Mobile, web security will be major topics at Black Hat
Security researchers are expected to disclose new vulnerabilities in near field communication (NFC), mobile baseband firmware, HTML5 and Web application firewalls next week at the Black Hat USA 2012 security conference.
Marking its 15th year, thousands of security enthusiasts and IT professionals flock to the annual Las Vegas conference to watch some of the industry’s top researchers present their latest findings.
With the rise of smartphones during the last few years, mobile technologies have become a major focus of security research—and for good reason. Many of today’s mobile phones are actually mini computers that store a wealth of sensitive data and this makes them attractive targets for attackers.
Some smartphone vendors have implemented NFC technology to enable contactless mobile payments. Users only have to wave their phones over NFC-capable devices to complete a transaction.
Renowned Apple hacker Charlie Miller, who works as a principal research consultant at security consulting firm Accuvant, has investigated the security of current NFC implementations and found ways in which the technology could be abused to force some mobile phones to parse files and open Web pages without user approval.
In some cases, attackers can take complete control of the phone through NFC, enabling them to steal photos and contacts, send text messages and make calls. Miller will present his findings in what is probably one of the most anticipated talks at this year’s U.S. edition of the conference.
In another mobile security presentation, University of Luxembourg researcher Ralf-Philipp Weinmann will discuss attacks against baseband processors—the phone microprocessors responsible for communicating with cellular networks.
Last year, Weinmann demonstrated how vulnerabilities in the firmware of baseband processors can be exploited to turn mobile phones into remote spying devices after tricking them into communicating with a rogue GSM base station—a scaled-down version of a cell phone tower. The base station had been set up using off-the-shelf hardware and open source software.
This year, Weinmann plans to show that rogue base stations are not even necessary to pull off such attacks, because some baseband vulnerabilities can be exploited over IP-based (Internet Protocol) connections.
If some components of the carrier network are configured in a certain way, a large number of smartphones can be attacked simultaneously, Weinmann said in the description of his presentation.
Mobile malware is viewed as a growing threat, particularly on the Android platform. To protect Android users and prevent malicious applications from being uploaded to Google Play, Google created an automated malware scanning service called Bouncer.
At Black Hat, Nicholas Percoco and Sean Schulte, security researchers from Trustwave, will reveal a technique that allowed them to evade Bouncer’s detection and keep a malicious app on Google Play for several weeks.
The initial app uploaded to Google Play was benign, but subsequent updates added malicious functionality to it, Percoco said. The end result was an app capable of stealing photos and contacts, forcing phones to visit websites and even launch denial-of-service attacks.
Percoco would not discuss the technique in detail ahead of the Black Hat presentation, but noted that it doesn’t require any user interaction. The malicious app is no longer available for download on Google Play and no users were affected during the tests, Percoco said.
Web attacks and vulnerabilities in new Web technologies will also be the subject of several Black Hat presentations this year.
Cybercriminals are increasingly relying on so-called drive-by download attacks to infect computers with malware by exploiting known vulnerabilities in widespread browser plug-ins like Java, Flash Player or Adobe Reader.
Jason Jones, a security researcher with HP DVLabs, Hewlett-Packard’s vulnerability research arm, is scheduled to present an analysis of some of the most commonly used Web exploit toolkits, like Blackhole or Phoenix.
Some of the trends observed by Jones in Web exploit toolkit development this year include an increased reliance on Java exploits and faster integration of exploits for new vulnerabilities.
In the past, Web exploit toolkits targeted vulnerabilities for which patches had been available for over six months or even a year. However, their creators are now integrating exploits for vulnerabilities that are a couple of months old or even unpatched by vendors, Jones said.
As far as website defenses go, webmasters use Web application firewalls (WAFs) to detect and block known attack techniques like SQL injection, directory traversal and others.
Ivan Ristic, director of engineering at security vendor Qualys and the original author of the popular ModSecurity Web application firewall, will discuss protocol-level evasion techniques that could allow attackers to bypass WAFs.
Ristic will release a tool containing around 150 tests that can be used to determine if a Web application firewall is vulnerable to the evasion techniques he developed and researched.
Ristic hopes that website administrators will use the tool to test their WAF products and report whatever vulnerabilities they find to vendors. The tool’s goal is not to empower attackers, but to spark a more open discussion about protocol-level evasion between WAF vendors, their customers and security researchers, Ristic said.
The security of new Web technologies, like those found in HTML5—a standard that empowers developers to build innovative Web apps and services—will also be discussed at Black Hat, which happens on Wednesday and Thursday.
Shreeraj Shah, founder of application security vendor Blueinfy, will have a presentation about how HTML5 technologies can enable stealth attacks and silent exploits.
In addition, Qualys software engineers Sergey Shekyan and Vaagn Toukharian will discuss possible attacks scenarios with WebSockets, an HTML5 technology that enhances communication capabilities between browsers and Web servers.
One of the biggest problems with WebSockets is that most firewalls and network-layer security systems are not capable of inspecting such traffic at the moment, Shekyan and Toukharian said. This means that information stealing malware can use WebSockets to communicate with its command and control servers without being detected.
In addition to mobile and Web security, Black Hat presentations will also cover security issues and attack techniques affecting industrial control systems, smart meters and embedded devices.