Full Report
In one week, it’s 44CON time again, one of our favourite UK hacker cons. In keeping with our desire to make more hackers, we’re giving several training courses as well as a talk this year.

Training: Hacking by Numbers – Mobile Edition

If you’re in a rush, you can book here. We launched it at Blackhat USA, and nobody threw anything rotting; in fact, some said it went pretty well. It is our latest addition to the Hacking by Numbers training.
Analysis Summary
# Industry News: SensePost Drives Mobile Security Training and Discloses Z-Wave Vulnerabilities at 44CON
## Summary
SensePost is leveraging the 44CON 2013 conference to promote the latest iteration of its "Hacking by Numbers – Mobile Edition" training, following a successful debut at Black Hat USA. Concurrently, the firm is presenting critical research exposing significant security flaws, including remote exploitation capabilities, in widely used Z-Wave home automation systems, signaling a growing focus on securing the emerging IoT/smart home sector.
## Key Details
- Date: Announced September 2013 (for 44CON event week)
- Companies Involved: SensePost, 44CON Conference Organizers
- Category: Product Launch (Training Course Update) & Technical Disclosure (Vulnerability Research)
## The Story
SensePost announced its heavy participation in the upcoming 44CON 2013, emphasizing their commitment to knowledge dissemination and practical skill development within the UK hacking community. The core announcement is the promotion of their **"Hacking by Numbers – Mobile Edition"** course, which provides a practical methodology for testing vulnerabilities in iOS and Android applications and platforms, aimed at experienced penetration testers expanding into mobile security.
Additionally, the company is highlighting two specialized offerings: a malware reverse engineering workshop targeted at understanding advanced attacks, and a highly anticipated technical talk titled **‘Honey, I’m Home’**, detailing research into the Z-Wave home automation protocol. This research claims vulnerabilities allowing an attacker to perform packet capture, injection, and potentially disable security measures and unlock doors using a low-cost kit.
## Business Impact
### For the Companies Involved
- **SensePost:** This activity directly supports their core business model by marketing high-value, specialized training services (HBN Mobile). The public research disclosure (Z-Wave) significantly raises their profile as thought leaders in security research, lending credibility and authority to their consulting and training offerings.
### For Competitors
- **Training Competitors:** SensePost sharpens its competitive edge by offering specialized, battle-tested training derived from high-profile engagements, putting pressure on competitors offering generalist or less specialized mobile security training.
- **IoT Security Firms:** The Z-Wave disclosure validates the market need for deep-dive security assessments in the nascent smart home/IoT ecosystem, potentially driving up demand for specialized IoT security services across the industry.
### For Customers
- **Enterprise Clients:** Customers looking for application security services benefit from SensePost validating its deep expertise in emergent areas like mobile and IoT security.
- **Security Professionals/Trainees:** They gain access to cutting-edge training methodologies for mobile platforms and specialized workshops for malware analysis.
### For the Market
- The promotion of mobile security training reflects the industry-wide shift in focus towards securing mobile endpoints, confirming mobile application testing as a mature B2B service offering.
- The Z-Wave findings act as a major wake-up call for the rapidly expanding home automation and IoT market regarding inherent protocol-level security risks.
## Technical Implications
The **HBN Mobile** course focuses on practical application testing across iOS and Android, suggesting methodologies that are platform-agnostic where possible but still cover native specifics. The **Z-Wave research** is technically significant because it targets the Z-Wave protocol underpinning many home automation products, specifically detailing packet capture and injection against the protocol and potential flaws in its AES cryptography implementation.
## Strategic Analysis
- **Market Positioning:** SensePost positions itself at the intersection of high-demand technical training and cutting-edge vulnerability research, particularly targeting lucrative emerging markets like mobile and IoT.
- **Competitive Advantage:** The combination of highly technical, published research (Z-Wave) alongside commercialized training (HBN Mobile) creates a powerful feedback loop: research informs training, and market awareness from research drives training sales.
- **Challenges:** Successfully scaling specialized training and maintaining the velocity of research disclosures required to sustain this positioning will be key challenges.
## Industry Reactions
- **Analyst Opinions:** Analysts would likely view this dual announcement positively, seeing it as a strong demonstration of a security consultancy successfully linking deep technical acumen to viable commercial products (training). The severity of the Z-Wave findings would attract significant attention from IoT vendors and consumer safety groups.
- **Expert Commentary:** Expect community focus on the Z-Wave research. Such a low-cost, high-impact attack vector against home security systems always generates intense discussion about protocol standards and vendor accountability.
- **Market Response:** High demand for the HBN Mobile training spots is anticipated, and Z-Wave protocol custodians would likely face immediate pressure to respond to the disclosed flaws.
## Future Outlook
- We can expect SensePost to continue leveraging security conferences for both training promotion and high-impact research releases.
- Watch for follow-up patches or official responses from hardware manufacturers utilizing the Z-Wave protocol, and potentially an advanced "IoT Security" training track emerging from SensePost in response to their own research findings.
## For Security Professionals
Practitioners looking to upskill must prioritize mobile application testing methodologies, as this area is solidifying as a core competency. Furthermore, professionals focused on infrastructure or hardware security need to urgently review the implications of the Z-Wave research, as these types of embedded system risks are moving from industrial controls into consumer environments, creating new attack surfaces.