Black Hat Hackers Highlights: Awards, Attacks, and Apple

Denizens of the digital world are feeling a little less secure this week as another edition of the Black Hat hacker conference wrapped up in Las Vegas.

Among the technologies cracked by security researchers at the show were hotel room locks, iris scanners, Google Bouncer, point of sale terminals, and near-field communication technology.

Those attending the conference and staying in hotel rooms must have found unsettling a presentation by Mozilla software developer Cody Brocious. He demonstrated a homebrewed device made for $50 that unlocks hotel rooms.

The gadget is similar to what hotels use to program locks to accept master key cards. However, the device works only on locks made by Onity, and it works about 33 percent of the time. On the other hand, there are from 4 to 5 million hotel rooms worldwide that have the locks to experiment on.

Biometric Security Undermined

A highly secure biometric form of identity authentication was also undermined at Black Hat. Spanish researchers showed how they could create a lifelike image of the iris of a person's eye. In tests against a top commercial recognition system, the iris scanner was fooled 80 percent of the time, according to the team from Universidad Autonoma de Madrid.

Images of fake irises have been created in the past, but this is the first time the iris of an actual person has been duplicated from data gathered about the organ.

When Google introduced Bouncer to its online app store, GooglePlay, it was believed that the technology would go a long way toward cleaning up apps infected with malware distributed through the outlet. Doubt was cast on that notion at Black Hat by Trustwave. The company demonstrated how, through the use of sophisticated masking techniques, it was able to slip a pernicious app under Bouncer's radar and remain camped in GooglePlay for two weeks before the researchers took it down.

Malicious apps, though, aren't the only ones snooping in data stored in smartphones, according to a study released at Black Hat by Appthority. It found that 96 percent of iOS apps and 84 percent of Android apps have the capability to access sensitive information on a smartphone, such as contacts, location, and calendar information.

Mobile Shoppers Beware

Electronic commerce was also a target of boffins at Black Hat. A pair of researchers demonstrated a payment card they designed that would infect a point of payment terminal when it was swiped by the device. The card planted on the terminal a Trojan that collected credit card information and PIN numbers entered into the device. That information could be later extracted from the terminal with another malicious card.

The researchers also showed how vulnerabilities found in the terminal could be used to fool store clerks into thinking a purchase had been approved by a bank when it hadn't.

Near Field Communications (NFC), an up and coming technology used for financial transactions from mobile phones, also attracted the attention of Black Hat researchers. Accuvant researcher Charlie Miller showed how a tag embedded with an NFC chip could be used to compromise the information in an Android phone simply by brushing against it.

A tradition at Black Hat is the Pwnie Awards, which recognize achievements and failures during the 12 month period leading up to the event. One of the award winners this year was the creators of the Flame software who developed a scheme that used Windows Update to deliver malware to PCs. Not surprisingly, the authors of Flame did not accept their award when it was announced.

A first at Black Hat this year was the appearance of Apple as a presenter at the show. The presentation, though, was a letdown. After rehashing the information in a white paper on iOS security released by the company in May, Security Platform Engineer Dallas de Atlas bolted from the forum without answering any questions.  

Follow freelance technology writer John P. Mello Jr. and Today@PCWorld on Twitter.

• Tweet