The top 4 things that happened at DEF CON 24

DEF CON, one of the biggest hacker conventions around, was just held in early August in Las Vegas. As one of the largest gatherings of hackers and cybersecurity experts on the planet, DEF CON showcases the present and future of hacking, cybersecurity and networking.

Of everything that went on over the conference, here are the four biggest things that happened:

1) Tesla cars can be hacked

Today, many cars come equipped with various sensors that go off when the vehicle is close to an object like a wall. These sensors are mostly for aiding drivers right now, but their functionality will prove even more critical as self-driving vehicles become more popular and ubiquitous over time.

“Car sensors are potentially susceptible to hackers.”

But, as a team of researchers from various universities demonstrated at DEF CON this year, these sensors are potentially susceptible to hackers. The team was able to use various devices to jam the sensors on a variety of cars, including the Tesla Model S. While this work was done in a highly controlled setting, Business Insider noted that such sensor-jamming technology could be much more widespread in a few years’ time.

“Normally the car will not move. However, when we jam the sensor it moves,” said Chen Yan, a PhD student at Zhejiang University who was part of the research team, according to Business Insider. He added, “It hit me.”

Smart homes are not safe from ransomware.

2) Thermostats are not immune to ransomware

One of the earliest devices to become a popular example of the Internet of Things was the smart thermostat, which would learn a user’s temperature preferences over time and automatically adjust settings as necessary. But, because these thermostats are connected to the internet, they are susceptible to hackers, which was definitively proven at DEF CON this year. One of the proof-of-concepts presented at the conference showed how a popular brand of smart thermostat could be taken over by ransomware. Luckily, the researchers did not say what brand of thermostat was vulnerable, in part to give the device manufacturer time to plug the hole before the defect is leaked.

3) Magnetic strips are problematic at hotels and shops

The fact that the magnetic stripes found on everything from hotel keycards to credit cards are less than ideal in terms of security is not surprising. After all, the mass introduction of EMV chips in payment cards came about particularly because of the vulnerabilities inherent in swiping. However, during DEF CON this year, cybersecurity expert Weston Hecker showed how brute force attacks could be used to guess magnetic stripe information on the fly, which could lead to everything from hotel doors being forced open to malware being inserted into a point-of-sale terminal.

“From field observations, the brute force susceptibility appears to affect most any property management system that uses magstripe key cards, so it’s multi vendor,” Hecker said, according to eSecurity Planet.

4) Mobile wallets are susceptible

Mobile device-based payment systems – think Apple Pay, Google Pay, etc. – are still nascent at the moment but they are rising in popularity. But, some of the features within mobile wallets are not as secure as they could be. During the conference this year, a hacker showed how it’s theoretically possible for someone to make up a fake token for Samsung Pay or intercept the unique identifiers belonging to someone else and then use it for purchases.

“If an attacker analyses the tokens very carefully, he/she could implement a guessing method,” said hacker Salvador Mendoza, according to ITProPortal.

But, Samsung refuted the findings as not significant. In particular, the device manufacturer noted that the distance needed to intercept a token makes it incredibly hard to pull off, and that making up a token that can be accepted is far from an easy feat.

As this year’s DEF CON illustrated, exploiting the IoT is becoming far more common. With the IoT rising in popularity, cybercriminals are increasingly seeking to exploit it. For those looking to adopt IoT devices, security and privacy must remain core concerns.

 

See what Untangle announced at DEF CON 24: