A payments expert's experience of Black Hat

29 August 2019

This year, for the first time, we sent one of the Security and Compliance team members - Arthur Van Der Merwe - to Black Hat in Las Vegas. Arthur immersed himself in the Nevada desert’s annual hacking conference, now in its 22nd year, and came back with some useful insights.

Security is a shared responsibility

The atmosphere buzzed with over 20,000 cybersecurity experts from around the world, smoke machines, strobe lighting and a building sense of anticipation. And against this smoke and light-filled backdrop, the dominant message in the opening keynote from Square’s Dino Dai Zovi was that the responsibility of security has shifted to a shared responsibility.

The significance of this is that today, security goes beyond software professionals and instead relies on a collaborative effort of communication, automation and feedback. Dino explained that we are now seeing offensive security teams uncovering creative ways to break traditional software systems. He also advised the testing of each component of a device must uphold the same standard, and that security must be at the heart of every design.

The three-day conference featured talks across 19 different tracks, covering an array of information security topics. These sessions included interactive elements such as training in exploit development techniques and looking at hardware backdoors to the current state of public-interest technology. Public-interest technology is a movement that seeks to promote the fact that we need technologies that work in the public interest.

Payments, mobile devices and the cloud

The conference highlighted how the payments industry is beginning to move closer towards using mobile devices as EFTPOS Terminals as well as investigating how Cloud environments can improve efficiency and mitigate risk. These developments echo recent updates published by the Payment Card Industry (PCI) - Security Standards Council, especially the Software-based PIN entry on commercial off the shelf. These new standards point to mobile devices being powerful multi-use modules that interact with the cellular network. And we see this first-hand in the payments infrastructure in Australia.

An interesting talk which looked at mobile devices was by Shupeng Gao from the Baidu Security Lab who conducted a security analysis on several manufacturers of 4G modules. Gao discovered that he could remotely downgrade the signal of a 4G device to 2G with a custom base station, and then execute custom commands remotely on the module.

Gao pointed out that the manufacturing of these 4G modules is outsourced to external providers, who all use the same type of chips in their modules. The security weakness is that none of the manufacturers of the modules checks or tests the security of the chips. Vendors simply connect the modules to their mobile phones, leaving responsibility of the module and any security concerns to its manufacturer.

He admitted that some mobile phone manufacturers were unaware that the 4G Modules were running a Linux kernel (operating system), which was running unprotected. They also discovered that through a firmware update, usernames and passwords were hardcoded, and the remote firmware repository was left exposed.

If an attacker had access to this information, they could potentially inject malicious code into the firmware update server and infect millions of devices. The attacks presented by Gao did not expose the data that the module transmitted; but it really brought home the idea that the responsibility of security is most definitely a shared responsibility.

Securing group chats

Another compelling keynote was by Raphael Robert from Wire on the latest Message Layer Security Standard, which is meant to secure group communication for apps like WhatsApp. In Australia, there is currently a working group looking at this in the Internet Engineering Task Force. Robert took us through the standards, with a focus on its applicability and ability to scale rapidly like no other group protocol.

His presentation outlined how participants in group encryption are represented as nodes on a left weighted binary tree. This structure means the addition and removal of participants has minimal effect on the rest of the group, unlike existing protocols. The adoption of the protocol still hangs in the balance, and only time will tell how successful Message Layer Security (MLS) will be. This concept is a dramatically different approach to the group protocols we have today and will be increasingly important to payments as group chat apps roll out payment functionality.

Sheila Berta, Information Security Specialist and Developer, showed how it’s possible to create a backdoor on a microcontroller using various tools. Berta used reverse engineering techniques with buffer-overflows to inject malicious code into the running program of the microcontroller. The method she used required physical access to the PC board and microcontroller, which means it’s not scalable but it’s a good illustration of the fact that security is a shared responsibility. The creation of back doors in hardware recently sparked concern in 5G devices. We invariably forget that there are multiple microcontrollers in hardware devices which also have the potential to have back doors.

HSMs - the last word in security

Hardware Security Modules (HSM) have traditionally provided the foundation of trust in payments, as well as in other industries, with sector-specific standards and security requirements. One of the highlights of Black Hat was a final briefing by security experts Gabriel Campana and Jean-Baptiste Bédrune from Ledger where they went through the techniques used to compromise a payment HSM.

Both presenters showed how the reverse engineering of unencrypted firmware exposed every encryption key stored inside the HSM. Campana presented the attack on a computer attached (Peripheral Component Interconnect) HSM, with the implication being that extending the attack to a network HSM using the same mechanisms would be trivial. Both experts reported the vulnerability to the vendor and the appropriate updates to the firmware were released. Not only is this attack practical and scalable, HSM users who do not update their current firmware are vulnerable to attacks.

Breaking things to fix security

The resounding message I took from Black Hat 2019 was about the importance of building diverse teams, and creating a culture in which security obligations are a shared responsibility. The briefings illustrated the significance of this innovative approach. They proved that each participant in the value chain needs to have a discerning view of the over-arching system. Gone are the days where vendors can construct parts from various manufacturers and deliver it to clients. In today’s world, the cycle of assessment and patching, enforced by continuous security testing, is vitally important to making everyday products more secure.

Conferences like Black Hat and DEF CON play an important role in improving security. They bring technology experts together to break into apparently secure products with the goal of exposing and fixing vulnerabilities, keeping the ecosystem secure.

As the lights dimmed, and the smoke faded, bringing Black Hat 2019 to a close, you could feel the next buzz of excitement build as we all headed down the road to DEF CON 27.

Check back soon for Arthur’s insights from DEF CON which include thoughts on quantum computing and privacy.