DEF CON 27 Demonstrates Real-World Security Issues for MCUs, Medical Devices, Cars, and More

The recent hacker cavalcade was a chance for security matters to take center stage, both for those defending the integrity of electronics and those challenging it.

Stop me if you've heard this one. How do you get electrical engineers to attend a talk about security?

Tell them there's free food and then lock the doors behind them.

This is a joke (more or less?) that a security expert told our EiC at Sensors Expo this year. And it seems to be distressingly accurate.

While security is not the typical EE's favorite topic of conversation, it is still inarguably an important part of this industry. If engineers neglect to consider security in their designs, including hardware-based security and firmware over-the-air updates, they leave vulnerabilities that have widespread repercussions for efficiencies, marketability, and more.

You'd have to be living under a rock to be ignorant of the many groups of people and bots alike that are constantly trying to compromise security systems around the world. But have you ever wondered who these people are and how we have a prayer of counteracting them?

DEF CON, a security-focused conference held in Las Vegas, is an excellent place to start learning about hacker culture and keep up-to-date on some of the risks plaguing electronic systems. If there's anything you could take from this conference, it's that—from medical devices to microcontrollers to automobiles—if you design it, hackers are probably plotting to get into it.

 

What Is DEF CON?

Are there any fans of the 80s TV cop show, Hill Street Blues, in the house? For you guys, DEF CON will remind you of the episode where an old-timer crook explains his criminal methods to the officers, as well as how to counter them. The difference is that the “councilors” at DEF CON are not old-timers at the end of their careers, but rather mostly youngsters at the top of their game.

In fact, when asked, “Do criminals go to DEF CON?”, the answer was “Yes. They also go to high school, college, work in your workplace, and the government. There are also lawyers, law enforcement agents, civil libertarians, cryptographers, and hackers in attendance. Ssshhh. Don't tell anyone.” (This same response has apparently been on the conference's FAQ page for at least a decade.)

We’ve covered the show before for DEF CON 24 in 2016, and the section on hackable Bluetooth door locks is still worth reading today. And, even the gurus at DEF CON might not be as aware of IoT security at the microcontroller level as regular old everyday hardware engineers are. 

Unlike most tech conferences, the show’s website isn’t a very clear guide as to the goings-on to those outside of hacker culture. The organizers want you to dig, search and explore, just as they do in their careers. 

I did some exploring to get you started, and here are some insights I came away with.

DEF CON Speakers

Check out the title of this talk given by security researcher Shiela Ayelen Berta: "Backdooring Hardware Devices By Injecting Malicious Payloads On Microcontrollers". While the methodologies Berta covered were doubtlessly way over the typical EE's head in terms of execution, the concept remains an important one to consider. 

This year's lineup also includes such entries as "Are Quantum Computers Really A Threat To Cryptography? A Practical Overview Of Current State-Of-The-Art Techniques With Some Interesting Surprises" by Andreas Baumhof of Quantum Technologies and QuintessenceLabs Inc. Another highlight might be "D0 N0 H4RM: A Healthcare Security Conversation" which was presented (for the third year at DEF CON) by a panel of security experts, medical experts, and a couple of folks who qualify as both as they discuss what it takes to keep the medical field safe.

 

Image from DEF CON

 

"HTTP Desync Attacks: Smashing into the Cell Next Door"

While HTTP requests are viewed as isolated, standalone entities. In this talk, techniques were introduced to enable attackers to break through the supposed isolation. The speaker, identified only by a pseudonym, described how (s)he was able blast into a variety of commercial and military sites, and rain havoc. Evidently, this presenter was wearing a “white hat” at the time, as evidenced by the $50K bounties received for pointing out the weaknesses.
 

"HackPac: Hacking Pointer Authentication in iOS User Space" by Xiaolong Bai and Min (Spark) Zheng 

Think you’re safe because you’re using Apple? Think again! Pointer Authentication (PAuth) is the latest security mechanism in iOS. A flaw in its implementation exposes vulnerabilities to code-reuse attacks. The authors demonstrate how to use this flaw to launch JOP (jump oriented programming) attacks.

The speakers also presented a new tool, PAC-gadget, to automatically find JOP gadgets in PAuth-protected binaries.

DEF CON Workshops

EEs should be aware that hackers are interested in the devices they design and the connectivity methods they utilize. DEF CON's workshops provide hands-on training on how to defend against attacks on various devices and systems, as well as how to initiate them. 

For example, "Hacking Wi-Fi" and "Finding Vulnerabilities at Ecosystem Scale" are two titles that could make an engineer's ears perk up, especially if they've integrated connectivity into a device recently. Perhaps a chill may creep up another designer's spine if they've developed pacemakers or wearables and see another workshop titled "Hacking Medical Devices" on the list.

Other workshops of interest may include these that caught my eye:

 

"Reverse Engineering 17+ Cars in Less Than 10 Minutes" by Dr. Brent Stone

That's a nice CAN bus you have there for your automotive application. It'd be a shame if a military researcher used automated techniques to reverse-engineer 17 vehicle networks in under 10 minutes in a live demonstration.

 

"Advanced Wireless Exploitation for Red Team and Blue Team" by Besim Altinok and Bahtiyar Bircan 

Here, some hackers learn about attacking wireless networks and others learn how to defend against those attacks. Find out how to attack and gain access to WPA2-PSK and WPA2-Enterprise Wi-Fi networks, bypass the network access controls, and gain administrative control over an active directory environment.
 

"Reverse Engineering Android Apps" by Sam Bowne and Elizabeth Biddlecome

Find flaws in actual Android apps and find out how to avoid making security errors in your own apps. The open nature of the Android system makes the apps easy to unpack, analyze, modify, and repack. In this workshop, the targets include apps from Wells Fargo, Microsoft, Lyft, WhatsApp, Whole Foods, IBM, Harvard, Progressive and the Indian government.

"World Cup of Hacking"

And what computer security conference would be complete without a battle of the nerds?

 

Watch the Best Hackers in the world Duke It Out! Image from DEF CON

 

Over a grueling 72-hours, teams made up of industry workers, students, and government contractors attempted to break into each other’s computer systems and to steal information from their victims. The best cyber thieves of this year (for the fifth time in the last seven years) are the Plaid Parliament of Pwning (PPP) from Carnegie Mellon University.

(To “Pwn”, for the uninitiated, means to conquer, humiliate, and dominate a crushed opponent.)

"These competitions are so much more than just games," said Zach Wade, a student in Carnegie Mellon’s School of Computer Science and one of PPP’s team captains. "They bring together the security community to share and test new ideas that can be used to strengthen the security of the systems and devices we use every day.

There were 16 teams from throughout the world, and Carnegie Mellon faced stiff Competition. Behind Carnegie Mellon, HITCONxBfKin” from Taiwan placed second, and team Tea Deliverers from China was third.

---

 

Listen, we know that the majority of DEF CON's ongoings are outside the typical engineer's realm. But consider taking a look at what hackers are learning and why at DEF CON—and you may find that this is more relevant to the typical EE than you might like to believe.

Did you attend DEF CON? What are your run-ins with security issues in design? Share your experiences in the comments below.