= Attackers can manipulate certain Flash storage devices in order to hide potentially malicious files on them or to render them useless, a situation that will be explored in a session by Josh Thomas, a researcher at Accuvant Labs. He will release two proof-of-concept tools at the show for Android one that injects and hides files on Android devices and one that finds such files. He will also show how devices as diverse as smartphones and industrial-control systems can be disabled by tinkering with their NAND Flash memory a vulnerability he says cannot realistically be patched or fixed.
= Low-energy Bluetooth (sold as Bluetooth Smart) employs a key exchange that security consultant Mike Ryan of iSEC Partners says is weak. He will demonstrate how to sniff those keys in order to decrypt traffic sent by such devices, release a tool that does the sniffing and show how to fix the problem using Elliptic Curve Diffie-Hellman key exchange instead.
= Barnaby Jack, director of embedded security research at IOActive, will reveal software that employs a bedside transmitter to scan for and interrogate medical devices such as pacemakers that are implanted in human patients. He will point out the shortcomings of security on these devices and ways to improve it.
= A researcher who showed at Black Hat 2011 how to take over routing tables on the OSPF routers in a single autonomous system have found a new way to do the same thing. "The attack may be utilized to induce black holes, network cuts or longer routes in order to facilitate DoS of the routing domain or to gain access to information flows which otherwise the attacker had no access to," according to the briefing description by Gabi Nakibly, a fellow at the National EW Research & Simulation Center in Israel. "The attack can also be used to easily DoS a victim router using a single packet." Router vendors are working on a fix.
= A tool to make Dropbox a backdoor into corporate networks was introduced at Black Hat Europe earlier this year, and the upcoming Black Hat in Las Vegas the developer of that tool, called DropSmack, will release DropSmack v 2, an upgrade that deals with "some of the unique operational challenges posed by synchronization environments. In particular, we added the ability to work with more synchronization services automatically," according to the description of the talk by Jacob Williams, a principal at CSRGroup Computer Security Consultants. The talk goes beyond Dropbox to include cloud backup services in general and their use of synchronization in particular.
Sign up for Computerworld eNewsletters.