Posted by Robert Vamosi on July 18, 2016
On Monday the Tenth Annual Pwnie Awards nominations were announced in 16 categories.
The awards, literally spray-painted My Little Ponys, are given out each year at the Black Hat USA conference, which will take place on Aug. 3, 2016, in Las Vegas. The awards are “judged by a panel of respected security researchers—the closest to a jury of peers a hacker is likely to ever get.”
Perhaps the most anticipated category is the Pwnie for Best Junk or Stunt Hack. To give a sense of how these nominations are written, here’s what they have on their site for this award.
Awarded to the researchers, their PR team, and participating journalists for the best, most high-profile, and fear-inducing public spectacle that resulted in the most panic-stricken phone calls from our less-technical friends and family members. Bonus points for it being a needlessly sophisticated attack against a needlessly Internet-enabled “Thing.”
Credit: John McAfee
The reigning master of hacking and presidential campaign performance artist of our time, John McAfee, broke the news of his hack to Cybersecurity Ventures by phone that his team was able to demonstrate that WhatsApp messages between two cooperating researchers using compromised Android phones…could be compromised. They breathlessly reported that:
Cybersecurity expert John McAfee and a team of four other hackers, using their own servers located in a remote section in the mountains of Colorado, were able to read an encrypted WhatsApp message.
While the fact that end-to-end cryptography could be compromised at either end should not be news to many here, we all should heed McAfee’s warning:
I have been warning the world for years that we are teetering on the edge of an abyss, that our cyber security paradigms no longer function, and that chaos will descend if something is not done. The fundamental operating system (Android), used by 90% of the world, and that should be the first bulwark against malicious intrusion, is flawed. Should I not bring this to the world’s attention through a dramatic demonstration? Do I not owe it to the world?
Yes, John, yes you do.
Credit: Charlie Miller and Chris Valasek
They may not have been the first, but in our not-so-biased opinion, Charlie and Chris wore it best. The car hacking papers from researchers at UCSD and UW just lacked sufficient…Andy Greenberg freaking out.
This high-profile demo caused Chrysler to recall 1.4M vehicles in order to address the vulnerabilities that Charlie and Chris identified. More importantly, it demonstrated to the entire industry how expensive not properly securing smart vehicles’ systems could be and that proper software security programs just might be a good idea.
Credit: Runa Sandvik and Michael Auger
If a hacked and out of control car on the freeway doesn’t scare you into never leaving the house, maybe a hacked precision-guided rifle will. Runa and Michael showed just how this nightmare scenario could come true. When asked why they’d hack a firearm, Runa replied: “Because cars are boring.” Tell that to Andy Greenberg.
Credit: John Hering, Jon Oberheide, Adam Laurie, et al.
Engadget described a particularly hand-wavey demo thusly:
At the beginning of this contrived little drama, Alfonsi is using an iPhone. You know how everyone and everything these days is telling you not to click links, download files or install applications you don’t expect to receive? Well, he told her to do exactly that — click, download, install his app — with a text message he sent her. To do this in real life, she’d receive warnings, and she’d have to disable the security features on her iPhone. But in the next shot, suddenly our reporter is being spied on by Hering though an Android phone propped up on her desk.
So, let’s make sure that we got this straight:
Credit: Earlence Fernandes, Jaeyeon Jung, Atul Prakash
As long as you stay off the roads, you’ll be safe from hacked cars. As long as you don’t go outside, you’ll be safe from hacked sniper rifles. As long as you turn off your smart phones, you’ll be safe from it being tracked and hacked too. Just stay home, where you’ll be safe from all of that insecure “smart” crap getting hacked…or not.
These researchers from University of Michigan demonstrated how weaknesses in Samsung’s SmartThings and SmartApps could be abused to plant backdoor door unlock codes, steal existing door unlock codes, disable home vacation mode, and trigger a fire alarm. All the attacker needs to do is trick their victim into installing a fake app and steal an OAuth token from an existing SmartApp. How to do that is left as an exercise for the reader, but maybe John McAfee or John Hering would be willing to help them out.
That’s just one category. The rest of the nominations in all the categories can be found here.