Greetings from the gaudy hellscape of Las Vegas, and that overcrowded maelstrom of surly hackers known as DEF CON! What follows is a brief rundown of the talks here (and at its big corporate sister, Black Hat) that seemed particularly interesting. Short version: software is eating the world; software can be hacked; ergo, the world can be hacked. Be afraid.
Hack The Android
Joshua Drake of Zimperium on the highly publicized discovery of a bug that allows attackers to hack into most Android phones by simply sending them a carefully customized MMS message. Also: Wen Xu of KEEN on a Linux kernel vulnerability that can be used to root most Android devices.
Hack The Car
Charlie Miller of Twitter and Chris Valasek of IOActive on their Jeep hack that caused Chrysler to recall 1.4 million vehicles. Also: Marc Rogers of CloudFlare and Kevin Mahaffey of Lookout on “How to Hack a Tesla Model S.” (They’re also releasing a tool that allows Model S owners to track the telemetry information generated by their car in real time.) Also: Samy Kamkar on more tools and techniques to “wirelessly steal cars.”
Hack The Government
The always entertaining Cory Doctorow on his new mission in life: the EFF’s Project Apollo 1201. Its objective? To rid the world of all DRM in the next ten years. If you’re a hacker or researcher who’s dealing with DRM, or a developer or designer whose plans have been thwarted by DRM (Doctorow refers to such projects as “stolen from our future,”) he wants to hear from you.
Hacks By The Government
Morgan Marquis-Boire of Citizen Lab / The Intercept, Marion Marschalek of Cyphort, and Claudio Guarnieri on identifying and attributing malware crafted by nation-states to target their adversaries. Featuring: the USA, the UK, China, etc etc etc. Also: Adam Kozy of CrowdStrike and Johannes Gilger on China’s Great Cannon, the offensive counterpart to their Great Firewall.
Hack The Gun
Hack The GPS
Lin Huang and Yang Qing of Qihoo 360 on how to spoof GPS signals easily and cheaply using software-defined radios.
Hack The Home
Tobias Zillner and Sebastian Strobl of Cognosec on flaws in the ZigBee standard, widely used by Internet-of-Things devices. “Due to interoperability and compatibility requirements, as well as the application of legacy security concepts, it is possible to compromise ZigBee networks and take over control of all connected devices.” Also: Li Jun and Yang Qing of Qihoo 360 on another technique to defeat ZigBee security.
Hack The Hypervisor
Yuriy Bulygin, Mikhail Gorobets, Alexander Matrosov, and Oleksandr Bazhaniuk of Intel Security’s Advanced Threat Research team “demonstrate a number of new attacks on hypervisors based on system firmware vulnerabilities with impacts ranging from VMM DoS to hypervisor privilege escalation to SMM privilege escalation from within the virtual machines.” (Hypervisors are the software that orchestrates virtual machines. Most Internet servers are virtual machines. So attacks on them are kind of a big deal.)
Hack The Neighbor’s Drone
Michael Robinson of Stevenson University ponders the question: “Would it be possible to force a commercial quad copter to land by sending a low-level pulse directly to it along the frequencies used by GPS?”
Hack The NFC
Hack The RAM
I’ve written about this before, but it’s too amazing not to mention again. Google’s Mark Seaborn and Halvar Flake on the “Rowhammer” attack that uses electromagnetic leakage within RAM chips to take over a computer. This is amazing. “Rowhammer, to our knowledge, represents the first public discussion of turning a widespread, real-world, physics-level hardware problem into a security issue.”
Hack The Satellite
Colby Moore of Synack on flaws in the Globalstar satellite system (widely used for asset tracking) that give exploiters the “ability to intercept, spoof, falsify, and intelligently jam communications. Due to design tradeoffs these vulnerabilities are realistically unpatchable and put millions of devices, critical infrastructure, emergency services, and high value assets at risk.”
Hack The Skateboard
Mike Ryan of eBay and Richo Healey of Stripe “investigate the security of several popular skateboards, including Boosted’s flagship model and demonstrate several vulnerabilities that allow complete control of an unmodified victim’s skateboard.”
Hack The Planet!
The crowd at DEF CON is a mass of self-proclaimed misfits, rebels, and iconoclasts, and while much of that is obviously empty posturing, it still always cheers me up. In an era where dissent is not so much actively stifled as passively marginalized and ignored, pervasive contempt for the status quo among people who have the intellectual tools and capacity to incite real change is one of the most hopeful things around; and for all its multitudinous flaws, DEF CON is home to many such people. I suppose that’s why I keep coming back.