This week, thousands of hackers, researchers, and security professionals gathered in Las Vegas for the security conferences Black Hat and Def Con, annual pilgrimages aimed at sharing the latest research, hacks, and knowledge across the security community. TechCrunch was on-site to report on the back-to-back shows and bring you some of the latest research.
CrowdStrike got the attention and the “big fail” award it didn't want, but the company addressed the scandal and admitted it screwed up just weeks after releasing a buggy software update that caused a global IT outage. Hackers and security researchers may not forget easily, but they seem mostly willing to forgive.
As another round of Black Hat and Def Con conferences comes to an end, we're looking back at some of the show's highlights and best research that you may have missed.
Hacking Ecovac robots to spy on their owners over the internet
Security researchers revealed in a talk at Def Con that it's possible to take over Ecovacs home vacuums and lawnmower robots by sending malicious Bluetooth signals to vulnerable nearby robots. From there, the on-board microphones and cameras can be remotely activated over the internet, allowing the attacker to spy on anyone within the robot's ears and camera's field of view.
Unfortunately, Ecovacs did not respond to the researchers or to TechCrunch's request for comment, and there is no evidence that the bug has been fixed. The good news is that we still have some great screenshots of the dog captured by the hacked Ecovacs robot's onboard camera.
A dog seen through a hacked Ecovacs device. Image courtesy of Dennis Guise and Braelyn / Courtesy. Image courtesy of Dennis Guise and Braelyn
The long-term battle to break into LockBit ransomware and expose the identity of its masterminds
A wild chase between security researcher John DiMaggio and the mastermind behind the LockBit ransomware and extortion ring, known only as LockBitSupp, led DiMaggio into a maze of open-source intelligence gathering to discover the notorious hacker's actual identity.
In a series of highly detailed diaries, DiMaggio was driven by an anonymous tip about an email address allegedly used by RockBitsap and a deep-seated desire to deliver justice for the gang's victims, and he eventually identified the man — and he did so before federal agents publicly named the hacker as Russian national Dmitry Khoroshev. At DEFCON, DiMaggio told his story from his perspective for the first time in front of a packed audience.
Hackers develop laser microphone that can listen to keyboard keystrokes
Famed hacker Sammy Kamkar has developed a new technique for surreptitiously identifying taps on a laptop keyboard by shining an invisible laser through a nearby window. Demonstrated at Def Con and explained by Wired, the technique “uses the subtle acoustic sounds produced by tapping various keys on a computer,” and works as long as the hacker can maintain a line of sight from the laser to the target laptop itself.
Prompt injection can easily trick Microsoft Copilot
A new prompt injection technique developed by Zenity has been shown to allow for the extraction of sensitive information from Copilot, Microsoft's AI-powered chatbot companion. Zenity Chief Technology Officer Michael Bargury demonstrated the exploit at the Black Hat conference, showing how to manipulate Copilot AI prompts to change their output.
In one example, Burglee tweeted, he showed how a malicious actor could enter HTML code containing a bank account number they control and trick CoPilot into returning that bank account number in a response to a consumer. This can be used to trick unsuspecting people into sending money to the wrong place, a common business fraud technique.
Sending an email caused an RCE in M365 Copilot
~RCE means complete remote control
The action – Search for sensitive content (SharePoint, Mail, Calendar, Teams), run plugins
And output – bypassing DLP controls, manipulating referrals, social engineering users… pic.twitter.com/r1yMRLXKAG
— mbg @ Defcon (@mbrg0) August 8, 2024
Ransomware leak site's ransomware flaw saves six businesses from hefty ransoms
Security researcher Vangelis Stikas set out to investigate dozens of ransomware gangs and identify potential holes in their public infrastructure, such as extortion leak sites. In his Black Hat talk, Stikas described how he discovered vulnerabilities in the web infrastructure of three ransomware gangs (Mallox, BlackCat, and Everest), obtained decryption keys for two of them before the gangs deployed their ransomware, and notified four others, saving a total of six gangs from paying high ransoms.
While ransomware has not improved, the tactics used by law enforcement against gangs who encrypt and blackmail their victims are becoming more innovative and interesting, and this may be an approach to consider against gangs in the future.