What happens in Vegas, shouldn't always stay there

2015-08-31, 13:54 Posted by: Janne Haldesten

A report from Blackhat USA 2015 / DEFCON 23

Being THE information security events of the year, Blackhat and Defcon in Las Vegas, USA, had a lot to offer this year too. In general, Internet-of-Things and cyber-physical systems security received a lot of attention, ranging from spread spectrum satcom hacking and drone takedown, using SDR (Software Defined Radio) and RF attacks, to attacks against various IoT devices such as Linux-powered rifles and payment solutions.

Malware, being one of the more severe threats, also received some attention: nation-state malware research and machine learning approaches for malware intelligence and detection were covered in several talks from different angles.


In the wake of Snowden's revelations, in which the NSA ANT catalogue, containing several elaborate high-tech gadgets used for spying, was disclosed, Michael Ossmann held a briefing where he presented a toolkit for the security industry with similar functionality; the tools can be used for security assessments and penetration testing.

One of the creepier insights during Defcon was delivered by Chris Rock in his presentation 'I will kill you', where he provided the audience with insights and techniques on how to “kill” someone and obtain a real death certificate, shutting down their lives. It largely focused on the lack of security controls that allows any of us to virtually kill off anyone or any number of people, explaining the death process and highlighting the vulnerabilities and their implications world-wide.

The briefing 'Remote exploitation of an unaltered passenger vehicle' given by Charlie Miller and Chris Valasek was epic, holding the same quality and entertainment level as the talk they gave at Defcon back in 2013 when they pwned a Toyota Prius and a Cadillac Escalade. In this year's talk, they showed the reality of car hacking by demonstrating exactly how a remote attack works against an unaltered, factory vehicle by exploiting Uconnect.

Another interesting presentation with the same theme was 'How to Hack a Tesla Model S', where Marc Rogers and Kevin Mahaffey gave some interesting insights into Tesla security. Although the Tesla Model S is the most connected car in the world, it is surprisingly also one of the most secure, which was illustrated by a walk-through of the vehicle's security architecture.

Another new thing at Defcon this year was the car hacking village, where conference attendees were given the opportunity to physically reverse-engineer passenger vehicles for various purposes. One of the challenges was to collect as many VINs (Vehicle Identification Numbers) as possible.

Old favorites, such as the social engineering, lock picking and evidence tampering villages, were a joy to visit, as were new ones such as the IoT village, where I still wonder why someone would bother to wirelessly connect a water boiler. Needless to say, everything gets connected somehow, and by visiting events such as Blackhat and Defcon, one does get new ideas about how new technologies can be exploited and why we continuously need to protect them.

Having attended several presentations at Blackhat, I also took a long tour of the exhibitors' hall to get an updated picture of available tools and products, where data visualization, malware defenses and social media correlation were hot topics. The global need for skilled cybersecurity talent manifested itself through all the headhunters and recruiting agents that were canvassing Blackhat for talent. All of the above combined clearly illustrates the emerging need for security, and who am I to disagree?

Blackhat and Defcon are events that every IT security professional should experience at some point in their career, because of the bleeding-edge research and disclosures, but also for the opportunity to network and get to know people in the industry.
