It's that time of year again: The wonderful, terrifying week when hackers and security gurus descend upon Las Vegas to show off their skills and unleash presentation after presentation full of scary-sounding exploits. This year is no different. Over the past week, we've heard tales of planes brought down by rogue code, snoops spying on your security cameras, and secretive, undetectable code that can turn any USB drive into an unstoppable malware vessel.
If the past is any indication, most of these exploits are scarier in theory than in fact—but they still offer a startling glimpse into the dangers inherent in an increasingly connected world. Here are the creepiest security stories coming out of Black Hat and Def Con in 2014.
BadUSB: Silent but deadly
Let's start with one of the more startling revelations. Researchers from Security Research Labs say they've developed a proof-of-concept attack that targets a thumb drive's firmware, rather than the files stored on the drive itself. Plugged into a PC, the reprogrammed drive announces itself as a keyboard and types the commands needed to download malware.
Since the vast majority of thumb drive makers don't protect their firmware in any way, and antimalware software doesn't scan device firmware for malicious code, the attack could theoretically be used to spread hard-to-find, hard-to-stop malware to PCs and on to any other thumb drive you connect to those PCs. Fortunately, this type of attack has not been seen in the wild.
Falling from grace
Another proof-of-concept attack could have far more physical repercussions. Ruben Santamarta, a researcher at IOActive, claims he's discovered flaws that allow him to hack into the satellite communications of airplanes via their Wi-Fi and in-flight entertainment systems—opening the door for attackers to interfere with the plane's navigation and safety systems.
Makers of the communications equipment downplayed the threat when contacted by Reuters, calling both the odds of an attack as well as the potential damage "minimal." The vendors said they're already working to plug the holes revealed by Santamarta, however.
Smile for the camera
Is your Dropcam live feed being watched by someone else?
Synack's Patrick Wardle and Colby Moore tore apart one of the $200 security cameras to find out how it works, finding numerous flaws that would allow attackers to view the videos stored by a hacked Dropcam, or to upload third-party videos that appear to originate from the camera. "It would allow an attacker to basically hijack or take over the video stream," Wardle told PCWorld.
Fortunately, there's one big gotcha to this scary-sounding hack: The hacker would need physical access to your Dropcam. And if an attacker already has unfettered, undisturbed access to your home for the length of time it would take to pull off this hack, you're probably going to have larger problems than a spied-on video feed.
Taking down Tor
Between the demise of the Silk Road drug trading post and endorsements from NSA leaker Edward Snowden, the Tor network has been in the limelight for the past year. Tor offers anonymity as you browse the web by bouncing your traffic through a chain of relay nodes before it reaches its final destination, with each node knowing only the identity of the nodes it directly connects to. But ruh-roh: Carnegie Mellon researcher Alexander Volynkin now says it's possible to break the Tor network's anonymity at minimal cost. That's bad.
How? That's still not clear. Volynkin abruptly canceled his Black Hat demonstration at CMU's urging. Tor's operators have, however, uncovered a group of malicious relay nodes attempting to deanonymize users, and those nodes are suspected to be tied to the now-canceled demonstration.
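The sentence above about each relay knowing only its neighbours is the whole point of onion routing, and it is also why a group of malicious relays is dangerous. The following is an added illustration, not code from the Tor project or from this article: a toy onion circuit in which the client wraps a message in one encryption layer per relay, each relay peels its own layer and learns only the previous and next hop, and a helper shows that an attacker who controls both the entry and the exit relay sees both ends of the circuit. The cipher is a deliberately simple HMAC-SHA256 keystream standing in for the AES/TLS layers real Tor uses, and the relay keys (`RELAY_KEYS`) are assumed to be pre-shared with the client; real Tor negotiates them with a Diffie-Hellman handshake and adds per-cell integrity checks that this toy omits.

```python
"""Toy onion routing: what a single Tor relay does and does not learn.

Added illustration, not Tor project code. The cipher is a toy HMAC-SHA256
keystream and relay keys are assumed pre-shared (real Tor uses AES/TLS and a
Diffie-Hellman handshake per hop).
"""
import hashlib
import hmac
import os

NONCE_LEN = 12
HOP_LEN = 16  # each layer starts with the next hop's name, NUL-padded to 16 bytes

# Assumed pre-shared relay keys, derived deterministically so the demo is repeatable.
RELAY_KEYS = {name: hashlib.sha256(b"toy-relay-key:" + name.encode()).digest()
              for name in ("guard", "middle", "exit")}


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR `data` with an HMAC-SHA256 counter-mode keystream (same call encrypts and decrypts)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """One encryption layer: fresh nonce followed by the keystream-XORed plaintext."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def unseal(key: bytes, blob: bytes) -> bytes:
    """Peel one layer sealed with `key`."""
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def _hop(name: str) -> bytes:
    raw = name.encode()
    assert len(raw) <= HOP_LEN, "hop name too long for the toy header"
    return raw.ljust(HOP_LEN, b"\0")


def build_onion(path, destination, message, keys=RELAY_KEYS) -> bytes:
    """Wrap `message` in one layer per relay; only the innermost (exit) layer names the destination."""
    blob = seal(keys[path[-1]], _hop(destination) + message)
    for relay, next_relay in reversed(list(zip(path[:-1], path[1:]))):
        blob = seal(keys[relay], _hop(next_relay) + blob)
    return blob


def run_circuit(path, destination, message, keys=RELAY_KEYS):
    """Pass the onion hop by hop. Returns {relay: (previous hop, next hop)} and the
    cleartext the exit hands to the destination. Each relay sees only who handed it the
    cell and the name it peels from its own layer; the rest is still ciphertext to it."""
    blob = build_onion(path, destination, message, keys)
    seen = {}
    previous = "client"
    for relay in path:
        plain = unseal(keys[relay], blob)
        next_hop = plain[:HOP_LEN].rstrip(b"\0").decode()
        seen[relay] = (previous, next_hop)
        previous, blob = relay, plain[HOP_LEN:]
    return seen, blob


def can_link(seen, controlled, destination) -> bool:
    """True if an attacker running the `controlled` relays observes both ends of the
    circuit: the client (as the guard's previous hop) and the destination (as the exit's
    next hop). That end-to-end view is what flooding the network with malicious relays buys."""
    sees_client = any(seen[r][0] == "client" for r in controlled if r in seen)
    sees_destination = any(seen[r][1] == destination for r in controlled if r in seen)
    return sees_client and sees_destination


if __name__ == "__main__":
    seen, delivered = run_circuit(["guard", "middle", "exit"], "example.org", b"GET / HTTP/1.1")
    for relay, (prev, nxt) in seen.items():
        print(f"{relay:7s} saw: from {prev:7s} -> to {nxt}")
    print("exit delivered:", delivered)
    print("middle relay alone can link client to destination:", can_link(seen, {"middle"}, "example.org"))
    print("guard + exit together can:", can_link(seen, {"guard", "exit"}, "example.org"))
```

Run it and note that the middle relay's view is just "from guard, to exit": it never sees the client address or `example.org`. The `can_link` check is the cheap part of the story; a real attacker who holds both ends still has to correlate traffic by timing or by tagging cells, which is what the malicious relays found by Tor's operators were doing.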
Symantec Endpoint Un-Protection
How's this for ironic? Mati Aharoni, lead trainer and developer for Offensive Security, found a trio of vulnerabilities in Symantec's Endpoint Protection that could let attackers elevate themselves to high-level access on victims' computers. In other words, attackers could breach your defenses through your security software itself.
On the plus side, Symantec has already plugged the holes. Yay?
But forget about software. Your home networking equipment itself might be the source of your security downfall. During a Black Hat keynote, In-Q-Tel chief information security officer Dan Geer said that your router—yes, your router—is one of the easiest (and therefore juiciest) targets for attackers, according to Ars Technica. Routers are easily found in online scans, they often still have their default login credentials, and the vast majority of folks never, ever think about updating their router to the latest firmware.
Of course, PCWorld readers are already well aware that home networking is the vulnerability story of 2014. An Electronic Frontier Foundation-sponsored router hacking contest will also be running during Def Con, charmingly dubbed "SOHOplessly Broken."
Network-attached storage devices are even more riddled with flaws than routers, though, according to one researcher. Jacob Holcomb, a security analyst at Independent Security Evaluators, led a major study into router vulnerabilities in 2013, and he focused on NAS boxes in his Black Hat talk this year.
"There wasn't one device that I literally couldn't take over," Holcomb said. "At least 50 percent of them can be exploited without authentication." By compromising a NAS device, an attacker could also hijack traffic from other devices on the same network, using techniques like ARP spoofing, he said.
Even scarier: While Holcomb says he'd reported all the vulnerabilities to NAS box makers, the ones he demonstrated at the show have yet to be patched. NAS fixes can take months to reach customers, he said.
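Holcomb's point that a compromised NAS can hijack its neighbours' traffic through ARP spoofing is worth pairing with the check a defender would run. The following is an added example, not code from Holcomb's study or from this article: it parses raw Ethernet/ARP frames and flags two signs of ARP cache poisoning, an IP address whose MAC suddenly changes and a single MAC that claims the gateway's IP while also answering for another host. The sample frames are constructed inline (the `192.168.1.0/24` addresses, the `aa:bb:cc:...` MACs and the "NAS" role are assumptions for the demo); on a real network you would feed it replies captured off the wire.

```python
"""Detect ARP cache poisoning from a stream of ARP replies.

Added example, not from the article or from Holcomb's research. The frames
below are constructed for the demo; addresses and roles are assumptions.
"""
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Constructed sample frame: 14-byte Ethernet header + 28-byte ARP 'is-at' reply."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet, IPv4, 6, 4, reply
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return op, sender_mac, sender_ip


def detect_arp_spoofing(frames, gateway_ip):
    """Replay ARP replies in order and return alerts:
    ("mac_changed", ip, old_mac, new_mac)         an IP's MAC binding flipped
    ("gateway_impersonation", mac, [ips...])      one MAC claims the gateway plus other hosts
    Requests and non-ARP frames are ignored."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, mac, ip = parsed
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append(("mac_changed", ip, known, mac))
        ip_to_mac[ip] = mac
        new_claim = ip not in mac_to_ips[mac]
        mac_to_ips[mac].add(ip)
        # Only alert when this MAC adds a new IP to a set that already includes the gateway.
        if new_claim and gateway_ip in mac_to_ips[mac] and len(mac_to_ips[mac]) > 1:
            alerts.append(("gateway_impersonation", mac, sorted(mac_to_ips[mac])))
    return alerts


# Constructed sample traffic (assumed addresses): a router, a PC and a NAS on one LAN.
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "aa:bb:cc:00:00:01"
PC_IP, PC_MAC = "192.168.1.20", "aa:bb:cc:00:00:20"
NAS_IP, NAS_MAC = "192.168.1.50", "aa:bb:cc:00:00:50"

SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, PC_MAC, PC_IP),   # router answers the PC: normal
    build_arp_reply(NAS_MAC, NAS_IP, PC_MAC, PC_IP),           # NAS answers the PC: normal
    b"\x00" * 12 + struct.pack("!H", 0x0800) + b"\x00" * 28,   # an IPv4 frame, ignored
    build_arp_reply(NAS_MAC, GATEWAY_IP, PC_MAC, PC_IP),       # compromised NAS tells the PC "I am the router"
    build_arp_reply(NAS_MAC, PC_IP, GATEWAY_MAC, GATEWAY_IP),  # and tells the router "I am the PC"
]

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_FRAMES, GATEWAY_IP):
        print(alert)
```

The last two sample frames are the classic two-sided poisoning that puts the NAS in the middle of the PC-to-router path; the detector raises `mac_changed` for the gateway address as soon as the first one arrives. On a real LAN, feed it frames from a capture filtered to ARP and expect some noise from DHCP churn, so keep an allowlist of MACs that legitimately move.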
The wrong kind of network management
Remember Carrier IQ and the big brouhaha that erupted when it was found? While it appeared at first to be a rootkit for carriers to spy on all your traffic, the truth was more mundane (if still creepy): It was a diagnostic tool to help carriers manage network capacity. But the device management tools that carriers load onto handsets can leave your phone vulnerable to attack, as Accuvant's Mathew Solnik and Marc Blanchou outlined at Black Hat. The exploits can be used to execute code remotely and bypass the operating system's native defenses.
The researchers say 70 to 90 percent of all phones sold worldwide include the device management software. Other devices—including laptops, wireless hotspots, and Internet of Things gizmos—are also at risk from the same vulnerable OMA-DM device management implementation.
Who needs Slim Jims?
The vulnerability of the Internet of Things is sure to be a hot topic among hackers this weekend, but the security of everyday objects with built-in wireless connections extends beyond Dropcam spies and Tweeting coffee pots. Qualys researcher Silvio Cesare will show how to cobble together a tool, made from cheap and easily obtainable parts, that is capable of defeating the keyless entry systems of automobiles.
"I can use this to lock, unlock, open the trunk," Cesare told Wired. "It effectively defeats the security of the keyless entry." He's tried the technique only on his own 10-year-old car, however, and it requires attackers to stay in range for up to two hours—so don't look for carjackers to trade in their crowbars for computers quite yet.
The IoT vulnerabilities detailed by security consultant Jesus Molina at Black Hat are far more practical—and eye-opening. While staying at the five-star St. Regis Shenzhen hotel in China, Molina figured out how to reverse-engineer the "Digital Butler" iPad app provided to guests, abusing a flaw in the KNX/IP home automation protocol powering the app. Molina limited his tinkering to triggering various Do Not Disturb lights in hallways, but says the flaw could be used to control the lights, TVs, temperature, in-room music, and heck, even the automated blinds in over 200 rooms—and the attacker wouldn't even need to be in the same country as the hotel.
The St. Regis called the claim "unsubstantiated," but told the South China Morning Post that it had "temporarily suspended the control system of the in-room iPad remote controls for system upgrading" nonetheless.
Bonus(?): Massive Russian hacker database
The scariest security news of the week did not come out of the Las Vegas desert, however. Instead, it came from Asia, where Russian hackers have amassed a massive database of 1.2 billion stolen username/password combinations and 500 million email addresses, according to Alex Holden of Hold Security.
The report leaves some glaring questions unanswered, and that—combined with Hold Security's announcement of a $120 per month security service that lets you know if your name winds up in the database—left some doubting whether it was entirely accurate, despite Holden's strong reputation in the security industry. However, noted security researcher and journalist Brian Krebs says he's seen Holden's data and research firsthand and "can definitely say it's for real." Yikes. Time to brush up on those crucial security habits you aren't actually doing.
Keep on pwning in the real world
Okay, okay, after reading all that you'd be forgiven for wanting to curl up in a fetal position in the corner. But remember: The scary stories coming out of Black Hat and Def Con are indeed troubling, but most are academic in nature and aren't being actively used by bad actors. In other words, they sound worse than they actually are.
But the eight scariest digital security stories of 2014 (so far), on the other hand? Those are all very, very real…