Aug 14, 2019

5 Key Takeaways from Black Hat USA 2019


I attended the Black Hat conference last week and had a chance to listen to many of the security research briefings and walk the show floor. What did I come away with from this year’s conference? Here are my 5 key takeaways.

1. Even more interest in IoT

I know there have been demonstrations of hacks against IoT devices at prior shows, but this year there were more discussions than ever before. There were separate talks about—

  • Attacks against hotel door locks
  • Attacks against electric motors 
  • Attacks against microcontrollers
  • Attacks against industrial sensors in water treatment plants
  • Attacks against jet airplanes
  • Attacks against the hundreds of millions of devices running vulnerable versions of VxWorks (this was Armis’ presentation, by security researchers Ben Seri and Dor Zusman)
  • Attacks against enterprise devices such as VoIP phones, printers, and video decoding machines (this was Microsoft’s presentation).

Microsoft’s presentation expanded upon a blog posted a few days prior by the Microsoft Security Response Center titled “Corporate IoT – a path to intrusion”. Microsoft caught a nation-state actor known as “Strontium” attacking IoT devices in enterprise networks. The attackers were using VoIP phones, printers, and video decoding machines to gain initial access to corporate networks. From there, they would perform network scans to look for other insecure devices and move across the network in search of higher-privileged accounts that would grant access to higher-value data. The diagram below shows the kill chain.

The Microsoft presenter, Eric Doerr, posited that these unmanaged devices were attacked simply because they were the easiest way into the network. The devices had vulnerabilities and/or were misconfigured, and they ran no security agents to alert that they had been compromised.
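The kill chain described above (an unmanaged device with no security agent is compromised, then used to scan the internal network before lateral movement) has a useful defender-side signal: a phone, printer or decoder that normally talks to one or two servers suddenly fans out to many internal hosts and ports. The following is an added example, not code from the original post or from Microsoft's research. It assumes a defender-maintained inventory of unmanaged IoT addresses and flow records in the constructed form `timestamp src_ip dst_ip dst_port`; the inventory, the sample flows, the 60-second window and the threshold of 5 distinct targets are all assumptions chosen for illustration.

```python
"""Flag inventoried IoT devices that start scanning the internal network.

Added example, not from the original post or from Microsoft's research.
Constructed assumptions: IOT_INVENTORY (defender-maintained asset list),
SAMPLE_FLOWS (made-up flow log lines), WINDOW and THRESHOLD values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory: unmanaged devices that run no security agent.
IOT_INVENTORY = {
    "10.0.5.21": "voip-phone",
    "10.0.5.40": "printer",
    "10.0.5.77": "video-decoder",
}

# Constructed flow log, one flow per line: timestamp src dst dst_port.
#  - the printer does its normal job (one print server, port 9100)
#  - the VoIP phone registers with SIP, then probes six hosts in seconds
#  - the video decoder contacts five hosts, but minutes apart (not a scan)
#  - a managed workstation also scans; it is outside this detector's scope
SAMPLE_FLOWS = """\
2019-08-01T09:00:01 10.0.5.40 10.0.1.10 9100
2019-08-01T09:00:05 10.0.5.40 10.0.1.10 9100
2019-08-01T09:01:00 10.0.5.21 10.0.1.5 5060
2019-08-01T09:01:02 10.0.5.21 10.0.2.11 22
2019-08-01T09:01:03 10.0.5.21 10.0.2.12 445
2019-08-01T09:01:04 10.0.5.21 10.0.2.13 445
2019-08-01T09:01:05 10.0.5.21 10.0.2.14 80
2019-08-01T09:01:06 10.0.5.21 10.0.2.15 23
2019-08-01T09:10:00 10.0.5.77 10.0.3.1 443
2019-08-01T09:12:00 10.0.5.77 10.0.3.2 443
2019-08-01T09:14:00 10.0.5.77 10.0.3.3 443
2019-08-01T09:16:00 10.0.5.77 10.0.3.4 443
2019-08-01T09:18:00 10.0.5.77 10.0.3.5 443
2019-08-01T09:20:00 10.0.8.9 10.0.2.11 22
2019-08-01T09:20:01 10.0.8.9 10.0.2.12 22
"""

WINDOW = timedelta(seconds=60)   # assumed sliding window
THRESHOLD = 5                    # assumed distinct (host, port) targets


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, port) tuples, sorted by time."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    flows.sort(key=lambda f: f[0])
    return flows


def detect_iot_scans(flows, inventory=IOT_INVENTORY,
                     window=WINDOW, threshold=THRESHOLD):
    """Return one alert per inventoried device whose flows within any
    `window` reach `threshold` distinct (dst, port) targets."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if src in inventory:              # only unmanaged devices
            by_src[src].append((ts, dst, port))

    alerts = []
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans <= `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {(d, p) for _, d, p in events[start:end + 1]}
            if len(targets) >= threshold:
                alerts.append({
                    "src": src,
                    "device": inventory[src],
                    "distinct_targets": len(targets),
                    "window_start": events[start][0].isoformat(),
                    "window_end": events[end][0].isoformat(),
                })
                break                     # one alert per device is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_iot_scans(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

The inventory filter is what makes the rule cheap: a managed workstation that scans is better handled by its endpoint agent, while a phone or printer has no agent, so network flow data is the only place its behaviour is visible. In practice the threshold should be tuned per device class, since a video decoder legitimately polling a handful of servers must not trip the same rule as a phone probing SSH and SMB on a dozen hosts.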

Later that day, Armis’ presentation on URGENT/11 was attended by hundreds of people. In the session, Armis researchers Ben Seri and Dor Zusman demonstrated how a patient monitor running VxWorks could be easily compromised. While Ben was wearing the pulse monitor clipped to his finger, Dor was able to make the patient monitor show that Ben’s heart had stopped. 

2. Cloudy weather, Cloudy security

Besides the fact that it rained one day during the show (an extremely rare event in Las Vegas in August), there were clouds everywhere on the show floor. This broke down into two forms of cloudiness:

  • Security in the cloud. Some vendors want you to know that they have moved some portions of their security product from on-premises to the cloud. In one booth, the vendor had a total of twelve signs ensuring that you knew their endpoint protection product is now “cloud-native”.
  • Security of the cloud. Other vendors want to be sure you know that they help you secure your cloud environments. I could not find any new forms of security related to cloud environments, just new forms of marketing. For example, one vendor announced that they are “Securing the Cloud Generation”.  I wonder if this has anything to do with the “Pepsi generation”?

3. More automation, more integration

From the keynote speaker on Wednesday morning (Dino Dai Zovi) to the trade show floor, I saw and heard more emphasis this year on integration and automation. I honestly believe that security vendors have finally learned that standalone products that operate as silos are not what enterprises want to buy. Vendors are beginning to think more holistically. There is more information sharing between vendors and more integration of different data types and sources. We might have DevOps to thank for some of this change. Indeed, DevSecOps seems to now be firmly entrenched as a thing. It was mentioned by the keynote speaker, and there were two excellent presentations about helping security to “shift left” into the DevOps workflow. 

4. Does security research matter?

The understanding of the value brought forth by the research community still appears to vary wildly among technology companies. Some companies place great value on the role that researchers play and the impact they have on preventing the exploitation of unknown vulnerabilities. For example:

  • Microsoft clearly embraces the research community. They announced and celebrated those researchers who contributed the most in relation to Microsoft vulnerability and 0-day reports.  
  • Similarly, Apple announced that bug bounties have been extended to macOS, tvOS, watchOS, and iCloud products and services. And, they increased the maximum payout to $1 million. Wow.

But on the other side, some companies don’t seem to care much. For example:

  • Valve, the creator of the 100-million-user digital video game marketplace “Steam”, dismissed researchers and refused to fix the 0-day privilege escalation vulnerabilities that researchers found in the gaming platform.
  • The makers of WhatsApp have fixed only one of three vulnerabilities that Check Point researchers disclosed at last year’s Black Hat conference. The vulnerabilities allow attackers to change users’ chat messages, make private messages public, and change sender identities.

My belief is that security researchers are one of the most powerful tools that we have in the fight against nation-state attacks in particular.

5. Bigger crowds

The growth of the show seems to be commensurate with the growth of everything else in the world of security. The exact number of attendees has not been announced, but the crowds definitely seemed bigger than last year. Queues for elevators and escalators were sometimes 5 minutes long—the first time I’ve seen such a thing. 

Getting from one place to another was aided by a large number of “shouters”—people who are paid to shout instructions at the moving crowd, such as “Turn left for South Seas! Turn right for registration!” I really appreciated the hard work those people did. 

I did not see any evidence of grasshoppers. Before the show, there were reports that Las Vegas had been overrun by grasshoppers. I didn’t see even one.

Were you at Black Hat?  I’d love to hear your thoughts about the conference. Drop a note to [email protected]
