There was plenty of nervous laughter at DEF CON this summer when renowned researchers Charlie Miller and Chris Valasek showed how they were able to hack the electronics of the 2010 Toyota Prius and Ford Escape to override the cars' smart steering, braking, acceleration, engine, and other features. The researchers, who had no experience with car electronics before dismantling the dashboards and mapping out the cars' networks, released the tools they built, which allowed them to jerk the steering wheel out of the driver's control and to disable the brakes.
Source: Miller and Valasek whitepaper
Researchers at UC-Berkeley took biometric authentication to another level this year, using brainwaves as a replacement for the password. Researchers used wireless headsets with embedded EEG sensors to study whether brainwave signals of users performing specific tasks could be matched to the correct individual. The researchers were able to match the brainwave signals with 99 percent accuracy.
Source: University of California-Berkeley
A live demo at Black Hat USA simulating an environmental catastrophe via a cyberattack on an oil-well pumping station sprayed some of the bluish-green dyed liquid from the crude model built by the researchers, drawing audience laughter. But the sobering message was clear in how simple it is to fool and, ultimately, sabotage systems regulating remote oil-drilling stations.
Drones have been all the rage this year, culminating with Amazon's plans for a drone delivery fleet, but a new prototype created by a privacy and security researcher could divert those flights. Samy Kamkar, of "Samy" worm fame, constructed SkyJack, a drone that automatically finds and hijacks nearby Parrot drones, amassing an army of zombie drones.
Don't look now, but even that docking station on your desk that you snap your laptop into has been hacked. A British researcher at Black Hat Europe constructed a single-board Raspberry Pi-based device that can be inserted right inside the docking station to potentially steal corporate data and listen in on voice calls and videoconferences.
Source: NCC Group
A prototype distributed mobile tracking network called Snoopy takes advantage of weaknesses in the way mobile devices search for WiFi signals in order to track a person's online and physical movements, and to intercept data from their devices. Snoopy, the creation of Daniel Cuthbert, can even use a smartphone as the drone surveillance device.
The Automatic Identification System (AIS) used by ships helps vessels avoid collisions on the high seas by identifying and locating them, but white-hat hackers discovered AIS could be hijacked and hit by man-in-the-middle attacks. An attacker could modify a ship's position, create a fake vessel, or send phony "man-in-the-water" distress beacons.
Source: Trend Micro
Bug bounties aren't just for grown-ups: Three participants in the kid version of DEF CON, R00tz Asylum (formerly called DEF CON Kids), scored cash from Samsung for finding flaws in its apps for its smart TVs. CyFi, 12, who made her mark there two years ago with the discovery of the so-called "time traveler" class of vulnerabilities across mobile platforms, scored $1,000 for the bug she found.
So much for that sophisticated alarm system in your building. A pair of security researchers found that all it takes to circumvent a building's alarm system sensor is an infrared light "bomb," or holding up a piece of cardboard to fool and bypass it. They also hacked the alarm sensor keypads with a homegrown rogue cellular base station.
Source: Bishop Fox
Russian researcher Alexey Sintsov got more than he bargained for when his aggressive honeypot experiment resulted in a counterattack against the desktop of an intelligence agency in a nation that was formerly part of the Soviet Union. Sintsov built the honeypot to test the ability to hack back at, and gather intel on, attackers.
Source: Sintsov whitepaper
Smart TVs were hijacked with rootkit technology and weak Web apps in order to turn the screens into stealthy surveillance systems, unbeknownst to their owners. Two different groups of researchers at Black Hat USA showed how they were able to take photos and video through smart TVs and to mount browser-based attacks on them.
Source: iSEC Partners
Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...