As they do every year, hackers descended on Las Vegas this week to show off the many ways they can decimate the internet’s security systems. Here’s a collection of some of our favorite talks from this week’s Black Hat conference, including some we didn’t get the chance to cover in depth.
Before the week even began, we took a look at how $15 worth of magnets could overcome a “smart” gun’s protections, turning it into just a regular ol’ gun. Similarly, a popular safe turned out to be anything but against a homemade robot safecracker. Also not so secure? Some of the popular tools hackers use to control other people’s systems, which turn out to be riddled with vulnerabilities themselves. Radioactivity sensors are easy to hack and not likely to get fixed. Entire wind farms can be shut down or hijacked with some lock picking tools and a proof-of-concept worm. And a bug in a Broadcom chip that lives inside every iPhone and lots of Android devices ended up exposing a billion or so smartphones to Wi-Fi attacks. Yes, billion.
At least some people are doing it right. Netflix managed to DDoS itself, but on purpose, and to help other services defend against the same obscure (for now) attack. After months of trying, Google finally patched the tricky Cloak & Dagger attack that threatened Android users, and still does if you’re not on Android O, which, uh, no one is yet. They also stopped some highly sophisticated malware, likely from a cyberarms dealer, that impacted a handful of high-value targets. Some researchers are open-sourcing a tool that might help fix the SS7 vulnerability that has plagued cell networks for years. But others demonstrated a cheap and easy way to ferret out zero-days from IoT devices, so it evens out. Also? Evil bubbles! Just trust us.
Otherwise, we watched shotguns shoot down some poor unfortunate drones. Which seems like an appropriate way to go out. Here are the rest of the talks we found interesting but didn’t get to cover in depth.
Hackers Hijack a Carwash to Cause Vehicle-Destroying Mayhem
Leave it to hackers to turn the wholesome American institution of the carwash into a horrifying death trap. Security researchers Billy Rios and Jonathan Butts have offered a vivid new demonstration of the consequences of connecting industrial equipment to the internet, hacking an automatic carwash to close its doors around a victim vehicle and repeatedly strike it with the system’s robotic arm. They found that they could locate 150 of the carwashes publicly on the internet, guess their default usernames and passwords, and even disable a safety feature meant to prevent the carwash’s equipment from touching a vehicle. They convinced one family carwash to let them test their attacks, but didn’t actually try them on a vehicle to avoid causing damage to the arm. But they did create a kind of proof-of-concept video (below) showing the carwash door repeatedly slamming on the hood of their pickup truck.
Chinese Hackers Take Over a Tesla—Again
In September of last year, security researchers at the Keen Labs group of the Chinese tech giant Tencent pulled off an impressive feat of automotive hacking, completely undermining the security of a Tesla S to disable its brakes after it automatically connected to their rogue Wi-Fi hotspot. Tesla responded with a batch of security fixes, and even added a new security measure to its vehicles known as codesigning, which requires that any code installed on the car’s head unit be signed with an unforgeable key held only by Tesla. Now, less than a year later, the same hackers have struck again, this time finding a path into the Tesla X’s innards that works not just via a Wi-Fi connection, but via a cellular signal, vastly increasing its range. And after defeating Tesla’s codesigning protection and installing their own firmware on the vehicle to take control of its brakes, they added a wonderfully unnecessary flourish, captured in the video below.
Sonic Gun Attack Can Glitch Oculus Headsets or Hoverboards
One group of hackers has modernized the old party trick of the woman singing a high-pitched note at the perfect frequency to break a wine glass. With nothing but soundwaves emitted from a small “gun” device they created, they were able to vibrate the MEMS sensors that function as accelerometers and gyroscopes that stabilize everything from quadcopter drones to hoverboards to the image inside an Oculus Rift headset. By merely firing resonant sound waves at exactly the right frequency at those devices, the hackers say they could cause the hoverboard to tip, make the image inside the Oculus shake nauseatingly, and potentially knock a drone out of the sky. But the hackers, who work for Chinese e-commerce firm Alibaba, didn’t exactly carry out all those dramatic attacks; they tested their drone hacking technique on a non-moving drone with its rotors removed for safety, and had to install the sonic emitter inside the hoverboard’s case to make that attack work. But they argue those demos nonetheless prove their attack works, and could be made more powerful with larger, more expensive sonic equipment.
Taking Down the Avalanche Botnet
On Wednesday, FBI Cyber Division Unit Chief Tom Grasso gave a Black Hat audience details of the December Avalanche takedown orchestrated by a group of international law enforcement agencies. It took four years of work to eliminate the sophisticated online criminal infrastructure known as “Avalanche.” The platform could act as a botnet, and was also used to power malware distribution, launch phishing attacks, and move stolen money. The initiative involved sinkholing more than 800,000 malicious domains, Grasso said, and in January 2016 when Avalanche administrators moved one of their private domain registration servers from Moldova to the US, officials got a search warrant and ultimately accessed administrator email addresses and a list of more than 200 clients.
Grasso particularly emphasized the crucial role of international cooperation in the operation. In addition to the necessity of law enforcement collaboration, the private sector also contributes to the FBI’s cyber crime work, offering everything from threat intelligence to technical help. In the case of Avalanche, numerous third parties including the Shadowserver Foundation and the German application research firm Fraunhofer contributed to the investigation. And Grasso made a plea for further assistance. “If you think you want to go out and take down a threat yourself but you’re like, ‘I don’t know if that would be legal,’ we can make it legal for you to do that. We can take your good ideas and formulate them into a sound legal plan.”