Vegas is Scary

Vegas is scary. Well, not the city itself.  I love Las Vegas!  (And I'll be there again soon for CTIA's Super Mobility Week. Ping me to meet up.)  The hackers that descended upon the desert oasis for Black Hat and DEFCON are the scary ones.  Their bag of tricks, more specifically.

I was on a mission to find and pick the brains of the most interesting attendees.  I came away somewhat traumatized, since I knew just enough to be truly disturbed by how many vulnerabilities were discussed.  Here are just a few, with links to more commentary by PC Mag. Max Eddy and Fahmida Rashid both did a stellar job and should be followed on Twitter.

Nest is Cracked

Saw it, wrote about it, followed Yier Jin on Twitter (and he followed me back. Very cool.)  Bottom line - Internet of Things devices should not be a doorway into your entire home network.  Consumers should consider setting up a quarantine, at least until these manufacturers figure it out.

Side note: what the hell, Nest? You're part of Google now. You're commonly considered some of the best and brightest. Shouldn't you be setting a better example for the IoT vendors to come?

Airport Security Scanners Are Vulnerable

I'm not sure this is a great classic hack, per se, but it's definitely a candidate for the Darwin Awards.  Who are the geniuses that are hardwiring login credentials into TSA-issue airport security scanners?  And to make it better, connecting them to the public internet?  Billy Rios, director of threat intelligence at Qualys, successfully identified two such systems.  He located 6,000 connected scanners, two of which were at airports.  PC Mag reported that one has been decommissioned since.  I want to know where this last rogue system is located... and I'm considering not flying until it is removed.

Satcom Links Become Slot Machines

IOActive's Ruben Santamarta was able to hack the satellite communications systems used in airliners, cruise ships and other remote deployments.  Again, using hardcoded credentials and backdoors, Santamarta proved that several methods of alternate communications are vulnerable.  Making matters worse, the use cases when these devices are in play are exactly the situations that you don't want to be hacked.  If you're hitting SOS on a plane or a boat, the last thing you want to see is a Black Hat video slot machine!

Google Glass Steals Passwords

Ok, that one looks like click bait. In a way, it is. Qinggang Yue demonstrated that an iPhone or even a traditional camcorder would still do the trick, but the popular wearable poster child is the most sneaky.  He was stealing Android users' PIN codes at an alarming rate - even 100% of attempts from 44 meters away, albeit with a camcorder on the fourth floor of the building to achieve an advantageous angle.  The upshot? Randomized keypads can't become ubiquitous fast enough. They will negate the advantage of most PIN-stealing techniques, including this voyeur strategy. Without a direct and clear angle, Yue's model was built to make assumptions about the location of each button.  By randomizing the location, users will not be able to rely on muscle memory to unlock their phone, access the ATM, enter their front door, etc., but hackers will have to work much, much harder.

Photo credit: Ryan Clarke

Bonus Story - The Puzzle Mastermind Behind DEFCON's Hackable Badges

Ryan Clarke aka LostboY aka LosT has a really cool gig. Wired's Kim Zetter has the story, and while it's not about a vulnerability, impending danger or security, I highly recommend taking a couple minutes to read it. Clarke designs seven badge types each year: attendees (humans), goons (conference volunteers), vendors, speakers, contest leaders, the press, and the Uber badge. Players have to collect each of them to decipher part of a math-based challenge. The lanyards holding the badges also contain puzzles. This level of creativity and craftsmanship is not commonplace, and it makes you want to attend DEFCON just to get one of these sophisticated works of art. And it makes me want to watch a movie like The Game again, just to get that thrill. Well done, LostboY, well done.