors of the computer, the things that adjust the screen to different light conditions. The huge screens around the room cut to a live video on the stage. A laptop and a bulb, connected to a small circuit board by a few wires, stood in front of a normal laptop, not connected to the internet. The bulb started to flash, an impossibly fast Morse code. Then – to rising applause – the laptop, not connected to the internet, opened the calculator program. In hacker lingo, this is called “popping cal”. It means that the hacker has achieved the Holy Grail: remotely programmable code. If you can get it to open the calculator, you can get it to open anything. The laptop, through the bulb, responded to his commands. He could make it run things, drag data out of it, do whatever he wanted.
– We have seen how easy it is to seize control of cameras, printers, routers and doorbells. Earlier this year I wrote about a shadowy Chinese group that can receive calls and texts meant for your mobile phone, and send calls as if you’d made them. NOTE: this is how the U.S. intelligence services believe the Chinese spy on Trump when he is at Mar-a-Lago.
Computers are everywhere. We trust our lives to them. Everyone relies upon technology, but hardly any of us understand it. It just works – we don’t need to understand how. Yet hackers have made it their business, their identity, to question how technology works and why. They do not accept, nor do they trust, locked doors, black boxes, hidden code or anything else that might be used to control them, and they go to extraordinary lengths to break them open. To them, the technologies that surround us actually make sense. They are open: chips understandably arranged on circuit boards, obeying programmatic instructions that they can interpret, and throwing out data, wifi, radio frequencies
As I said, these people have a completely different relationship to the world around them. Because hackers understand how technology works, they understand how the world works, And because they know how the world works, they can use this understanding to shape it, and influence it. Reality has become a sort of playground that, with enough talent, skill and in many cases bloody-minded obsession, will answer to their commands.
On to our first report … finally:
Security fears aren’t stopping enterprise IoT
A whopping 97% of executives responsible for implementing IoT projects have concerns about security but are going ahead with projects anyway, according to a survey presented by Microsoft this week. The software giant commissioned an independent firm to interview 3,000 IoT decision-makers at enterprise companies to understand that sector’s state of adoption for its first-ever “IoT Signals” report.
The results are not surprising, although they seem incredibly optimistic. For example, despite nearly all of the respondents having security concerns, 94% are planning an IoT implementation in the next two years. And 88% believe it will be critical for their business (“we need to get out there and beat our competition”) comprising about 30% of their revenue during that time frame.
— Chart courtesy of Microsoft’s “IoT Signals” report
And yet … there are challenges. One of the biggest perceived barriers to implementation is scaling – taking a prototype or a pilot process across an entire company or production line. This is not a new challenge. What works at 100 sensors becomes unwieldy at 10,000. The types of solutions needed at that level also change. For example, configuration and error detection become far more challenging at scale and should be automated.
Lifecycle management, which is the ability to understand the status of the software and functioning of a sensor or gateway, also needs to be automated. As part of that, people responsible for the system have to know where the physical devices are and be able to access them. As sensor densities increase, even the physical necessities of serving a device will likely become the responsibility of robots as opposed to people.
Though for now, that’s a bit far-fetched. Based on this survey, IoT may increase the efficiency, productivity, and safety of workers across the board. However, it’s not resulting in fewer jobs at the moment. A third of those surveyed said they don’t have the staff to handle their IoT projects. Without sufficient staff, the respondents typically said their projects took longer to reach a point where they were “in use.” It took those with sufficient workers to reach the “in use” phase an average of nine months as opposed to a year.
And one of the biggest points: all companies are struggling to find folks that can build out a cloud-based system and manage devices at scale. That’s really the realm of very talented cloud solution developers, and there’s a pretty significant shortage of those worldwide. And it echos what I heard at the Cloud Develop Summit in NYC just before I headed to Las Vegas: the most critical shortages are cloud solution developers.
As someone who discusses IoT projects with companies, I can say with certainty that figuring out how to build a scaled-out IoT solution in the cloud is a challenge, and there are few folks out there with those skills — and those that do have them tend to get snapped up by the large cloud companies.
But I can also say that from an employee strategy standpoint, once you build and start using IoT in day-to-day operations you then have another problem – your workers will need training to level up to the new tech. And it’s not simply a matter of training people how to reboot a device or building a new process around automated alerts coming from sensored machines. It will also include giving workers more autonomy to make decisions when alerts happen.
This explains the race to automation. Once automation takes on basic tasks, workers have to be trained to handle the resulting alerts and notifications of looming problems. I also believe that with increasing automation workers will have new jobs to tackle, which will require even more skills. Though in industries where there is a shortage of skilled labor, the efficiencies wrought by IoT will help mitigate those shortages.
But the gorilla in the room: as the IoT takes over the world, IoT security remains, well, pitiful. Connected devices emerged as one of the biggest attack vectors of 2018, and so far in 2019 an even bigger attack vector. While organizations are finally recognizing that the IoT is a threat to their overall cybersecurity, Microsoft found they continually fail to ensure that the networks and data generated by IoT devices remain protected.
As I explained in a post last year, one reason why the IoT became one of the biggest attack vectors of 2018 was its invisibility on enterprise networks. According to a report from Gemalto (an international digital security company that really does a fantastic job tracking security issues) 48% percent of businesses admitted they are unable to detect the devices on their network. Yet consumers expect businesses to have a handle on IoT security. It’s become a sort of paradox for businesses: they have to protect what they cannot see on their networks.
At the same time, in the “race to get to market”, IoT vendors are failing on their end by not developing devices and software with security built in — nor do they have to because there aren’t security standards for the IoT. Nick Ismail, who writes for Information Age said it perfectly:
Consider the operating systems for such appliances. How do you upgrade the OS in a wall-mounted air conditioning unit that’s connected wirelessly? Or a smart light bulb? If you can’t upgrade an operating system, how can you attempt to patch any vulnerabilities?
That’s why cybercriminals are specifically targeting IoT devices. Their security is weak on the device/software side as well as on the network side because organizations struggle to account for all of their connected devices. And despite all these NIST papers and other “policy briefs”, just what can you do? Or, more importantly, who can force you to do anything?
In 2018, favorite targets for threat actors included routers and firewalls. The United States Computer Emergency Readiness Team (US-CERT) put out a warning last spring that attackers were going after network devices, saying that if they can own the router, they’ll also take charge of the traffic. The alert added that a “malicious actor with presence on an organization’s internal routing and switching infrastructure can monitor, modify, and deny traffic to and from key hosts inside the network and leverage trust relationships to conduct lateral movement to other hosts.” Legacy systems or systems that are never updated are low-hanging fruit for the picking.
Cybercriminals know that IoT connections and devices are easy targets, which is why experts warn that we will see an uptick in the number of specifically targeted attacks in the coming years. And remember; lots of folks are here to learn just that – how to attack these systems. We’ll have more as these conference officially open.