Thousands of hackers, researchers, and security professionals flocked to the Black Hat and Def Con security conferences in Las Vegas this week, an annual event that aims to share the latest research, breakthroughs, and knowledge across the security community. TechCrunch was on the ground to report on the back-to-back conferences and cover some of the latest research.
CrowdStrike took center stage, earning a “failure” award it certainly didn’t want. But the company admitted it had made a mistake and dealt with its scandal weeks after releasing a buggy software update that caused a global IT outage. Hackers and security researchers seemed largely willing to forgive, though they may not forget easily.
As another round of Black Hat and Def Con conferences comes to a close, we’re taking a look at some of the highlights and best research from the show that you may have missed.
Ecovac robots hacked to spy on owners online
Security Researchers Revealed in Def Con chat A group of Ecovacs home vacuum and lawnmower robots could have been hijacked by sending a malicious Bluetooth signal to a vulnerable robot in close proximity. From there, the robot’s onboard microphone and camera could be activated remotely over the internet, allowing the attacker to spy on anyone within earshot of the robot and its cameras.
The bad news is that Ecovacs never responded to the researchers’ request for comment or TechCrunch’s request for comment, and there’s no evidence that the bug was ever fixed. The good news is that we still have an amazing screenshot of a dog captured from the camera on board the hacked Ecovacs robot.
The Long Game of Infiltrating the LockBit Ransomware and Shaming Its Leader
Intense cat and mouse game between Security Researcher John DiMaggio The leader of the LockBit ransomware extortion network, known only as LockBitSupp, led DiMaggio down a rabbit hole of open source intelligence gathering to determine the true identity of the infamous hacker.
in His highly detailed series of memoirsEventually, thanks to an anonymous reference to an email address allegedly used by LockBitSupp and a deep-rooted desire to see justice for the gang’s victims, DiMaggio was able to identify the man, and he got there even before federal agents publicly identified the hacker as Russian national Dmitry Khoroshev. At Def Con, DiMaggio told his story from his perspective to a packed room for the first time.
Hacker Develops Laser Microphone That Can Hear Keyboard Keys
Renowned hacker Sami Kamkar has developed a new technology that aims to secretly identify every keystroke on a laptop keyboard by shining an invisible laser through a nearby window. The technology was demonstrated at the Def Con conference and As explained by Wired“This method exploits the microacoustics generated by clicking different keys on a computer,” and works as long as the hacker has a line of sight from the laser to the targeted laptop itself.
Quick injections can easily trick Microsoft Copilot
New rapid injection technology Developed by Zeniti It shows that it is possible to extract sensitive information from Copilot, an AI-powered chatbot from Microsoft. Michael Bargory, chief technology officer at Zenity, demonstrated the exploit in Black Hat Conferenceshows how to handle a Copilot AI request to change its output.
In one example He tweetedBargori showed that it is possible to inject HTML code containing a bank account number controlled by a malicious attacker and trick Copilot into returning that bank account number in the responses returned to normal users. This can be used to trick uninformed people into sending money to the wrong place, which is the basis for some common commercial scams.
Six companies saved from massive ransomware, thanks to ransomware flaws on ransomware leak sites
Security researcher Vangelis Stekas set out to study dozens of ransomware gangs and identify potential vulnerabilities in the infrastructure they handle, such as extortion leak sites. Talking about the black hatStyx explained how he discovered vulnerabilities in the web infrastructure of three ransomware gangs — Malox, Blackcat, and Everest — that allowed him to obtain decryption keys for two companies and notify four others before the gangs could deploy the ransomware, saving six companies in total from a massive ransom.
Ransomware isn’t getting any better, but the tactics law enforcement is using against gangs that encrypt and extort their victims are becoming more modern and interesting, and this may be an approach to consider with gangs in the future.