Black Hat: Mobile Flaws Get Attention

As security professionals converge in Las Vegas for Black Hat USA 2010, July 24-29, conference founder Jeff Moss says interest in mobile vulnerabilities is growing.

Thomas Claburn, Editor at Large, Enterprise Mobility

July 21, 2010


At the Black Hat USA 2010 conference, July 24-29 in Las Vegas, mobile security won't just be over the air, it'll be in the air. Nowadays, said conference founder Jeff Moss, "it's all mobile all the time. It's like when they introduced Windows 7 or Windows XP -- it's all new. Everybody is trying to figure it out."

Rootkits used to get a lot of attention, but this year there was only one rootkit presentation submitted, Moss says. Of course, a range of security issues will be explored, such as timing attacks and smart grid vulnerabilities. But mobile security problems are seeing a surge of interest.

Moss says that app stores and the apps themselves are getting more scrutiny from security researchers. People are looking at what it takes to get malicious apps into app stores undetected.

Kevin Mahaffey and John Hering of Lookout Mobile Security will be delving into the security of mobile apps next Wednesday, July 28, in a presentation titled "App Attack: Surviving the Mobile Application Explosion."

Moss recommends a talk that explores the default permissions that apps have on mobile devices. "They allow you to do things you shouldn't do," he explained.

That presentation, "These Aren't the Permissions You're Looking For," also takes place on Wednesday afternoon.

Moss also suggests paying attention to a presentation being given on Wednesday morning that deals with GSM base station and mobile phone baseband attacks. "These GSM baseband radios are in all the phones and it turns out that the firmware dealing with the radio stuff is not really designed for malicious attack," he said.

There's one mobile phone maker that has stronger radio security than its competitors, but Moss is leaving that revelation for the presenter of the GSM talk.

Perhaps the most highly anticipated talk deals with vulnerabilities in automatic teller machines. The presentation, titled "Jackpotting Automated Teller Machines Redux," is the result of work by Barnaby Jack, director of research at IOActive Labs.

"Everybody wants to see that one because they want to see why there was pressure last year to cancel it," said Moss. "Like this year, Jack announced that he was going to do this talk about ATMs and make all the money come out. A couple of ATM vendors got really nervous and started pressuring him and his employer, and the employer pulled the talk on him. So he then went and quit his employer and found a new one and is doing the talk this year."

Similar pressure this year led to the cancellation of a talk titled "The Chinese Cyber Army: An Archaeological Study from 2001 to 2010."

Moss said he was disappointed to learn about the cancellation of this presentation, which was supposed to reveal data about Chinese military involvement in cyber espionage. "I was really looking forward to it because they had real research and real numbers and real packet captures, nine years of log data," he said. "I thought it was really going to advance the state of the debate because it's not full of speculation."

Unfortunately, he said, "the Chinese government applied pressure to the Taiwanese government which applied pressure to the speakers. The Chinese don't like it when people suggest that they're breaking into [other people's computers]."

When Google said in January that it would no longer censor search results in China, the company attributed its change of policy to a sophisticated cyber attack from China. Some security researchers believe those who hacked Google's systems had ties to the Chinese military.

Conclusive evidence to that effect, if it exists, has not been made public and Chinese authorities have emphatically disputed such claims, as they have done in the past when similar allegations surfaced.

Black Hat USA 2010 begins with training sessions, which run from Saturday, July 24 through Tuesday, July 27. The presentations run from Wednesday, July 28 through Thursday, July 29.

Black Hat and InformationWeek are both properties of TechWeb.

About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.
