Company continues to break new boundaries
Seattle, USA ― July 30, 2014 ― IOActive, Inc., the leading global provider of hardware, software, and wetware security services, announced today that the company will have six of its top researchers and consultants present their ground-breaking research at the annual Black Hat and DEF CON security conferences. In addition to the talks, the company will also have a tool showcased in the Arsenal section at Black Hat.
The IOActive team will present a total of seven talks at the two events, which take place in Las Vegas during the first week of August.
“Every year the team at IOActive breaks new boundaries with their research, taking information security to the next level and keeping us focussed on tomorrow’s threats,” said Jennifer Steffens, chief executive officer for IOActive. “This year the team raises the bar once again as they develop new exploitation techniques and explore new ways of securing technologies that have an impact on a global scale.”
IOActive has a long history of delivering industry-defining security research at Black Hat and DEF CON. This year IOActive’s team will break new ground in automotive attack surfaces, miniaturisation, SATCOM terminal vulnerabilities, traffic control systems, Windows kernel graphics, and Windows page table shellcode.
In recent years, the company has given progressive presentations covering the latest vulnerabilities associated with automobiles and wireless for Industrial Automation and Control Systems (IACS). These talks have also covered a broad range of other subjects including: RFID access control limitations, critical flaws in global DNS infrastructure, Smart Meter worms, jackpotting ATMs, and breaking semiconductors.
Overview of Briefings at Black Hat
-
A Survey of Remote Automotive Attack Surfaces
By Chris Valasek, director of vehicle security research for IOActive and Charlie Miller, security engineer for Twitter
August 6, 2014 at 11:45
Automotive security concerns have gone from the fringe to the mainstream, with security researchers showing the susceptibility of the modern vehicle to local and remote attacks. A malicious attacker leveraging a remote vulnerability could do anything from enabling a microphone for eavesdropping to turning the steering wheel to disabling the brakes. Unfortunately, research has only been presented on three or four particular vehicles. Each manufacturer designs their fleets differently; therefore, analysis of remote threats must avoid generalities.
This talk takes a step back and examines the automotive network of a large number of different manufacturers. From this larger dataset, we can begin to answer questions like: Are some cars more secure from remote compromise than others? Has automotive network security changed for the better (or worse) in the last five years? What does the future of automotive security hold? How can we protect our vehicles from attack moving forward?
-
Windows Kernel Graphics Driver Attack Surface
By Ilja van Sprundel, director of penetration testing for IOActive
August 6, 2014 at 11:45
Ever wondered about the attack surface of graphics drivers on Windows? Are they similar to other drivers? Do they expose ioctls? In this talk, Ilja will answer all those questions and more. Whether you’re a security researcher, a developer looking for security guidance when writing these drivers, or just curious about driver internals, there’s something here for you. The research presented draws both on C/C++ source code, where available, and on reverse engineering of the drivers.
-
Miniaturisation
By Jason Larsen, principal security consultant for IOActive
August 7, 2014 at 14:15
Too often researchers ignore the hard parts of SCADA hacking. Too many presentations could be summarised as “I got past the SCADA firewall, so I win!!!” Little information is available on what to do after the attacker gains control of the process. Consider the scenario where you control a paint factory. Now what? The answer is often specific to the process, but there are a number of generic techniques that can be discussed, and designing an attack often leads to interesting hacking and computer science challenges.
Miniaturisation is one of those problems. Suppose an attacker wanted to hide in a PLC, or all the way down in a pressure sensor. Is such a thing possible? The attack must be miniaturised to fit within the constraints of the embedded device, possibly into just a few kilobytes of memory. This is an interesting problem.
The sensor has only a few kilobytes of memory, and the attacker has a number of tasks to perform. During the attack he must spoof the original process to keep the operator happy. He must estimate the state of the physical process by extracting artifacts from noisy sensor signals. He must also process those artifacts to extract the constants needed to perform the attack.
To keep the presentation concrete and understandable, Jason will walk through setting up an optimal pressure transient in a chemical piping system (commonly referred to as a water hammer). A set of novel algorithms will be described that would allow someone to pull off such an attack. A variant of “runs analysis” taken from statistics will be used to produce nearly perfect sensor noise without a prior look at the sensor. An algorithm derived from 3D graphics will be used to extract artifacts from noisy sensor data. Finally, scale-free geometry matching techniques will be used to process the artifacts into the time constants needed to pull off the attack.
-
SATCOM Terminals: Hacking by Air, Sea, and Land
By Ruben Santamarta, principal security consultant for IOActive
August 7, 2014 at 15:30
Satellite Communications (SATCOM) play a vital role in the global telecommunications system. We live in a world where data is constantly flowing. It is clear that those who control communications traffic have a distinct advantage. The ability to disrupt, inspect, modify, or re-route traffic provides an invaluable opportunity to carry out attacks.
SATCOM infrastructure can be divided into two major segments, space and ground. Space includes those elements needed to deploy, maintain, track, and control a satellite. Ground includes the infrastructure required to access a satellite repeater from Earth station terminals.
IOActive found that 100% of the devices in scope could be abused. The vulnerabilities uncovered included multiple backdoors, hardcoded credentials, undocumented and/or insecure protocols, and weak encryption algorithms. These vulnerabilities allow remote, unauthenticated attackers to fully compromise the affected products. In certain cases no user interaction is required to exploit the vulnerability: sending a simple SMS or specially crafted message from one ship to another can do it.
Ruben’s presentation will show all the technical details, based mainly on static firmware analysis via reverse engineering, and will include a live demo against two of these systems.
Ships, aircraft, military personnel, emergency services, media services, and industrial facilities (oil rigs, gas pipelines, water treatment plants, wind turbines, substations, etc.) could all be impacted by these vulnerabilities.
Overview of Arsenal at Black Hat
-
Melkor – an ELF File Format Fuzzer
By Alejandro Hernandez, senior security consultant for IOActive
August 7, 2014 at 10:00
Since its adoption as the standard binary file format for *nix systems, a variety of vulnerabilities in ELF parsers have been found and exploited in OS kernels, debuggers, libraries, etc. Most of these flaws were found manually, through code review and binary modification. Nowadays, 15 years later, the same programming mistakes are still being made in the many ELF parsers released every day, whether as debuggers, reverse engineering tools, AV analysers, plugins, or malware (yes, malware has parsers too). This is where ELF file format fuzzing comes into play, to help identify these bugs in an automated fashion.
In this presentation, Alejandro will show the security risks involved in the ELF parsing process as well as the materialisation of those risks, presenting different bugs found during this research. After that, he’ll explain how intelligent file format fuzzing can greatly help the flaw discovery process. With that background on the ELF file format and on how smart fuzzing can help, he’ll continue with a detailed explanation of how he mixed and implemented both concepts in Melkor, an ELF file format fuzzer.
Melkor, written in C, is an intuitive and easy-to-use ELF file format fuzzer. Its fuzzing rules were designed from three inputs: ELF specification violations, programming patterns seen in ELF parsers, and other miscellaneous ideas and considerations. To achieve higher code/branch coverage in the programs under test, certain metadata dependencies must be kept in place; Alejandro will show how Melkor implements these rules when creating malformed ELF files.
At the end of the presentation, the code of Melkor will be released and Alejandro will show how to use it, with live demos in which real-world applications are tested against fuzzed ELF files.
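The three inputs Alejandro lists (specification violations, programming patterns seen in parsers, and metadata dependencies) can be made concrete from the defender's side with a header parser that refuses files that break them. The block below is an added example, not Melkor and not IOActive's code: it builds a constructed 120-byte ELF64 image in memory, checks the header's internal consistency against the ELF64 layout, and shows what a single-field mutation of that header triggers. The problem codes and the helper names `build_minimal_elf` and `with_field` are this example's own.

```python
"""Added example (not Melkor, not IOActive code): a bounds-checked ELF64
header parser that reports the kind of specification violations and
metadata-dependency breaks an ELF fuzzer exercises.  All inputs are
constructed in memory; field names follow the ELF64 specification."""
import struct

ELF_MAGIC = b"\x7fELF"
EHDR_FMT = "<16sHHIQQQIHHHHHH"            # little-endian Elf64_Ehdr
EHDR_SIZE = struct.calcsize(EHDR_FMT)     # 64 bytes by spec
PHDR_SIZE, SHDR_SIZE = 56, 64             # Elf64_Phdr / Elf64_Shdr sizes by spec
FIELDS = ("e_ident", "e_type", "e_machine", "e_version", "e_entry", "e_phoff",
          "e_shoff", "e_flags", "e_ehsize", "e_phentsize", "e_phnum",
          "e_shentsize", "e_shnum", "e_shstrndx")


def parse_ehdr(data):
    """Unpack the header into a dict; raises on a file too short to hold one."""
    if len(data) < EHDR_SIZE:
        raise ValueError("file shorter than an ELF64 header")
    return dict(zip(FIELDS, struct.unpack_from(EHDR_FMT, data, 0)))


def check_ehdr(data):
    """Return a list of problem codes (empty means the header is self-consistent).

    Each check covers a value a naive parser would otherwise use unverified.
    In C, `e_phoff + e_phnum * e_phentsize` can wrap, so a table that looks
    'inside' the file can end outside it; Python integers do not wrap, so
    the arithmetic here is exact."""
    if len(data) < EHDR_SIZE:
        return ["short-file"]
    h = parse_ehdr(data)
    ident = h["e_ident"]
    problems = []
    if ident[:4] != ELF_MAGIC:
        problems.append("bad-magic")
    if ident[4] != 2:                      # EI_CLASS: 2 = ELFCLASS64
        problems.append("not-elf64")
    if ident[5] != 1:                      # EI_DATA: 1 = little-endian (what EHDR_FMT assumes)
        problems.append("not-little-endian")
    if h["e_ehsize"] != EHDR_SIZE:
        problems.append("bad-ehsize")
    # Program header table: count, entry size and offset must agree with the file.
    if h["e_phnum"]:
        if h["e_phentsize"] != PHDR_SIZE:
            problems.append("bad-phentsize")
        end = h["e_phoff"] + h["e_phnum"] * h["e_phentsize"]
        if h["e_phoff"] < EHDR_SIZE or end > len(data):
            problems.append("phdr-table-outside-file")
    # Section header table: same dependencies, plus the string-table index.
    if h["e_shnum"]:
        if h["e_shentsize"] != SHDR_SIZE:
            problems.append("bad-shentsize")
        end = h["e_shoff"] + h["e_shnum"] * h["e_shentsize"]
        if h["e_shoff"] < EHDR_SIZE or end > len(data):
            problems.append("shdr-table-outside-file")
        # SHN_UNDEF (0) is allowed; SHN_XINDEX (0xffff) handling is out of scope here.
        if h["e_shstrndx"] and h["e_shstrndx"] >= h["e_shnum"]:
            problems.append("shstrndx-out-of-range")
    elif h["e_shstrndx"]:
        problems.append("shstrndx-without-sections")
    return problems


def build_minimal_elf():
    """Constructed 120-byte image: valid header + one PT_LOAD program header."""
    ident = ELF_MAGIC + bytes([2, 1, 1]) + bytes(9)   # ELF64, LE, EV_CURRENT, padding
    ehdr = struct.pack(EHDR_FMT, ident, 2, 0x3E, 1, 0x400000, EHDR_SIZE, 0, 0,
                       EHDR_SIZE, PHDR_SIZE, 1, SHDR_SIZE, 0, 0)
    # p_type=PT_LOAD, p_flags=R+X, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, 120, 120, 0x1000)
    return ehdr + phdr


def with_field(data, name, value):
    """Return a copy of `data` with one header field replaced (a one-field mutation)."""
    h = parse_ehdr(data)
    h[name] = value
    return struct.pack(EHDR_FMT, *(h[f] for f in FIELDS)) + data[EHDR_SIZE:]


if __name__ == "__main__":
    good = build_minimal_elf()
    print("clean:", check_ehdr(good))
    for name, value in (("e_phnum", 0xFFFF), ("e_phoff", 2**64 - 8), ("e_shnum", 3)):
        print(name, "=", hex(value), "->", check_ehdr(with_field(good, name, value)))
```

The point of keeping `e_phnum`, `e_phentsize` and `e_phoff` in one check is the metadata dependency the abstract mentions: a mutation of any one of them has to be judged against the other two and the file length, which is exactly where a parser that trusts the header falls over.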
Overview of Briefings at DEF CON
-
Hacking US (and UK, Australia, France, etc.) Traffic Control Systems
By Cesar Cerrudo, chief technology officer for IOActive Labs
August 8, 2014 at 13:00
Cesar recently conducted research involving devices used by traffic control systems in important cities around the world, including in the US, UK, France, Australia, and China. The end result: he was able to hack into and exploit these devices.
In this presentation, Cesar will tell the whole story: how the devices were acquired, the research and onsite tests he conducted, the vulnerabilities he discovered, and how they can be exploited. Cesar will conclude his presentation with demonstrations of cyberwar-style attacks against the vulnerable devices.
-
A Survey of Remote Automotive Attack Surfaces
By Chris Valasek, director of vehicle security research for IOActive and Charlie Miller, security engineer for Twitter
August 9, 2014 at 15:00
Automotive security concerns have gone from the fringe to the mainstream, with security researchers showing the susceptibility of the modern vehicle to local and remote attacks. A malicious attacker leveraging a remote vulnerability could do anything from enabling a microphone for eavesdropping to turning the steering wheel to disabling the brakes. Unfortunately, research has only been presented on three or four particular vehicles. Each manufacturer designs their fleets differently; therefore, analysis of remote threats must avoid generalities.
This talk takes a step back and examines the automotive network of a large number of different manufacturers. From this larger dataset, we can begin to answer questions like: Are some cars more secure from remote compromise than others? Has automotive network security changed for the better (or worse) in the last five years? What does the future of automotive security hold? How can we protect our vehicles from attack moving forward?
-
Weird-machine Motivated Practical Page Table Shellcode, and Finding Out What’s Running on Your System
By Shane Macaulay, director of cloud services for IOActive
August 10, 2014 at 13:00
Shane will provide an overview of a brand new detection technique (and tool) for AMD64 systems that will detect any hidden process. A large class of rootkit-type malware can now be conclusively detected. The current Windows-based detection (of these process-hiding or DKOM-type rootkits) is also applicable cross-platform and will be ported to Linux, FreeBSD, and others. The rootkit is dead!
Windows 7, Server 2008 R2, and earlier kernels contain significant executable regions available for abuse. These regions are great hiding places and more; for example, PTE shellcode can be used from ring 3 to introduce code into ring 0, and rootkits can be hidden with encoded and decoded page table entries.
This session will also show you how to walk a page table, why Windows 8 makes life easier, what to look for, and how to obtain a comprehensive understanding of what code could be hiding or running on your computer.
Shane will conclude the presentation by providing insight on using VMs to fully describe and understand any possible code running on a Windows system.
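As an added illustration of what “walking a page table” and “what to look for” involve on AMD64 (example code written for this page, not Shane's tool and not IOActive's code): the block below splits a 48-bit virtual address into its PML4/PDPT/PD/PT indices, walks a constructed in-memory set of page tables down to the leaf entry, accumulates the effective write/user/NX permissions on the way, and then scans every mapping for pages that are both writable and executable. The memory model, `build_sample_memory`, and every address in it are constructed for the example.

```python
"""Added example (Python, not the tool from the talk): decode an x86-64
virtual address and walk a 4-level page table to find where a page lives
and whether it may execute, then scan the whole table for pages that are
both writable and executable.  Physical memory is a constructed model:
a dict mapping a table's physical address to its 512 64-bit entries."""

ENTRY_MASK = 0x000F_FFFF_FFFF_F000   # bits 12..51: physical frame of next table / page
BIT_PRESENT = 1 << 0
BIT_WRITE = 1 << 1
BIT_USER = 1 << 2
BIT_LARGE = 1 << 7                   # PS: 1 GiB leaf in the PDPT, 2 MiB leaf in the PD
BIT_NX = 1 << 63                     # execute-disable
LEVEL_NAMES = ("PML4", "PDPT", "PD", "PT")
SHIFTS = (39, 30, 21, 12)            # bit position of each level's 9-bit index


def split_va(va):
    """Four 9-bit table indices plus the 12-bit offset within a 4 KiB page."""
    return tuple((va >> s) & 0x1FF for s in SHIFTS) + (va & 0xFFF,)


def canonical(va):
    """Sign-extend a 48-bit VA; kernel-half addresses have bit 47 set."""
    return va | 0xFFFF_0000_0000_0000 if va & (1 << 47) else va


def describe(entry, level, writable, user, nx):
    """Describe a leaf entry: page size, frame base and effective permissions."""
    size = 1 << SHIFTS[level]
    return {"level": LEVEL_NAMES[level], "page_size": size,
            "phys": entry & ENTRY_MASK & ~(size - 1),   # large pages reuse low bits (PAT)
            "writable": writable, "user": user, "executable": not nx}


def walk(phys, cr3, va):
    """Translate one VA: None if any level is not present, else the leaf
    description with the full physical address of `va` filled in."""
    table_pa = cr3 & ENTRY_MASK
    writable, user, nx = True, True, False
    for level, idx in enumerate(split_va(va)[:4]):
        entry = phys[table_pa][idx]
        if not entry & BIT_PRESENT:
            return None
        # W and U must be set at every level; NX at any level disables execution.
        writable &= bool(entry & BIT_WRITE)
        user &= bool(entry & BIT_USER)
        nx |= bool(entry & BIT_NX)
        if level == 3 or (level in (1, 2) and entry & BIT_LARGE):
            info = describe(entry, level, writable, user, nx)
            info["phys"] |= va & (info["page_size"] - 1)
            return info
        table_pa = entry & ENTRY_MASK


def leaf_pages(phys, cr3):
    """Yield (canonical VA, description) for every present leaf mapping under cr3."""
    def rec(table_pa, level, prefix, writable, user, nx):
        for idx, entry in enumerate(phys.get(table_pa, ())):
            if not entry & BIT_PRESENT:
                continue
            va = prefix | (idx << SHIFTS[level])
            w, u = writable and bool(entry & BIT_WRITE), user and bool(entry & BIT_USER)
            x = nx or bool(entry & BIT_NX)
            if level == 3 or (level in (1, 2) and entry & BIT_LARGE):
                yield canonical(va), describe(entry, level, w, u, x)
            else:
                yield from rec(entry & ENTRY_MASK, level + 1, va, w, u, x)
    yield from rec(cr3 & ENTRY_MASK, 0, 0, True, True, False)


def writable_executable_pages(phys, cr3):
    """What to look for: a page that is both writable and executable is never a
    normal code section and deserves a closer look."""
    return [va for va, d in leaf_pages(phys, cr3) if d["writable"] and d["executable"]]


def build_sample_memory():
    """Constructed (hypothetical) page tables: one user-half and one kernel-half subtree."""
    tables = {pa: [0] * 512 for pa in (0x1000, 0x2000, 0x3000, 0x4000, 0x5000, 0x6000, 0x7000)}
    pml4, pdpt, pd, pt = tables[0x1000], tables[0x2000], tables[0x3000], tables[0x4000]
    kpdpt, kpd, kpt = tables[0x5000], tables[0x6000], tables[0x7000]
    RW_U, RW_K = BIT_PRESENT | BIT_WRITE | BIT_USER, BIT_PRESENT | BIT_WRITE
    pml4[0], pdpt[0], pd[0] = 0x2000 | RW_U, 0x3000 | RW_U, 0x4000 | RW_U
    pd[1] = 0x4000_0000 | RW_U | BIT_LARGE | BIT_NX     # 2 MiB data page, no-execute
    pt[0] = 0x10000 | RW_U | BIT_NX                     # stack-like data: RW, NX
    pt[1] = 0x11000 | BIT_PRESENT | BIT_USER            # code: read-only, executable
    pt[2] = 0x12000 | RW_U                              # suspicious: writable and executable
    pml4[511], kpdpt[0], kpd[0] = 0x5000 | RW_K, 0x6000 | RW_K, 0x7000 | RW_K
    kpt[0] = 0x20000 | RW_K                             # kernel page that is W+X
    return tables, 0x1000                               # (memory model, CR3)


if __name__ == "__main__":
    mem, cr3 = build_sample_memory()
    for va in (0x1000, 0x2123, 0x200010, 0x3000, 0xFFFF_FF80_0000_0000):
        print(hex(va), walk(mem, cr3, va))
    print("W+X pages:", [hex(v) for v in writable_executable_pages(mem, cr3)])
```

On a real system the dict would be replaced by reads from a memory image at the physical addresses the entries point to; the walk itself is unchanged. The W+X filter is only the first cut: the next one is to compare every executable page against the ranges of loaded modules, which is the inventory of “what is running” the talk describes.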
IOAsis Vegas
IOActive will host its annual IOAsis Vegas tradeshow sanctuary at the Four Seasons hotel from August 6–7. The IOAsis provides a unique opportunity to have in-depth discussions with IOActive’s top researchers and view hands-on demos of upcoming IOActive Labs research. To RSVP visit: http://ioasislasvegas.eventbrite.com/?aff=PRIOASIS
About IOActive
IOActive is a comprehensive, high-end information security services firm with a long and established track record in delivering elite security services to its customers. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from penetration testing and application code assessment to chip reverse engineering. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, USA, with global operations through the Americas, EMEA, and Asia Pac regions.
-###-