Def Con, one of the most prominent annual hacking conferences in the world, was held in Las Vegas over the weekend. The conference is essentially a cavalcade of terrifying reminders that the technology that we rely on to maintain a somewhat functioning society is not as secure as we think. Here are some of the most jaw-dropping device vulnerabilities that hackers revealed at this year’s Def Con.
Researchers from the Chinese tech conglomerate Tencent presented the results of a months-long project to devise a way to surreptitiously convert Amazon’s Echo smart speaker into a surveillance device on Sunday. Wired reports that Tencent representatives Wu Huiyu and Qian Wenxiang said that the research team managed to string together multiple bugs in the second-generation Echo that would allow a hacker to remotely stream audio from the device’s microphone. However, Echo owners need not fret—the researchers already notified Amazon of their methods, and the company rolled out automatic security updates to the speakers last month. Plus, the attack is fairly sophisticated and requires access to a target’s Wi-Fi network, so Echo owners who aren’t being hounded by highly trained and dedicated hackers would’ve been safe anyway.
The researchers found that they could alter an Echo by retrofitting the flash chip with their own firmware and then use it to attack other Echos via the local network that allows the devices to communicate with each other. The infiltration method would have been particularly effective against Echos in hotels, schools, or other places where a large group of people are sharing the same Wi-Fi.
This is the second year that Def Con organizers have filled a conference room with the same types of voting machines that will likely be deployed for the midterms so that hackers can try their hand at election tampering. Participants ultimately managed to upload their own software to the machines and manipulate the vote tallies. One hacker even found a way to make a voting machine loop the Supa Hot Fire GIF.
In addition, organizers had around 40 children between the ages of 6 and 17 attempt to infiltrate replicas of the election board websites for several swing states. The kids exploited vulnerabilities that allowed them to tamper with vote tabulations and change the names of candidates to “Bob Da Builder,” “Richard Nixon’s Head,” and other spoof terms. An 11-year-old reportedly hacked into a mock-up of the Florida secretary of state’s website and changed the voting results within 10 minutes.
Voting machine manufacturers and some election officials predictably indicated that they were unimpressed with the results, arguing that the Def Con tests did not accurately simulate all of the security features and time restrictions that a hacker would face at an actual polling place.
Police Body Cameras
On Saturday, a consultant named Josh Mitchell from the cybersecurity firm Nuix reported the results of a test he had conducted on five different body camera models that surveillance companies are marketing to U.S. law enforcement. With the exception of one device made by Digital Ally, Mitchell was able to remotely download, alter, and then re-upload footage onto the cameras without leaving a trace.
Mitchell also devised a way to livestream footage from the cameras, potentially allowing a criminal to track a cop’s location and predict upcoming law enforcement actions. He further found that he could infect some of the cameras with malware, which could then spread to other databases and systems in a police department when an officer syncs the device with a computer connected to the network.
Hacker Martin Vigo presented research showing that a vulnerability in voicemail could allow a nefarious actor to access a target’s accounts for online services like PayPal and WhatsApp. According to Vigo, most major carriers have failed to update the security of their voicemail features and still rely on easily guessable PINs as passwords.
People who don’t set their own PINs are particularly at risk because the default is usually just the last four digits of their phone numbers. Yet even people who have changed the code from the default are still vulnerable to brute-force attacks, since most voicemail systems don’t have a limit on the number of times you can guess the password. Once hackers have broken into the voicemail system, they can request that WhatsApp send the target’s code via a phone call. If the target doesn’t pick up, the call is transferred to voicemail where the hackers can hear it.
Vigo claims that slight variations on this scheme allow hackers to break into PayPal, eBay, LinkedIn, and other accounts.