The Black Hat briefings made their reputation as a forum for star security researchers to unveil hair-raising vulnerabilities in hardware and software.
But Black Hat has become a more corporate event and collaboration is much in evidence these days. The latest example: the first roundtable discussion ever held at Black Hat.
Speaking on Wednesday, Don Bailey, CEO of Lab Mouse Security, and Zach Lanier, Senior Security Researcher at Duo, facilitated a lively discussion of embedded system security before a group of attendees arranged around a table with a few more chairs off to the side. Bailey asked the audience to start the conversation, and he and Lanier then moderated the discussion.
The conversation started with the new secure hardware features, such as ARM TrustZone, and the fact that few institutions are using them. One factor is cost. Some organizations are gravitating toward open source boards such as Arduino, which lack such hardware security features. One attendee said his company uses these boards primarily for proofs of concept, but that when the business unit hears of a success, it pushes to use the cheaper boards in production rather than allow the engineers to develop a secure version based on a secure chipset.
Another attendee speculated that it would take a high-profile attack to change thinking around hardware security. But Bailey disagreed. He said that the Heartland Payment Systems breach was the largest data breach in US history, and that changes were made to the payment processing system afterwards. However, we recently had the Target data breach, he noted, so have we addressed the fundamental problem?
Most of the discussion returned again and again to threat models and specific attack vectors for hardware. In particular, more than one person in the room called for a way to catalog common hardware vulnerabilities and rate their severity, much the way software vulnerabilities are tracked today in MITRE's Common Vulnerabilities and Exposures (CVE) database.
It was noted that hardware vulnerabilities, unlike software ones, may be too expensive to remediate. Some in the audience stated that the classic idea of "firmware" is dead: with firmware updates, they said, the firmware is now soft. So remediation shouldn't be impossible, at least for a large company.
A small company might, however, be wiped out. Not because customers won't buy its insecure product (some will) but because the cost of physical remediation might be too much. One attendee pointed out that his company faced this and decided to issue an alert to its customers and promise a fix in the next release. He said customers responded well; some even said their use of the product didn't put them at risk, but they appreciated the proactiveness.
Bailey concluded the discussion by inviting participants to email further thoughts. He will also be posting his notes on the Lab Mouse Security site in the coming weeks.