August 12, 2019//Tony Howlett
This year’s 27th annual DEFCON security conference (has it really been that long?) saw the continued expansion of the “Villages” which are dedicated areas set-up for the hacking of specialized systems. This year’s debutante was the Aviation Hacking Village. To put it in simpler terms, a whole room full of people working on ways to hack planes.
Why you might ask? In order to educate the manufacturers and the public of the vulnerabilities in these aluminum tubes full of electronic chips and jet fuel that we use to travel long distances at 30,000 feet above the earth. There was also a considerable expansion of the car hacking villages, the voting hacking village, and the medical device hacking villages, which has now been consolidated into an entire multi-room hall called the Bio-Hacking Village.
The villages have always been places to focus efforts on niche or nontraditional computer devices or processes. The long-standing villages, such as lock-pick and social engineering cover a traditional weakness in standard infrastructures, like physical and social. As hackers expanded to nontraditional methods and attack vectors, so did the villages to explore and understand them.
At this year’s CON, there were no fewer than 37 hacking villages with topics as diverse as AI, Bitcoin, and sea-hacking (refers to the hacking of maritime devices i.e. large vessels, like oil tankers, cruise ships even military craft). But the ones that garner the most attention from the broader media tend to be the ones that affect most of our everyday lives. Cars, elections, medical devices, and planes.
To see all these diverse activities while wandering through them and to learn how vulnerable these mission-critical systems really are was both awe and fear-inspiring. You might now fear leaving your house, afraid that maliciously controlled robots are ready to take you out, no matter what mode of transport you took. However, the good news (yes there is good news) is that the companies that make these vehicles and devices are starting to cooperate with the security research community and not only provide sample devices to be examined and looked at, but even sponsoring contests to help them find the bugs now versus letting bad actor hackers do it for them.
The car hacking villages actually had cars provided for car hacker specialists to comb through, ripping open the dash and hood, looking for any poorly written code and exposed interfaces (spoiler alert, there are A LOT of them). Tesla, GM, and Honda have been avid supporters of this joint effort to keep the code in cars safe and secure.
The new-comer to the ball, the Aviation hacking village was very well-organized and I was lucky enough to get a guided tour with some of the other press delegations. The section was being run by a group called Digital Defense Service, which is a public-private partnership with the Pentagon and volunteers from the aviation space, working together to make sure planes are safe from electronic interference or attack. The exhibits showed everything from military applications (clearly an interest of the Pentagon), to commercial passenger jets, and the hundreds of electronic sub-systems that need to be pen tested, both in the cockpit and in the passenger space.
The medical device hacking villages greatly expanded this year and had dozens of devices provided for examination; everything from ER and OR monitoring devices to drug and infusion pumps, and facilities cooling and heating controls. While we all had to sign a release not to disclose any vulnerability found without going through the responsible disclosure process, sponsor companies such as Abbott, Medtronic, BD, ThermoFisher and Siemens are to applauded for committed and engaging with the security community to become more secure.
It was also heartening to see some actual Congress representatives show up both at the election hacking village to see the work going on and giving keynote speeches about what they are doing via legislation and oversight to keep our elections secure. Representative Ted Lieu (D-CA) announced the introduction of the Encrypt Act to rationalize federal encryption standards while admitting that the readiness of the federal government for a large cyberattack was “pretty messed up” right now. But hopefully, with attention from the lawmakers and a lot of effort on the part of companies, we can get our elections, our vehicles, and our medical devices reasonably security from malicious hackers.
Security on the brain? Check out our blog to see which of the remote access solutions is the most secure.