Black Hat is an international information security event series consisting of briefings and training sessions. Every year Black Hat travels around the world, from Las Vegas to Europe and Asia. As a student studying in the field of information security, attending an event such as Black Hat has always been on my wish list.
In October 2019 I applied for a scholarship briefings pass with little expectation that I would receive a ticket. I knew that the Black Hat organizers would not be distributing a large number of scholarships. However, in November I received confirmation that I had been granted a briefings pass. This meant that I would be able to attend all the talks held by the security researchers. During the introduction by Jeff Moss I was made aware that the Black Hat organizers released 80 scholarship tickets. I am extremely grateful for the opportunity that was presented to me and I was super excited to book my travel arrangements to London. This post is meant to be a personal reflection about the trip that I took to Black Hat in London.
My favorite Briefings
There are two talks which stood out to me and that I enjoyed the most. Firstly, a talk about contactless card payments called “First Contact: New vulnerabilities in Contactless Payments” (slides and whitepaper). In the UK, contactless payments are restricted to £30 before requiring second verification such as the customer’s PIN. Galloway and Yunusov both showed how it is possible to circumvent this restriction, and managed to authorize payments over the £30 restriction. The problem lies with the architecture of the contactless payment system, and how the user is able to manipulate flags sent to the point of sale system. The craziest thing is that during the talk, Galloway and Yunusov said that VISA and MasterCard are not willing to fix this vulnerability. I find it hard to believe that paying out the fraud is more cost effective than fixing the issue.
The second talk which stood out to me was about Android malware, titled “Androids Invisible Foreground Services and How to (Ab)use Them” (slides). Sutter showcased an architectural flaw with Android OS permissions, by setting up scheduled tasks with the intention of capturing GPS data, taking live camera pictures, or starting/stopping microphone recordings. You might think that sending pictures and regular GPS capture would drain the battery and use a lot of mobile data, and while this is true, Sutter said that these tasks can be configured so that data is only sent over Wi-Fi and when connected to the charger. The outcome of this is that the victim is unlikely to notice the spyware. This talk was eye-opening to me; it is insane how easy it is to create spyware which will not leave persistent notifications (such as when you listen to music). The demo was using the latest November 2019 security patch, with the latest Android OS.
Other briefings which I really enjoyed were:
- HTTP Desync Attacks: Request Smuggling Reborn (slides, whitepaper). I will admit, this briefing was a little over my head. However, Kettle presented very clearly such that I could still follow along throughout.
- How to break PDF encryption (slides). This is a fundamental issue with the PDF encryption method. As I have understood it, breaking the encryption requires a successful MiTM attack.
- Trust in Apple’s Secret Garden: Exploring & Reversing Apple’s Continuity Protocol (slides).
At the time of writing this post, I have about 200 days before I hand in my final master's thesis. Before I attended Black Hat I was asked (coincidentally) whether I would like to pursue research for an employer after university. Initially I had not considered further research; however, after attending the above briefings and others, I realize that I would be interested in spending time as an information security researcher; I was inspired to do more research in uncovered grounds. In addition, Kettle said some wise words during his briefing: to always tackle research in topics which you are fearful of. It makes sense: focus on your weaknesses and you have the potential to learn the most. However, I believe that this method could lead to a lot of frustration – albeit worth it!
In summary, I had a fantastic time and I am very grateful for the opportunity presented to me and my peers. I really had a blast!