

Black Hat 2016: Ransomware Could Lock Your Brakes ... At 75 MPH

An attendee awaits a session at this year's Black Hat, where good-guy hackers dealt with dark subjects, such as the rise of ransomware. CHINE NOUVELLE/SIPA

LAS VEGAS -- If the giant robot at the Malwarebytes booth and arcade game at WatchGuard weren't sufficient clues, maybe a Cylance speaker using Morpheus, from "The Matrix," as a prop was: Black Hat USA 2016 in Las Vegas was the ultimate hacker-nerd mecca -- but with a serious focus on topics such as cyberwarfare, ransomware and IoT security.

Black Hat's most recent iteration this month drew more than 15,000 cybersecurity-minded professionals to Las Vegas, topping last year's event by at least 4,000. Neon was seemingly the color du jour, in theme with the Strip's bright lights.

The future of cybersecurity, experts say, is just as resplendent. Hackers are leveraging the Internet of Things to push new ransomware attacks. The Ukraine-Russia conflict is setting the model for modern cyberwarfare. Apple (AAPL) and Android are engaged in a donnybrook for mobile security dominance.

All that, along with "the Terminators" -- the nickname that speaker Jeff Melrose, principal technologist for industrial automation company Yokogawa US, uses for drones capable of hacking and surveying industrial infrastructure complexes.

Intel Security CTO Steve Grobman demonstrates how ransomware can hijack your home network. (Allison Gatlin)

To keep pace, the cybersecurity industry can't fall back on old tricks, says Intel (INTC) Security CTO Steve Grobman. There's no "silver bullet" technology, and threat intelligence is faulty by design. It's all about innovation -- just ask the men who hacked a 2014 Jeep Cherokee ... again.

"Nothing is perfect," Grobman told IBD. "Attackers in the wild are using new methods, new techniques. And because of that, there's an inherent lag in addressing them (threats). Recognizing that cycle is important." Benefiting from it is an absolute certainty.

How Important Are Your Brakes?

Your vehicle's infotainment center lights up with a message as you barrel down the freeway at 75 mph. "Going somewhere? Too bad, we've blocked your system and brakes," the message taunts. "To continue your journey and decrypt the system, give us a call."

Ransomware, malicious software designed to hold data hostage until a sum of money is paid, can be deadly. In February, hackers paralyzed Hollywood Presbyterian Medical Center in Los Angeles with a $3.6 million Bitcoin ransom on the facility's servers. Officials ultimately paid the equivalent of $17,000 in Bitcoin.

Ransomware has yet to roil the consumer world, but some billions of Internet of Things devices slated to come online by 2020 offer a drool-worthy opening, Intel's Grobman says.

"What if you couldn't drive your car for two months until you could get an appointment at the dealer, or pay $200 in ransomware?" he posited. "There's not yet ransomware on vehicles, but Intel Security's Advanced Threat Research team is trying to figure out the next generation of attacks."

TripWire researcher Craig Young breaks financially motivated malware into three segments: ransomware, blackmail and extortion. Blackmailers will threaten to unveil some nebulous crime unless a victim pays up; extortioners prey on businesses with threats of crashing their operations unless a ransom is paid.

Whatever the flavor, hackers are relying on statistics, says Nathan Shuchami, head of threat prevention for Check Point Software Technologies (CHKP). If only 10% of ransomware attacks reap financial rewards, that's a big success, he told IBD.

"Most visible attacks are by cybercriminals using ransomware," he said. "Attempts to hack banks and retailers represent the majority of these threats. ... These guys are interested in the easiest way to be successful.

"They're generating billions in ransom. It's a simple effect because it's not targeted."

Cyberterrorists are just as likely to attack the IoT infrastructure as banks and retailers, he says. Flicking on and off the connected lights in a home might not spur much terror, but felling the entire Internet-linked vehicular world? That would be catastrophic.

Uber Advanced Technologies Center researchers Chris Valasek and Charlie Miller proved in 2015, in a Black Hat presentation, that attacks on vehicles are viable. This year, they upped the ante from "parlor tricks" to cutting power steering, locking the parking brake and pulling the steering wheel of a 2014 Jeep Cherokee into a right-hand skid.

Each of those attacks relied on a plugged-in USB device and, unlike their 2015 antics, were performed at speeds greater than 5 mph. But, Miller told the 2016 Black Hat audience, those vulnerabilities could have easily been exploited remotely.

"The Jeep vulnerability was discovered by ethical researchers," Grobman said. "But imagine if that exploit was done by a cybercriminal where all those Jeeps were impacted with ransomware. ... What happens as the same criminal business model starts moving into the consumer end?"

Ukrainian Conflict Turns Digital

Everyday citizens are already under attack in Ukraine, where Russian forces have occupied portions of the country since 2014, says Kenneth Geers, a senior research scientist for security firm Comodo. Geers is based in Ukraine and lives blocks from where Belarusian journalist Pavel Sheremet was killed in a car bombing.

The death toll in Ukraine has rocketed into the thousands amid a conflict pitting pro-Westerners interested in deepening ties with the European Union against pro-separatists in the east aligned with Russia.

The conflict is the bloodiest Europe has seen in decades. It's also quickly becoming an archetype for modern cyberwarfare, Geers told a Black Hat audience. The North Atlantic Treaty Alliance (NATO) last month officially recognized cyberspace as a military domain.

So, even though Ukraine isn't a NATO member, it's already setting the stage for cyberwarfare in the 21st century. Geers says both sides are armed with "weapons of mass disruption." That seemed the case in 2014, when a virus crippled Ukraine's Central Election Commission ahead of the presidential election.

Last December, hackers attacked a Ukrainian power plant, plunging 230,000 into darkness amid the harsh winter. The attack was a simple and highly effective spear-phishing venture that let hackers gain deeper access. Both countries also have hacked smart billboards with their own propaganda.

But attribution is tricky, Geers said. Using a country's specific cyberattack M.O. -- technology, language and political motivations -- it's fairly simple to mimic an attacker, Intel's Grobman said. Retribution against an innocent, falsely accused third-party country could be ruinous.

"It's difficult in cyberspace because everything is so evasive," Geers said. "Can you get solid attribution? Can you get to the person at the keyboard? Absolutely. But you might need law enforcement and Russia is now finding out you can crowdsource an attack."

There ought to be limits to government power in cyberspace, Geers argues. "There are plenty of governments that would take advantage of it in a heartbeat," he said. For that reason, the U.S. and its allies need to outline peacetime cyberinitiatives, he says.

Does that include peacetime hacking? After all, cyberwarfare is reality, and the invisible battleground has real implications in the physical one that could mean the difference between a felled and an operational weapon, Geers says.

Hackers, he says, also could "turn out the lights" to confuse leaders, or exploit holes in critical applications.

"Then," he said, "it might be a very long day on the battlefield."