Black Hat @ designwest 2012

The San Jose McEnery Convention Center

March 29, 2012

Don Bailey

War Texting: Identifying and Interacting with Devices on the Telephone Network

Devices have been attached to the telephone network for years. Typically, we think of these devices in terms of modems, faxes, or TTY systems. Now, there is a growing shift in the nature of the devices that are accessible over the telephone network. Today, A-GPS tracking devices, 3G Security Cameras, Urban Traffic Control systems, SCADA sensors, Home Control and Automation systems, and even vehicles are now telephony enabled. These systems often receive control messages over the telephone network in the form of text messages (SMS) or GPRS data. These messages can trigger actions such as firmware updates, Are You There requests, or even solicitations for data. As a result, it is imperative for mobile researchers to understand how these systems can be detected by attackers on the global telephone network, then potentially abused.

These systems are increasingly capable of affecting the physical world around us. Additionally, devices attached to the phone network cannot be easily compartmentalized or firewalled from potential abusers the same way that IP enabled systems can. Therefore, understanding the threat models associated with these devices and the telephone network will allow mobile researchers and embedded engineers to correctly implement security solutions that minimize a device's exposure to threat actors.

Empirical evidence will be presented that demonstrates creative and successful ways to classify potential devices amongst millions of phone numbers worldwide. Once properly classified, devices can be interacted with in simple and efficient ways that will be revealed by the speaker. Simple scripts and software will be released that exemplify these techniques with real-world examples, but are designed in a pluggable fashion that allows mobile researchers to develop their own device profiles and methods for interaction.


Don A. Bailey is a Security Consultant with iSEC Partners, Inc. Don has discovered many previously unknown security vulnerabilities in widely used software, analyzed new and proprietary protocols for design and implementation flaws, and helped design and integrate security solutions for up-and-coming internet software.

While Don's primary expertise is in developing exploit technologies, he is also well versed at reverse engineering, fuzzing, enterprise and embedded programming, source code auditing, rootkit detection and design, and network penetration testing. In addition, Don has helped develop and enhance risk management programs for several Fortune 500 companies and has been invited to speak about risk management from a CISO perspective at government organized conferences.

For the past six years, Don has presented research at several international security conferences discussing topics such as stealth rootkit design, zero-day exploit technology, DECT, GSM, and embedded security. Most recently, Don spoke at Blackhat Barcelona 2011 and SyScan Singapore 2011 regarding vulnerabilities in embedded architectures and issues in the global telephone network.

Joe Grand

The Current State of Hardware Hacking: Like Shooting Fish in a Barrel

Hardware hacking is on the rise and most of the electronics industry is in denial. Recent high-profile attacks on ATMs, voting machines, parking meters, medical devices, and printers were so simple that they should never have been allowed to happen in the first place. Challenges, constraints, and trade-offs are part of any product design, but it's time security was taken a little more seriously.

In this session, Joe will discuss the increasing trend of hardware hacking, common attack vectors against embedded systems, and why engineers need to think more like hackers.


Joe Grand is an electrical engineer and the President of Grand Idea Studio, Inc. He specializes in the invention, design, and licensing of consumer products and modules for electronics hobbyists. Joe is a former member of the legendary hacker collective L0pht Heavy Industries and has testified before the United States Senate Governmental Affairs Committee regarding government and homeland computer security. He has spent nearly two decades finding security flaws in hardware devices and educating engineers on how to increase the security of their designs.

Joe was a co-host of Prototype This, an engineering entertainment show on Discovery Channel. He holds a Bachelor of Science degree in Computer Engineering from Boston University and a Doctorate of Science in Technology (Honorary) degree from the University of Advancing Technology.

Barnaby Jack

Life Threatening Vulnerabilities

Diabetes currently affects 285 million people worldwide, which is 6.4% of the population. This number is expected to reach 438 million by the year 2030. Many diabetics are looking to technology to treat their disease, and insulin pumps provide a convenient alternative to manual insulin injections. All modern insulin pumps support some form of wireless communication. Thanks to this wireless capability, a remote attack surface exists.

Although there has been some limited prior research performed on these devices, the researcher was unable to bypass authentication, any attacks could only be carried out on his own individual pump, and he required knowledge of the pump's unique serial number. I will walk through the process I took to find a critical remote vulnerability in the Medtronic line of insulin pumps, the most widely used insulin pumps in the US. In a live but controlled environment, I will demonstrate software which leverages this vulnerability to locate any insulin pump within a 300 foot radius and issue commands to the pump, including the ability to dispense a full reservoir of insulin. No prior knowledge of the pump's serial is required. These devices are not designed to be updated in the field, and a recall is typically required to fix these vulnerabilities. I will talk about recent developments that could potentially allow these devices to be patched over their integrated wireless link.


