Two of the biggest hacker conferences have just wound up in Las Vegas, finishing with what looked like an attack on one unfortunate casino’s slot machines:
Someone glitched all the slots in the Linq casino, they're all out of action it seems. Play nicely now.
— Darren Oliveiro-Priestnall (@TheNewAutonomy) August 11, 2018
For the past few days, Vegas has been host to the annual Black Hat and DEF CON conferences.
It’s mostly pretty dry content for the rest of the world, but generally, one or two of the more spectacular demonstrations make headlines.
Here are some of the highlights of this year’s events:
The past two years at DEF CON have been notable for investigations into how voting machines can be hacked — a hot topic following the 2016 presidential election in the US.
In March this year, DEF CON’s Voting Machine Hacking Village — the section which is home to vote-hacking demonstrations — won a Cybersecurity Excellence Award for promoting the awareness of the machines’ vulnerabilities.
Before this year’s event had even begun, the US’ National Association of Secretaries of State (NASS) made a point of saying the conference environment “in no way replicates state election systems, networks or physical security”.
In a release, NASS says:
“Providing conference attendees with unlimited physical access to voting machines, most of which are no longer in use, does not replicate accurate physical and cyber protections established by state and local governments before and on Election Day.”
Obviously, the Voting Machine Hacking Village struck a nerve. And this year, the demonstrations were just as unkind to NASS.
Former National Institutes for Standards and Technology security expert Joshua Franklin led a team of independent researchers who planned to show that three of every 10 candidates running for the US House of Representatives have significant security problems with their websites.
One hacker took a voting machine in use in at least 20 US states and turned it into a jukebox with an Illuminati GIF:
— DEFCON VotingVillage (@VotingVillageDC) August 10, 2018
Oh, and an 11-year-old child accessed a replica of the Florida secretary of state’s website and was able to change voting results found there in under 10 minutes.
Florida’s Secretary of State spokesperson stressed to BuzzFeed that “changing the appearance of the vote on a website isn’t the same as changing actual votes”.
Perhaps the most alarming Black Hat presentation for many this week came from Ruben Santamarta of IOActive.
He showed how, by accessing a satellite communications network, he could access phones, tablets and laptops on planes as they flew overhead.
Hypothetically, Santamarta said, he could damage parts of the planes by transferring energy toward sensitive parts via radio frequencies.
Security firm McAfee bought a heart monitor off eBay and spent a couple months working out a way to hack into a medical network and falsify a patient’s vital signs.
VentureBeat reports “they were able to switch the display of a patient’s heartbeat from 80 beats a second to zero within five seconds”.
Researchers at Check Point sent a scare through HP after showing how they could take over tens of millions of fax-ready HP OfficeJet inkjet printers.
“There is no prerequisite for this attack,” they said. “All you need to do is send a malicious fax to the printer and you have control.”
HP had already been warned by Check Point and released patches to shut down the vulnerability prior to the start of the conference.
Sparked by the human error in January that had Hawaiians believing their homes were under missile attack, IBM’s X-Force Red Team looked at “smart city” systems to see if it could find openings to launch “super villain” attacks.
In four city systems, it found 17 vulnerabilities, nine of which were considered “critical in nature”.
In one demonstration, the team hacked an IoT gateway that cities use to monitor alert sensors, and showed how it could be forced to record false readings.
SC Magazine reports IBM showed a hypothetical situation where that capability was used to release water from a dam and flood a fake road.
Elon Musk made an appearance for a Q&A session with engineers from Tesla and SpaceX.
Great Q&A @defcon last night. Thanks for helping make Tesla & SpaceX more secure! Planning to open-source Tesla vehicle security software for free use by other car makers. Extremely important to a safe self-driving future for all.
— Elon Musk (@elonmusk) August 11, 2018
But some of the best hacks were in play even before DEF CON began, as attendees burned the wait time by hacking their own hotel services. This one was deleted soon after being posted:
At this point we can clone any Linq hotel room card.
So if someone hears what room you’re in and they get within half a foot of you, they can copy your room key.
Next thing to do is figure out their data schema. If we can do that, we might be able to make a key for any room.
— Tinker ❎ @ DefCon (@TinkerSec) August 10, 2018
At Caesar’s Palace, the load on air conditioners made an unexpected jump for the weekend:
For all the DefCon folks staying in Caesar's: the VIP override for the Honeywell thermostat in your room is:
– While holding down "display"
– Press "off"
– Press "Up" arrow
– Release "display" button
Disables room occupancy sensor and lowers min temp setting.
— ꜳꝛꝍꞥ (@TheTarquin) August 8, 2018
Fortunately for one janitor, there were a few white hats in attendance:
— alt_bier (@alt_bier) August 9, 2018