In the heat of the desert summer, when the annual cybersecurity circus known as Black Hat comes to Las Vegas, no industry or technology is safe. Flaws are found, vulnerabilities are identified, fixes are issued (or not) and life in the digital world goes perilously onward.

This week’s Black Hat USA 2018 gathering was no different, as security researchers from around the world presented findings that demonstrated lack of cyberprotection across a broad spectrum of industrial and consumer products. And the problem for the cybersecurity industry remains how to deal with the multitude of threats as nation states and well-financed criminal actors grow more adept at wreaking havoc.

“World events have caught up with us and we’re being tested,” Black Hat founder and director Jeff Moss said during his keynote remarks at the conference on Wednesday. “It feels like our adversaries have strategies and we have tactics. That’s not very good.”

Chinese music in voting drives

One of the strategic questions very much in the news these days surrounds whether foreign governments have been meddling in U.S. elections. As voters prepare to go to the polls in November, the potential for remote manipulation of voting machines remains a real and present danger.

On Thursday, Carsten Schuermann, associate professor at IT University of Copenhagen, offered his forensic analysis of eight decommissioned WINVote machines used in a number of state elections for over a decade. His findings were not encouraging. The security researcher found machines with open ports using a 2002 version of Windows XP that had not been updated, along with system drives accessible using the password “abcde.”

He also discovered downloaded MP3 files playing Chinese songs on one machine and more than sixty files modified during a one-hour period on another. Both voting machines were used for gubernatorial elections in Virginia. At one point, there were 4,000 WINVote machines installed in states across the country, according to Schuermann.

“It’s kind of strange that there are MP3 files like this on a voting machine,” Schuermann said. “It’s not very good.”

Compromised airplane Wi-Fi

Communication system vulnerabilities discovered in satellite technology have also put aviation, the military and maritime under scrutiny this week. Researchers from IOActive Inc. presented findings Wednesday that showed remote attacks through SATCOM could compromise security.

Research by Reuben Santamarta, principal security consultant for IOActive, on SATCOM systems found that onboard public Wi-Fi on airplanes could be disrupted from the ground. He also presented evidence of similar interception capability for maritime and access to locational data for military units. Santamarta was careful to emphasize that his research affected nonsafety communications and that the IOActive team had been cooperating with government agencies and vendors to review the findings.

“We can control the antennas and transmission,” Santamarta told the assembled media. “We’re working with authorities to disclose the issues.”

It’s one thing to deal with compromised security on machines and systems in the world at large. It’s another when the vulnerability could be inside the human body. Researchers Jonathan Butts, founder of QED Secure Solutions, and Billy Rios, founder of WhiteScope LLC, presented findings at Black Hat on Thursday that raised concern that a lack of encryption on firmware updates could open the door for malicious hackers to compromise Medtronic pacemakers.

The conference demonstration involved compromising a device used by physicians to control pacemakers after they’ve been implanted. Medtronic plc took steps last fall to address some of the researchers’ findings, which were partially disclosed as a proof-of-concept in 2017, and the company posted a new security update on Tuesday.

These were just a few of the highlights from Black Hat, which offered plenty of sessions over two days covering everything from attacks on industrial “internet of things” systems to vulnerabilities found in Microsoft Corp.’s Cortana. Yet the underlying messages behind many of the talks in Las Vegas centered on the potential for using new technologies to shore up the cybersecurity arsenal against persistent threats.

Hope for blockchain and AI

If software is eating the world, as Marc Andreessen famously declared in 2011, then blockchain could come along for dessert. The distributed ledger platform has been viewed as such an ultimate salvation for many technology challenges that Parisa Tabriz (pictured), Google LLC’s director of engineering, flatly declared in her keynote address at Black Hat on Wednesday morning: “If there is one thing I want you to take away from my remarks today, it is that blockchain will not solve all of our security problems.”

In some cases, blockchain does offer some hope for improving the security picture. Developers from Trustar demonstrated a new blockchain surveillance tool at the conference this week called White Rabbit that detects emerging ransomware campaigns.

However, researchers are also struggling with security concerns surrounding blockchain itself. Jay Little, security engineer for Trail of Bits, presented an analysis of secure values from various blockchain solutions on Wednesday and documented a bug flaw in the contract programming language Solidity. His firm has posted a repository in GitHub of Ethereum vulnerabilities under the heading “Not So Smart Contracts.”

Machine learning and artificial intelligence have also been positioned within the security community as another beacon of hope, with numerous companies presenting the latest analytics tools at Black Hat for discovering and avoiding malicious attacks. But there is concern that bad actors are farther ahead of the security community in this area.

On Wednesday, IBM Corp. researchers detailed a new class of attacks labeled DeepLocker that employs AI to evade cybersecurity protections. The malware uses AI to hide in benign targets and can be activated when it recognizes a particular preselected user.

“Adversarial machine learning and artificial intelligence are going to get way more fun for the attackers, and it’s going to become less fun for you,” warned Adam Shostack, a member of Microsoft’s Security Development Lifecycle strategy team. “The technology is only going to get better and faster.”

During her keynote presentation on Wednesday, Google’s Tabriz showed the audience a photo of the iconic arcade game “Whack-A-Mole,” where players use a rubber mallet to bludgeon critters as they poke out of various holes. It was an appropriate metaphor to describe the common feeling among security professionals in 2018, as the risks continue to grow and the stakes are high.

“As things get more interconnected, we have to stop playing ‘Whack-A-Mole,’” Tabriz said. “Computer security is increasingly becoming the security of the world.”

Photo: Black Hat