I Am The Cavalry at BSides Las Vegas 2015

It’s time to take the wraps off what a few of us have been planning for BSides Las Vegas. We are returning again to do an I Am The Cavalry track on Tuesday, August 4th. This year it’ll be a different room, a different format, and a different objective. Like last year, you’ll be able to drop in and drop out of any of the sessions throughout the day.

Our objective this year is to generate discrete initiatives that will make the most difference the quickest. We will spend the morning introducing the concepts, giving background, and priming participants for the afternoon sessions. Those sessions will be focused on two pillars – automotive and medical devices – where there is both popular interest and multi-stakeholder inertia.

To kick off each of the automotive and medical device sessions, we will first give an overview of the current landscape and progress towards cyber safety. This will be a revealing talk where we can give more details of what has been happening around the industries, how the security community has engaged, and what the road ahead looks like. There will be surprises and unveilings.

During each session, we want to identify 2-3 good projects with strong support and leadership. We will ideate individual initiatives, then break into groups to flesh those out, identify outcomes, constraints, output, and methods. Each team will present their ideas in a lightning talk and facilitate a short discussion. After the ideas are laid out, participants will elect to get involved in making them come to reality, leaders will emerge to manage the initiatives, and others will pledge to support their actions.

People with subject matter knowledge will be available to guide the hand of those ideas to help others avoid mistakes and replicate what has worked. It’s important to capture not just knowledge in Auto and Medical, but also in public policy, media, legal, insurance, and other stakeholder domains, to make sure that, coming out of that room, those initiatives have the best chance for success.

We kick off the day after the BSides Las Vegas Keynote. You won’t want to miss that one.

11:00-11:30 Session Introduction and Overview, by Josh Corman & Nick Percoco
We will provide a brief overview of I Am The Cavalry, as well as outline the day’s activities. Participants who have yet to be introduced to the initiative will be; those who are very familiar will be updated on activities and progress over the last year. And we will describe the vision for the day’s activities. Even if you miss this first session, you can join for any of the others.

11:30-12:00 Hack the Future, by Keren Elazari
This talk is about inspiring hackers to be the change agents of the future, with practical things hackers can do to create a positive impact. It’s about being a good hacker while staying out of jail and making the world a better place – with things like community outreach projects, crypto parties, voluntary red teams, responsible disclosure and stopping the spread of FUD.

12:00-12:30 Leading in a “Do”-ocracy, by Chris Nickerson
A man whose talks need no abstract… Prepare to be informed and inspired, the way only Nickerson can do.

12:30-14:00 Lunch

14:00-14:30 State of Medical Device Cyber Safety, by Scott Erven & Beau Woods
Beau and Scott will give an overview of the medical device space and talk about the things that have gone on in the past year. This will be a revealing talk where we can give more details of what has been happening around the industries, how the security community has engaged, and what the road ahead looks like. They’ll also introduce and walk through the Medical Device workshop.

14:30-16:00 How can we ensure safer Medical Devices? (Workshop)
The goal is to identify 2-3 good projects with strong support and leadership in the Medical Device area. We will ideate individual initiatives, then break into groups to flesh those out, identify outcomes, constraints, output, and methods. Each team will present their ideas in a lightning talk and facilitate a short discussion. After the ideas are laid out, participants will elect to get involved in making them come to reality, leaders will emerge to manage the initiatives, and others will pledge to support their actions.

16:00-17:00 Break

17:00-17:30 State of Automotive Cyber Safety, by Josh Corman & Craig Smith
Josh and Craig will give an overview of the Automotive space and talk about the things that have gone on in the past year. This will be a revealing talk where we can give more details of what has been happening around the industries, how the security community has engaged, and what the road ahead looks like. They’ll also introduce and walk through the Automotive workshop.

17:30-19:00 How can we ensure safer Automobiles? (Workshop)
The goal is to identify 2-3 good projects with strong support and leadership in the Automotive area. We will ideate individual initiatives, then break into groups to flesh those out, identify outcomes, constraints, output, and methods. Each team will present their ideas in a lightning talk and facilitate a short discussion. After the ideas are laid out, participants will elect to get involved in making them come to reality, leaders will emerge to manage the initiatives, and others will pledge to support their actions.

DEF CON 22 Videos

DEF CON fans and aficionados – the wait is over. The videos from DEF CON 22 are now available online. While this is not a complete list of all available videos, it showcases many of the ones of interest to the Cavalry and Cavalry followers. If you are looking for the latest that internet security researchers have to offer, enjoy!

 

DEF CON 22: August 7 – 10, 2014

DEF CON Talks
Hacking US (and UK, Australia, France, etc.) traffic control systems, by Cesar Cerrudo
This presentation discusses how to manipulate traffic signals, including how the devices were acquired, the research, on site testing demos (at Seattle, New York and Washington DC), vulnerabilities found and how they can be exploited, and finally some possible NSA style attacks.
 

Hacking 911: Adventures in Disruption, Destruction, and Death, by Christian Dameff, Jeff Tully & Peter Hefley

Emergency medical services (EMS) are the safety nets we rely on every day for rapid, life-saving help in the absolute gravest of circumstances, but these services rely on antiquated infrastructures that were outdated twenty years ago with vulnerabilities large enough to drive an ambulance through, little municipal governmental support for improved security, and a severe lack of standardized security protocols. Quaddi, r3plicant, and Peter – two MDs and a security pro – review the archaic nature of the 911 dispatch system and its failure to evolve with a cellular world, the problems that continue to plague smaller towns without the resources of large urban centers, how the mischief of swatting and phreaking can quickly transform into the mayhem of cyberwarfare, and the medical devastation that arises in a world without 911.
 

The Cavalry Year[0] & a Path Forward for Public Safety, by Josh Corman & Nick Percoco

At DEF CON 21, The Cavalry was born. In the face of clear & present threats to “Body, Mind & Soul” it was clear: The Cavalry Isn’t Coming… it falls to us… the willing & able… and we have to try to have impact. Over the past year, the initiative reduced its focus and increased its momentum. With a focus on public safety & human life we did our best “Collecting, Connecting, Collaborating” to ensure the safer technology dependence in: Medical, Automotive, Home Electronics & Public Infrastructure. We will update the DEF CON hearts & minds with lessons learned from our workshops & experiments, successes & failures, and momentum in industry and with public policy makers. Year[0] was encouraging. Year[1] will require more structure and transparency if we are to rise to these challenges… As a year of experimentation comes to an end, we will share where we’ve been, take our licks, and more importantly outline a path forward…
 

Hack All The Things: 20 Devices in 45 Minutes, by CJ Heres, Amir Etemadieh, Khoa Hoang & Mike Baker

When we heard “Hack All The Things,” we took it as a challenge. So at DEF CON this year we’re doing exactly that, we’re hacking everything. We’ve taken all of our previous experience exploiting embedded devices and used it to bring you a presentation filled with more exploits than ever before™. This presentation will feature exploits for over 20 devices including but not limited to TVs, baby monitors, media streamers, network cameras, home automation devices, and VoIP gateways. Gain root on your devices, run unsigned kernels; it’s your hardware, it’s internet connected, and it’s horribly insecure.
 

The Internet of Fails: Where IoT Has Gone Wrong and How We’re Making It Right, by Mark Stanislav & Zach Lanier

This presentation will dive into research, outcomes, and recommendations regarding information security for the “Internet of Things”. Mark and Zach will discuss IoT security failures both from their own research as well as the work of people they admire. Attendees are invited to laugh/cringe at concerning examples of improper access control, a complete lack of transport security, hardcoded-everything, and ways to bypass paying for stuff. Mark and Zach will also discuss the progress that their initiative, BuildItSecure.ly, has made since it was announced this past February at B-Sides San Francisco. Based on their own struggles with approaching smaller technology vendors with bugs and trying to handle coordinated disclosure, Mark and Zach decided to change the process and dialog that was occurring into one that is inclusive, friendly, researcher-centric. They will provide results and key learnings about the establishment of this loose organization of security-minded vendors, partners, and researchers who have decided to focus on improving information security for bootstrapped/crowd-funded IoT products and platforms.
 

