Mon Mar 3 17:58:34 2008

Infosecurity.it

Dirk Breiden and FX of Recurity Labs went to an IT security trade show in Milano, Italy, following an invitation from fellow hackers Stefano Zanero, Igor Falcomata, Raoul Chiesa and other members of Sikurezza.org. We gave a talk on the current state of independent research into the security of RIM's BlackBerry solution.

Our Italian friends were exceptionally nice and forthcoming, making sure we had everything and were well entertained all the time. Many thanks go to the organizers of our daily and evening events.

One thing that struck me as strange was the security trade show itself. The exhibitors came almost exclusively from the usual suspect section of security software and appliance vendors and distributors. Many displayed embedded boxes of various sizes with little or no LCD displays that somehow made something secure. As far as we could tell, none of them sent any technical personnel to the event and the attendees didn't seem to mind at all.

We talked to one particular vendor's booth personnel since we happen to use one of their products and happened to stumble across some 0day vulnerabilities in it. The person did not know what a vulnerability is and, once we started to explain that their embedded product runs on Linux, insisted that we must be wrong, since it only supports Windows and Apple. Oh well. While I'm totally aware of the fact that a trade show booth is not the recommended vulnerability reporting channel, I did actually expect the company representative to know a certain minimum about their product.

Afterwards, it crossed my mind that at every trade show, be it cars, construction equipment, tools, boats and even food, the exhibitors go out of their way to show the inner workings of their product, like engines, safety mechanisms and any other aspect that highlights the quality and uniqueness. At the security product show, nobody seemed to consider opening their magic appliances to even show the PCB and the hardware within, let alone explain the inner workings in any considerable detail. And even then, people seemed to like the stuff, as far as we could tell. Very interesting.


Posted by FX | Permanent link | File under: events