BlackHat Europe 2014: Printers, Lasers, and Drones! Oh My!

Last updated at Fri, 21 Jul 2017 13:03:01 GMT

If you've even been to the BlackHat conference in Vegas, then the European version is kind of like that except much, much… much smaller. Did I mention it was much smaller? The business hall consisted of about dozen vendors including Rapid7. We spent two days at the Amsterdam RAI giving away almost 500 Metasploit t-shirts, and one pair of bright orange Beatz headphones. What I did notice about BlackHat Europe is the diversity of the 1000 plus attendees – I spoke with people from all over Europe, and even from Asia Pacific and the U.S. The official press release said that over 68 countries were represented.

In between giving away goodies, I also attended as many talks as I could. Adi Shamir, aka the ‘S' in RSA, gave the keynote to open the conference. His latest research looks into attacking air gap systems via a multi-function printer/scanner. Here's how it works: first, you have to get malware inside the network (via phishing or a USB attack), then use a long-range laser to flash light signals at the scanner from up to 1.2 km away, which are interpreted as a kind of Morse code by the malware. Exfiltrating the data is even trickier. I won't go into it but it involves a video camera and a flying drone. Very cool stuff, but probably not the easiest attack to pull off.

Internet of Things is a hot topic in security right now, with everything from home alarms to smart cars shown to be vulnerable. In one talk, researchers hacked into smart electricity meters widely deployed across Europe. Attackers could potentially tamper readings, switch meter IDs, remotely shut down power, or even insert a worm into the network to cause widespread blackouts. That's scary stuff! In another talk, the speaker demonstrated how to bypass HTTP Strict Transport Security (HSTS).  A MITM attack (using a tool appropriately named the Delorean) was used to manipulate system time and force the HSTS policies to expire, meaning secure internet browsing is, well, not actually secure.

Thanks to everyone who visited our booth – we had a blast and hope to see you again next year!