Black Hat Hackers Highlights: Awards, Attacks, and Apple

Hotel locks, iris scans, Google Play and other "secure" technologies are cracked in demonstrations at the security conference.

Denizens of the digital world are feeling a little less secure this week as another edition of the Black Hat hacker conference wrapped up in Las Vegas.

Among the technologies cracked by security researchers at the show were hotel room locks, iris scanners, Google Bouncer, point of sale terminals, and near-field communication technology.

Attendees staying in hotel rooms must have found one presentation particularly unsettling: Mozilla software developer Cody Brocious demonstrated a homebrewed device, built for $50, that unlocks hotel room doors.

The gadget is similar to the portable programmer hotels use to set locks to accept master key cards. However, the device works only on locks made by Onity, and it works about 33 percent of the time. On the other hand, an estimated 4 to 5 million hotel rooms worldwide are fitted with those locks.

Biometric Security Undermined

A form of biometric authentication widely regarded as highly secure was also undermined at Black Hat. Spanish researchers showed how they could create a lifelike image of the iris of a person's eye. In tests against a top commercial recognition system, the iris scanner was fooled 80 percent of the time, according to the team from Universidad Autonoma de Madrid.

Images of fake irises have been created in the past, but this is the first time the iris of an actual person has been duplicated from data gathered about the organ.

When Google introduced Bouncer to its online app store, Google Play, it was believed that the technology would go a long way toward cleaning up the malware-infected apps distributed through the outlet. Doubt was cast on that notion at Black Hat by Trustwave. The company demonstrated how, through the use of sophisticated masking techniques, it was able to slip a pernicious app past Bouncer's radar and keep it camped in Google Play for two weeks before the researchers took it down.

Malicious apps, though, aren't the only ones snooping in data stored in smartphones, according to a study released at Black Hat by Appthority. It found that 96 percent of iOS apps and 84 percent of Android apps have the capability to access sensitive information on a smartphone, such as contacts, location, and calendar information.

Mobile Shoppers Beware

Electronic commerce was also a target of boffins at Black Hat. A pair of researchers demonstrated a payment card they designed that would infect a point-of-sale terminal as soon as the terminal read the card. The card planted a Trojan on the terminal that collected credit card information and PINs entered into the device. That information could later be extracted from the terminal with another malicious card.

The researchers also showed how vulnerabilities found in the terminal could be used to fool store clerks into thinking a purchase had been approved by a bank when it hadn't.

Near Field Communication (NFC), an up-and-coming technology used for financial transactions from mobile phones, also attracted the attention of Black Hat researchers. Accuvant researcher Charlie Miller showed how a tag embedded with an NFC chip could be used to compromise the information on an Android phone simply by brushing against it.

A tradition at Black Hat is the Pwnie Awards, which recognize achievements and failures during the 12-month period leading up to the event. Among this year's award winners were the creators of the Flame software, who developed a scheme that used Windows Update to deliver malware to PCs. Not surprisingly, the authors of Flame did not come forward to accept their award when it was announced.

A first at Black Hat this year was the appearance of Apple as a presenter at the show. The presentation, though, was a letdown. After rehashing the information in a white paper on iOS security released by the company in May, Security Platform Engineer Dallas De Atley bolted from the forum without answering any questions.

Follow freelance technology writer John P. Mello Jr. and Today@PCWorld on Twitter.
