The Black Hat conference, which is happening this week in Las Vegas, has long been one of my favorite security conferences. Part of the appeal is being around all of the interesting hackers and security researchers as they demo cool new ways to exploit holes in our technology infrastructure.
But the most important thing about Black Hat is the reality check it provides on just how insecure everything really is, from computers to networks to mobile devices to industrial and other systems that are now increasingly connected and exposed. And this week’s Black Hat will be no exception, as several scheduled demos will display just how scary some of these security holes can be.
One of the most potentially dynamic demos will be from two researchers at iSec Partners, who will show how they can remotely unlock and start a car protected by a modern security system using only SMS text messages. That’s right--someone can steal your car without even being there. Maybe what we don't see in that commercial where the woman remotely controls a car while boarding a plane as two friends look on is that the three are really high-tech car thieves and the two friends are actually about to steal the car.
What's even scarier about the hack that iSec has discovered is that it isn't limited to modern cars. Many of these same GSM-enabled control systems are also found in industrial and physical security locations. So instead of just being able to remotely unlock and start a car, bad guys could potentially remotely control power plants, security systems at businesses and maybe even lock down controls at prisons.
How is this kind of thing possible? Simple. In security today, there is a constant push to enable and add cool new features that make things easy. And who doesn’t like easy?
But the problem is that, in comparison, security is barely being considered at all when adding these cool new features. Before remotely manageable components were added to sensitive control systems, didn’t anyone say, "Hey, shouldn’t we make sure that this is secure and can’t be taken over by bad guys?"
Most likely no one did. And who can blame them? In modern product cycles, the guy who brings up security issues and potentially holds up cool new features looks bad in front of his bosses (even if he does end up being right in the long run).