For the second part of our report about Black Hat USA 2015, we decided to change topic, and switch from web application security to two hot topics nowadays: Security in Internet of Things and mobile security. We encourage you not only to read this summary but also to go online and take a closer look at the videos or the slides. We aimed at giving you all the relevant links for each talk.
Remote Exploitation of an Unaltered Passenger Vehicle
One of the most publicized talks before Black Hat even started, was the manipulation of the Jeep car. Some content of this talk could already be seen on YouTube weeks before the Black Hat conference. Therefore, the expectation for this presentation were really high.
Charlie and Chris, the two speakers, mastered the pressure in a very sovereign way. They presented the whole attack, from discovering the cars that could be hacked remotely, to the point of completely take control over the car’s management interfaces, including components affecting the driving features such as the car’s breaks. Besides the technical details of the car architecture and the attacks used to circumvent some of the car’s security mechanism, they fill the talk with funny stories occurred during the months of research. An example was how they managed to explain to the garage mechanic repairing their test car why the display of the media center got suddenly black, “without” any obvious reason for it. These funny stories together with the demonstration videos make the talk worth of watching it.
In conclusion, despite the cool presentation and the nice techniques used, this talk illustrates the fatal consequences of poor security in the Internet of Things. A lot of objects nowadays are connected to the Internet and can be managed remotely. If the security mechanisms implemented are not sufficient to circumvent malicious attacks the outcome can be very scary, like for example a car remote controlled by an hacker. If you are interested in IoT security and want to know more about attacks and how to protect against these, don’t miss our new and upcoming Compass Security course for Internet of Things next year.
StageFright: Scary Code in the Heart of Andorid
Mobile security became very popular in the last years. One of the presentation at Black Hat 2015 that received most reactions regarding mobile security was certainly StageFright. StageFright is an Android’s Multimedia Framework library written primarily in C++. It handles all videos and audio files and also MMS. The weaknesses found inside this library, a buffer overflow, was also baptized StageFright and permits an hacker to execute arbitrary operations on the victim device through remote code execution and privileges escalation. The talks showed a proof of concept that didn’t require user interaction but get directly executed when an MMS was received on an Android device. It means, the number of the victim, together with knowing that the OS of his cellphone is an Android, is the only information that an hacker needs to know to perform the attack.
The StageFright weakness was rated so high that Deutsche Telekom decided for example to disallow the transmission of MMS on his network.
Some proofs of concept performed by Compass Security showed that the attack vector is not as straightforward to exploit as explained during the talk and that the payload need to be adjusted depending on which version of OS is in use. However, the consequences can be fatal if the attack is a minimum targeted. As mitigation there are several approaches: First of all apply the Android patch. If this cannot be achieved, disable automatic retrieval of MMS messages. However, this is not supported in all MMS applications and does not cover the download through the web browser. As the ultimate solution one can block the reception of text messages from unknown senders.