Blackhat EU - The Virtual Edition
Well, we are still here: we've baked more sourdough than any country needs, we've got the craziest hairstyles, and somehow we've made Bezos even richer by doing nothing but buying things online that we don't really need. But what else was there to do?
The good thing is that the research community didn't spend its time baking; well, they did, but with gray matter rather than yeast, and whoa boy, did we see some amazing security research being submitted.
On Wednesday, Blackhat EU will start, and, in what is now very much a tradition with me, here's my list of the talks that got me truly excited and why I think they should excite you too.
First up, two amazing keynotes, and I really mean this; I'm not just saying it.
I think we can all admit that hacking governments, disrupting the democratic process, and generally being a nuisance has been the news at 6 for a while now. It's a huge problem, and this is why I can't wait to hear Pete Cooper, who works in government and is responsible for possibly one of its hardest tasks, explain the hows and whys of the issues we face.
Then Andrew "bunnie" Huang, a researcher who is a HUGE influence on me, and also a damn good chap, will be talking about a subject that's close to my heart and really important: trust in hardware.
Hardware security is very hard, and in recent years it took a back seat to all things fancy in software security, but as we've seen in the last 18 months, attacking hardware has become very much en vogue, and it brings us back to how we trust the devices we use on a regular basis. This will be the top talk for me and I can't wait.
A lot of people ask whether we pick certain topics or subjects during the review process, and the short answer is no. What often happens is that the industry shapes research directions, and we, the review board, try to pick the best talks submitted (of which there are many).
Ransomware is one of those topics that really grips our world. Ransomware is a huge problem, it isn't going away, and if anything, the groups are more confident than ever before. If we look at REvil (a ransomware group) offering millions of dollars as part of a recruitment drive and earning hundreds of millions from campaigns, you start to see how attractive this corner of criminality is.
Mitchell and Tom are looking at the evolving maturity of such operations, and this talk grabbed me as it's one many need to watch. From profit-sharing schemes with those who can sell access to other operators, to the ease with which campaigns operate, this will be of interest to all.
Who doesn't want a new Apple M1 device? Apple has truly done something amazing with the M1 chip from a speed and battery-life perspective, and in a way, ARM has really shown progress against the old guard (Intel).
The R&D that has gone into dynamic binary translation technology (in Apple's case, Rosetta 2) enables ARM-based products to run software built for Intel x86 CPUs. What Ko and Hiromitsu have found is that, in the case of Windows 10, the x86 emulation function is vulnerable to a new code injection technique made possible by abusing the XTA cache file process. This research fascinates me: the race between ARM and Intel is heating up, and as more customers demand faster, leaner, more efficient machines, the translation work needed to get x86 code running on ARM will see a lot more issues pop up.
Now the Internet of Things, the annual kicking target of many a researcher and, in past years, deservedly so. However, the amazing team over at Limited Results have taken a different approach and looked at the beating heart of most IoT devices today: the Nordic nRF52 System-on-Chips (SoCs) that use ARM Cortex CPUs. What's cool about these chips is that they use a feature called APPROTECT, which stops prying eyes from dumping code. Turns out it's not foolproof, and they've found a way to do just that.
What I found amazing about this research is how hard this is to patch (you can't, without redesigning the silicon) and how it impacts trust in the device (see bunnie's talk above). This is the research I live and breathe for.
Next up, our favorite North Korea topic.
Jason and Josh's talk appeals to me a lot. It's not about malware or anything like that, but about how Kim built the best hacking team we've ever seen, with very little experience in doing so and a small investment. Usually, when we hear a talk about Kim and co, it's about the malware and TTPs and so on, but this one takes a step back and looks at the organisational structure and the struggles faced, and, believe it or not, I feel a lot of attendees could learn a great deal from this talk about how they too might build very capable Blue/Red teams.
The hardest task in IT is getting a printer to work; it's a fact. But now Rancho has shown that just because the technology is old, it doesn't mean all the bugs have been found. In his research, he found a flaw in the Windows 10 print driver, and the talk covers the journey taken to create a fuzzer to aid discovery. I'm a sucker for a research journey and old bugs, so yes, please!
Now PDFs: everyone uses them, Adobe really struggles to write secure code to make them work, and now Gareth Heyes has gone and found a truly beautiful flaw that could allow someone to exfiltrate data by means of XSS, yes, XSS within the bounds of a PDF document.
The PortSwigger team are truly something else.
