clock menu more-arrow no yes

The Internet of (insecure) Things and other inside observations from the Black Hat hackers conference

It doesn’t feel like we’re quite ready for all this stuff to be connected yet.

Attendees line up for credentials at the 2016 Black Hat hackers conference at the Mandalay Bay Resort & Casino, Las Vegas.
Black Hat Briefings & Training / Flickr

The annual Black Hat hackers conference returned to Las Vegas last week, and was bigger than ever, with attendance up as much as 30 percent, according to the show’s organizers. This year’s attendees were an eclectic bunch, running the gamut from cyberpunks to IT security management suits. At the risk of finding myself on the bandwagon of bemoaning how "commercial" the conference has become — more speakers came from IT vendor, and there werere a lot more golf shirts, with decidedly fewer piercings, mohawks and tattoos — it certainly did feel like a lot has changed since I attended my first Black Hat 10 years ago.

It doesn’t feel like we’re quite ready for all this stuff to be connected yet.

Even so, I suppose it’s what hasn’t changed that’s really worth remarking on: Despite the presence of more and more "corporate types" — and, yes, I am one of those — the conference remains true to its mission, and continues to attract many talented security professionals (that’s the nom de guerre du jour, isn’t it?) presenting talks on on a wide range of topics. Even if the minutiae of cyber-security insurance feel a little too "suit-and-tie," it’s still possible to roll up the sleeves of your hoodie and get down in the guts of crypto, hypervisors, memory heaps and more.

I wish I could have taken in more of the presentations, but in my path through the conference I encountered a few topics that appeared consistently:

Car Hacking

This has been a theme at security conferences for a couple of years, and the safety and security of increasingly computerized and autonomous cars has been making some big headlines recently. The sexiest car hack this year was fairly spectacular, in that it allowed almost total control of the vehicle in question, with the caveat that it required physical access to the diagnostic port. Insofar as cyber security is the 21st century equivalent of seat belts and airbags, and the automotive industry has a vested interest in safety and reliability of its products, this area highlights the best type of engagement between the security community and original equipment manufacturers (OEMs).

Cloud (Read: AWS)

The promises of the cloud for redefining IT and facilitating business transformation are many and compelling: Better performance and reliability, more agility — the list goes on and on. Along with all this promise come a few pitfalls, some old and some new.

If there are common threads in our adoption of any new technology, they would most likely be:

  • We often adopt it before we fully understand the security implications.
  • Our bad habits from legacy technologies are highly portable.
  • We don’t avail ourselves of the new and/or improved security capabilities that are part and parcel of new technology.

This year’s presentations suggested that cloud is no exception. In many ways, cloud bears a resemblance to our existing data centers. In order to prevent the risks from outweighing or overshadowing the benefits, it is critical to understand the ways in which cloud is different, with particular attention to security capabilities available directly from cloud providers. The reality is that there are robust security features and tools already built in to most cloud platforms, but an apparent lack of corresponding good practices, something we must overcome to safely embrace this new form of computing.

The Human Element

It should come as no surprise that wetware (our pet term for "people") is still one of the leading attack vectors and the easiest to reliably exploit. There were no earth-shattering revelations here, only the reminder that people, process and technology often break in roughly equal measure but some combination of the three typically yields the most successful recipe for a breach. The subtext is that an average user’s increased comfort with technology is not the same as understanding what is happening behind the scenes. The path forward is two-pronged: More and better education coupled with better security UX so that users know what (and what not) to do, and doing it isn’t punishingly complicated.

Internet of (Insecure) Things

To repurpose a line from one of my favorite comedians, Patton Oswalt: "[Technology] we’re all about coulda, not shoulda" which in this context means the ubiquity of Ethernet or Wi-Fi in common household objects (e.g., light bulbs). Much has been made of the lack of security in many internet-enabled consumer products. It’s unclear just how serious a problem this will become, but what is clear is that time-to-market — and not security —- is the overriding concern for these products. It’s also clear that bad actors are devoting a great deal of time and energy to finding exploitable vulnerabilities, whether these devices are ultimately the target or simply a position from which to pivot from and attack other, higher-value targets. In any case, it doesn’t feel like we’re quite ready for all this stuff to be connected yet. Exploitable vulnerabilities on isolated devices (i.e., not connected to a network) have limited attack vectors and, therefore, limited utility. It also seems like we’re reluctant to acknowledge the inherent risk that all this connectivity creates.

Machine Learning

I, for one, welcome our new robot overlords. Partly because they aren’t cranking out T-800s to exterminate us, but mostly because, right now, it appears that they offer some promise for helping us identify and thwart emerging threats. While the true utility of "deep learning" in the context of security remains to be seen, better tools for doing the heavy lifting of identifying the patterns in attacks or isolating polymorphic malware are definitely a requirement if we’re going to have any hope of successfully defending against the continually evolving tactics of bad actors.

Mobile Security

Perhaps nearest and dearest to my heart, the state of mobile security is frequently one of the most maligned topics discussed at security conferences. At Black Hat this year, it was, by turns, the subject of very practical discussions and purely theoretical (and occasionally misleading) exercises. The result: Some aspects of mobile security aren’t nearly as dire as we may have been led to believe while some are much, much worse.

Closing Thoughts

Throughout the event, I kept thinking back to a keynote given by Chris Roberts at another hacker conference late last year. In it, he noted that, as security professionals, we talk a lot about problems and not enough about solutions. He then posited that we have a responsibility to go beyond simply identifying the problem, and suggested that we should also fix it if it is within our power to do so.

That theme was similar to a message delivered by Robert Stephenson Smyth Baden-Powell in his farewell letter to the Boy Scouts: " ... leave this world a little better than you found it."

And that, frankly, is where it feels like we may be coming up short. Black Hat was a cavalcade of creativity and inventiveness with regard to breaking things, but too many presentations ended without a proposal for how to fix them or, better still, a way to prevent the problems they’d identified in the first place. While the "gotcha" moments are certainly the most fun and exciting, as an industry we need to be more concerned with creating less opportunity for those gotchas to occur and, if or when they do, how we go about fixing them.


James Plouffe has worked in networking and IT security for more than 15 years, in organizations ranging from startups to the Global 10. He is a lead solutions architect with MobileIron, and a technical consultant for the award-winning hacker drama "Mr. Robot." Reach him @MOBLAgentP.

This article originally appeared on Recode.net.

Sign up for the newsletter Sign up for The Weeds

Get our essential policy newsletter delivered Fridays.