How to Disclose an Exploit Without Getting in Trouble, by Jim Denaro & Tod Beardsley

You have identified a vulnerability and may have developed an exploit. What should you do with it? You might consider going to the vendor, blogging about it, or selling it. There are risks in each of these options. This session will cover the risks to security researchers involved in publishing or selling information that details the operation of hacks, exploits, vulnerabilities and other techniques. This session will provide practical advice on how to reduce the risk of legal action and suggest several approaches to responsible disclosure.
 

Cyberhijacking Airplanes: Truth or Fiction?, by Dr. Phil Polstra & Captain Polly

There have been several people making bold claims about the ability to remotely hack into aircraft and hijack them from afar. This talk will take a systematic look at the mechanisms others are claiming would permit such cyberhijacking. Each of the most popular techniques will be examined myth buster style. Along the way several important aircraft technologies will be examined in detail. Attendees will leave with a better understanding of ADS-B, ADS-A, ACARS, GPS, transponders, collision avoidance systems, autopilots, and avionics networking and communications. No prior knowledge is assumed for attendees.
 

Just what the Doctor Ordered?, by Scott Erven & Shawn Merdinger

You have already heard the stories of security researchers delivering lethal doses of insulin to a pump, or delivering a lethal shock to a vulnerable defibrillator. But what is the reality of medical device security across the enterprise? Join us for an in-depth presentation about a three-year independent research project, encompassing medical devices across all modalities inside today’s healthcare landscape. Think they are firewalled off? Well think again. Scarier yet, many remain Internet facing and are vulnerable to strategic attack with the potential loss for human life. And yes you will be amazed at what we found in just 1 hour! We will prove that an attacker can access medical devices at thousands of healthcare facilities from anywhere in the world with the potential loss of human life. This discussion will also highlight the fallout from security standards not being a requirement for medical device manufacturers, and our experience in identifying and reporting vulnerabilities. We will provide our insight into what needs to be done for healthcare organizations to respond to the new threat of cyber-attack against medical devices. We are working towards a future where cyber security issues in medical devices are a thing of the past. We will discuss the recent success and traction we have gained with healthcare organizations, federal agencies and device manufacturers in addressing these security issues. The train is now moving, so please join us to find out how you can get involved and make a difference by ensuring patient safety.
 

A Survey of Remote Automotive Attack Surfaces, by Charlie Miller & Chris Valasek

Automotive security concerns have gone from the fringe to the mainstream with security researchers showing the susceptibility of the modern vehicle to local and remote attacks. A malicious attacker leveraging a remote vulnerability could do anything from enabling a microphone for eavesdropping to turning the steering wheel to disabling the brakes. Last year, we discussed 2 particular vehicles. However, since each manufacturer designs their fleets differently; analysis of remote threats must avoid generalities. This talk takes a step back and examines the automotive network of a large number of different manufacturers from a security perspective. From this larger dataset we can begin to answer questions like: Are some cars more secure from remote compromise than others? Has automotive network security changed for the better (or worse) in the last 5 years? What does the future of automotive security hold and how can we protect our vehicles from attack moving forward?
 

Learn How to Control Every Room at a Luxury Hotel Remotely: The Dangers of Insecure Home Automation Deployment, by Jesus Molina

Have you ever had the urge to create mayhem at a hotel? Force every hotel guest to watch your favorite TV show with you? Or wake your neighbors up (all 290 of them!) with blaring music and with their blinds up at 3 AM? For those with the urge, I have the perfect place for you. The St. Regis ShenZhen, a gorgeous luxury hotel occupying the top 28 floors of a 100 story skyscraper, offers guests a unique feature: a room remote control in the form of an IPAD2. The IPAD2 controls the lighting, temperature, music, do not disturb light, TV, even the blinds and other miscellaneous room actions. However, the deployment of the home automation protocol contained several fatal flaws that allow an arbitrary attacker to control virtually every appliance in the hotel remotely. I discovered these flaws and as a result, I was able to create the ultimate remote control: Switch TV off 1280, 1281, 1283 will switch off the TV in these three rooms. The attacker does not even need to be at the hotel – he could be in another country.

