By Jack Marsal, Senior Director of Product Marketing
I attended the Black Hat conference last week and had a chance to listen to many of the security research briefings and walk the show floor. What did I come away with from this year's conference? Here are my five key takeaways.
1. Even more interest in IoT
I know there have been demonstrations of hacks against IoT devices at prior shows, but this year there were more discussions than ever before. There were separate talks about—
- Attacks against hotel door locks
- Attacks against electric motors
- Attacks against microcontrollers
- Attacks against industrial sensors in water treatment plants
- Attacks against jet airplanes
- Attacks against the hundreds of millions of devices running vulnerable versions of VxWorks (this was Armis’ presentation, by security researchers Ben Seri and Dor Zusman)
- Attacks against enterprise devices such as VoIP phones, printers, and video decoding machines (this was Microsoft’s presentation).
Later that day, Armis' presentation on URGENT/11 was attended by hundreds of people. In the session, Seri and Zusman demonstrated how a patient monitor running VxWorks could be easily compromised: while Ben was wearing the pulse monitor clipped to his finger, Dor was able to make the patient monitor show that Ben's heart had stopped.
2. Cloudy weather, Cloudy security
Besides the fact that it rained one day during the show (an extremely rare event in Las Vegas in August), there were clouds everywhere on the show floor. This broke down into two forms of cloudiness:
- Security in the cloud. Some vendors want you to know that they have moved some portions of their security product from on-premises to the cloud. In one booth, the vendor had a total of twelve signs ensuring that you knew their endpoint protection product is now “cloud-native”.
- Security of the cloud. Other vendors want to be sure you know that they help you secure your cloud environments. I could not find any new forms of security related to cloud environments, just new forms of marketing. For example, one vendor announced that they are “Securing the Cloud Generation”. I wonder if this has anything to do with the “Pepsi generation”?
3. More automation, more integration
From the keynote speaker on Wednesday morning (Dino Dai Zovi) to the trade show floor, I saw and heard more emphasis this year on integration and automation. I honestly believe that security vendors have finally learned that standalone products that operate as silos are not what enterprises want to buy. Vendors are beginning to think more holistically. There is more information sharing between vendors and more integration of different data types and sources. We might have DevOps to thank for some of this change. Indeed, DevSecOps now seems to be firmly entrenched as a thing. It was mentioned by the keynote speaker, and there were two excellent presentations about helping security to "shift left" into the DevOps workflow.
4. Does security research matter?
Technology companies still appear to vary wildly in how much they value the research community. Some companies place great value on the role that researchers play and on the impact they have in preventing the exploitation of previously unknown vulnerabilities. For example:
- Microsoft clearly embraces the research community. They announced and celebrated the researchers who had contributed the most vulnerability and 0-day reports to Microsoft over the past year.
- Similarly, Apple announced that bug bounties have been extended to macOS, tvOS, watchOS, and iCloud products and services. And, they increased the maximum payout to $1 million. Wow.
But on the other side, some companies don’t seem to care much. For example:
- Valve, the creator of the 100-million-user digital video game marketplace "Steam", dismissed researchers and refused to fix the 0-day privilege escalation vulnerabilities that researchers found in the gaming platform.
- The makers of WhatsApp have fixed only one of three vulnerabilities that Check Point researchers disclosed at last year’s Black Hat conference. The vulnerabilities allow attackers to change users’ chat messages, make private messages public, and change sender identities.
My belief is that security researchers are one of the most powerful tools that we have in the fight against nation-state attacks in particular.
5. Bigger crowds
The growth of the show seems to be commensurate with the growth of everything else in the world of security. The exact number of attendees has not been announced, but the crowds definitely seemed bigger than last year. Queues for elevators and escalators were sometimes 5 minutes long—the first time I’ve seen such a thing.
I did not see any evidence of grasshoppers. Before the show, there were reports that Las Vegas had been overrun by grasshoppers. I didn’t see even one.
Were you at Black Hat? I’d love to hear your thoughts about the conference. Drop a note to firstname.lastname@example.org.