I get inundated by vendors trying to push their latest and greatest SAST/DAST tool that leverages AI and ML and can find all the bugs, but most fail miserably when you start to really tear them apart and use real bugs in code to see how they find them.
What Bas and Kevin from GitHub have done is the same as we do, but at scale. They took every major security vulnerability out there, tagged with its CVE identifier and metadata, and then looked at how well the SAST tools found the bugs. And find bugs they did, and they will be releasing the benchmarking dataset and tooling for all to use.
This is a huge thing as it means we get to keep vendors honest, and in my experience this is really needed, so I can't wait for this.
It's funny: we assume that bugs found today are in new technologies, as surely the older ones have had so many people looking at them that no bugs should exist anymore?
Well, this is often not the case, as Daniel, Stanislav, Jos, and Amine are showing with their research into embedded device TCP/IP stacks. What they found was that critical infrastructure making use of embedded stacks is often a breeding ground for serious vulns, and this impacts the whole supply chain (which is a very popular topic currently).
Their research is thorough and impacts both closed-source and open-source vendors. One to watch.
Gamers and gaming: I watched the fever pitch on social media as many received their latest gaming console. Consoles today are impressive machines and not something you often hear about having vulnerabilities. This is especially the case with Sony's PlayStation, which traditionally had a solid state of security, well, that is until Quentin and Mehdi came along and found a WebKit 0day. I loved this submission as their journey is cool: only a handful of public exploits for the PS4 have ever been released, and it touches upon how hard it is to make a secure browser, even today.
LASERS, we need moar lasers!
You can't attend Blackhat and not have a talk that just blows your mind, and this is my personal 'mad as a box of frogs' talk: using lasers to hack voice assistants.
So admit it, how many of you have voice assistants in your home? A device that listens all the time with sophisticated microphones and probably uses some form of AI or ML to do stuff. Sara, Benjamin, and Daniel have found a way to use light commands to manipulate the microphones through glass and from long distances. All of the voice assistant vendors are vulnerable and I just...
Boss: We must intercept all traffic to check for bad things happening.
Vendor: Here's a blinky light that does just that; buy it and be secure.
Who watches the watchers? Morten and Matteo have some amazing research that shows how, as we've seen in the last 18 months, the security tools that are meant to protect us aren't as robust as they should be. Their research found a stealthy way to exfiltrate data that bypasses the very tools meant to detect such an attack. As we've seen with many VPN providers shipping truly awful code that led to RCEs and ransomware, the security industry has a problem writing secure code too, and this talk is one that many should attend. We need to do better.
I've had many newcomers to this field ask me what to concentrate on, especially those with a keen interest in finding bugs. Many think that because the technology is old and established, the bugs are no longer there. Bluetooth is a wireless technology standard invented by Ericsson in 1994, and you rarely see bugs reported against it these days, but as Yu has shown, the stack has many secrets still waiting to be discovered. He found over a dozen 0days in the Bluetooth stacks of many a vendor. This is brilliant research that should make everyone realise that just because it's old, doesn't mean there isn't treasure.
Finally, jailbreak wen? I mean, just ask Stefan Esser when a new one will be released, right?
I love a journey; I love it when researchers share their path of failure and winning when it comes to finding bugs. We can't always think that it's so easy to find stuff when in reality you fail more than you succeed. What 08Tc3wBB has done is document their journey of jailbreaking a pretty secure iOS. If you are keen on bug hunting and want to see what goes into finding bugs, this will be a very good talk.
I always feel bad that I've not listed more, and indeed there are many more, but all I can say is attend and enjoy the talks. We've had a truly horrible year and I hope next year is much better. Godspeed to all, and have a lovely festive season.
Group Engineering Manager of Offensive Security
3 years ago: Great summary Daniel Cuthbert! Thanks for sharing it.
Senior Director of Product at GitHub (code security analysis)
3 years ago: Great summary, and spot-on about the CVE Benchmark that Kevin Backhouse and I announced!
VP, GTM Strategy for GitHub (AI, DevSecOps & Application Security)
3 years ago: Kevin Backhouse / Bas van Schaik (FYI)
Director of Security Research/Payment Village Founder
3 years ago: May it be in person next year ??
Cybersecurity Leader | Government, VC, Start-up, and Board Advisor | Mentor | Aspiringly Avuncular
3 years ago: Thanks Daniel Cuthbert - I always enjoy these.