August 16, 2019 By Jasmine Henry

As Black Hat USA and DEF CON 2019 draw to a close, the security industry continues to buzz over events from the annual Las Vegas security week. Each year, nearly 20,000 security professionals, researchers and hackers convene on the Las Vegas strip for a week of cutting-edge security trainings, sessions and research. Black Hat and DEF CON sessions served up a shocking number of internet of things (IoT) vulnerabilities and research on security best practices.

Whether you were on the ground on the Las Vegas strip or unable to attend, the biggest stories from these conferences can offer important security takeaways for the enterprise. Here are seven can’t-miss cybersecurity lessons from Vegas security week.

1. Cyberthreats in Your Mailroom

It’s true, the latest threat could be lurking in your mailroom. IBM X-Force Red explored how cybercriminals might exploit the era of next-day delivery by demonstrating a technique they named “warshipping.” Global Head of X-Force Red Charles Henderson explained how his team “investigated how cybercriminals might seek to exploit package deliveries to hack into corporate or personal home networks right from the office mailroom or from someone’s front door.”

Researchers spent less than $100 on off-the-shelf components to build a 3G, remote-enabled, single-board computer device that can be tucked into the bottom of packaging and delivered straight to a victim’s mailroom. When the device arrives, it can be remotely controlled to obtain a target’s wireless access, including hash data that can be remotely cracked.

Henderson advised businesses and individuals to “treat packages like they would a visitor” and consider using scanning devices for malicious tech-enabled devices in large corporate mailrooms.

2. Zero-Interaction Mobile Hacks

It’s now possible for cybercriminals to worm their way into a mobile device without actually interacting with the victim. In a presentation titled “Look No Hands! The Remote, Interaction-Less Attack Surface of the iPhone,” security engineer Natalie Silvanovich demonstrated fully remote, zero-interaction methods to hack iOS through SMS, MMS, Visual Voicemail, iMessage and Apple Mail. In other words, vulnerabilities in iOS 12.3 or older allow hackers to take control of an iPhone without the victim interacting with a malicious text message. Mobile devices compromised through these interactionless methods provide no signs to a victim that the device was hacked.

These critical flaws highlight the importance of updating all Apple mobile devices to iOS 12.4 immediately, whether your device is corporate or private. For enterprise security professionals, the era of interactionless, remote hacks is a clear sign to take control of your corporate mobile fleet and gain the ability to deploy OS updates as soon as they’re available.

3. Spoofed Satellite Navigation

At Black Hat USA, Victor Murray presented “Legal GNSS Spoofing and Its Effects on Self-Driving Vehicles,” showing how global navigation system data can be spoofed to cause self-driving cars to stop, change directions or veer off the road. Murray spoofed global navigation data from the Global Navigation Satellite System (GNSS), revealing critical vulnerabilities in GPS navigation systems.

Murray explained in an interview that GNSS signals are low-power, and it’s not difficult to drown out GNSS broadcasts with fake data sets. GPS receivers lack built-in integrity mechanisms that can protect against such spoofing.

While this flashy hack may seem to have little impact on those who don’t own a self-driving car, Murray’s methods align with adversarial machine learning techniques. Cybercriminals can attempt to poison or flood legitimate data sets used for machine learning in the enterprise with fake data streams.

4. Vulnerabilities in Biometric Authentication

There was no shortage of biometric hack demonstrations during Vegas security week, including a presentation titled “Biometric Authentication Under Threat: Liveness Detection Hacking.” Researchers showed that it is possible to bypass authentication methods such as Face ID by simply putting a pair of eyeglasses modified with tape on the lenses over a victim’s face.

This hack is remarkably low-cost, but not exactly a widespread threat. To successfully use this tactic, a hacker would need to find a sleeping or unconscious victim and place the glasses without the victim noticing. While it’s likely not a meaningful risk to your enterprise, it’s a clear example of potential authentication vulnerabilities. If you don’t know weaknesses in your biometric systems, you could be at risk of spoofing.

5. Fake iPhone Cables

The security researcher known as MG, or Mike Grover, demonstrated a look-alike Lightning cable at DEF CON. The cable is a perfect doppelganger for an Apple device charger, but if plugged in, it can be used to hijack a smartphone or PC. The O.MG cable “looks like a legitimate cable, and works just like one. Not even your computer will notice a difference,” MG told Motherboard.

However, hackers can hijack the cable and device at will from a remote location due to an operating system flaw that detects cable inputs as a human interface device (HID). MG’s prototype isn’t widely available, thankfully, but he believes cable hacks that enable cybercriminals to remotely launch malware could be an underexplored area of security.

6. Smart Hotel Hacks

Black Hat USA researchers demonstrated a vulnerability in a popular IoT smart lock that is used in high-end European hotels. Increasingly, hospitality chains are switching from key cards to mobile-enabled IoT locks, which allow guests to unlock their rooms via a smartphone app. These smart locks rely on communication via Bluetooth Low Energy (BLE), which is common for IoT devices. Researchers used wireless sniffing to identify the lock system’s credential packet and gained access to hotel rooms.

The researchers provided limited information on which hotel chains were still using the vulnerable locks, highlighting challenges white-hat researchers face in the disclosure process. When it comes to IoT device vulnerabilities, there’s a need for researchers to disclose issues to vendors, manufacturers and, in some cases, end users. Community and cooperation were major themes during Vegas security week, and it’s clear that protecting your organization against IoT threats could require stronger cooperation with researchers, vendors and third-party security experts.

7. Stingray Surveillance

5G has arrived, but it’s not perfect. Researchers demonstrated flaws in the new mobile 5G standard, which was designed to stop the use of surveillance devices known as stingrays. Stingray devices are used to intercept phone calls or track the movements of mobile devices by creating fake cell towers that are indistinguishable from actual cell towers. A critical vulnerability in 5G implementations by mobile carriers allows a device’s network connection to be downgraded to vulnerable 4G or 3G connections.

There’s an active effort to close this gap in 5G implementations, but the lesson is clear. There’s no such thing as a silver bullet in security, and new standards are rarely perfect.

Cybersecurity Lessons From Vegas Security Week

IoT vulnerabilities were among the most shocking stories from Black Hat USA and other events during Vegas security week. As we consider potential risks lurking in the mailroom or interaction-less mobile vulnerabilities, it’s clear that endpoint visibility is key to surviving the threat vector. Understanding what’s on your network is key to protecting against critical vulnerabilities in both IoT and mobile endpoints.