Barnaby Jack is a Research Architect with the TRACE research team at McAfee.

Jack's role within TRACE involves researching new and emerging threats with a specific focus on embedded technology.

Jack has over 10 years of experience in the security research space and previously held research positions at IOActive, Juniper Networks, eEye Digital Security, and Foundstone. Over the course of his career, Jack has targeted everything from low-level Windows drivers to the exploitation of Automated Teller Machines. He has been credited with the discovery of numerous vulnerabilities, and has published multiple papers on new exploitation methods and techniques.

Jack's work has been featured in many major media outlets including CNN, Forbes, MSNBC, Reuters and Wired.

Jack has been an invited speaker at international security conferences in both the government and private sector, including Black Hat, CanSecWest, IT-Defense and SyScan. Jack is often called upon for his opinions regarding the future of security research.

John McNabb

Vulnerabilities of Wireless Water Meter Networks

Why research wireless water meters? Because they are a potential security hole in a critical infrastructure, one that can lead to leakage of private information and create the potential to steal water by lowering water bills. It's a technology that's all around us but seems too mundane to think about. Because a hacker can't resist exploring technology to see how it works and how to break it... because they are there? In this talk the speaker, who managed a small water system for 13 years, will first present an overview of drinking water security, review reported water system security incidents and the state of drinking water security over the past year, and will then take a deep dive into the hardware, software, topology, and vulnerabilities of wireless water meter networks and how to sniff wireless water meter signals.


John McNabb is Principal of InfraSec Labs, which researches security of critical infrastructures. He was an elected Water Commissioner for a small New England drinking water utility for 13 years. His current research focuses primarily on security of the drinking water infrastructure. He has presented papers on that subject at Defcon 18 (Cyberterrorism and the Security of the National Drinking Water Infrastructure), Defcon 19, Black Hat, and ShmooCon. John has published several papers on drinking water infrastructure issues and recently wrote a chapter on drinking water security for the book Weapons of Mass Destruction and Terrorism, 2nd Edition (McGraw-Hill, 2012).

Chris Tarnovsky

Hacking Chips


Chris Tarnovsky is the principal at Flylogic. Their mission is to perform security risk analysis and assessment of semiconductors.

Marc Witteman & Jasper Van Woudenberg

Why Are We Still Vulnerable to Side Channel Attacks? (and why should I care?)

With an increasing number of security functions in embedded systems, and increasing attention to software hardening, attackers are shifting their focus to another domain: side channel attacks. These attacks were first uncovered on smart cards in the late 1990s, and have since been extensively studied.

Passive side channel attacks use inadvertently leaked signals produced by an electronic device to analyze the secret data it is processing, whether these are PIN codes, content decryption keys or electronic votes. Active side channel attacks are a more recent trend, where an attacker actively manipulates a secure device into leaking its secrets by glitching its power supply, or even hitting the die of the chip with high-powered lasers. This talk highlights four perspectives of the side channel issue: cost, maturity, applications and technology. Each perspective is analyzed, and concrete technical examples are given. This talk is suitable for anyone involved in the development of secure applications using embedded systems.

Bio - Marc Witteman

Marc Witteman has a long track record in the smart card security industry. He has been involved with security and smart card projects for over a decade and has worked on applications in mobile communications, the payment industry, identification and pay television. In these areas he has worked with smart cards in various form factors, including RFID and NFC, but also embedded devices like terminals, cell phones and PDAs.

In terms of analysis methods, he has developed and practiced many different attacks. In 1995 he first performed logical penetration testing on smart cards, and in 1997 he was among the first to apply side-channel attacks to this technology. He is the architect of several powerful tools for programming and testing Java Cards, and of a platform for conducting side-channel analysis.

Bio - Jasper Van Woudenberg

Jasper's interest in security matters was first sparked in his mid-teens by reverse engineering his software. During his studies for a master's degree in both CS and AI, he worked for a small firm, penetration testing the internal and external infrastructure and applications of government, telecommunication and financial institutions. After moving into hardware-oriented security testing, he performed security analysis of digital TV receivers, ADSL modems, mobile phones, payment terminals and smart cards based on logical and side channel weaknesses. Based on his long-standing security experience and academic research, he is currently leading security testing projects as CTO North America for Riscure, and regularly appears at (scientific) conferences.