This talk provides a detailed discussion of the anatomy of the attack: an explanation of reverse engineering of the KNX/IP home automation protocol; a description of the deployment flaws; blueprints on how to create an iPad Trojan to send commands outside the hotel; and, of course, solutions to avoid all these pitfalls in future deployments. Attendees will gain valuable field lessons on how to improve wide scale home automation architectures and discussion topics will include the dangers of utilizing legacy but widely used automation protocols, the utilization of insecure wireless connection, and the use of insecure and unlocked commodity hardware that could easily be modified by an attacker.

 

Attacking the Internet of Things using Time, by Paul McMillan

Internet of Things devices are often slow and resource constrained. This makes them the perfect target for network-based timing attacks, which allow an attacker to brute-force credentials one character at a time, rather than guessing the entire string at once. We will discuss how timing attacks work, how to optimize them, and how to handle the many factors which can prevent successful exploitation. We will also demonstrate attacks on at least one popular device. After this presentation, you will have the foundation necessary to attack your own devices, and a set of scripts to help you get started.
 

Optical Surgery; Implanting a DropCam, by Patrick Wardle & Colby Moore

Video Monitoring solutions such as DropCam aim to provide remote monitoring, protection and security. But what if they could be maliciously subverted? This presentation details a reverse-engineering effort that resulted in the full compromise of a DropCam. Specifically, given physical access and some creative hardware and software hacks, any malicious software may be persistently installed upon the device. Implanting a wireless video monitoring solution presents some unique opportunities, such as intercepting the video stream, ‘hot-micing’, or even acting as persistent access/attack point within a network. This presentation will describe such an implant as well as revealing a method of infecting either Windows or OS X hosts that are used to configure a subverted DropCam.
 

Playing with Car Firmware or How to Brick your Car, by Paul Such & Agix

A lot of papers have already been done/produced on hacking cars through OBD2/CanBus. Looking at the car firmware could also be something really fun :) How to access the firmware, hidden menus & functionalities, hardcoded SSID, users and passwords (yes, you read right), are some of the subjects we will cover during this short presentation.
 

Elevator Hacking – From the Pit to the Penthouse, by Deviant Ollam & Howard Payne

Throughout the history of hacker culture, elevators have played a key role. From the mystique of students at MIT taking late-night rides upon car tops (don’t do that, please!) to the work of modern pen testers who use elevators to bypass building security systems (it’s easier than you think!) these devices are often misunderstood and their full range of features and abilities go unexplored. This talk will be an in-depth explanation of how elevators work… allowing for greater understanding, system optimizing, and the subversion of security in many facilities. Those who attend will learn why an elevator is virtually no different than an unlocked staircase as far as building security is concerned!

 

Related Talks at BSidesLV, Black Hat and DEF CON

The annual Las Vegas convergence of hackers, researchers, consultants, vendors, press and others is nearly upon us. That’s right, it’s time again for BSidesLV, Black Hat USA and DEF CON. This trilogy of events sees some of the most original content presented to some of the largest crowds of the year. This year much of that content will be relevant to I Am The Cavalry topics. We have more detail on the day of I Am The Cavalry sessions at BSidesLV.

