Just a quick update on the happenings here at Blackhat. The good news is that this year the quality of the presentations seems to have improved, or maybe I’ve just gotten better at choosing interesting sessions.
Most of the research that had a direct impact on control systems, specifically in the electric sector, was presented yesterday. We’ll start with the smart meter/AMI work from Mike Davis that I mentioned earlier. All in all, I don’t think this presentation revealed much that we didn’t already know: many of the smart meters have significant implementation flaws. Some of this is due to poor coding standards, creating situations for buffer overflows and other standard bugs to occur, but the more serious problems involve things like poorly implemented cryptography and firmware signing. That said, the presentation was heavily sanitized, likely due to legal concerns as well as practical ones. I was left wanting to know a lot more, and I know many others in the audience felt the same way.
Grand, Appelbaum, and Tarnovsky’s presentation on attacks against smart parking meters was impressive. Much like the devices we typically think of in critical systems, these devices were not designed to stand up to any sort of attack outside of vandalism. Municipalities are investing very heavily in building out their parking systems, and with it being incredibly easy to bypass the payment mechanism with commodity parts, many of which were used in the widespread practice of hacking satellite systems, they should probably take a closer look at these devices before rolling them out in such force. This all assumes an independent node approach; networked devices could cause even more problems, similar to the AMI meters above.
And the last one I’ll mention in this post is Moxie Marlinspike’s demonstration of a new technique to attack SSL certificates. An excellent presentation, and one that you can, and should, watch. There are still a lot of problems to be worked out in the trust architecture/framework we’ve built, and insights like these won’t be the last.
That’s all for now. I’m off to Defcon to learn some more. There’ll be more follow-up posts on the conference material, and likely more from the conversations here. There is a lot more control system presence than most would think, and I’ve had some excellent discussions with everyone from operators to consulting groups to vendors.