Locknote: Highlights & Key Takeaways from Black Hat Asia 2025
Description
Black Hat Asia 2025 review board members discuss key conference takeaways, ranging from the immaturity of hardware supply chain security to the nuances of AI in vulnerability research. The panel provides essential advice for researchers on how to craft successful conference submissions and the importance of technical storytelling.
Inside Black Hat Asia 2025: Hardware Gaps, AI Realities, and the Future of Research
The cybersecurity landscape is in a state of constant flux, oscillating between the excitement of emerging technologies like AI and the realization that foundational issues—like hardware security—remain largely unsolved. At the Black Hat Asia 2025 Locknote, a panel of elite security researchers and review board members sat down to deconstruct the conference’s most important findings. From the intricacies of the hardware supply chain to the 'AI-washing' of research papers, the discussion provided a roadmap for where the industry is heading and how researchers can leave their mark.
The Hardware Supply Chain Blind Spot
One of the most striking takeaways from the conference was the continued vulnerability of the hardware supply chain. While software security has benefited from decades of open-source scrutiny and rapid threat intelligence sharing, hardware remains a 'black box.' Asuka Nakajima, a Senior Security Research Engineer at Elastic, noted that the industry’s understanding of hardware threats is still immature.
The challenge lies in visibility. In the software world, a malicious payload can be identified and blocked across the globe within minutes. In hardware, tampering often occurs in geographically and culturally distant manufacturing hubs like Shenzhen. The board discussed the need for a 'Zero Trust' approach to hardware, acknowledging that we can no longer take the integrity of our physical components for granted. This represents a massive shift for the industry, moving from a model of implicit trust in manufacturers to one of continuous verification.
AI: Beyond the Buzzword
Artificial Intelligence was, unsurprisingly, the most submitted track at Black Hat Asia this year. However, the review board warned against the trend of 'AI-washing'—the practice of shoehorning AI into a talk to increase its perceived value. Ryan Flores, leader of Forward-Looking Threat Research, pointed out that the most compelling research isn't just about AI; it's about the intersection of AI and existing security challenges.
For example, researchers are now looking at how AI can automate the extraction of TTPs (Tactics, Techniques, and Procedures) from raw data or how it can be used to model vulnerabilities in quantum computing systems. The consensus was clear: AI is a powerful tool for scaling operations and speeding up analysis, but it does not replace the need for the 'creative spark' of a human researcher. Vitaly Kamluk emphasized that deeply technical work, such as Linux kernel exploitation, still requires a level of ingenuity that current AI models simply cannot replicate.
The Rise of SBOM and VEX Automation
In the wake of supply chain crises like Log4j, the industry has turned to Software Bill of Materials (SBOM) as a solution. However, having an SBOM is only half the battle; the real challenge is managing the metadata and determining which vulnerabilities are actually exploitable in a specific environment.
Vandana Verma highlighted research focused on automating VEX (Vulnerability Exploitability eXchange) scripts. This automation allows organizations to filter through the noise of vulnerability scanners and focus on the risks that truly matter. This transition from static lists to dynamic, automated exploitability data is a critical evolution for DevSecOps and modern application security.
Mastering the Art of the Submission
For many in the audience, the most practical advice concerned the Black Hat Call for Papers (CFP) process. The board offered a rare look behind the curtain at how talks are selected. The key, they argued, is storytelling. A successful submission doesn't just present data; it takes the reviewers on a journey.
Key tips for a winning CFP:
- Be Specific: Don't just say 'we researched X.' Tell the board what is unique about your approach and why it matters now.
- Provide Supplementary Material: Links to raw data, GitHub repositories, and video demonstrations go a long way in building reviewer confidence.
- Focus on Key Takeaways: What will the audience leave the room with? If the takeaways aren't clear, the talk won't be selected.
- Leverage the SCP: The Speaker Coaching Program is an invaluable resource for first-time speakers, helping technical experts transform their research into engaging, professional presentations.
Conclusion: The Human Element
As Black Hat Asia 2025 concluded, the overarching message was one of balance. While we must embrace new tools like generative AI and automated supply chain tracking, the core of security remains human-centric. Whether it is the manual reverse engineering of a complex loader or the ability to tell a compelling story on stage, the researcher's creativity and communication skills are what ultimately move the needle. As we look toward Black Hat 2026, the challenge for the community is to leverage these new technologies without losing the 'old school' hacking spirit that defines the conference.
AI Summary
The Black Hat Asia 2025 Locknote serves as a retrospective on the current state of cybersecurity research, featuring a panel of review board experts including Daniel Cuthbert, Asuka Nakajima, Ryan Flores, Vitaly Kamluk, and Vandana Verma. The session opens with a discussion on the 'resurgence of old-school hacking,' where deep technical dives into protocols and reverse engineering are once again taking center stage amidst the modern buzz of AI. A significant portion of the conversation focuses on the hardware supply chain. Asuka Nakajima reflects on the opening keynote by Bunny Huang, noting that hardware security remains dangerously immature. Unlike software, where threat intelligence is shared rapidly, hardware crimes are often well-hidden, particularly in manufacturing hubs like Shenzhen. The board suggests that the industry needs to adopt zero-trust principles for hardware and develop better visibility into the manufacturing process. AI is addressed not as a magic bullet, but as a maturing toolset. While the AI track received the highest number of submissions, many were criticized for 'AI-washing'—superficially adding the term to boost acceptance chances. The board highlights that the most impactful research involves the intersection of AI with other fields, such as using AI for quantum computing, automating TTP extraction, or securing the platforms that host AI models. Conversely, researchers like Vitaly Kamluk emphasize the value of manual, creative work in areas like Linux kernel exploitation, where human ingenuity still outperforms automated tools. The panel explores Software Supply Chain security, specifically the advancement of SBOM (Software Bill of Materials) and VEX (Vulnerability Exploitability eXchange). Vandana Verma notes that recent research has successfully automated VEX scripts, which is crucial for organizations trying to manage the volume of vulnerabilities identified in their software components. Finally, the session provides a comprehensive guide to the Black Hat Call for Papers (CFP) process. The board encourages researchers to move beyond just reporting results and instead focus on 'storytelling.' Successful submissions are characterized by an interesting narrative, unique findings, clear key takeaways, and the provision of supplementary material like raw data or video demos. They also highlight the Speaker Coaching Program (SCP), a initiative designed to help technical experts refine their presentation skills and overcome stage fright, ensuring that groundbreaking research is communicated effectively to the community.
More from this Playlist
Dismantling the SEOS Protocol
