
Black Hat – Windows isn’t the only mass casualty platform anymore

Windows used to be the big talking point when it came to exploits resulting in mass casualties. Nowadays, the talks have turned to other massive attack platforms like the cloud and cars.

In years past, a massive Windows exploit netted mass casualties, but here at Black Hat, talks turned toward other massive attack platforms like clouds and cars. Windows is no longer alone at the front of the pack, hackwise – it has company.

It makes sense. If you can find a cloud exploit like the one presented here on database hacks against multi-tenant cloud platforms, one user can slurp up another company’s data with a few commands. That’s not good.

The cloud, by nature, is multi-tenant. This means multiple clients rent a segment of a single shared resource from a cloud provider. But where the intersections exist between tenants and hardware, a single flaw can expose many tenants to badness, and how would they know? How would you know?

Cloud vendors are more anxious to publish their security efforts than their security holes. And unlike Windows, where malware has to go snooping about machine by machine with comparatively small connections between them, the cloud naturally facilitates massive exploit spreading velocity between platforms, users, and data.

While some cloud vendors have made promises to protect you against this sort of thing, they favor themselves over your data. You, on the other hand, probably feel your own data is the more important thing.

Still, there’s a perfect storm between massive-scale attack surfaces, a single security implementation spanning a provider’s entire fabric, and the potential for one security hole to spread like wildfire and gobble up many companies’ data in record time.

It’s true that the companies here at Black Hat are leaning into the problem and are more aware than rank-and-file cloud users, but there are many more small businesses out there that don’t have the resources – they’re focusing on trying to stay in business in a tough economy.

To the large cloud providers’ credit, they tend to handle security reports relatively quickly. But when seconds count, they’ll have it fixed in days or weeks. That’s plenty of time for a single exploit to wipe out many companies.

I’m typing this from a car security session, one where someone figured out how – using cheap hardware – to hack a whole class of cars across multiple manufacturers. How would a manufacturer fix that and roll out the fix in a meaningful timeframe?

Meanwhile, this hack would let a fleet of tow trucks scoop up swaths of certain families of cars and spirit them off to the chop shop, using replay attacks on key fob signals to unlock them. That also means if you pay off a parking attendant to install a listener, you can shop selectively and harvest a crop of cars of your liking.

Whether attackers focus on manipulating (jamming or replaying) key fob signals or on breaking key management and cryptographic algorithms, the session quoted the UK Daily Mail as saying such attacks are on the rise, citing that “keyless entry car technology now accounts for nearly 50% of all vehicle threats”.

It’s no longer a theoretical threat. There is even a company that started rolling out car security scorecards by model.

Windows crowded the stage for quite a long time here at Black Hat, but now there’s competition of the scary, fast-spreading kind that can truly wreak havoc if unchecked.