The best hacks and security research from Black Hat and Def Con 2024

Date:

Share post:


Thousands of hackers, researchers and security professionals descended on the Black Hat and Def Con security conferences in Las Vegas this week, an annual pilgrimage aimed at sharing the latest research, hacks, and knowledge across the security community. And TechCrunch was on the ground to report on the back-to-back shows and to cover some of the latest research.

CrowdStrike took center stage, and picked up an “epic fail” award it certainly didn’t want. But the company acknowledged it messed up and handled its scandal several weeks after releasing a buggy software update that sparked a global IT outage. Hackers and security researchers seemed largely willing to forgive, though maybe not easily forget.

As another round of Black Hat and Def Con conferences wrap up, we look back at some of the highlights and the best in research from the show that you might’ve missed.

Hacking Ecovac robots to spy on their owners over the internet

Security researchers revealed in a Def Con talk that it was possible to hijack a range of Ecovacs home vacuum and lawnmower robots by sending a malicious Bluetooth signal to a vulnerable robot within a close proximity. From there, the on-board microphone and camera can be remotely activated over the internet, allowing the attacker to spy on anyone within ear- and camera-shot of the robot.

The bad news is that Ecovacs never responded to the researchers, or TechCrunch’s request for comment, and there is no evidence that the bugs were ever fixed. The good news is that we still got this incredible screenshot of a dog taken from the on-board camera of a hacked Ecovacs robot. 

A dog seen through a hacked Ecovacs device. Image Credits: Dennis Giese and Braelynn / supplied.
Image Credits: Dennis Giese and Braelynn

The long game of infiltrating the LockBit ransomware game and doxing its ringleader

An intense cat and mouse game between security researcher Jon DiMaggio and the ringleader of the LockBit ransomware and extortion racket, known only as LockBitSupp, led DiMaggio down a rabbit hole of open source intelligence gathering to identify the real-world identity of the notorious hacker. 

In his highly detailed diary series, DiMaggio, spurred on by an anonymous tip of an email address allegedly used by LockBitSupp and a deep-rooted desire to get justice for the gang’s victims, finally identified the man, and got there even before federal agents publicly named the hacker as the Russian national, Dmitry Khoroshev. At Def Con, DiMaggio told his story from his perspective to a crowded room for the first time.

Hacker develops laser microphone that can hear your keyboard taps

Renowned hacker Samy Kamkar developed a new technique aimed at stealthily determining each tap from a laptop’s keyboard by aiming an invisible laser through a nearby window. The technique, demonstrated at Def Con and as explained by Wired, “takes advantage of the subtle acoustics created by tapping different keys on a computer,” and works so long as the hacker has a line-of-sight from the laser to the target laptop itself. 

Prompt injections can easily trick Microsoft Copilot

A new prompt injection technique developed by Zenity shows it’s possible to extract sensitive information from Microsoft’s AI-powered chatbot companion, Copilot. Zenity chief technology officer Michael Bargury demonstrated the exploit at the Black Hat conference, showing how to manipulate Copilot AI’s prompt to alter its output.

In one example he tweeted out, Bargury showed it was possible to feed in HTML code containing a bank account number controlled by a malicious attacker and trick Copilot into returning that bank account number in responses returned to ordinary users. That can be used to trick unsuspecting people into sending money to the wrong place, the basis of some popular business scams. 

Six companies saved from hefty ransoms, thanks to ransomware flaws in ransomware leak sites

Security researcher Vangelis Stykas set out to scope dozens of ransomware gangs and identify potential holes in their public-facing infrastructure, such as their extortion leak sites. In his Black Hat talk, Stykas explained how he found vulnerabilities in the web infrastructure of three ransomware gangs — Mallox, BlackCat, and Everest — allowing him to get decryption keys to two companies and notify four others before the gangs could deploy ransomware, saving in total six companies from hefty ransoms. 

Ransomware isn’t getting better, but the tactics law enforcement are using against gangs that encrypt and extort their victims are getting more novel and interesting, and this could be an approach to consider with gangs going forward.





Source link

Lisa Holden
Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.

Recent posts

Related articles

Zepto raises another $350 million amid retail upheaval in India

Zepto has secured $350 million in new funding, its third round of financing in six months, as...

Battery unicorn Northvolt files for bankruptcy, upending Europe’s industrial plan

Beleaguered Swedish battery manufacturer Northvolt announced today that it was filing for bankruptcy in the U.S., striking...

Brave Search adds AI chat for follow-up questions after your initial query

Brave announced on Thursday that it’s introducing an AI chat mode for follow-up questions based on initial...

Cruise fesses up, Pony AI raises its IPO ambitions, and the TuSimple drama dials back up

Welcome back to TechCrunch Mobility — your central hub for news and insights on the future of...

WhatsApp rolls out voice message transcripts

WhatsApp announced on Thursday it’s rolling out voice message transcripts. The Meta-owned company says the new feature...

Threads adjusts its algorithm to show you more content from accounts you follow

After several complaints about its algorithm, Threads is finally making changes to surface more content from people...

Spotify tests a video feature for audiobooks as it ramps up video expansion

Spotify is enhancing the audiobook experience for premium users through three new experiments: video clips, author pages,...

Candela brings its P-12 electric ferry to Tahoe and adds another $14M to build more

Electric passenger boat startup Candela has topped off its most recent raise with another $14 million, the...