LAS VEGAS—For years hackers have been telling us that everything in the digital world is already owned. “No, everything,” is part of a logo for the Smoo Group, for example. But there’s always been small comfort that some technologies are too difficult for hackers to break and therefore safer to use.
The MacIntosh operating system, our carrier-bound wireless phones (in the U.S. anyway), virtual machine-to-host system connections, and sub-layers in the physical hardware are examples of technologies in which I’ve had some level of faith in the past. Not anymore.
In the third and fourth-floor ballrooms at Caesar’s Palace, all of these technologies were shown to be broken during Black Hat 2009 in Las Vegas this week.
All research demonstrated at Black Hat was done so responsibly—specific vulnerabilities have been patched by the technology vendors who where alerted to the problems by the researchers presenting at Black Hat this year. Nevertheless, these harbingers have stripped away any delusion that there is a single technology we could consider “safe” from attacks and abuse.
Imagine, if you will, rampant phishing directly off wireless devices, and the carrier is powerless to protect because the attacks being conducted are invisible to the carrier. This is entirely possible by tricking SMS into buffer overflowing a place in memory to accept remote commands, as demoed on the iPhone by Charlie Miller and Collin Mulliner.
“You’re phone is your most ‘personal’ personal computer,” said John Hering in a followup session. Hering sat on a panel that essentially described how to use similar techniques in the iPhone hack to look for these bugs in all smart phones. The tool they developed is called Fuzzit.
Work like this is taking place ahead of the crime wave that will ultimately follow as more zero day vulnerabilities are discovered by the real criminals that are not part of the ethical research community at Black Hat.
Ahead of the curve research like this offers some comfort. So, too, does the unprecedented cooperation between vendors and researchers this year—a far cry from the Cisco/ISS gaffe against researcher Michael Lynn in 2005.
Still, there’s so much work to be done it’s overwhelming, which was particularly evident during the panel on Washington, in which government, security and privacy experts couldn’t agree on who should handle the cyber security problem or how it should be handled. But it was clear to all that today’s Band Aid solutions to each individual problem will only hold up so long.
Ultimately, this begs the question that was asked more than once at Black Hat: Should we tear up the Internet as we know it and rebuild a backbone structure that starts with security first? Or should we hope that the current model of playing Whack a Mole with patches and standards holds up for our future generations?