BSidesLV: August 5th-6th

| Date | Time | Where | Title | Who |
|---|---|---|---|---|
| 8/5 | 15:00 | Common | Vulnerability Assessments on SCADA: How I 'owned' the Power Grid | Fadli B. Sidek |
| 8/5 | 18:00 | Proving | Back Dooring the Digital Home | David Lister |
| 8/6 | 10:00 | IATC | Introduction and Overview – I Am The Cavalry and Empowering Researchers | |
| 8/6 | 11:00 | IATC | Problem Space Overview | |
| 8/6 | 12:00-18:00 | IATC | Building Skills, Understanding and Influencing People | |
| 8/6 | 12:00-18:00 | TBA | Drop-In Sessions | |

Black Hat: August 6th-7th

| Date | Time | Where | Title | Who |
|---|---|---|---|---|
| 8/6 | 11:45 | Lag K | Survey of Remote Automotive Attack Surfaces | Charlie Miller & Chris Valasek |
| 8/6 | 14:15 | Palm A | Embedded Devices Roundtable: Embedding the Modern World, Where Do We Go From Here? | Don Bailey & Zach Lanier |
| 8/6 | 15:30 | SS CD | Why Control System Cyber-Security Sucks… | Dr. Stefan Lüders |
| 8/6 | 17:00 | Palm A | Responsible Disclosure Roundtable: You Mad Bro? | Trey Ford |
| 8/6 | 17:00 | Lag K | Breaking the Security of Physical Devices | Silvio Cesare |
| 8/6 | 17:00 | MB D | Learn How to Control Every Room at a Luxury Hotel Remotely: The Dangers of Insecure Home Automation Deployment | Jesus Molina |
| 8/7 | 10:15 | Palm A | Medical Devices Roundtable: Is There A Doctor In The House? Security and Privacy in the Medical World | Jay Radcliffe |
| 8/7 | 11:45 | MB D | Smart Nest Thermostat: A Smart Spy in Your Home | Yier Jin, Grant Hernandez & Daniel Buentello |
| 8/7 | 14:15 | SS E | Home Insecurity: No Alarms, False Alarms, and SIGINT | Logan Lamb |

DEF CON: August 7th-10th

| Date | Time | Where | Title | Who |
|---|---|---|---|---|
| 8/8 | 13:00 | P & T | Hacking US (and UK, Australia, France, etc.) traffic control systems | Cesar Cerrudo |
| 8/9 | 10:00 | T 2 | Hacking 911: Adventures in Disruption, Destruction, and Death | Christian Dameff, Jeff Tully & Peter Hefley |
| 8/9 | 10:00 | P & T | The Cavalry Year[0] & a Path Forward for Public Safety | Josh Corman & Nick Percoco |
| 8/9 | 10:00 | T 1 | Hack All The Things: 20 Devices in 45 Minutes | CJ Heres, Amir Etemadieh, Khoa Hoang & Mike Baker |
| 8/9 | 11:00 | T 1 | The Internet of Fails: Where IoT Has Gone Wrong and How We're Making It Right | Mark Stanislav & Zach Lanier |
| 8/9 | 12:00 | 101 | How to Disclose an Exploit Without Getting in Trouble | Jim Denaro & Tod Beardsley |
| 8/9 | 12:00 | T 1 | Home Insecurity: No Alarms, False Alarms, and SIGINT | Logan Lamb |
| 8/9 | 12:00 | T 2 | Cyberhijacking Airplanes: Truth or Fiction? | Dr. Phil Polstra & Captain Polly |
| 8/9 | 13:00 | T 2 | Just what the Doctor Ordered? | Scott Erven & Shawn Merdinger |
| 8/9 | 15:00 | T 1 | A Survey of Remote Automotive Attack Surfaces | Charlie Miller & Chris Valasek |
| 8/9 | 16:00 | T 1 | Learn How to Control Every Room at a Luxury Hotel Remotely: The Dangers of Insecure Home Automation Deployment | Jesus Molina |
| 8/9 | 17:00 | T 1 | Attacking the Internet of Things using Time | Paul McMillan |
| 8/10 | 11:00 | T 2 | Optical Surgery; Implanting a DropCam | Patrick Wardle & Colby Moore |
| 8/10 | 13:00 | T 1 | Playing with Car Firmware or How to Brick your Car | Paul Such & Agix |
| 8/10 | 15:00 | T 1 | Elevator Hacking – From the Pit to the Penthouse | Deviant Ollam & Howard Payne |