As they do every year, hackers descended on Las Vegas this week to show off the many ways they can decimate the internet’s security systems. Here’s a collection of some of our favorite talks from this week’s Black Hat conference, including some we didn’t get the chance to cover in depth.
Before the week even began, we took a look at how $15 worth of magnets could overcome a “smart” gun’s protections, turning it into just a regular ol’ gun. Similarly, a popular safe turned out to be anything but against a homemade robot safecracker. Also not so secure? Some of the popular tools hackers use to control other people’s systems, which turn out to be riddled with vulnerabilities themselves. Radioactivity sensors are easy to hack and not likely to get fixed. Entire wind farms can be shut down or hijacked with some lock picking tools and a proof-of-concept worm. And a bug in a Broadcom chip that lives inside every iPhone and lots of Android devices ended up exposing a billion or so smartphones to Wi-Fi attacks. Yes, billion.
At least some people are doing it right. Netflix managed to DDoS itself, but on purpose, and to help other services defend against the same obscure (for now) attack. After months of trying, Google finally patched the tricky Cloak & Dagger attack that threatened Android users, and still does if you’re not on Android O, which, uh, no one is yet. They also stopped some highly sophisticated malware, likely from a cyberarms dearly, that impacted a handful of high-value targets. Some researchers are open-sourcing a tool that might help fix the SS7 vulnerability that has plagued cell networks for years. But others demonstrated a cheap and easy way to ferret out zero-days from IoT devices, so it evens out. Also? Evil bubbles! Just trust us.
Otherwise, we watched shotguns shoot down some poor unfortunate drones. Which seems like an appropriate way to go out. Here are the rest of the talks we found interesting but didn’t get to cover in depth.
Leave it to hackers to turn the wholesome American institution of the carwash into a horrifying death trap. Security researchers Billy Rios and Jonathan Butts have offered a vivid new demonstration the consequences of connecting industrial equipment to the internet, hacking an automatic carwash to close its doors around a victim vehicle and repeatedly strike it with the system’s robotic arm. They found that they could locate 150 of the carwashes publicly on the internet, guess their default usernames and passwords, and even disable a safety feature meant to prevent the carwash’s equipment from touching a vehicle. They convinced one family carwash to let them test their attacks, but didn’t actually try them on a vehicle to avoid causing damage to the arm. But they did create a kind of proof-of-concept video (below) showing the carwash door repeatedly slamming on the hood of their pickup truck.