Thousands of hackers and security professionals gathered in Las Vegas last week for the annual Black Hat conference. The event showcases the newest and most innovative threats facing the security sector today, with security researchers and hackers revealing weaknesses in connected devices, business infrastructure and more.
The threats this year included vulnerabilities in cars, ATMs, payment systems and much more. With so much to choose from, Research and Markets have compiled a list of the four most notable hacks from the conference.
1. Vehicle Hacking
Vehicle hacking has been a key talking point for a couple of years now. Last year, hackers Charlie Miller and Chris Valasek remotely hacked into a Jeep Cherokee using a zero-day exploit in the car's UConnect system and paralyzed it on a highway. They demonstrated the ability to control braking, steering and acceleration systems, disabling the car’s brakes at low speeds.
This year they performed a similar, but significantly more difficult, feat. They once again showed they could remotely take control of a Jeep's braking system - but did so at speeds over 5 MPH.
Fiat Chrysler responded to the hack by saying the methods Miller and Valasek used were costly, time-consuming and required extensive technical expertise. The company insisted that this was not something the average driver needed to worry about.
Miller and Valasek, who now work for the ride-hailing service Uber, agreed that it did take them considerable time and effort. The hackers also announced that, after four years of hacking cars together, they have decided to move on. They encouraged other hackers to pick up where they left off.
2. Mobile Payment Systems
A recent report described the mobile payments market as “one of the most diverse, competitive and technologically complex markets in recent years.” These systems, like Apple Pay and Samsung Pay, have begun to gain traction with users looking for a convenient and safe method of payment.
However, security researcher Salvador Mendoza says these systems are far from secure. He discovered a flaw in the security of Samsung Pay that allows an attacker to make fraudulent payments using a victim's phone.
How is this possible? Mendoza focused his presentation around the app's use of tokens. Just like Apple Pay, Samsung Pay uses tokenization. Card payments are made secure by creating a token that replaces your card details. This token is stored within a secure element chip on your device, and when a payment is initiated, the token is passed to the retailer.
Mendoza says that after a certain point, attackers may be able to predict future tokens, without needing to gather any card information. Those stolen tokens can then be used to make fraudulent transactions. He even proved it, using a friend from Mexico as an example.
3. BYOD Security
An increase in employee mobility and the rising adoption of bring-your-own-device (BYOD) policies have made it easier for hackers to gain unauthorized access to corporate networks, firewalls, and virtual private networks. A report on the Global BYOD Security Market says enterprises are increasingly adopting BYOD security solutions to secure their networks.
According to Vincent Tan, a senior security consultant for Singapore-based VantagePoint Security, there are a number of vulnerabilities in EMS platforms and they shouldn’t be relied on as the sole protective measure for mobile security. Tan’s presentation showed how EMS solutions could be attacked through both jailbroken and non-jailbroken devices.
He says enterprises don’t realise that by blindly trusting these vendors, they actually open up their organization to a completely different set of risks.
4. ATM Card Skimming
Over the years, ATMs have been prone to hacker attacks, fraud, robberies and security breaches. Companies have worked hard to address these flaws, introducing next-generation ATMs that weren’t as susceptible to skimming attacks.
However, in a Black Hat presentation this week, Rapid7 security researcher Weston Hecker demonstrated a technique that allowed tens of thousands of dollars to be withdrawn in less than 15 minutes.
“La Cara” is an automated cash-out machine that can be put on current ATMs to withdraw money and credit card data. The device is placed in the gap between where the ATM user's card chip will be and the roof of the area where the card is inserted. This device reads data from a card’s chip, including the PIN, and feeds the information to a criminal who could be up to 400 miles away.
This year’s conference showcased a wide variety of impressive (and frightening) attacks. A growing preference for technologically advanced products, smart homes and wearables has created a number of exciting opportunities in the IoT market. However, Black Hat provided numerous examples of how hackers can manipulate every gadget to launch attacks.