Once the target of choice for hackers of all stripes, personal computers (PC) will be -at most- a side attraction at this year’s annual Black Hat Briefings show in Las Vegas, where presentations on ways to attack mobile devices and other networked “stuff” will take center stage.
Just over ten percent of the scheduled talks and turbo talks at The Black Hat Briefings in early August (5 of 47) will be devoted to attacks against what might be considered “traditional” endpoints, like end user systems and servers running Microsoft’s Windows, Apple’s Mac OSX and Linux. By contrast, more than 30% will discuss security flaws and attacks against mobile phones or other “smart” devices including wireless surveillance cameras, home automation systems and smart meters.
The dearth of PC-focused talks isn’t a new trend in and of itself. As far back as 2006, talks that explicitly discussed security issues with components of Microsoft’s Windows operating system or those of Apple’s Mac OSX or the open source Linux made up less than a quarter of the “briefings” – technical presentations of new research that have become a Black Hat staple. What is striking in recent years, however, is the move away from discussions of attacks on traditional computer networks like local area networks (LANs) and wide area networks (WANs).
In 2006, as now, Web and application-focused attacks were big news at Black Hat. However, seven years ago, the Briefings schedule was still dominated by discussions focused on traditional enterprise environments. There were talks about network based attacks on database and application servers, including Oracle. There were presentations on attack detection (IDS) and evasion against technologies like Network Access Control (NAC), as well as a spate of talks on the security of Voice Over IP (VoIP) technology that was (and is) being adopted within enterprise environments.
At this year’s show, discussions of attacks and protections aimed at those kind of traditional IT systems and perimeter-based networked environments are few and far between. In their place is a wealth of discussions about vulnerabilities in mobile device platforms, such as Google’s Android operating system, as well as attacks on a wide range of other networked and “smart” devices. Some examples:
- Researcher Jeff Forristal of Bluebox Security will present a (known) exploit for a vulnerability in the Google Android mobile operating system, including proof of concept exploits for “major Android device vendors.”
- Cyrill Brunschwiler of Compass Security Network Computing AG will discuss vulnerabilities in the M-Bus protocol, which is used for remote “smart” meter monitoring by utilities.
- Craig Heffner of Tactical Network Security will demonstrate a collection of zero-day vulnerabilities that can be trivially exploited by remote attackers to gain administrative and root-level access to network surveillance cameras manufactured by D-Link, Trendnet, Cisco, IQInvision, Alinking and 3SVision.
Researchers of all stripes have stepped up their work on such systems. In recent months, reports have noted exploitable holes in products like the FitBit health monitoring and Samsung’s SmartTV. The National Highway Traffic Safety Administration has called for more scrutiny of the security of onboard computers in late model cars, as well as the security of vehicle to vehicle (V2V) communications.
Hacks against non-traditional systems are nothing new at Black Hat. In 2010, Barnaby Jack of IOActive famously coaxed an ATM machine to barf up a stream of fake cash in a demonstration of a vulnerability in common embedded systems software.
Ron Gula, the CEO of security firm Tenable, said that the notable shift to non-traditional targets is evidence of improvements in the security of PC and server software. “Servers have become a lot harder to hack,” Gula said by way of explanation. “You basically have to have a zero day to do it.”
Rather than expend time, money and resources uncovering those, financially motivated cyber criminals have shifted to client-side exploits and to areas like SCADA and ICS, where exploitable holes are low hanging fruit. “The world has shifted from getting root on a desktop or server to getting root on everything else that has an IP address,” he said.
Gula said the change of focus is healthy for the security industry, which remains preoccupied with vulnerabilities and patching for traditional systems like Windows PCs. Many of those threats and attacks are more of a concern for consumers than enterprises. Still, Black Hat is a reliable bell weather of where attacks are heading.
“It’s a gut check – a sense of the way the winds are blowing,” he said.