Thousands of hackers, researchers and security experts flocked to Las Vegas this week for the Black Hat and Def Con security conferences, an annual pilgrimage to share the latest research, hacks and insights within the security community. And TechCrunch was on hand to cover the back-to-back shows and showcase some of the latest research.
CrowdStrike took center stage, taking home an award for “epic failure” that it surely didn’t want. But the company admitted it had made a mistake and dealt with the scandal several weeks after releasing a faulty software update that triggered a worldwide IT outage. Hackers and security researchers seemed largely willing to forgive, even if they may not forget so easily.
As another round of Black Hat and Def Con conferences comes to a close, we look back at some of the highlights and best research from the show that you may have missed.
Hacking Ecovac robots to spy on their owners over the Internet
Security researchers revealed in a Def Con talk that it was possible to hijack a number of Ecovacs vacuum cleaners and lawnmower robots by sending a malicious Bluetooth signal to a vulnerable robot nearby. From there, the built-in microphone and camera can be remotely activated over the internet, allowing the attacker to spy on anyone within listening and camera range of the robot.
The bad news is that Ecovacs never responded to the researchers or TechCrunch’s request for comment, and there’s no evidence the bugs were ever fixed. The good news is that we still have this incredible screenshot of a dog captured by the onboard camera of a hacked Ecovacs robot.
The long game of infiltrating the LockBit ransomware game and doxing its leader
An intense game of cat-and-mouse between security researcher Jon DiMaggio and the leader of the LockBit ransomware and extortion gang, known only as LockBitSupp, led DiMaggio down a rabbit hole of open-source intelligence gathering to discover the real identity of the notorious hacker.
In his highly detailed diary series, DiMaggio finally identified the man, fueled by an anonymous tip about an email address allegedly used by LockBitSupp and a deep-rooted desire to seek justice for the gang’s victims. And he did so even before federal agents publicly identified the hacker as Russian citizen Dmitry Khoroshev. At Def Con, DiMaggio told his story from his perspective for the first time to a packed room.
Hacker develops laser microphone that can hear your keystrokes
Well-known hacker Samy Kamkar has developed a new technique that aims to secretly capture every keystroke on a laptop keyboard by shining an invisible laser through a nearby window. Demonstrated at Def Con and explained by Wired, the technique “takes advantage of the subtle acoustics created by tapping different keys on a computer” and works as long as the hacker has a line of sight from the laser to the target laptop itself.
Prompt injections can easily trick Microsoft Copilot
A new prompt injection technique developed by Zenity shows that it is possible to extract sensitive information from Microsoft’s AI-powered chatbot companion Copilot. Zenity’s chief technical officer Michael Bargury demonstrated the exploit at the Black Hat conference, showing how to manipulate Copilot AI’s prompt to change its output.
In an example he tweeted, Bargury showed that it’s possible to inject HTML code with a bank account number controlled by a malicious attacker and trick Copilot into returning that bank account number in responses to regular users. This can be used to trick unsuspecting people into sending money to the wrong address, which is the basis of some popular business scams.
Six companies were saved from high ransom demands thanks to ransomware vulnerabilities on ransomware leak sites
Security researcher Vangelis Stykas targeted dozens of ransomware gangs and identified potential vulnerabilities in their publicly accessible infrastructure, such as their extortion leak sites. In his Black Hat talk, Stykas explained how he found vulnerabilities in the web infrastructure of three ransomware gangs – Mallox, BlackCat and Everest – which allowed him to distribute decryption keys to two companies and notify four others before the gangs could deploy ransomware. In total, six companies were able to avoid paying large ransoms.
The fight against ransomware is not getting any better, but the tactics law enforcement is using against gangs that encrypt and extort their victims are becoming more novel and interesting. This may be an approach to consider against future gangs.
