Black Hat Will Once Again Show Our Security Weaknesses

The Black Hat conference, which is happening this week in Las Vegas, has long been one of my favorite security conferences. Part of the appeal is being around all of the interesting hackers and security researchers as they demo cool new ways to exploit holes in our technology infrastructure.

But the most important thing about Black Hat is the reality check it provides on just how insecure everything really is, from computers to networks to mobile devices to industrial and other systems that are now increasingly connected and exposed. And this week’s Black Hat will be no exception, as several scheduled demos will display just how scary some of these security holes can be.

One of the most potentially dynamic demos will be from two researchers at iSec Partners, who will show how they can remotely unlock and start a car protected by a modern security system using only SMS text messages. That’s right--someone can steal your car without even being there. Maybe what we don't see in that commercial where the woman remotely controls a car while boarding a plane as two friends look on is that the three are really high-tech car thieves and the two friends are actually about to steal the car.

What's even scarier about the hack that iSec has discovered is that it isn't limited to modern cars. Many of these same GSM-enabled control systems are also found in industrial and physical security locations. So instead of just being able to remotely unlock and start a car, bad guys could potentially remotely control power plants, security systems at businesses and maybe even lock down controls at prisons.

How is this kind of thing possible? Simple. In security today, there is a constant push to enable and add cool new features that make things easy. And who doesn’t like easy?

But the problem is that, in comparison, security is barely being considered at all when adding these cool new features. Before remotely manageable components were added to sensitive control systems, didn’t anyone say, "Hey, shouldn’t we make sure that this is secure and can’t be taken over by bad guys?"

Most likely no one did. And who can blame them? In modern product cycles, the guy who brings up security issues and potentially holds up cool new features looks bad in front of his bosses (even if he does end up being right in the long run).And the problem with poor security systems is that there is often no penalty for having bad security.

A bill currently being pushed through Congress, the ISP Data Retention Bill, will force ISPs to keep their customer surfing data--meaning every site you visited along with all of your account information--for a full year. But to make things a little easier for those ISPs, they have been given blanket immunity if they have a data breach and all of this information is stolen.

So not only will law enforcement be able to access private information without a warrant, anyone who breaks into the ISP will also be able to. And with no penalty for these data breaches, why should ISPs work hard to secure this data they are being forced to keep?

As Black Hat regularly shows, this type of data is often easy for bad guys to get a hold of. Hopefully, the show will once again provide a reminder of the extent to which our systems and data are at risk and why everyone should work hard to design systems from the get-go with security in mind.

Who am I kidding? The pressure will remain for cool features that look good in ads. And politicians won’t care if their policies put our personal information at risk as long as they can campaign that they were tough on crime.