The 25th annual Black Hat USA 2022 conference and the 30th annual DEF CON conference took place during the first week of August in Las Vegas, bringing together some of the biggest companies and professionals in cybersecurity and hacking. Here are some of the biggest cybersecurity takeaways of 2022 from the conferences.
1. Multi-Factor Authentication Isn’t Bulletproof
The Black Hat conference drew attention to the limits of multi-factor authentication (MFA). MFA remains an important defense that belongs in every system’s cybersecurity strategy, but according to MFA expert Roger Grimes, 90 to 95 percent of MFA can be phished around and bypassed.
Proving this point, Cisco Systems explained how one of its employees falling for a phishing scam on their personal Google account led to a hacker breaching the company’s VPN. After obtaining the victim’s Cisco credentials, which had been saved in the browser, the hacker sent the victim a stream of fake MFA push notifications. The campaign also included a voice phishing call that impersonated trusted members of the organization to convince the victim to accept one of the pushes. Once the victim accepted the MFA notification, the attacker was able to authenticate to the Cisco VPN.
The big takeaway is that organizations must place a larger focus on employee education about cybersecurity and phishing schemes.
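The Cisco intrusion above is a textbook case of MFA push fatigue: a burst of prompts the user rejects, followed by one the user finally accepts. This added example (not code from the article, Cisco, or any MFA vendor) shows a simple detection rule over constructed JSON push-notification logs that flags an approval preceded by several rejected or timed-out prompts for the same user within a short window; the log format, field names, and thresholds are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (one JSON record per line); not real vendor data.
# "result" is the outcome of each push: approved, denied, or timeout.
SAMPLE_LOG = """
{"ts":"2022-05-24T03:10:05Z","user":"jdoe","result":"denied"}
{"ts":"2022-05-24T03:11:20Z","user":"jdoe","result":"denied"}
{"ts":"2022-05-24T03:12:40Z","user":"jdoe","result":"timeout"}
{"ts":"2022-05-24T03:14:02Z","user":"jdoe","result":"denied"}
{"ts":"2022-05-24T03:15:30Z","user":"jdoe","result":"denied"}
{"ts":"2022-05-24T03:17:55Z","user":"jdoe","result":"approved"}
{"ts":"2022-05-24T09:00:00Z","user":"asmith","result":"approved"}
{"ts":"2022-05-24T12:00:00Z","user":"bwong","result":"denied"}
{"ts":"2022-05-24T12:01:00Z","user":"bwong","result":"denied"}
{"ts":"2022-05-24T12:03:00Z","user":"bwong","result":"approved"}
"""

def parse_events(text):
    """Parse newline-delimited JSON push records into dicts with datetime timestamps."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events

def find_push_fatigue(events, window=timedelta(minutes=10), min_prompts=5):
    """Flag each approved push that was preceded, within `window`, by enough
    prompts (min_prompts, counting the approval) including at least one rejection.
    A single approval, or a short run of prompts, is treated as normal."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["result"] != "approved":
                continue
            recent = [x for x in evs[: i + 1] if e["ts"] - x["ts"] <= window]
            rejected = sum(1 for x in recent if x["result"] in ("denied", "timeout"))
            if len(recent) >= min_prompts and rejected >= 1:
                alerts.append({"user": user, "prompts": len(recent),
                               "rejected": rejected, "approved_at": e["ts"]})
    return alerts
```

Running `find_push_fatigue(parse_events(SAMPLE_LOG))` flags only jdoe (six prompts, five rejected, then approved); asmith's single approval and bwong's short run stay below the threshold.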
2. Mobile Attacks Are Increasing
The ease of compromising smartphones and websites was a recurring theme at Black Hat 2022 and DEF CON.
Many of these mobile attacks can be attributed to human error. For example, at a Black Hat briefing, two threat intelligence experts from PwC warned that global threat actors are taking advantage of “the great resignation” by targeting job seekers on sites like Indeed.com and LinkedIn with phishing links. Hackers will create fake websites, job descriptions, job posts, and social media profiles. The messages and posts will often contain links to spoofed websites that install malware on the compromised mobile device or computer.
To make matters worse, an academic research team explained at Black Hat how they could inject input into a touch-screen interface. In this “invisible finger” presentation, the team demonstrated how they could attack smartphones by triggering touch-screen events from several centimeters away. If the smartphone is set down on a table containing the hidden antennas, the attack can use its invisible finger to take control.
3. IoT on 5G Networks Poses Risks
As the Internet of Things (IoT) and 5G networks grow, the communication between many devices opens up a plethora of risks. Since 5G architecture is still fairly new in the industry, a lot of research is needed to ensure the system is secure from external attacks.
For example, Altaf Shaik, a researcher at the Technical University of Berlin, presented his findings on application programming interfaces (APIs). An API is a software intermediary that allows two or more computer programs to talk to each other; in this setting it makes IoT data accessible to developers. In his examination of the APIs offered by ten mobile carriers, Shaik found basic API vulnerabilities in every single one. These vulnerabilities could reveal SIM card identifiers, SIM card secret keys, billing information, and the identity of the SIM card purchaser.
To combat the risk of the IoT, NetRise announced its first product at Black Hat. The product, also called NetRise, is a cloud-based SaaS application that offers insights into the shared vulnerabilities across the extended IoT (XIoT) of an organization. The product aims to provide complete visibility to all of the IoT products used within an organization in order to identify risks, misconfigurations, and more.
4. Even the Largest Companies Are Vulnerable
Throughout both conferences, several researchers and foundations exposed security flaws in products from some of today’s most highly regarded companies. For example, Patrick Wardle, founder of the Objective-See Foundation, took aim at the video conferencing application Zoom at DEF CON. Wardle demonstrated how he used the macOS version of Zoom to gain access to the entire macOS operating system.
Also at DEF CON, cybersecurity firm Pen Test Partners revealed a flaw in the Electronic Flight Bag tablets used by some Boeing pilots that could have allowed the tablets to be tampered with. The firm found that hackers could gain direct access to the tablet, modify its data, and cause pilots to make dangerous miscalculations. Boeing responded in a statement that it was not aware of any airplane affected by the issues and released a software update to address the problem.
Meanwhile, at Black Hat, Starlink, the satellite internet service operated by SpaceX that provides internet access in over 36 countries, was shown to be vulnerable to a hack via a $25 modchip. Researcher Lennert Wouters presented how he successfully carried out a voltage fault injection attack on a Starlink user terminal. The attack allowed Wouters to explore the Starlink network and its communication links. Before publicly presenting the issues, Wouters notified SpaceX of the vulnerability.
For more information on cybersecurity, tune in to Tomorrow’s World Today’s “Cyber Security: Thinking Like An Attacker” at 8:30 AM on Saturday, August 27 on the Science Channel, 6:30 AM on Sunday, August 28 on Discovery Channel, or watch the full episode below.