Nest Thermostat Hacking and Google Glass Password Spying at Black Hat 2014



This month saw the Black Hat security conference return to Las Vegas for its 17th instalment. Alan Byrne was on hand to give us an overview of some of the most interesting talks he attended during the two-day event. Part one of his report is below.

Nest, a Smart Spy in Your Home

The Nest is a smart thermostat device manufactured by Google [following their $3B acquisition of the Nest company in January 2014]. The programmable thermostat learns what temperatures you like at certain times of the day, and automatically turns your heating on and off to your subconscious satisfaction. It is connected to your home Wi-Fi network, allowing you to configure your heating system over the Internet. However, researchers at Black Hat 2014 demonstrated that, should a malicious person get USB access to the Nest device, it can be turned into a much more sinister spying tool.

When the Nest’s physical button is held down for 10 seconds, the device reboots. But for a split second, it is available to receive new instructions on how to boot. The team created a custom tool that, when directly connected to the Nest, reworked the Nest’s software, giving them total remote control. Although physical access is required for this attack, it is not difficult to think of a number of scenarios in which this could occur. Once a Nest has been compromised, it could, for example, “phone home” to let the attacker know what times you are out of the house at work, or when you are away on an extended vacation.

Furthermore, the researchers explained how they could use the Nest as a network “sniffer” to tunnel all the user’s internet traffic through the Nest. This means that the attacker could read a user’s login details, credit card numbers, etc. Even without any exploit, the researchers noted the excessive data logging and communication that the Nest does, raising concerns over user privacy. Does a thermostat really need to contact Google (an advertising company) that much? Nest users are unable to opt out of this data collection.

The full paper is available here.

The State of Incident Response by Bruce Schneier

Bruce Schneier gave a very interesting talk in which he outlined some current trends in cybersecurity, discussed theories from economics and psychology that affect cybersecurity, and explained a systems theory from the US Air Force that can be used for effective incident response.

Bruce highlighted that with the rise of cloud computing, users have less and less control over their data. It is the vendor that has all the control: this includes the locked-down devices and operating systems we use to access our data, for example iOS.

He warned that cyberattacks are getting more sophisticated. The skill of attackers is getting higher, and their focus is getting stronger.

Finally, Bruce noted the increased cyber-investment from governments and what this might spell for the future of the cybersecurity industry. Will businesses be forced by law to implement cybersecurity measures? Will we see government-managed defence in the future to secure the likes of water reservoirs and electricity power plants? Bruce foretold that the days of letting the industry take care of incident response may soon come to an end as government requirements for data safety are coming.

My Google Glass Can See Your Passwords

Almost every “smart” consumer device today includes a camera – from smart watches to smart TVs, glasses, phones and MP3 players. Researchers at Black Hat demonstrated how these cameras can spy on people tapping and inputting credentials such as passcodes or passwords into phone and tablet keyboards.

By tracking fingertip movements, it was possible to identify the touched points on the victim’s screen and map their locations to a reference image of the soft keyboard for that phone. The researchers have had a 90% success rate with this method, at up to 9 feet from a victim.

What can be done about this? Well, Apple’s fingerprint technology makes this exploit redundant. But, for the majority of device users out there, combatting this attack will mean installing a keyboard app that does not use a fixed “qwerty” layout, but varies the location of the keys on every unlock attempt.
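The mitigation described above can be modelled on a numeric PIN pad. This is an added example, not code from the researchers or from this report: it assumes a 4x3 pad, an observer who recovers only the tapped cells (not what the screen displays), and hypothetical function names.

```python
import secrets

COLS = 3
# Fixed PIN-pad reference layout, row by row; "" marks the two unused corner cells.
FIXED = ["1", "2", "3", "4", "5", "6", "7", "8", "9", "", "0", ""]

def shuffled_layout(rng=None):
    """Return a layout with the ten digits permuted over the same key cells."""
    rng = rng or secrets.SystemRandom()  # OS CSPRNG, so layouts are unpredictable
    digits = [d for d in FIXED if d]
    rng.shuffle(digits)
    it = iter(digits)
    return [next(it) if cell else "" for cell in FIXED]

def touch_points(pin, layout):
    """(row, col) cells the user taps to enter `pin` on `layout`."""
    return [divmod(layout.index(d), COLS) for d in pin]

def read_off(points, layout):
    """Digits obtained by mapping tapped cells onto `layout`."""
    return "".join(layout[r * COLS + c] for r, c in points)

def leak_rate(pin, trials=2000):
    """Fraction of unlocks where the fixed reference image still yields the PIN."""
    hits = 0
    for _ in range(trials):
        points = touch_points(pin, shuffled_layout())
        hits += read_off(points, FIXED) == pin
    return hits / trials

if __name__ == "__main__":
    pin = "2580"  # constructed sample PIN
    print("fixed layout, observer reads:", read_off(touch_points(pin, FIXED), FIXED))
    layout = shuffled_layout()
    points = touch_points(pin, layout)
    print("shuffled layout, observer reads:", read_off(points, FIXED))
    print("device decodes:", read_off(points, layout))
    print("leak rate over 2000 unlocks:", leak_rate(pin))
```

With a fixed layout the tapped cells alone reveal the PIN; with a fresh permutation per unlock, the same cells map to unrelated digits unless the observer also captures the displayed layout.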

The full paper is available here.

We will publish part two of Alan Byrne’s report from the Black Hat 2014 conference next week.
