Last week I attended Defcon21, where in addition to hanging out with my most excellent co-workers, I had the opportunity to see the complete presentation given by Charlie Miller and Chris Valasek, that I had written about here.
This research demonstrates that a vehicle could be “hacked” into and made to perform in such a way as to endanger the life of the operator and occupants.
Picture courtesy of http://www.cso.com.au
They went in much greater depth than their teaser interview with Andy Greenberg’s article.
They covered how the vulnerabilities were discovered in great detail, demonstrated the various attacks that could be executed, and released all their research, so that the rest of the security community could build upon it.
We saw how these vulnerabilities, when exploited, caused the early demise of Charlie’s lawn mower, the destruction of the back of his garage, and ultimately the premature death of Chris Valasek’s Toyota Prius.
If you read my post last week about some of the Malwarebytes team heading out to Las Vegas for DEFCON 21 then you might be interested in how it went. Well, rather than doing what I did last year and just list the talks and describe them, here is a little story about my adventures in hacker land.
Day 1 Thursday:
I got up SUPER early (for me anyway and considering I traveled back in time 2 hours when I landed in LV) in order to head downstairs from my room in the Rio to purchase my DEFCON badge.
After waiting for 30 min to get a coffee from one of the two Starbucks in the casino, I took the walk to where the line for badges started. I waited in line for about an hour and a half and once I got my badge, we spent the next few hours just trying to figure out exactly what we were looking at.
The badges are very neat and as with the badges at DEFCON every year, they have multiple puzzles and purposes that might not even be discovered by attendees until months after DEFCON ends.
This week is full of security conferences, with Black Hat already starting off, along with BSides LV and later this week, DEFCON!
Being part of the security community, Malwarebytes is going to be hanging out in Las Vegas for DEFCON, the largest gathering of security specialists in the world. We are going to be watching some talks, live tweeting our adventures and letting our readers in on the DEFCON world!
While lots of fun and very informative, DEFCON can also be a dangerous place and if you plan on going this week, we are also giving you some tips on how to keep your money and info safe — though we can’t protect you against losing at poker.
There is a fascinating presentation scheduled at Defcon21, by Charlie Miller of Twitter and Chris Valasek of IOACTIVE in regards to “hacking cars” — Miller and Valasek received a grant from DARPA , The Defense Advanced Research Agency, to perform research on this.
As motor vehicles advance technologically, they incorporate more and more computers.
So far, the threat of them being hacked has largely been ignored, as they have been seen as “stand alone” systems.
There is a trend to increase vehicle connectivity, and with this comes the potential risks of vehicles falling prey to malicious software. Suddenly, the glowing magnet devices of the latest iteration of the “Fast and Furious” franchise, that caused the hero’s cars to careen through buildings uncontrollably, do not seem all that far fetched.
My colleague Adam Kujawa recently wrote a great post about the Malwarebytes experience at the hacker convention DefCon this year.
By popular demand, here's a round-up of my top four favorite DefCon talks from a development perspective:
1. “Stiltwalker”, by “DC949” (http://www.dc949.org/projects/stiltwalker)
I am sure everyone is familiar with reCAPTCHA. You have likely wasted hours of your life (in the aggregate) on it. The basic idea is that there are tasks (image or audio recognition of words or letters) that a machine cannot successfully do reliably (usually!) but that are very easy for humans, and so performance on these tasks can distinguish a real person from a machine, like a bot on a forum or message board. The Stiltwalker talk was about a machine-learning attack on audio CAPTCHA: the speakers found that they could train a neural net to “beat” it using not much more than a few basic background-subtraction tricks. Depending on the precise implementation of CAPTCHA they tested, they could get 60-99% accuracy. This is easily enough to consider the system “broken.” Really cool! Actually, I notice it's already up on Wikipedia: http://en.wikipedia.org/wiki/ReCAPTCHA#Security
2. “Hammer: Smashing Binary Formats into Bits” by Meredith Patterson and Dan “TQ” Hirsch
The lead-in to this talk was something to the effect of “have you ever used parser generators like Yacc or Bison? Don't you hate them? Here's something better.” Patterson and Hirsch then launched into an argument for “language-theoretic security” (basically, how virtually every parsing-bug-turned-security-flaw could be obviated with intuitive robust parsing – think along the lines of SQL injection). See http://www.cs.dartmouth.edu/~sergey/langsec. Then they showed a parsing library they have written called “Hammer” (https://github.com/UpstandingHackers/hammer) which has quite honestly the prettiest syntax I've ever seen in a parsing library. I really want to find some time to play around with it.