This week marks the 18th annual BlackHat USA conference where many of the world’s brightest security minds come together to discuss and showcase techniques capable of defeating and compromising a wide array of technologies. This year’s show arrives at a critical time in the world of online security and privacy, with near daily headlines of massive breaches and widespread critical vulnerabilities, all undermining the viability of mitigating today’s threats. All the while technology marches forward, integrating itself into new devices that will make up the future Internet of Things.
There were three headlines from the past few weeks which were especially concerning. The first was the discovery of the DYLD_PRINT_TO_FILE vulnerability affecting OS X Yosemite. What is so alarming about this vulnerability is that, with a single command, you are able to modify any file as a root user, including the sudoers file which stores usernames and passwords. This vulnerability is a perfect example of security oversight during the development process and how such an oversight can have a massive impact on security integrity. At least in this case, the exploit is specific to Yosemite and has been fixed in the latest OS X release.
The second alarming headline talked about 950 million Android phones being at risk of compromise by simply receiving a MMS. The exploit exists within a piece of code, called Stagefright, which is responsible for playing MMS messages. This vulnerable piece of code is part of all Android versions between 2.2 and 5.1, with an update needed to address the flaw. Unfortunately, it is very difficult to patch all devices as updates flow through network carriers at different speeds for different devices. While there are no current examples of this exploit being used in the wild, this won’t be the case for long; and the result of this vulnerability is that there will be millions of Android devices which are vulnerable to being remotely hacked.
The third, and most alarming, headline was for the recall of 1.4 million cars by Fiat Chrysler due to the demonstrated ability to remotely hack and control vehicles through the Uconnect infotainment system. What is so concerning about this hack is that so many critical systems could be controlled remotely. Everything from the wiper blades to the brakes to killing the engine. This begs the questions of, “Why does Uconnect need to have access to the brakes or engine?” It seems obvious that for basic security, these systems would be separated. However this hack demonstrated otherwise.
But as concerning as these headlines are, there is a silver lining. Unlike many headlines, these were all the result of security researchers who were looking to validate that proper security is in place. Thankfully in these cases, the researchers came forward to disclose their findings to improve security for everyone else. I cannot stress how important this type of behavior is to the viability of the future of security. The reality is that it is very difficult to design a bulletproof OS or application and that mistakes will be made. What is important is that when mistakes are discovered, that they are disclosed and addressed rather than sold on hacking forums to be used for malicious purposes. Some companies have done a great job in creating bug bounty programs to encourage the disclosure of vulnerabilities and I hope to see more of this in the future.
So back to BlackHat and why this year’s event is so timely and important. It is because BlackHat drives awareness and attention to the critical issues facing security from all angles. The conference also provides a common ground for collaboration and innovation that often finds its way into the products and technologies of the future.
As we move forward and embrace the Internet of Things, we must learn from our past mistakes and focus on ensuring we integrate the convenience technology has to offer without losing our privacy or security along the way.
