Security researchers and hackers gathered in Las Vegas over the past week to show off and learn about the latest vulnerabilities that affect devices and software that the world relies on every day. Black Hat and DEF CON, the world's top security conferences, did not disappoint.
Hackers can mess with the music in your car, and then cause you to crash
The highlight of this year's Black Hat conference was a remote hack of the Jeep Cherokee and other Fiat Chrysler vehicles demonstrated by security researchers Charlie Miller and Chris Valasek.
The attack was the culmination of a year of painstaking work that involved reverse engineering car firmware and communications protocols. It eventually allowed the two researchers to hack into the car infotainment systems over mobile data connections and take over brake, steering and other critical systems. The research forced Chrysler to recall 1.4 million automobiles so they could be patched and prompted a car cybersafety legislative proposal from the U.S. Congress.
Rootkits in your CPU are now a thing
Researcher Christopher Domas from the Battelle Memorial Institute disclosed a design flaw in Intel's x86 CPU microarchitecture that dates back to 1997. The vulnerability, which affects all Intel CPUs older than the second generation Core processor family, also known as Sandy Bridge, can be leveraged to install a rootkit into the deepest parts of a system, the System Management Mode (SMM). This can make malware undetectable to security products and allows attackers to reinfect the operating system even after a complete wipe.
Intel released firmware updates for some of its server and desktop motherboards, but other manufacturers have to follow suit. Since Sandy Bridge was released in 2011, older boards might not even be supported anymore and might not receive updates. Even if they do, it's unlikely many users will install the updates, so vulnerable systems will still be around for years to come.
Critical vulnerabilities put hundreds of millions of Android devices at risk
There were two major Android security issues presented at Black Hat that put hundreds of millions of Android devices at risk. One was a vulnerability in a core Android media processing library called Stagefright that could be exploited via a single MMS message or browsing to a Web page. The flaw prompted Google, Samsung and LG to commit to monthly security updates for their devices.
In a different talk at Black Hat, Android's lead security engineer, Adrian Ludwig, referred to the Stagefright patching effort as the "single largest unified software update in the world."
The second issue was not in the core Android components, but in the support tools that manufacturers and carriers install on their devices so that technical support staff can remotely troubleshoot issues. Security researchers from Check Point Software Technologies found multiple issues with these remote support tools that allowed any malicious applications to communicate with them and take control of devices.
Sign up for CIO Asia eNewsletters.