Black Hat Android talk: No show, no credibility

Riley Hassell, founder of Privateer Labs, and co-worker Shane Macaulay, ditched their Android security talk at Black Hat without notice. Now they have a big credibility problem.

I wasn’t there, and normally I wouldn’t care to write about something that did — or in this case, didn’t — happen two weeks ago. But the more I think about what happened, the more I think these guys cheated a lot of people who had put faith in them.

Rob Lemos wrote about what the talk was supposed to be about:

The presentation would have outlined results of the company’s analysis of third-party applications using a scanning tool known as SCURVY, Hassell said.

“We found vulnerabilities in dozens of the most popular apps,” he says. “Some are information disclosure — getting information on the mobile user — others are privilege escalation.”

A particularly pernicious problem is known as activity reuse, where one application can exploit a vulnerability in another application to use that program’s elevated permissions. The security weaknesses occur because many developers allow other programs to use certain activities without checking to see if they have the permissions to take a particular action on their own.

Using SCURVY, the researchers analyzed more than 600 applications offering interfaces to more than 3,500 activities and found that 61 percent of the allowable actions did not impose acceptable security precautions on the use of their activities. For example, a version of the voice-over-IP program, Skype, could be exploited by other programs to make calls without notifying the user.

“The way to stop this is to apply appropriate permissions,” Hassell says.

That sounds like some important stuff. So why not lay out the findings, as you offered to do, and guide conference attendees on steps they could take to mitigate the threats?

Rumors wafted around the Vegas strip that week that one or both researchers had partied hard the night before. But everyone who attends these Vegas conferences parties hard. Some of the best talks I’ve attended included badly hung over presenters.

Their official reason was this hard-to-believe explanation as reported by Reuters:

Hassell and colleague Shane Macaulay decided not to lay out their research at the gathering for fear criminals would use it attack Android phones.

Really? Isn’t that the danger at any Black Hat talk? You show people the flaws with the hope that they will go home and adjust their company security procedures accordingly. You also do it to put pressure on a vendor to fix the problems more quickly.

But there is always the risk of someone using the details to attack the device in question. If every Black Hat or Defcon talk was scrubbed for this reason, there’d be no reason to have these events at all.

Talks are cancelled all the time for good reasons. The presenter might get sick or have a family emergency. Sometimes the vendors under the microscope use legal action to halt a talk.

But to simply not show with no notice? If their stated reason for skipping the talk is true, they had plenty of time to pull their talk the right way, so attendees wouldn’t have to sit there getting their time wasted.

Sorry, guys. I’m not buying your excuse. What you did was irresponsible.

It throws all of your research into question. No talk means we’re left to wonder about the exact nature of the flaws you supposedly discovered.

It would have been better had you showed up and given a less than perfect talk. Hell, everyone who gives a talk bombs once in awhile. I know I have.

But to not show with no warning or reason, leaving us with half-baked press quotes about all the flaws you found with no actionable detail behind it?

That’s the kind of behavior that gives this community a black eye.

–Bill Brenner

one-stop view of latest business threats. We created it for you! Bookmark it! Use it!

CSO’s Daily Dashboard gives you a