As the founder of the Hacking Exposed series, I know what it takes to educate the defenders: kinetic learning a.k.a. learning by doing. So again this year weve got some amazing stunts in store for the Hacking Exposed LIVE audience at RSA.
Kicking off the day on Wednesday at 8am PST in the Advanced Track, the Cylance team and I will be Exposing the world of embedded systems. This world exists silently all around us. To do this we will be demonstrating brand new ways to hack into Embedded systems including a Smart TV, a build management/industrial control system, and a physical lock box. Why a physical lock box? Because when all else fails, the bad guys go physical - why shouldn't the protectors.
Ive spent the better part of 15 years tirelessly demonstrating how Advanced hacks work, and literally wrote the book on advanced hacks with my first edition of Hacking Exposed. If you look at the back inside cover of that first edition (or any subsequent edition) you will find what people today call Advanced but how advanced can it truly be if weve known about these techniques for some 15 years? Not very. The only advanced part really is the prolific use of 0-day vulnerabilities in their payloads or techniques. And even those are not revolutionary or ground breaking. They are using the same old and tired techniques just in a new format. The embedded world is no different.
The same, tired and old techniques are what define embedded vulnerabilities today. They are the same hacks just miniaturized. Weve seen hacks that take advantage of buffer overflows in automobiles to take over the CANbus. Weve seen hardcoded backdoors allowing authentication bypassing on life-giving insulin pump devices. Weve seen weak cryptography allowing eavesdropping and eventually control of the device. But remember that these tiny systems contain the same basic functionality of all common computers: input/output and processing.
With nearly 10 billion embedded devices on the planet today, we simply cannot ignore this elephant in the living room any longer we MUST address the countermeasures and fixes TODAY, before its too late.
We hope to help this effort.
Attending RSA 2013? Stuart McClure is holding several, FREE book signings: