Thousands of computer hackers are heading to Las Vegas this week for Black Hat and Def Con, back-to-back information security conventions where attendees are warned not to send passwords over Wi-Fi or use the ATMs due to a surge in digital mischief-making.
It’s traditional for these skilled programmers to unveil their greatest exploits at the conventions, prompting a wave of press attention as seemingly-secure parts of our daily lives are turned against their users. Here’s how to hack an iPhone within one minute of plugging it in to a tampered charger. Here’s how to "trivially" gain access to surveillance cameras in homes, banks, prisons, and military facilities.
It’s traditional for hackers to unveil their greatest exploits here
So fire up your Faraday cage — here's the top 10 hacks should you expect this year as Def Con and Black Hat get underway.
10. Surprise: hackers can find your old Snapchats.
Ephemeral apps like Snapchat and Facebook Poke are getting increasingly popular as people recognize the allure of self-destructing messages. We’ve known for a while that these messages do not truly disappear, but two digital forensic investigators are here to tell you exactly how insecure they are. By examining a phone’s internal storage, monitoring the data as it is sent, and pinging the app’s servers, they’ve figured out how to pull data from your messages before, after, and during transmission. Researchers at Def Con found no exploits in the self-destructing private messenger app Wickr, however.
9. Your GoPro is now a spycam.
Imagine mountain biking with your GoPro portable video camera strapped to your head, oblivious that someone is listening to your every word. Amateur and professional videographers love the GoPro for its internet connectivity and layers of software. But this complexity also makes the camera vulnerable to attackers. Two security researchers have figured out multiple ways to turn the GoPro into a remote audio or video bug, as well as a way to control the device remotely. That could be trouble for soldiers using the cameras to record themselves on duty in Afghanistan.
8. If a high-security lock can’t be broken electronically, it can be picked with 3D-printed keys.
Your Wi-Fi-enabled door lock is one thing — you’d expect a hacker to get into that. But this year at Def Con, one team of hackers will present software that can generate 3D models for keys to any Schlage Primus, one of the most common high-security locks in the United States, when given the lock’s serial number.
If that’s not scary enough, another team of lock experts has targeted an extremely common home lock that can be "opened, bypassed, or decoded in seconds." They’re waiting until the conference to reveal which lock it is.
7. Someone is listening to your cell phone calls with $250 equipment.
Two years ago, hackers figured out how to listen in on conversations on cell phones that use the GSM system, which includes AT&T and T-Mobile customers, for under $1,500. Now, a team of three security consultants have figured out how to do the same for CDMA phones, operated by Verizon and Sprint, for under $300.
"You don't even know you're connected to me."
"I have a box on my desk that your cell phone will automatically connect to while you send and receive phone calls, text messages, emails, and browse the internet," reads the description for the Black Hat panel. "I own this box. I watch all the traffic that crosses it and you don't even know you're connected to me." The box they’re talking about is a femtocell, commonly sold for under $250 — or simply given away by the phone company as a signal booster. When in range, a mobile phone will route all its traffic through it without alerting the user.
6. Tiny computers around town are mapping your every move.
Security researcher Brendan O’Connor has created a system of $60 sensors designed to be planted around a neighborhood or city. The sensors track anything with a signal, including cell phones and mobile devices, feeding the data back to a central database that places the signals on a map. Of course, because most people carry at least one such device all the time, that means the sensors are actually tracking people as they go about their days. "It takes you from hand-crafted, artisan skeeviness to big-box commodity creepiness, and enables government-level total awareness for about $500 of off-the-shelf hardware," O’Connor says.
The fact that it’s called CreepyDOL isn’t even the eeriest part. Consider the fact that at least some of O’Connor’s research was funded by the Defense Advanced Research Projects Agency (DARPA), and these sensors are just one aspect of a holistic monitoring system.
5. Hackers could shut down a power plant.
Wireless networks are pretty useful for controlling power plants. They’ve also been implemented in nuclear, oil, gas, and water facilities. A pair of hackers discovered a vulnerability in a certain type of wireless device made by three of the leading industrial wireless automation solution providers. The vulnerability means that a hacker within a 40-mile range of the plant could read and write data into theses devices using only radio transceivers. From there, the attacker could inject false sensor measurements in order to wreak havoc on the plant’s operations, triggering surges of electricity or mixing oil in the wrong proportions. The hacker could also simply disable the network and shut down the entire facility. This type of interference could have disastrous consequences depending on the size of the plant.
4. Hackers are haunting your house.
Let’s start with your smart television: hackers can grab your account information, install a virus, or take over your webcam and microphone and stare at you while you scarf popcorn on the couch. Suddenly you’re sweating: the hackers have cranked up your thermostat to sauna levels. Next, the lights start flickering on and off. And finally, your smart door-lock, which uses Wi-Fi or Bluetooth, suddenly clicks open. As connected devices make our home lives more convenient, the paths of entry multiply from just the computer to everything in the house.
3. You could be shocked to death by your own pacemaker.
In 2006, about 350,000 pacemakers and 173,000 internal defibrillators were implanted in patients in the US alone. That’s also the year the Food and Drug Administration started fully approving wirelessly connected devices. Notorious hacker Barnaby Jack was scheduled to give a lecture on how to talk to and remotely take over these medical devices. This cyber attack is deadly: a hacker could stop a patient’s heart from 30 feet away. Jack passed away suddenly last week, but that doesn’t make what he discovered any less scary. He’s not the only one to have discovered vulnerabilities, either; security analyst Jay Radcliffe has been studying how bugs and viruses can seriously disrupt modern medical devices.
2. Hackers could take control of your car while you’re driving.
Car hacking is one of the biggest hacking trends of the year
Car hacking has turned out to be one of the biggest hacking trends of the year. Hackers can break into your car remotely or sneak in to tweak things under the dashboard. You might be driving and find that suddenly your brakes don’t work, or your wheel starts jerking, or your display is showing the fuel tank is full when it’s actually empty. Charlie Miller, security researcher at Twitter, and Chris Valasek, director of security intelligence at IOActive, recently demonstrated these terrifying feats with Forbes reporter Andy Greenberg behind the wheel. Four other teams will be presenting car-related hacks at Def Con, including exploits for vehicle security and driverless cars.
1. You’re being hacked by the government.
The US is becoming a dystopian surveillance state. Or at least, that’s how the hackers tell it. The government is no longer content to request data from private companies, demanding backdoor systems that afford unfettered, real-time access. The government even has a team of hackers in Virginia prepared to hack American citizens, says Chris Soghoian, senior policy analyst at the American Civil Liberties Union. "While politicians are clearly scared about hacks from China, our own law enforcement agencies are clearly in the hacking business," he writes.
Not only is the government monitoring citizens, as we learned during the PRISM debacle, it’s also not doing anything to stop private parties from doing the same. The government’s contemptuous attitude toward civilian privacy is what prompted Def Con organizer Jeff Moss to publicly request that federal agents not attend the conference this year. Malicious programmers can do a lot of damage, but hackers would argue that systematic monitoring by an entity as powerful as Uncle Sam is a much bigger concern.
These hacks aren't the only things happening at Black Hat and Def Con — we'll be reporting from both conferences all week, with lots more to come. Stay tuned — and stay vigilant.