We’re all doomed, 2019 edition

Every year the great and good (and bad) of the hacker/information-security world descend on Las Vegas for a week of conferences, in which many present their latest discoveries, and every year I try to itemize the most interesting (according to me) Black Hat talks for TechCrunch. Do not assume I attended all or even most of these. There are far too many for anyone to attend. But hopefully they’ll give you a sense of the state of the art.

First, though, let me just note that this post title is intended as sardonic. Yes, there is a lot of sloppy software out there, and yes, a lot of smart people keep finding holes, bugs, exploits, and design flaws even in good software, but we are not actually all doomed, and the belief that we are, and that anything connected to the Internet can be and probably has been hacked — an attitude which I like to call “security nihilism” — is spectacularly counterproductive.

In truth there is a lot of extremely good security out there, especially amid the big tech companies, and it keeps getting better, as the market for 0-days (previously undiscovered exploits) indicates. Most (though certainly not all) of the exploits below have already been reported and fixed, and patches have been rolled out. That said, much of the world has a lot of work to do to catch up with, say, Apple and Google’s security teams. Without further ado, the best-sounding talks of 2019:

Liveness Detection Hacking, from Tencent’s Xuanwu Security Lab, discusses how to trick “liveness” detectors for face or voice ID (or, perhaps, cryptocurrency KYC) by injecting fake video or audio streams or, better yet, by using ordinary glasses with ordinary tape attached, which, best of all, they have named X-glasses.

All the 4G Modules Could Be Hacked, from Baidu’s Security Lab, recounts the researchers’ investigation of 4G modules for IoT devices — the components which connect machines to the Internet via cell networks, basically. As their summary memorably puts it, “We carried out this initiative and tested all the major brand 4G modules in the market (more than 15 different types). The results show all of them have similar vulnerabilities” and ends with the equally memorable “how to use these vulnerabilities to attack car entertainment systems of various brands and get remote control of cars.” Extra points for the slide with ‘Build Zombie cars (just like Furious 8)’, too.

Arm IDA and Cross Check: Reversing the Boeing 787’s Core Network by Ruben Santamarta of IOActive talks about how, after discovering an accidentally public directory of sensitive Boeing information online(!), Santamarta developed a chain of exploits that could conceivably lead from the Internet to the “Common Data Network” of a 787. Boeing strongly disputes this.

I have considerable respect for Santamarta, whose work I’ve written about before, and as he put it: “Boeing communicated to IOActive that there are certain built-in compiler-level mitigations [author’s note: !!] that, in their point of view, prevent these vulnerabilities from being successfully exploited. IOActive was unable to locate or validate the existence of those mitigations in the CIS/MS firmware version we analyzed. When asked, Boeing declined to answer whether these mitigations might have been added on a later version … We hope that a determined, highly capable third party can safely confirm that these vulnerabilities are not exploitable … We are confident owners and operators of these aircraft would welcome such independent validation and verification.” Indeed. But hey, if you can’t trust Boeing, who can you trust, right?

Reverse Engineering WhatsApp Encryption for Chat Manipulation, from researchers at Check Point Software, described how to abuse WhatsApp group chat to put words into others’ mouths, albeit only in quote texts, and send private messages which look like group-chat messages. (Note however that this is post-decryption, so you have to already be a legitimate member of the chat.)

In Behind the scenes of iOS and Mac Security, Ivan Krstić, Apple’s Head of Security Engineering, publicly spoke about Apple security. That’s remarkable enough right there! In particular, it’s worth noting his exegesis of how Find My works while preserving privacy, and that Apple is going to start to offer rooted iPhones to security researchers.

Simultaneously, an organization almost as devoted to secrecy as Apple revealed more about their security practices too. Kudos! I refer of course to the NSA, who came onstage to discuss their reverse-engineering framework Ghidra, and how it came to be open-sourced.

In Critical Zero Days Remotely Compromise the Most Popular Real-Time OS, researchers from Armis Security explained how VxWorks, a real-time OS you’ve never heard of but which runs on over 2 billion machines including aircraft, medical devices, industrial control systems, and spacecraft, also boasts vulnerabilities in esoteric corners of its TCP/IP stack that could lead to remote code execution. So that’s not good.

Finally, in Exploring the New World: Remote Exploitation of SQLite and Curl, Tencent’s Blade Team (yes, Chinese researchers have been absolutely killing it this year) showed how we actually are all doomed. I kid, I kid. But while you’ve probably never heard of them, SQLite and Curl are two absolutely fundamental software components — an incredibly widely used compact single-file database and a command-line networking tool, respectively — and the team used an exploit of the former to successfully attack Google Home remotely, and an exploit of the latter to attack curl clients such as PHP/Apache as well as Git. Ouch.