If you are concerned about the security of your increasingly connected embedded, mobile and consumer systems and want to learn more about what you need to do, check out the Black Hat USA Conference this week in Las Vegas, Nev.
You can get up-to-date coverage on an hourly basis by going to the Dark Reading web site’s Black Hat coverage page. Some of the papers and presentations that are on my Editor’s Top Pick list are:
Here be back doors, in which Ruben Santamarta looks at the security issues involved in many smart meter, SCADA and industrial control applications, and shows how it is possible to discover ways to subvert security through backdoors and other vulnerabilities. He discloses some previously unknown details of an interesting case: a backdoor discovered in a family of smart meters.
In Advanced ARM Exploitation, Stephen Ridley and Stephen Lawler discuss reliably defeating mitigations such as XN, ASLR and stack cookies using nuances of the ARM architecture on Linux (in embedded applications and mobile devices). They will also demonstrate these techniques and discuss how they discovered them using several custom-built ARM hardware development platforms.
A stitch in time saves nine, presented by Rafal Wojtczuk, in which he explains the subtleties of Intel CPU privileged instructions such as "sysret" and the variety of ways they can be reliably exploited on unpatched systems. Exploits for a few affected operating systems will be demonstrated.
Practicing Safe Dex, presented by Timothy Strazzere, in which he explains Android's dex file format and how its file analysis tools parse and manage that format. He illustrates some of the exploitable functionality he found, why it fails and how to fix it.
Don’t stand so close to me, presented by Charlie Miller, a must-read for designers planning to implement near field communication protocols in their mobile or connected embedded devices. He shows how, through NFC, using technologies like Android Beam or NDEF content sharing, one can make some phones parse images, videos, contacts and office documents, and even open web pages in the browser, all without user interaction.